[HOLD for payment 2024-12-05] [$250] Require magic code validation for SetPersonalDetailsAndShipExpensifyCards #52316
Comments
Triggered auto assignment to @JmillsExpensify (
Job added to Upwork: https://www.upwork.com/jobs/~021856002885580948055
Triggered auto assignment to Contributor-plus team member for initial proposal review - @rushatgabhane (
Edited by proposal-police: This proposal was edited at 2024-11-11 16:15:02 UTC.
Proposal
Please re-state the problem that we are trying to solve in this issue.
Require magic code validation for SetPersonalDetailsAndShipExpensifyCards
What is the root cause of that problem?
This is a new feature request
What changes do you think we should make in order to solve the problem?
What alternative solutions did you explore? (Optional)
This is a straightforward implementation issue. Let's hire @nkdengineer 🎀 👀 🎀
Triggered auto assignment to @lakchote, see https://stackoverflow.com/c/expensify/questions/7972 for more details.
Moving forward with @nkdengineer, thank you @rushatgabhane!!
📣 @nkdengineer 🎉 An offer has been automatically sent to your Upwork account for the Contributor role 🎉 Thanks for contributing to the Expensify app! Offer link
The solution for this issue has been 🚀 deployed to production 🚀 in version 9.0.67-9 and is now subject to a 7-day regression period 📆. Here is the list of pull requests that resolve this issue: If no regressions arise, payment will be issued on 2024-12-05. 🎊 For reference, here are some details about the assignees on this issue:
@rushatgabhane @JmillsExpensify @rushatgabhane The PR fixing this issue has been merged! The following checklist (instructions) will need to be completed before the issue can be closed. Please copy/paste the BugZero Checklist from here into a new comment on this GH and complete it. If you have the K2 extension, you can simply click: [this button]
Checklist
Not a bug. New feature. So we should add a regression test
Payment summary:
@rushatgabhane please submit via New Expensify. Contributor paid via Upwork and regression test created.
$250 approved for @rushatgabhane
Problem
Someone can issue multiple physical Expensify cards on behalf of a domain without verifying they are actually the owner of the account. This relates to an internal security issue.
Why this is important to solve
This is a security vulnerability that can be taken advantage of if an account is compromised.
Solution
Collect a magic code when requesting a physical Expensify card. In a little more detail:
- validateCode that is passed to the server
- updatePersonalDetailsAndShipExpensifyCards needs a new step to gather a magic code from the user with the ValidateCodeActionModal component from this PR.
Upwork Automation - Do Not Edit
Issue Owner
Current Issue Owner: @JmillsExpensify
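
The server-side half of the solution described in the issue above, as an added example that is not part of the original issue or Expensify's code: a handler that refuses the SetPersonalDetailsAndShipExpensifyCards command unless the request's validateCode matches a pending, unexpired, single-use code. MagicCodeGate, shipCards, the lifetime and the attempt limit are assumptions; only validateCode and the command name come from the issue.

```javascript
// Added example; MagicCodeGate, shipCards and both limits are hypothetical.
const MAX_ATTEMPTS = 5;               // assumed guess limit per issued code
const CODE_TTL_MS = 10 * 60 * 1000;   // assumed 10-minute lifetime
const ACTION = 'SetPersonalDetailsAndShipExpensifyCards';

// Constant-time comparison so response timing does not reveal matching digits.
function safeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

class MagicCodeGate {
  constructor() {
    this.pending = new Map(); // "accountID:action" -> {code, expiresAt, attempts}
  }

  // Called after the code has been delivered to the account owner out of band.
  issue(accountID, action, code, now) {
    this.pending.set(`${accountID}:${action}`, {code, expiresAt: now + CODE_TTL_MS, attempts: 0});
  }

  // A code is bound to one account and one action, and is consumed on success.
  verify(accountID, action, validateCode, now) {
    const key = `${accountID}:${action}`;
    const entry = this.pending.get(key);
    if (!entry) return {ok: false, reason: 'no_code_issued'};
    if (now > entry.expiresAt || ++entry.attempts > MAX_ATTEMPTS) {
      this.pending.delete(key); // expired or guessed too often: force a new code
      return {ok: false, reason: now > entry.expiresAt ? 'expired' : 'too_many_attempts'};
    }
    if (!safeEqual(entry.code, validateCode)) return {ok: false, reason: 'bad_code'};
    this.pending.delete(key); // single use: a replayed request fails
    return {ok: true, reason: 'verified'};
  }
}

// Hypothetical handler: a valid session alone is not enough to ship cards.
function shipCards(gate, session, params, now) {
  if (!params.validateCode) return {status: 400, error: 'validateCode required'};
  const result = gate.verify(session.accountID, ACTION, params.validateCode, now);
  if (!result.ok) return {status: 401, error: result.reason};
  return {status: 200, shippedTo: params.address};
}
```

Binding the code to the account and the action means a code issued for another flow cannot be reused to ship cards from a hijacked session.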