Project Details
arena
solutionbowl/arena · Bitbucket · Default branch main
Security Findings
Low security scores and security-related AI review notes.
| Commit | Security Score | Finding | Date |
|---|---|---|---|
| 9d5138d3 | 60 | The commit adds wagering progress display in the profile header and withdraw step components, including user state synchronization via AuthService. It improves user experience but has some quality and security risks due to possible incomplete or unclear implementations and a typo in the commit message. | 27 Feb 2026 |
| 1a39df8f | 50 | The commit introduces fetching user data on mount in two components and adds a wagering progress bar UI. However, user data properties used for wagering are placeholder and may not match actual structure leading to potential runtime issues. The security and bug risk are moderate due to reliance on external AuthService and lack of error handling. The commit message is unclear and non-descriptive. | 27 Feb 2026 |
| 056a1b4c | 60 | The commit introduces UI components and minor script updates including adding a robots meta tag conditionally and using UTM parameters for cookies. The components have consistent styling and UX elements like dropdowns and balance displays, enhancing user interaction. There is some risk of stale or improperly set meta tags due to the conditional and no cleanup logic. Console logging remains, which is undesirable in production code. UTM cookie handling lacks validation or expiration checks other than a static 30-day expiry. Overall, the changes provide business value through better tracking and UI updates, but some areas could improve in robustness, security, and cleanliness. | 09 Mar 2026 |
| be611368 | 30 | This commit adds push notification analytics calls at various points in wallet-related pages for deposit and withdrawal processes. While this adds business value for tracking user actions, there are security and bug risks since sensitive bank account details are sent in push notifications, and some data sanitization or encryption is missing. The commit message is uninformative. Some UI text changes are included that improve UX. | 12 Mar 2026 |
| 6a980973 | 30 | This commit integrates 'sendExtrampush' tracking events into wallet withdrawal and deposit flows, likely improving analytics and business insights. However, there is a likely typo in the event payload key 'ifsc_code' incorrectly labeled as 'ifsc', and potential exposure of sensitive bank details in tracking events raises security concerns. The commit message is vague and uninformative, reducing clarity on what changes have been merged. | 12 Mar 2026 |
| 39d63964 | 60 | The commit integrates additional event tracking calls across wallet deposit and withdrawal flows using extrampush. Minor UI tweaks and conditional rendering are present in BonusCard and WithdrawStep1 components. However, a significant security concern arises from sending sensitive bank account details (account number, IFSC) in an event logging call, which poses privacy risks. The commit message is generic and uninformative. | 12 Mar 2026 |
| 29bf6fa8 | 30 | The commit adds new UI components and logic related to bonuses and user bonuses, along with integration of extrampush notifications in wallet operations. However, there are inconsistencies such as a clear typo in object keys that can lead to bugs ('ifsc_code' key is misspelled as 'ifsc' in the extrampush call). The commit message is non-descriptive and lacks meaningful information. Also, some logs (console.log) remain which are not ideal in production code. The business-related UI improvements and notification integrations add value, but there is moderate bug risk and security concerns due to handling of potentially sensitive banking details in push notifications without clear sanitization or security considerations. | 13 Mar 2026 |
| a5165e23 | 40 | The commit appears to relate to a correction for bank account length 0 issues in the WithdrawStep1.tsx file. However, the changes mainly consist of added UI elements and styling with limited explicit logic addressing the bank account length validation. There is also a lack of clear comments or tests ensuring the fix is comprehensive. The commit message is vague and does not describe what was changed or how it fixes the issue, reducing overall clarity and reviewability. | 20 Mar 2026 |
| 65a60b2a | 50 | The commit merges code including UI changes for withdrawal amount input with validation and bank fetching error handling. Improvements are needed in input validation, error handling, and code clarity. The bug risk is moderate due to limited input validation and unclear handling of empty bank accounts. | 20 Mar 2026 |
