Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[HOLD for payment 2024-12-03] Add a step to to Request Physical Card form that collects a magic code #50967

Closed
NikkiWines opened this issue Oct 17, 2024 · 30 comments
Assignees
Labels
Awaiting Payment Auto-added when associated PR is deployed to production Bug Something is broken. Auto assigns a BugZero manager. Daily KSv2 External Added to denote the issue can be worked on by a contributor

Comments

@NikkiWines
Copy link
Contributor

NikkiWines commented Oct 17, 2024

Problem

Someone can issue a physical or virtual Expensify card without verifying they are the owner of the account. This relates to an internal security issue.

Why this is important to solve

This is a security vulnerability that can be taken advantage of if an account is compromised.

Solution

Collect a magic code when requesting a physical Expensify card. In a little more detail:

  • The API command to be updated is here
  • It should have a new parameter called validateCode that is passed to the server
  • In order to do this, anything callling BaseGetPhysicalCard needs a new step to gather a magic code from the user (we should have existing components that can be reused for this)
Issue OwnerCurrent Issue Owner: @sakluger
@NikkiWines NikkiWines added External Added to denote the issue can be worked on by a contributor Weekly KSv2 Bug Something is broken. Auto assigns a BugZero manager. labels Oct 17, 2024
@melvin-bot melvin-bot bot added the Help Wanted Apply this label when an issue is open to proposals by contributors label Oct 17, 2024
Copy link

melvin-bot bot commented Oct 17, 2024

Triggered auto assignment to Contributor-plus team member for initial proposal review - @situchan (External)

@melvin-bot melvin-bot bot added Daily KSv2 and removed Weekly KSv2 labels Oct 17, 2024
Copy link

melvin-bot bot commented Oct 17, 2024

Triggered auto assignment to @sakluger (Bug), see https://stackoverflow.com/c/expensify/questions/14418 for more details. Please add this bug to a GH project, as outlined in the SO.

@NikkiWines
Copy link
Contributor Author

cc: @mountiny, sounds like from this we're still working on the re-usable component for requesting a validateCode, is that correct?

@hungvu193
Copy link
Contributor

Not sure why I'm getting notification for this issue but yeah we have an issue for this kind of flow. It's being worked on by @getusha in #49445.

@mountiny
Copy link
Contributor

correct, @getusha is working on the reusable component here #49445

@sakluger
Copy link
Contributor

Should we assign @getusha to this issue, or is this issue a duplicate, or do we still need someone else for this one?

@mountiny
Copy link
Contributor

I think we can, or @hungvu193 do you want to take on the implementation here?

@hungvu193
Copy link
Contributor

Ok, I can take it.

@melvin-bot melvin-bot bot removed the Help Wanted Apply this label when an issue is open to proposals by contributors label Oct 18, 2024
@mountiny mountiny self-assigned this Oct 18, 2024
@mountiny
Copy link
Contributor

Happy to help as CME

@hungvu193
Copy link
Contributor

Draft PR is here. It's based on #49445 so I will wait for #49445 to be merged.

@melvin-bot melvin-bot bot added the Overdue label Oct 20, 2024
@mountiny
Copy link
Contributor

Not overdue

@mountiny
Copy link
Contributor

The PR was merged, can you sync up with main and make the PR ready for a review @hungvu193? Thank you!

@hungvu193
Copy link
Contributor

Sure thing. Also @NikkiWines I noticed that currently we can pass any validate code and BE still returns success response. I think we still need to update BE right?

@NikkiWines
Copy link
Contributor Author

NikkiWines commented Oct 21, 2024

Yep, there's a backend change in the works, it's the last thing we'll update though so as to not break any front-end flows that still need changing

@hungvu193
Copy link
Contributor

hungvu193 commented Oct 21, 2024

Cool. I merged FE's PR with main, it's basically ready, only handling error left.

Copy link

melvin-bot bot commented Oct 21, 2024

@sakluger, @hungvu193, @mountiny, @situchan Whoops! This issue is 2 days overdue. Let's get this updated quick!

@situchan
Copy link
Contributor

Not overdue

@melvin-bot melvin-bot bot removed the Overdue label Oct 21, 2024
@hungvu193
Copy link
Contributor

Please let me know when BE is ready so I can update the FE's PR @NikkiWines

@NikkiWines
Copy link
Contributor Author

Will do! We're waiting on another PR but it's in the works

@melvin-bot melvin-bot bot added Reviewing Has a PR in review Weekly KSv2 and removed Daily KSv2 labels Oct 24, 2024
@NikkiWines
Copy link
Contributor Author

Ok, BE PR is ready, but let's get https://github.com/Expensify/App/pull/51135 reviewed and merged first so that we're passing the validateCode and the flow isn't disrupted by having the BE changes go live.

