Can you find the bug in this piece of code? – RegExp edition 🌍

Hey there! 👋

I’m back with another installment of Find the bug, this time with TypeScript/JavaScript. Regular expressions are useful, but can behave in some unexpected ways. Can you tell me what the code below will output and what the cause for it is?



!! Don’t look at the comments to prevent spoilers if you want to solve it by yourself !!

Buggy code

// Matches one or more alphanumerics, an underscore, then one or more alphanumerics
const TEST_REGEXP = /[a-z0-9]+_[a-z0-9]+/gi;

function isValidName(value: any) {
    if (typeof value !== 'string') return false;

    return TEST_REGEXP.test(value);
}

const filenames = [
  "test_1",
  "test_1",
  "test_2",
  "other_test",
  "some_file"
];

for (let name of filenames) {
    console.log(isValidName(name));
}


Now then, can you find the bug?



Can you find the bug in this piece of PHP code?

Hey there! 👋

I was doing a bit of bug-hunting in an old project of mine when I found an interesting bug. Can you find it?

If you know your security or PHP this might be quite easy for you. Otherwise, it might be a good exercise.



!! Don’t look at the comments to prevent spoilers if you want to solve it by yourself !!

This is the request you would make to the server:

curl --location --request POST 'https://super.secure-api.com/check-pin' \
    --header 'Content-Type: application/json' \
    --header 'Authorization: Bearer <token>' \
    --data-raw '{
      "pin": <you_answer>
    }'

And this is the code for that given endpoint (/check-pin):

// Reject the request when the submitted pin does not match the stored one
if ($params['pin'] != $user->getPin()) {
  throw new HttpException(403, "The pin is incorrect");
}

return "The pin is correct!";

P.S.: This is just a demo, not real code. You should never check passwords/pins/secrets like this.



What input would you need to pass as pin to be able to bypass the check?

I will release a post in a couple of days explaining the bug in detail and how to fix it.

