Not sure if this is a wider issue or not...

This is in Chrome 43.0.2357.134, Mac OSX 10.10.3

There's a .__init__.py file in retirement_api/utils. Can it be removed?

Regular Expression Denial of Service

High severity
Vulnerable module: minimatch
Detailed paths

Introduced through: retirement@cfpb/retirement#ebcfc7198ec2a9d390ea7f884a931f25dffe1646 ›
[email protected] › [email protected] › [email protected] › [email protected]
Introduced through: retirement@cfpb/retirement#ebcfc7198ec2a9d390ea7f884a931f25dffe1646 ›

minimatch is a minimalistic matching library used for converting glob expressions into JavaScript RegExp objects.

An attacker can provide a long value to the minimatch function, which nearly matches the pattern being matched. This will cause the regular expression matching to take a long time, all the while occupying the event loop and preventing it from processing other requests and making the server unavailable (a Denial of Service attack).

"The Regular expression Denial of Service (ReDoS) is a Denial of Service attack, that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a Regular Expression to enter these extreme situations and then hang for a very long time."

The team came up with the following hypothesis for our first round of testing (that could potentially flow through to further rounds):

If we present a simple UI that progressively inquires for information a little at a time,
Then consumers will become engaged in the process of learning more about their own retirement.

Other questions that the team brought up to answer: (go ahead and comment to add more, guys!)

• Is this step by step website how people in our target age group (50 - 62) want to engage in a digital product?
• Do people think about retirement?
• How are users creating their retirement plans?

Our first test script will also be added to this thread, for review/revision/refinement/whatever.

Somehow the tool is not prorating the monthly increase after FRA for cases of people who are past their FRA. For example someone who is age 69 and 11 months, should see the benefit increase at age 70 (one month later) by only (.006666666) (that is 2/3 of 1%). Therefore, in the attached example of someone born 1/1/1946 the value for age 70 should be $1,854 rather $1,989 than a full 8% as shown.

Looks like the HTML coming back from Social Security broke (also broken on the live production site). Seems that the HTML coming back from the request is no longer complete (cuts off after the commented out table), so the data points searched for in the HTML are not found.

The tool is non-functional in IE8. After clicking "Get your estimates", here's what I see:

Here are the reported JS errors:

Message: Invalid argument.
Line: 11
Char: 24781
Code: 0
URI: http://www.consumerfinance.gov/static/retirement/js/raphael-min.js

Message: Object doesn't support this property or method
Line: 489
Char: 5
Code: 0
URI: http://www.consumerfinance.gov/static/retirement/js/claiming-social-security.js

Message: Script error
Line: 0
Char: 0
Code: 0
URI: http://www.googletagmanager.com/gtm.js?id=GTM-KMMLRS

Message: Script error
Line: 0
Char: 0
Code: 0
URI: http://www.googletagmanager.com/gtm.js?id=GTM-KMMLRS

Message: Script error
Line: 0
Char: 0
Code: 0
URI: http://www.googletagmanager.com/gtm.js?id=GTM-KMMLRS

Message: Script error
Line: 0
Char: 0
Code: 0
URI: http://www.googletagmanager.com/gtm.js?id=GTM-KMMLRS

Message: Failed
Line: 11
Char: 20441
Code: 0
URI: http://www.consumerfinance.gov/static/retirement/js/raphael-min.js

Message: Failed
Line: 11
Char: 20441
Code: 0
URI: http://www.consumerfinance.gov/static/retirement/js/raphael-min.js

Message: Script error
Line: 0
Char: 0
Code: 0
URI: http://www.googletagmanager.com/gtm.js?id=GTM-KMMLRS

I see lots of good stuff going on in here,, feel free to ask me or the software delivery team if you need help setting up browser, API, performance tests, we're more than glad to help you get started :)

We'll start setting up BDD security testing for this project soon.

There are already tests for bad responses from SSA in the retirement_api.utils package, but there do not appear to be any tests further up the stack. How to the views handle it? What's that look like client-side?

This could simply be a "they are" and close the issue, but I just want to be sure. The screen scraping is scary (and I know it's scary to you too, @higs4281).

The browser tests test for the results of entering age/salary/etc data, but do not currently test for the results of user selections in the decision tree that follows.

Hey FPO,

There's a small issue in the footer, where extra code for .cf-icon shrinks all the icons we have the footer. Ideally those styles should be coming in from Capital Framework and any non-standard sizing should be handled through another class to not conflict with other .cf-icons. Deleting this line should fix the issue, but L1103-1111 could be removed to have Capital Framework handle any future changes.

Current behavior

Viewable at http://beta.consumerfinance.gov/retirement/before-you-claim/

Expected behavior

Can you fix it?

@niqjohnson @mistergone 🙏

Django Rest Framework is listed as a requirement in requirements.txt and will be installed by pip, but it's not being used. Can we remove it?

Entering an invalid date such as February 29, 1952 returns a 500 error from the API:

http://www.consumerfinance.gov/retirement/retirement-api/estimator/2-29-1952/10000/

The frontend just spins indefinitely with no indication that the input was invalid:

Expected behavior is that the API should return a 400 Bad Request (to be consistent with handling of other invalid inputs) and that some kind of error should be reflected in the UI.

Please include screenshot.png in the root of the repo with ![Screenshot](screenshot.png) at the top of the Readme.md per https://github.com/cfpb/open-source-project-template direction.

Yay retirement repo! Let's start talking about our initial ideas/sketches for what this thing might be. I'll start with some of my rough sketches and a few other ideas I've been thinking about.

Excited to hear feedback and see everyone's ideas!

