fix: apply --url can submit to a completely different job than the one targeted #65
Open
sebastianmukuria wants to merge 1 commit into
acquire_job's target-url fallback stripped the query string to build its LIKE pattern -- but on indeed/linkedin the query string IS the job identity (?jk=, currentJobId=). The pattern '%indeed.com/viewjob%' matched every indeed job in the DB, and LIMIT 1 then applied to an arbitrary one: clicking apply for one posting could fill out a completely different company's application (observed in the wild: targeting one indeed job ran another company's job twice).

Now: exact match on url/application_url first; the only fallback is a LIKE for scheme/trailing-slash variants of the SAME url with the query string preserved; no match returns None instead of someone else's job.

Three regression tests included.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The bug
acquire_job's target-url lookup builds its fallback LIKE pattern by stripping the query string:

On indeed and linkedin the query string is the job identity (?jk=…, currentJobId=…), so the pattern collapses to %indeed.com/viewjob% — which matches every indeed job in the database. Since the exact and LIKE conditions are OR'd in one query with LIMIT 1 and no ORDER BY, SQLite returns an arbitrary matching row.

Impact: running applypilot apply --url <job A> can silently select job B and submit the candidate's application to a different company. Observed in the wild: targeting one indeed posting ran a different company's application twice in a row.

The fix
url/application_url first.
None (the caller reports no job found), never someone else's job.

Three regression tests included (tests/test_target_url_match.py): query-string identity is respected, unknown URLs return None rather than falling back, and scheme/trailing-slash variants still resolve.

🤖 Generated with Claude Code
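The lookup behaviour described in this PR, reproduced against an in-memory SQLite database as an added example (not the project's code). The table name `jobs`, the `company` column, the helper names and the sample rows are assumptions; the fallback here enumerates scheme/trailing-slash variants and compares them exactly instead of using LIKE, so `%` or `_` in a URL cannot act as wildcards.

```python
import sqlite3
from urllib.parse import urlsplit

ROWS = [  # constructed sample data
    ("Acme", "https://www.indeed.com/viewjob?jk=aaa111", None),
    ("Globex", "https://www.indeed.com/viewjob?jk=bbb222", None),
    ("Initech", "https://example.com/careers/42/", "https://example.com/careers/42/apply"),
]

def make_db():
    # Assumed schema: only url/application_url are named in the PR.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE jobs (id INTEGER PRIMARY KEY, company TEXT, "
               "url TEXT, application_url TEXT)")
    db.executemany("INSERT INTO jobs (company, url, application_url) VALUES (?, ?, ?)", ROWS)
    return db

def stripped_pattern(target):
    # Pre-fix behaviour: the query string is dropped before building the LIKE pattern.
    p = urlsplit(target)
    return f"%{p.netloc.removeprefix('www.')}{p.path}%"

def matches_before(db, target):
    # Every row the old OR'd predicate accepts; LIMIT 1 without ORDER BY picked one of these.
    pat = stripped_pattern(target)
    sql = ("SELECT company FROM jobs WHERE url = ? OR application_url = ? "
           "OR url LIKE ? OR application_url LIKE ? ORDER BY id")
    return [r[0] for r in db.execute(sql, (target, target, pat, pat))]

def variants(target):
    # Same URL under http/https, with and without a trailing slash; query string kept.
    p = urlsplit(target)
    query = f"?{p.query}" if p.query else ""
    base = p.path.rstrip("/")
    return [f"{s}://{p.netloc}{path}{query}"
            for s in ("http", "https") for path in (base, base + "/")]

def lookup_after(db, target):
    # Exact match first, then exact match on the enumerated variants; otherwise None.
    for candidates in ([target], variants(target)):
        marks = ",".join("?" * len(candidates))
        sql = (f"SELECT company FROM jobs WHERE url IN ({marks}) "
               f"OR application_url IN ({marks}) ORDER BY id LIMIT 1")
        row = db.execute(sql, candidates * 2).fetchone()
        if row:
            return row[0]
    return None
```
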