| c8049cb5 | 30 | The commit merges a branch containing a component for a wallet withdrawal step with UI components and Redux state linkage. However, the commit message is uninformative, lacking detail about changes or motivation. There are commented-out code lines indicating possibly incomplete or uncleaned work. Error handling is minimal, only logging errors without user feedback or retry mechanisms. The code allows only digit inputs for withdrawal amounts, but does not check upper limits or invalid zero-length inputs robustly. The security concerns are elevated since withdrawal operations require strong validation and error handling. Style and layout code seem standard but could be modularized. | 23 Mar 2026 |
| fc8b1b8d | 30 | The commit introduces encryption utilities for sensitive data like phone numbers and integrates these into authentication components. The addition of crypto-js dependency and usage of SHA256 for key and IV derivation improves security over plain text but is undermined by hard-coded default keys and IVs, posing a security risk if environment variables are not set. There is also a minor typo in one file (`contryCode` vs `countryCode`) which may lead to bugs. The overall code integration adds business value by encrypting sensitive user data but needs improvement in secure key management. The commit message is generic and uninformative. | 23 Mar 2026 |
| aca55a55 | 50 | The commit adds support for a 'provider' parameter from URL params, stores it in a cookie, and utilizes it in login and signup flows. This enhances tracking and attribution capabilities which has business value. However, the commit message is too minimal and uninformative. There is no apparent validation or sanitization of the 'provider' parameter, which could pose a security risk. The code repetition in accessing cookies and URL params might be reduced for better maintainability. | 20 Feb 2026 |
| 23b68cb2 | 40 | This commit adds handling and propagation of a 'provider' parameter through URL params, cookies, and auth service, improving tracking and potentially user experience. However, the security implications of storing the 'provider' in cookies are not addressed, and there is a risk of inconsistent or missing 'provider' values leading to bugs. The commit message lacks detail, making it harder to understand the purpose of the changes. | 20 Feb 2026 |
| 4b3690be | 40 | This commit merges a test pull request that adds handling of 'provider' in URL parameters and cookies, updates Auth and SignUp pages to handle this new parameter, and includes substantial CSS styling additions. While functionality for handling provider parameter improves tracking and potentially business analytics, the commit message and code lack context and clarity. Multiple CSS changes increase UI quality but do not affect application logic. | 20 Feb 2026 |
| 6312d677 | 50 | The commit introduces Toast alerting on error response in WalletDrawer component, but the commit message is non-descriptive and the code addition is minimal and not well formatted. | 25 Feb 2026 |
| 7ab8fabf | 50 | The commit introduces a small code snippet that handles an error case by showing an alert. However, the changes are minimal, lack context, and have formatting issues. The commit message is vague and uninformative, making it difficult to understand the purpose or impact of the changes. | 25 Feb 2026 |
| bf9bf9fd | 80 | The commit attempts to fix a toLocaleString issue by correctly applying it to numeric values. However, unnecessary logging and potential missing dependencies in useEffect reduce code quality. The business impact is moderate as it improves UI display but lacks unit tests and proper error handling. Security is not a major concern here but could improve with better data validation. | 27 Feb 2026 |
| 08fb65f9 | 95 | The commit addresses the formatting of monetary amounts using toLocaleString for better number display consistency across the app. This improves user experience and code uniformity. The changes touched multiple components presenting amounts. There is minimal bug risk and no known security implications. Business value is positive as correct display of amounts is essential. Fake work risk is low since the changes are concrete and meaningful. | 27 Feb 2026 |
| 31f0bd16 | 90 | This commit fixes the usage of toLocaleString for number formatting throughout various UI components. It improves display of localized numbers for amounts and balances, enhancing user experience and correctness. The implementation appears consistent and well-integrated. Since it focuses on UI formatting, it has moderate business value and low bug risk. There are no visible security concerns or fake work indications. | 27 Feb 2026 |
| 4ab63193 | 60 | The commit fixes potential NaN display issues by adding checks and fallbacks, improving UI robustness. However, use of console.log and missing context on error handling impact quality and security. Commit message is vague. | 27 Feb 2026 |
| 364c4864 | 50 | The commit adds NaN correction handling for wagering progress and formats numbers for display, which improves the user interface reliability. However, a console.log statement remains in production code, which lowers code quality and security score. The error handling with toast alert improves user feedback but could be more consistent. | 27 Feb 2026 |
