Project Details
xellion-frontend
solutionbowl/xellion-frontend · Bitbucket · Default branch main
Security Findings
Low security scores and security-related AI review notes.
| Commit | Security Score | Finding | Date |
|---|---|---|---|
| c305fdad | 30 | The commit initializes the project with boilerplate files, environment variables, .gitignore updates, README, and a package-lock.json with dependencies. While it sets a foundation for the project, it lacks detailed commit messaging and there are minor issues like typo in the environment filename. No actual code implementation or business logic is introduced. | 07 Feb 2026 |
| 8d7e3aa8 | 60 | This commit adds a user-facing success and failure flow for crypto deposit payments with UI feedback and navigation, including callback URLs and parameter handling. Good UX improvements are present but logging sensitive parameters to the console could be a security concern. The commit message is vague and does not describe changes made. | 10 Feb 2026 |
| e40474ac | 20 | This commit primarily updates package dependencies and adds a new React component for Pay777 payments along with additional constants for payment gateways. However, the commit message is vague, provides no context or details of the implementation, and there is no actual API integration code visible in the diff, reducing confidence in the business value. The large updates to package-lock.json suggest dependency additions but without usage examples or explicit integration shown, it is difficult to assess thoroughness or security implications. The new component includes some basic state and effect hooks with no visible error handling or edge-case management yet, increasing bug risk. Security implications of the payment process integration are unclear from this diff. The lack of tests or example usage is a limitation. | 16 Feb 2026 |
| b5f5c1d2 | 50 | This commit adds API integration work including new dependencies for QR code generation and UI icons, plus a new React component for payment processing with Pay777 UPI support. The code introduces some useful features but lacks detailed error handling and security controls for payment flow and file uploads. The commit message is minimal and unspecific. | 16 Feb 2026 |
| 8535baad | 40 | This commit adds new deposit steps and UI components for payment success and failure, integrating images and route handlers. The UI components include styled buttons and navigation flows. However, the commit message is not descriptive, and the newly added UI code lacks form validation or error handling. No security-sensitive code changes are observed, but email address used for contact is hardcoded. | 18 Feb 2026 |
| 0037ae79 | 40 | The commit adds UI routes, components, and assets related to deposit steps and payment success. The changes improve user experience by introducing new steps and a success confirmation page. The code appears clean with clear component structure and styling. However, some improvements in asset management and security practices could be made. The commit message lacks detail which lowers confidence but the diffs show meaningful additions. | 19 Feb 2026 |
| 957b7b8a | 40 | The commit adds a comprehensive .gitignore file and README.md with common React app setup instructions and also shows a package-lock.json partial content. However, it lacks code changes and meaningful implementation, and the commit message is uninformative. There might be redundancies in .gitignore (e.g., duplicate 'dist/') and security concerns as environment files are ignored, which is good, but no further security improvements are shown. Providing more descriptive commit messages and ensuring .gitignore is tailored to the specific project would improve maintainability and usefulness. | 20 Feb 2026 |
| f6f6fc35 | 60 | This commit adds routing flows, a responsive dashboard layout with sidebar and header components including logout functionality, and some UI improvements. The structure is clear and uses React Router and state management appropriately. However, the commit message is too vague and uninformative. There is a potential security issue regarding the logout implementation that simply removes a token from localStorage without additional safeguards. | 20 Feb 2026 |
| 3abf1341 | 40 | The commit merges a feature branch and adds a commonly used .gitignore file, along with a README.md with usage instructions, and a package-lock.json that locks dependencies. This represents foundational setup work. However, the commit message is generic and does not explain the change well, README content is generic boilerplate, and .gitignore entries include sensitive files like .env.* which may indicate partial environment file management security considerations. No application code or feature changes were made, so business impact is limited. The risk of bugs introduced is low for this commit but security risks exist if .env files are not properly handled. | 20 Feb 2026 |
| e18880de | 45 | This commit adds handling for storing API tokens on login and automatically logging out users on 401 response errors, which improves user session handling and security. However, storing tokens in localStorage and using window.location.href redirects have security and user experience drawbacks. Additionally, lack of token expiration management and insufficient error handling reduce overall robustness. | 20 Feb 2026 |
| dbd3a405 | 45 | The commit adds token handling in the login page and sets up an interceptor to auto logout on 401 errors by clearing session data and redirecting to login. While this improves the user authentication flow, it uses localStorage for token storage, which has security implications. Lack of thorough error handling and security measures like token expiration checks or refresh tokens is noticeable. Console logging sensitive information should be avoided. | 20 Feb 2026 |
