Prevent filtering by any creator ID or email in process list

Sentry Issue: ARKINDEX-FRONTEND-9CT

Error: Request failed with status code 400
  at call (./js/api.js:221:66)
  at l (None:97:16)
  at a (None:97:16)
  at d/</< (None:97:16)
  at d/< (None:97:16)
...
(35 additional frame(s) were not displayed)

The frontend process list only offers two options to filter by creator:

  • My processes: filter by your own user ID
  • All processes: don't filter by creator

Using My processes adds &creator=X to the URL, where X is the current user's ID. But nothing stops someone from typing anything instead, causing unhandled 400 errors, or testing other user IDs.

The frontend should sanitize this input, either by changing the URL params to only include &mine=true instead of the creator, or by removing the query parameter when it is not set to the current user's ID.
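Both options proposed above can be sketched in one helper. This is an added example, not code from the Arkindex frontend: the function name `sanitizeProcessQuery` and the `useMineFlag` option are hypothetical, and it assumes user IDs compare equal as strings and that the API would accept a `mine=true` parameter if that option were chosen.

```javascript
// Added example (hypothetical helper, not the project's code).
// Normalises the process-list query string so that "creator" can only ever
// carry the signed-in user's own ID; anything else falls back to "All processes".
function sanitizeProcessQuery(search, currentUserId, { useMineFlag = false } = {}) {
  const params = new URLSearchParams(search) // a leading "?" is ignored
  const creators = params.getAll('creator')  // catches repeated &creator=...&creator=...
  const own = currentUserId == null ? null : String(currentUserId)

  // "My processes" is active only when exactly one creator value is present
  // and it is the current user's ID, or when an earlier pass already set mine=true.
  const mine = own !== null && (
    (creators.length === 1 && creators[0] === own) ||
    (useMineFlag && params.get('mine') === 'true')
  )

  // Drop whatever was typed into the URL, then re-add only the trusted form.
  params.delete('creator')
  params.delete('mine')
  if (mine) {
    if (useMineFlag) params.set('mine', 'true') // option 1: never expose an ID in the URL
    else params.set('creator', own)             // option 2: keep creator, own ID only
  }
  return params.toString()
}

// Constructed sample URLs, including the cases from the issue title.
const samples = [
  '?page=2&creator=7',          // own ID: kept
  '?page=2&creator=8',          // another user's ID: removed
  '?creator=abc%40example.com', // email instead of an ID: removed
  '?creator=7&creator=8',       // repeated parameter: removed
]
for (const s of samples) {
  console.log(s, '->', JSON.stringify(sanitizeProcessQuery(s, 7)))
}
```

If the sanitized string differs from the one in the address bar, the router can replace the URL before the API call is made, so the request that produced the 400 is never sent.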