| 8301abb7 | 40 | The commit adds a conditional meta tag injection for 'noindex,nofollow' based on an environment variable. This helps prevent indexing in staging environments but uses client-side script injection, which might be less reliable. | 02 Mar 2026 |
| d619f386 | 50 | The commit updates how toast error messages are shown in the wallet drawer by calling toast?.showAlert with an empty title and a response message. However, the empty title may reduce clarity, and there's limited context about error handling. | 02 Mar 2026 |
| 21c36bf4 | 60 | Adds a noindex meta tag based on environment variable and updates toast error message usage in the wallet drawer component. The quality is moderate due to unclear toast usage and missing error label. Business value is limited to minor UI feedback improvement. | 02 Mar 2026 |
| 2955e87b | 50 | This commit adds a toast notification for a withdrawal operation failure, but the change lacks detailed error handling and proper formatting, reducing overall code quality and clarity. | 03 Mar 2026 |
| a55d954c | 50 | The changes introduce a toast alert on a withdrawal operation's response with minimal context and no error handling. The commit message is vague and does not clarify what exactly was fixed. | 03 Mar 2026 |
| aa25e773 | 20 | This commit is a merge commit with no actual code changes shown. It likely merges updates from the main branch into a feature branch. | 20 Mar 2026 |
| f8f42b0e | 60 | The commit adds a 'parentProvider' parameter to user OTP verification flow by passing it through URL parameters, cookies, and service interfaces. This likely improves the business value by enabling parent provider tracking or related features during authentication. However, there is moderate bug risk and security risk as the parameter is stored in cookies, potentially without validation or sanitization, which might lead to security vulnerabilities or bugs. The changes appear genuine but somewhat minimal and straightforward. | 20 Mar 2026 |
| f2bb8ecb | 40 | Added handling of 'parentProvider' parameter in various parts of the authentication flow, including setting it in cookies and passing it in login/signup requests. This adds some new capability but lacks validation, error handling, and documentation. | 20 Mar 2026 |
| dea1f1d0 | 40 | This commit adds user phone number handling by combining country code and phone, and attempts to send it via an external push function. It also adds an optional countryCode property to the user type definition. However, the commit message is unclear, and the implementation lacks validation or error handling, which could introduce bugs or security risks. | 20 Mar 2026 |
| 6ee8f7fe | 40 | The commit adds handling of the 'parentProvider' parameter via cookies and passes it through authentication-related components and services. The changes improve the tracking of referral/source information but have minor issues in commit message clarity and lack of validation/security enhancements. | 20 Mar 2026 |
| f0070233 | 20 | The commit attempts to use the user's phone number by concatenating countryCode and phone, then sends this information to an external push notification service. However, it lacks validation, error handling, and does not handle privacy or security concerns. | 20 Mar 2026 |
| 8c0877e3 | 40 | The commit adds handling of a phone number by concatenating country code and phone, and sending it to an external push function. The countryCode field was also added as optional in types. There is potential null/undefined access without validation, and weak typing of phone number input. The commit message is a standard merge with no useful information. | 20 Mar 2026 |
| 4a2c97d8 | 70 | The commit adds a console error logging on a fetch failure in WithdrawStep1.tsx, but the commit message is poor and uninformative. The code improvement is minimal, and the error handling could be enhanced for better reliability. | 20 Mar 2026 |
| a004ed30 | 40 | This commit adds encryption functionality using the crypto-js library for sensitive data handling, which improves data security and business value. However, the encryption key and IV are derived from environment variables with fallbacks to hardcoded secrets, which is insecure. The key and IV processing seem incorrect and do not adhere to standard AES key/IV length requirements. Additionally, there is a typo in the Registation.tsx file (variable 'contryCode') that may cause runtime bugs. The commit message is a misspelling and lacks detail. | 23 Mar 2026 |
| 806b9cef | 30 | This commit adds a Terms and Conditions link to the registration page with a simple hover effect. The code change is straightforward but does not introduce significant new functionality or security measures. The commit message is misspelled and does not accurately describe the change. | 23 Mar 2026 |