| 85f8e17c | 70 | The commit introduces UI changes that add authenticated routing protection and a deposit amount input component with validations and user interaction improvements. The use of ProtectedRoute enhances security by redirecting unauthorized users. The deposit input component manages input with value synchronization, formatting, and increment/decrement controls effectively. | 20 Feb 2026 |
| db575ad3 | 70 | The commit adds UI changes introducing ProtectedRoute component for authentication guarding of routes, improves user experience in deposit amount input with validation and formatting, and adds favicons. It generally has good quality and security practices with clear input validation and use of localStorage token checks. However, the commit message is very generic and non-descriptive. There are some minor concerns like lack of error handling if user/token info is corrupted or missing, and no unit tests shown for new components and functions. Business value is reasonably good as this improves critical app navigation flow and UX for deposit amount input. | 20 Feb 2026 |
| 6e83f608 | 60 | This commit adds support for non-India payment methods, including data definitions and UI handling. The implementation integrates with backend services for payments and manages state well. However, naming inconsistency (pmTag used twice in getPaymentData), lack of input validation, error handling could be improved, and some redundant data may exist. The commit message is very minimal and does not explain the scope or impact of the changes in detail. | 27 Feb 2026 |
| eaa8b9c4 | 50 | The commit introduces a new non-India payment methods constant and integrates handlers for multiple payment methods in DepositStep3.tsx. The implementation handles UI selection and API calls for different payment options with appropriate loading and error states. However, the commit message is minimal and lacks detail. There are console log statements left in the code that may expose internal details in production and reduce code cleanliness. Type safety is reasonable but could be improved by better error typing. There is some repetition in wire payment methods, and the error handling could be more robust. Overall the business value is good due to the added payment methods and flows, but quality and security could be improved. | 27 Feb 2026 |
| 3bf8b856 | 60 | The commit integrates a Withdrawal feature including UI components and routing. It adds supporting payment gateway data structures and hooks. The core functionality is implemented clearly with usage of protected routes and data flow for crypto payment initiation. However, minor issues such as repeated route element for /withdrawal/step-4 and commented out code in hooks could be cleaned. The commit message lacks meaningful description. Some security practices and error handling could be further improved. | 20 Mar 2026 |
| 1f4a7da0 | 70 | The commit introduces a new payout feature with input validation, success/failure UI states, and API integration. The code shows good structure with clear input handling and error feedback. However, it lacks detailed error handling for specific API errors, does not sanitize or validate sensitive inputs (like document number), and prints sensitive data in console logs. | 26 Mar 2026 |
| 08aff332 | 20 | The initial commit adds a comprehensive .gitignore file aimed at excluding common build artifacts, IDE files, and OS-generated metadata. This is a useful baseline for quality but does not contribute directly to business functionality or security. The ignore patterns include redundant entries (e.g., 'dist/' appears twice). | 07 Feb 2026 |
| e0090332 | 35 | The commit modifies the base URL in the API service to use an environment variable, which improves configuration flexibility but lacks context and detailed commit message. The impact is moderate but the change is minimal and could benefit from better documentation and error handling. | 07 Feb 2026 |
| 606dd1c4 | 50 | The commit updates the API URL by changing the base URL to an environment variable. This improves configurability, but the commit message is very minimal and the change lacks context or validation. | 07 Feb 2026 |
| b011420f | 30 | The commit adds TypeScript interfaces and constant arrays defining crypto and payment gateways with useful utility functions to map these. The code is well structured and largely free of errors. However, missing test coverage, lack of detailed comments especially on the utility functions, potential implicit assumptions in id mapping, and inability to handle unexpected inputs gracefully reduce scores. The security risks are low but non-zero since payment gateway data might impact payments if corrupted. Business value is decent but limited as it only introduces data and lookup methods without integration or validation. | 09 Feb 2026 |
| 7be21d70 | 45 | The commit introduces dynamic user data fetching for payment processing and adds callback URLs for payment status. While this increases business value, there are several quality and security concerns. The use of hardcoded fallback user data potentially leads to inaccurate payment data and may cause issues in production. The IP address is hardcoded, which may not reflect real user info. Some deprecated code remains, and error handling is not visible in the added code. Environment variables are used for API base URL, which is good. Overall, the changes add useful features but can be improved for robustness and security. | 10 Feb 2026 |
| 844299a5 | 30 | This commit adds frontend logic and related service calls to handle payment processes including wire payments. However, there are many console.log statements indicating leftover debugging code and incomplete error handling. The commit message is vague and non-descriptive. Type declarations are added which is positive, but hardcoded fallback values reduce robustness. Some security-sensitive data handling (user IDs, payment amounts) is done with default fallbacks which can be risky. Redirection is performed based on response data without strong validation. | 16 Feb 2026 |