@situchan
Copy link
Contributor

situchan commented Nov 5, 2024

Please reassign another C+ as I'll be OOO

@situchan situchan removed their assignment Nov 5, 2024
@dominictb
Copy link
Contributor

I can take over this as per Slack discussion.

cc @mountiny

@NikkiWines NikkiWines self-assigned this Nov 12, 2024
@mountiny mountiny removed their assignment Nov 12, 2024
@melvin-bot melvin-bot bot added Weekly KSv2 Awaiting Payment Auto-added when associated PR is deployed to production and removed Weekly KSv2 labels Nov 26, 2024
@melvin-bot melvin-bot bot changed the title Add a step to to Request Physical Card form that collects a magic code [HOLD for payment 2024-12-03] Add a step to to Request Physical Card form that collects a magic code Nov 26, 2024
@melvin-bot melvin-bot bot removed the Reviewing Has a PR in review label Nov 26, 2024
Copy link

melvin-bot bot commented Nov 26, 2024

Reviewing label has been removed, please complete the "BugZero Checklist".

Copy link

melvin-bot bot commented Nov 26, 2024

The solution for this issue has been 🚀 deployed to production 🚀 in version 9.0.66-8 and is now subject to a 7-day regression period 📆. Here is the list of pull requests that resolve this issue:

If no regressions arise, payment will be issued on 2024-12-03. 🎊

For reference, here are some details about the assignees on this issue:

  • @hungvu193 requires payment through NewDot Manual Requests
  • @dominictb requires payment (Needs manual offer from BZ)

Copy link

melvin-bot bot commented Nov 26, 2024

@hungvu193 / @dominictb @sakluger @hungvu193 / @dominictb The PR fixing this issue has been merged! The following checklist (instructions) will need to be completed before the issue can be closed. Please copy/paste the BugZero Checklist from here into a new comment on this GH and complete it. If you have the K2 extension, you can simply click: [this button]

@dominictb
Copy link
Contributor

BugZero Checklist:

  • [Contributor] Classify the bug:
Bug classification

Source of bug:

  • 1a. Result of the original design (eg. a case wasn't considered)
  • 1b. Mistake during implementation
  • 1c. Backend bug
  • 1z. Other: New feature

Where bug was reported:

  • 2a. Reported on production
  • 2b. Reported on staging (deploy blocker)
  • 2c. Reported on both staging and production
  • 2d. Reported on a PR
  • 2z. Other:

Who reported the bug:

  • 3a. Expensify user
  • 3b. Expensify employee
  • 3c. Contributor
  • 3d. QA
  • 3z. Other:
  • [Contributor] The offending PR has been commented on, pointing out the bug it caused and why, so the author and reviewers can learn from the mistake.

    Link to comment: NA

  • [Contributor] If the regression was CRITICAL (e.g. interrupts a core flow) A discussion in #expensify-open-source has been started about whether any other steps should be taken (e.g. updating the PR review checklist) in order to catch this type of bug sooner.

    Link to discussion: NA

  • [Contributor] If it was decided to create a regression test for the bug, please propose the regression test steps using the template below to ensure the same bug will not reach production again.

  • [BugZero Assignee] Create a GH issue for creating/updating the regression test once above steps have been agreed upon.

    Link to issue:

Regression Test Proposal

Precondition:

  • User is assigned a physical card.

Test:

  1. Log into an account with a physical card assigned
  2. Go to your Settings => Wallet.
  3. Click on your Physical card => Issue card.
  4. Enter all necessary information => Press Ship card.
  5. Verify that there's modal that allow you to enter magic code.
  6. Enter the magic code that's been sent to your login.
  7. Verify that you can continue with the flow after that.

Do we agree 👍 or 👎

@sakluger
Copy link
Contributor

sakluger commented Dec 2, 2024

@dominictb I sent you an offer through Upwork: https://www.upwork.com/nx/wm/offer/105165129

@melvin-bot melvin-bot bot added Daily KSv2 and removed Weekly KSv2 labels Dec 3, 2024
Copy link

melvin-bot bot commented Dec 3, 2024

Payment Summary

Upwork Job

BugZero Checklist (@sakluger)

  • I have verified the correct assignees and roles are listed above and updated the neccesary manual offers
  • I have verified that there are no duplicate or incorrect contracts on Upwork for this job (https://www.upwork.com/ab/applicants//hired)
  • I have paid out the Upwork contracts or cancelled the ones that are incorrect
  • I have verified the payment summary above is correct

@sakluger
Copy link
Contributor

sakluger commented Dec 3, 2024

@hungvu193 please request payment using the payment summary comment above.

@sakluger sakluger closed this as completed Dec 3, 2024
@garrettmknight
Copy link
Contributor

$250 approved for @hungvu193

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Awaiting Payment Auto-added when associated PR is deployed to production Bug Something is broken. Auto assigns a BugZero manager. Daily KSv2 External Added to denote the issue can be worked on by a contributor
Projects
None yet
Development

No branches or pull requests

7 participants