Just a quick one: be wary of silent truncation in SQL databases.
In this case, I discovered that when adding email domains to FastMail, it was possible to bypass the ownership check for existing domains.
For example, if you only own id-rsa.pub, somebody else owns microsoft.com, and you try to add
However, if you know (or can guess!) that the database column is only 255 characters, then you can try to add a value where the domain falls on the truncation boundary:
It will pass the ownership check (because you own id-rsa.pub), but the value stored to the database will be a completely different eTLD+1:
And the database driver did not even warn you about it. Whoops!
- Enforce length limits on both the front-end and back-end.
- Be sure your columns are at least as long as your length limits.
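As an added illustration (not FastMail's code and not from the original post), the following Python models the flow described above: an ownership check that passes, a column that silently cuts the value to 255 characters, and a fixed version that enforces a length limit before the check and writes into a column that errors instead of truncating (what MySQL's `STRICT_TRANS_TABLES` mode does). The owned domain id-rsa.pub comes from the post; the domain victim.example, the 253-character limit, the naive eTLD+1 rule and all function names are assumptions made for the example.

```python
# Added example modelling the silent-truncation bypass; not FastMail's code.
# Assumed: a VARCHAR(255) column, a 253-character policy limit (the longest
# DNS name on the wire), and "last two labels" as a stand-in for eTLD+1.

COLUMN_WIDTH = 255      # the column width the post mentions
MAX_DOMAIN_LEN = 253    # assumed back-end length limit; must not exceed COLUMN_WIDTH


def registrable_domain(name: str) -> str:
    """Naive eTLD+1: the last two labels. Production code should consult the
    Public Suffix List instead of this shortcut."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])


def owns_domain(candidate: str, owned: str) -> bool:
    """Ownership check as the post describes it: the candidate is accepted if it
    is the owned domain or sits beneath it."""
    return candidate == owned or candidate.endswith("." + owned)


def store_truncating(value: str) -> str:
    """Models a VARCHAR(255) column in a non-strict database: the value is cut
    to fit and the driver raises no error or warning."""
    return value[:COLUMN_WIDTH]


def store_strict(value: str) -> str:
    """Models the same column with strict mode enabled: an oversize value is
    rejected rather than silently shortened."""
    if len(value) > COLUMN_WIDTH:
        raise ValueError("value too long for column")
    return value


def add_domain_vulnerable(candidate: str, owned: str) -> str:
    """The flawed flow: check ownership on the full string, store a truncated one."""
    if not owns_domain(candidate, owned):
        raise PermissionError("ownership check failed")
    return store_truncating(candidate)


def add_domain_fixed(candidate: str, owned: str) -> str:
    """Fixed flow: length limit first, column at least as wide as the limit,
    strict storage so the checked value and the stored value are identical."""
    assert MAX_DOMAIN_LEN <= COLUMN_WIDTH, "column narrower than length limit"
    if len(candidate) > MAX_DOMAIN_LEN:
        raise ValueError("domain name too long")
    if not owns_domain(candidate, owned):
        raise PermissionError("ownership check failed")
    return store_strict(candidate)


def boundary_candidate(victim: str, owned: str) -> str:
    """Constructed test input: a name beneath `owned` whose first COLUMN_WIDTH
    characters end exactly in `victim`. Padding labels respect the 63-octet
    label limit so the name stays syntactically valid."""
    remaining = COLUMN_WIDTH - len("." + victim)
    labels = []
    while remaining > 0:
        n = min(63, remaining)
        if remaining - n == 1:      # never leave room for a lone trailing dot
            n -= 1
        labels.append("a" * n)
        remaining -= n
        if remaining > 0:
            remaining -= 1          # the dot that separates labels
    return ".".join(labels) + "." + victim + "." + owned


def outcome(flow, candidate: str, owned: str) -> str:
    """Runs one flow and reports what ended up stored, or why it was refused."""
    try:
        stored = flow(candidate, owned)
    except (ValueError, PermissionError) as exc:
        return "rejected: " + type(exc).__name__
    return "stored: " + registrable_domain(stored)


if __name__ == "__main__":
    owned, victim = "id-rsa.pub", "victim.example"   # victim.example is constructed
    probe = boundary_candidate(victim, owned)
    print("candidate length:", len(probe))
    print("vulnerable flow ->", outcome(add_domain_vulnerable, probe, owned))
    print("fixed flow      ->", outcome(add_domain_fixed, probe, owned))
    print("fixed, legit    ->", outcome(add_domain_fixed, "mail." + owned, owned))
```

The read-back in `outcome` is the check worth keeping in real code: if the registrable domain of what the database returns differs from the one that passed the ownership check, something between validation and storage changed the value.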
I reported this issue to FastMail.com on 2018-01-01 and within 22 hours received notification that the issue was fixed, along with a $100 USD bug bounty and a mention in the hall of fame.