Fix: College input validation bypass via state mismatch (Issue #264)#328

Open
Adi-Marathe wants to merge 1 commit into
indresh404:mainfrom
Adi-Marathe:fix/issue-264-college-validation
Conversation

Contributor

@Adi-Marathe Adi-Marathe commented Jun 4, 2026

Fixes #264

Description

This pull request addresses a high-severity security/validation bug where users could bypass the college selection validation by manipulating the search input. Previously, the form only validated the selectedCollege state, allowing a user to manually type an invalid college name in the search input while selectedCollege held a valid (or empty) value. This allowed invalid college entries to pass validation and be stored in the database.

Changes Made

  • Added a strict equality check (collegeSearch !== selectedCollege) during form submission in src/pages/Onboarding.jsx.
  • If a user types a custom college name that does not match their dropdown selection, the form will correctly block submission and prompt the user to select a valid college from the searchable dropdown list.

Proof of Fix

Before Fix

  • Scenario: User selects "Mumbai University" from the dropdown. selectedCollege = "Mumbai University", collegeSearch = "Mumbai University".
  • User then manually types "Fake University" in the search box.
  • collegeSearch = "Fake University", but selectedCollege = "Mumbai University".
  • Result: The form submits successfully, saving a mismatched or unintended value, polluting the database.

After Fix

  • Scenario: User selects "Mumbai University" from the dropdown.
  • User then manually types "Fake University" in the search box.
  • When they click submit, the form checks collegeSearch !== selectedCollege.
  • Since "Fake University" !== "Mumbai University", validation fails correctly.
  • Result: The user sees the error message "Please select a valid college from the searchable dropdown list." and the form submission is blocked.

This effectively ensures that only valid, explicitly selected items from the dropdown (or properly typed "Other" entries) can ever be submitted to the Firestore database.

Closes: #264
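The two validation paths the PR describes, as an added example rather than the project's own Onboarding.jsx code. The names are assumptions: VALID_COLLEGES stands in for the searchable dropdown's list, and the otherCollege field models the "properly typed 'Other' entries" the PR mentions. The allow-list check at the end goes one step past the PR's fix and is marked as such in the code.

```javascript
// Added example (not code from the PR or the project). Models the validation gap
// described above and the strict-equality check that closes it.

// Constructed sample list standing in for the dropdown's real data source (assumption).
const VALID_COLLEGES = ["Mumbai University", "Delhi University"];

// Error text quoted from the PR description.
const ERROR_MSG = "Please select a valid college from the searchable dropdown list.";

// Before the fix: only selectedCollege is inspected, so whatever the user typed into
// the search box afterwards never influences the outcome.
function validateBefore({ selectedCollege }) {
  if (!selectedCollege) return { ok: false, error: ERROR_MSG };
  return { ok: true, college: selectedCollege };
}

// After the fix: the search box text must strictly equal the dropdown selection, so the
// value the user sees is the value that gets stored.
function validateAfter({ collegeSearch, selectedCollege, otherCollege }) {
  // Assumed "Other" path: the user picks "Other" and types a name in a separate field.
  if (selectedCollege === "Other") {
    const name = (otherCollege || "").trim();
    if (!name) return { ok: false, error: "Please enter your college name." }; // assumed message
    return { ok: true, college: name };
  }
  if (!selectedCollege) return { ok: false, error: ERROR_MSG };
  // The check introduced by the PR: typed text and selected state must agree.
  if (collegeSearch !== selectedCollege) return { ok: false, error: ERROR_MSG };
  // Added defence in depth (not part of the PR): the selection must also be a known
  // dropdown entry, so a tampered state object with a matching pair is rejected as well.
  if (!VALID_COLLEGES.includes(selectedCollege)) return { ok: false, error: ERROR_MSG };
  return { ok: true, college: selectedCollege };
}

// Replays the "Before Fix" / "After Fix" scenario from the PR description.
function replayScenario() {
  const state = { selectedCollege: "Mumbai University", collegeSearch: "Fake University" };
  return { before: validateBefore(state), after: validateAfter(state) };
}

console.log(JSON.stringify(replayScenario(), null, 2));
```

The `before` result shows the bypass: the stale selection is accepted and would be written even though the search box says something else. The `after` result blocks it with the PR's error message. Persisting the same rule server-side (Firestore security rules or a Cloud Function) would keep a client that skips the form from storing an arbitrary value.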

@Adi-Marathe Adi-Marathe requested a review from indresh404 as a code owner June 4, 2026 13:44
vercel Bot commented Jun 4, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

  • Project: ranker-hub; Deployment: Ready; Actions: Preview, Comment; Updated (UTC): Jun 4, 2026 1:44pm

github-actions Bot added the following labels on Jun 4, 2026:

  • backend: Backend/Firebase related changes
  • bug: Something isn't working
  • enhancement: New feature or request
  • frontend: Frontend related changes (HTML/CSS/JS/React)
  • gssoc: GirlScript Summer of Code
  • gssoc26: GirlScript Summer of Code 2026
  • nsoc: NSoC
  • NSoC'26: NSoC 2026
  • pending-review: PR is pending review

Development

Successfully merging this pull request may close these issues.

[Bug]: College Input Validation Bypass via State Mismatch