Sketches

Age sliders

The first of three variations on a theme.

This concept starts off with two visualizations that compare retirement income if you claim Social Security at two different ages. This visualization can either be generic or generated from your inputs of age, income, savings, expected claiming age, etc. Initially, the visualization on the left is for a later claiming age, and the one on the right is for an earlier claiming age. We might think about including things like survivor benefits in this comparison to get you thinking about some uncomfortable facts that you might otherwise ignore (i.e. you die before your spouse).

Following that is one or more stories (either fictional or from real people) that present the claiming decision from an outside perspective.

Last, there are alternative claiming scenarios/action steps you can take to claim later if you want to.

Category comparisons

The second of three variations on a theme.

This has a lot of elements from the concept above, but they're more granular (Social Security income is broken out from personal savings) and explicitly compared.

Also, this concept compares lots of factors other than income that may have a bearing on your decision of when to claim: free time, declining health, etc. The examples in this concept now are mostly made up, but the idea is that your claiming decision is going to be based on more than just a Spock-like assessment of when is most financially logical.

See the effects

The third of three variations on a theme.

Here, a lot of the same visualizations are present from the first two concepts, but they're all overlaid on each other to give a more integrated view of your post-retirement finances. Again, this visualization may be generic or may take into account user inputs we decide to as for. As always, non-optimal claiming choices are framed as losses rather than optimal choices being framed as gains.

Following the One Graph to Rule Them All are alternate strategies that you can explore. Hitting that "see the effect" button will shift your graph to see what, say, claiming later will do for you.

This concept ends with stories from other people, again to help bring an outside perspective to the claiming decision and as a way for us to gently prompt you to think about what will happen to your plan if it doesn't go as planned (hey-o!).

Giant timeline

A totally different approach from the first three concepts, this one pretty much requires you to put in some basic info in a previous step. From that info we whip up a timeline of your financial life from today through the great unknown showing expected income, expenses, and places where you might be leaving "money on the table." Your inputs are shown above the timeline and could be sticky so that you can see how changing an input might change your timeline.

Alongside that timeline are action steps around how you can change your financial future (claim later, work longer, pay off debt now, etc.) with links to more information, as needed.

After your timeline are alternate timelines that give you options you might not have thought of.

Action steps

This concept ditches a single, large visualization for a series of smaller ones and is much more focused on action items to change your claiming strategy rather than a graph of your retirement finances.

Like the previous concept, this one depends on collecting input on your current situation as a first step. From there, though, the output is organized into action items you can take to optimize your claiming strategy. Each step would have a little visualization with it to show how implementing the item would change your plan. We could have a repository of lots of different action items and only show the, say, three most relevant to each user.

This might be a good concept to explore if we want to move away from gathering the standard info (age, income, etc.) in the first step and instead want to focus on questions that get more at why you may want to claim early, like "are you worried about being forced into retirement by a layoff?" or "do you expect to retire early because of health concerns?" The action items could be a good way to start addressing those reasons for not claiming optimally (this idea comes from Melissa's research, "According to EBRI's (2006) report, 38 percent of individuals reported retiring early; although 39 percent of early retirees surveyed said they did so because they could afford to, 24 percent reported that they wanted to do something else and 22 percent indicated that they retired early for family reasons. If individuals in those latter two groups have little personal retirement savings and no pension, they will quite likely claim Social Security benefits upon retiring." http://www.ssa.gov/policy/docs/ssb/v71n4/v71n4p15.html)

Just wait!

This concept came from an offhand comment I made after a meeting that maybe our MVP is a single web page that says "Just wait six months!"

What if we actually structure the tool that way, though? You come to the tool, tell us when you're thinking of claiming and how long you might be willing to hold off (or another consideration that might impact your claiming strategy, like a layoff or sick spouse), and we show you what would happen. You'd have the option of entering more information about your specific situation to get a really customized report. We'd also give you action items on how you can fit whatever event you've selected into your retirement plan.

Affective forecasts

This concept is heavily influenced by the "Predicting Future Happiness" section at http://www.ssa.gov/policy/docs/ssb/v71n4/v71n4p15.html. Basically, humans are terrible at accurately predicting how they'll feel in the future, so we'll help them out by asking (sometimes pointed) questions that could affect their decision of how to claim. We'll provide feedback based on their answers.

The sketch has all the questions and feedback on a single page, but questions could come on one page, followed by feedback on the next.

Other ideas

• One-month graph view instead of multi-year graph to focus in on a single, representative month and prevent information overload
• Play with sliders to see how changing inputs affects outputs

There are several numbers in the ss_calculator.py file that are undocumented, and it's unclear what their meaning is. Can we document them, so that someone coming to the project in the future can understand what's going on here?

Spanish page title shows up as half English and half Spanish
http://www.consumerfinance.gov/retirement/before-you-claim/es/

it appears as "Before You Claim | Oficina para la Protección Financiera del Consumidor"

the "Before You Claim" portion should probably also be translated to Español

I'm thinking that the YYYY place holder should be AAAA for Español readers. See current place holder below:

I noted on /utils/ss_calculator.py and ss_update_stats that you are importing lxml. Using lxml to parse untrusted XML data is known to be vulnerable to XML attacks. Perhaps you could replace lxml with the equivilent defusedxml package.

Hello Team,
I have reviewed the source codes and found few security issues that I would like to discuss with anyone available.

This only happens when I set my browser zoom higher than 100%.
The attached screenshot is with 110% browser zoom on Chrome

In the tests for the Django queries, can we assert something more than that they return lists? That just ensures that the Django query API works.