| 8f51bda5 | 50 | The commit adds support for Pay777 bank transfer as a payment gateway specifically for domestic wire transfers with appropriate UI changes and fallback handling. However, some payment methods are disabled or commented out and default hardcoded values exist in the PaymentDetails component. Logging is verbose and error handling could be more robust. The commit message is very generic. | 18 Feb 2026 |
| 6dea2467 | 60 | This commit adds bank payment gateway support using Pay777 for domestic wire transfers and updates related components accordingly. It removes deprecated wire transfer handling code and conditional rendering for payment methods. The PaymentDetailsForm component uses default values if none are provided. The payment creation logic in usePay777Payment hook includes proper error handling. However, disabled international wire transfers and commented out code can be improved. Also, logging sensitive payment information to the console might pose a security risk. | 18 Feb 2026 |
| a8a06d89 | 5 | The commit updates the title tag in the index.html file. The change is simple and low risk but provides minimal business value and does not impact security or bugs significantly. The commit message is non-descriptive and not informative. | 20 Feb 2026 |
| df19ab62 | 10 | The commit changes the HTML title to 'Xillion' and updates the commit message with minimal detail. The change is straightforward but provides limited business impact or detailed documentation. The commit message lacks clarity and context. | 20 Feb 2026 |
| 3294cefd | 50 | The commit adds functionality to fetch and display pending payments for users, implements a payment processing time utility, and enhances the UI to show relevant payment information. The code shows proper async handling, error logging, and UI updates based on loading state and data presence, adding clear business value. However, there are risks around fallback user ID usage and limited input validation, as well as lack of comments in UI components and security considerations for localStorage use. | 21 Feb 2026 |
| def5e140 | 70 | The commit adds functionality for displaying pending payments, including fetching data via an API, showing a loading state, and displaying payment processing times for different methods. The code is generally well structured, uses proper React hooks and type definitions, and provides user-friendly UI elements. However, it could benefit from additional error handling and input validation, especially regarding user data and API responses, to reduce bug risk and improve security. The commit message is minimal and lacks detail about changes. | 21 Feb 2026 |
| c2aa484b | 40 | This commit updates the page title and changes loading text strings in the payment creation step, which might improve the user experience slightly. However, the commit message is missing, which reduces clarity and traceability. The changes are minor and do not address any security issues or critical bugs directly. | 21 Feb 2026 |
| cd99ce05 | 20 | The commit updates a page title and enhances user feedback for payment status messages. However, the commit lacks a descriptive message, and the changes are minor and partially incomplete. The ambiguous commit message reduces confidence and business value. Improved commit description and more detailed UI improvements could increase value and clarity. | 21 Feb 2026 |
| 088128fd | 40 | Added multiple USDT token types to crypto gateways with a commented out USD Coin entry. | 06 Mar 2026 |
| b067a3fd | 20 | The commit adds new payment gateway options but lacks context and detailed description. The code changes are minimal and do not include tests or validations. The commit message is vague with minimal explanation, reducing confidence in business value and increasing fake work risk. The security aspect is low, as adding payment gateways typically requires strict validation and security controls, which are not evident here. | 06 Mar 2026 |
| 60c9e75e | 40 | The commit adds new cryptocurrency gateway entries and payment currency options, which likely extends the system's payment capabilities. However, there are no comments or tests to verify these additions, and the commit message is vague, lacking detail about the purpose or scope of the changes. | 06 Mar 2026 |
| d519ec59 | 40 | The commit adds new cryptocurrency gateway entries and new payment currency identifiers. However, the commit message is vague and does not describe the purpose or impact of the changes, reducing traceability. The code changes lack comments or validation, which could introduce inconsistencies or errors. There is no indication of tests or error handling related to the new currencies, increasing bug risk. Security considerations for adding payment currencies are not addressed. | 06 Mar 2026 |
| 5b107ae4 | 30 | This commit adds payment gateway related UI updates and a user country detection feature using an external IP API. The implementation uses local storage to share user country information across components and conditionally modifies the UI for Mexican users. However, the code lacks error handling beyond logging, does not sanitize or validate external data, and could have privacy implications. The commit message is vague and doesn't describe the changes adequately. | 09 Mar 2026 |
| e1628e54 | 50 | The commit introduces a basic payment gateway update and IP-based user country detection to customize UI elements. It enhances business value by supporting localization but has moderate bug risk due to reliance on localStorage and external API calls without fallback or validation. Security could be improved as no sanitization or verification of external data is done. Some questionable naming and missing error handling reduce code quality. | 09 Mar 2026 |