QA Exercise 6

Exercise · Bug Hunt (File Uploader & Image Preview)

QA · Hands-on

Upload files, preview images, and start a mock upload. Find defects in validation, progress, and security using STR → Expected vs Actual → Severity/Priority → Recommendation.

Intentionally buggy: any file type allowed, size check wrong, filename rendered unsafely, progress jumps or exceeds 100%, cancel doesn’t stop, “Remove” deletes the wrong row, total size desyncs, duplicate names overwrite.

Choose files

or drag & drop files here

Tip: try an image, a large file, and rename one to include <script> in the filename.

Total: 0 MB

🎯 Instructions (Oral) task flow

Add several files including a non-image (e.g., .exe or .zip) and a large file; duplicate a filename.
Rename one file so the name contains HTML-like text (e.g., <b>bold</b>.png) and observe the preview row.
Start upload; watch progress bars jump, exceed 100%, or finish instantly; click Cancel and note if it actually stops.
Click Remove on a row; check which row is removed and whether total size updates correctly.
Present your spoken bug report: Title → Steps to Reproduce → Expected vs Actual → Severity/Priority → Recommendation.

📖 Vocabulary definitions

client-side validation — checks performed in the browser before sending data.
server-side validation — authoritative checks on the server after upload.
content type (MIME) — the declared type of a file (e.g., image/png).
extension spoofing — misleading the app by renaming a file’s extension.
progress reporting — UI feedback indicating upload percentage.
idempotent — repeated actions produce the same outcome (e.g., cancel reliably stops uploads).
sanitize / escape — render text safely so markup isn’t executed.
quota — the maximum allowed size or number of files per upload.

🧩 Collocations natural pairings

enforce file types / reject disallowed extensions
verify MIME type / detect spoofed files
cap total size / validate per-file limits
update progress / handle cancellation
escape filenames / sanitize previews

🗣️ Idioms & Phrasal Verbs natural speech

slip through — get accepted when it shouldn’t: “Executable files slip through.”
paper over — hide without fixing: “Fake progress papers over failures.”
lock down — secure tightly: “We need to lock down filename rendering.”
line up with — match: “Totals don’t line up with the actual bytes.”
track down — find the root cause: “Track down the off-by-one in delete.”

🎤 Model Answer (spoken style) example

Bug title: Uploader accepts unsafe files, renders unescaped filenames, and progress/cancel logic is unreliable; removing a file deletes the wrong row and totals desync.

Steps to reproduce: Add a .exe and a large file; add two images with the same name; rename one to <b>bold</b>.png. Start upload, then click Cancel. Click Remove on the first row and observe which row disappears. Check total size.

Expected result: Disallowed types rejected; accurate per-file size checks; filenames escaped; progress increments consistently 0–100% and cancel stops reliably; remove targets the clicked file; totals recomputed exactly.

Actual result: Executables accepted; weak size check; filename markup renders; progress jumps and exceeds 100%; cancel doesn’t stop; remove deletes the next row; total size is sometimes stale.

Severity / Priority: Critical for security (P0) + Major for UX (P1) — unsafe files and XSS risk.

Recommendation: Enforce allowlist (image/*, etc.) with server-side MIME verification, cap size with precise bytes, escape filename text, make cancel idempotent, map actions via stable IDs (not indices), and recompute totals from state after each mutation.