Project Details
xellion-backend
solutionbowl/xellion-backend · Bitbucket · Default branch main
Security Findings
Low security scores and security-related AI review notes.
| Commit | Security Score | Finding | Date |
|---|---|---|---|
| 7088d1f1 | 20 | Initial commit sets up middleware, database connection, and APIs but exhibits several critical issues. Hardcoded credentials and passwords in code reduce security. The auth controller uses plain text password matching instead of hashing, which is a severe security flaw. Logging of passwords is unsafe. Some route imports appear duplicated or possibly incorrect. Environment variables usage is inconsistent, and there is no input validation or sanitization beyond basic presence checks. The commit message has a typo and lacks descriptive content. | 07 Feb 2026 |
| 2573cdbf | 40 | The commit adds a new SDK package for payretailers API including TypeScript type declarations and JavaScript implementation. The overall structure is decent and follows good API SDK patterns. However, the commit lacks tests, usage examples in actual code, and any protective security practices shown explicitly. The commit message is minimal and vague, which reduces confidence in the change. The added API JSON appears correct but no validation or safeguards are presented. | 07 Feb 2026 |
| 1b0b6b90 | 10 | The commit introduces comprehensive payment-related functionality, including webhook routing and various payment controller methods. The code adds validation, error handling, and integration with payment services, which adds business value. However, the direct inclusion of a plaintext database password in src/config/db.js is a severe security risk. Some minor inconsistency in variable defaulting and validation could lead to bugs. The commit message is vague and uninformative. | 10 Feb 2026 |
| 43d6ffa6 | 20 | The commit implements handling of crypto payment callbacks including mapping payment statuses, updating the database schema for new crypto fields, and adding new update fields to the payment service. However, it introduces a hardcoded database password and logs potentially sensitive information, impacting security. Error handling and status mapping are generally good and add business value. | 14 Feb 2026 |
| 435a7152 | 40 | This commit adds integration for the pay777 payment gateway including configuration, service, controller, and route layers. It uses environment variables for configuration but contains hardcoded user data placeholders in the controller. There is risk related to embedding sensitive information directly in the codebase (e.g., database passwords), and the commit message is unclear and misspelled. Error handling and signature generation are implemented, but input parameter validation and dynamic user data handling are insufficient. These factors impact security, bug risk, and overall quality. | 16 Feb 2026 |
| b53766f8 | 65 | The commit adds third-party dependencies and implements a webhook handler with JWT usage and currency conversion logic. The code integrates axios calls, JSON web token signing, and payment status updates. However, error handling is basic, input validation is limited, and there is missing environmental variable validation. The commit message is minimal and typoed ('getway' should be 'gateway'). | 21 Feb 2026 |
| 845689b8 | 30 | This commit adds support for bank transfer API in the 777pay payment system. It introduces new configuration keys for bank access and secret, updates the controller to handle bank payment responses, and conditionally uses the bank keys in the service layer. While the new feature adds business value, the code currently has some security concerns related to handling sensitive keys, along with some potential robustness issues. | 16 Feb 2026 |
| d49003ef | 30 | This commit primarily adds many console.log debugging statements and commented-out code. There are no functional improvements or significant feature additions. The commit message is vague and contains spelling errors. The extensive logging can clutter production logs and may expose sensitive payment data. Commented-out code may increase confusion and reduce maintainability. | 19 Feb 2026 |
| 8d327282 | 40 | This commit adds a new API endpoint to fetch user pending transactions. The implementation is straightforward using parameterized queries which helps prevent SQL injection. However, there is no validation or sanitization of input, and error handling is minimal. The commit message is also minimal and does not provide sufficient detail about the change. | 21 Feb 2026 |
| 6a2bac6d | 30 | The commit adds environment variable configurations for payment gateway URLs and updates webhook handling with basic logging and status mapping. However, the commit message is vague and the code lacks error handling improvements, validation, or security considerations related to payment processes. The code uses console logging which may not be suitable for production. Some variable naming and consistency could be improved for clarity. | 24 Feb 2026 |
| 667f4cb1 | 15 | The commit adds Payretailer payment gateway integration with API calls and payment processing. However, it includes hardcoded sensitive credentials and incomplete error handling. Code quality could be improved by fixing typos and enhancing validation and error responses. The security score is low due to exposed keys in source code. | 27 Feb 2026 |
| 88a9b6e4 | 40 | The commit implements Ragapay payment gateway integration including payment creation and webhook handling. Core functionality is covered, but there are missing best practices around validation, error handling, and secure hash key management which impacts quality and security scores. | 27 Feb 2026 |
| 273a69d1 | 30 | This commit adds support for the 'Ragapay' payment gateway including integration in controller and service layers. It also adds the 'crypto-js' dependency. The implementation has some issues with hard-coded default values, incomplete error handling, consistent naming typos, and debugging console logs left in code. | 27 Feb 2026 |
| 3d688449 | 40 | The commit introduces currency conversion and markup calculations with hardcoded test customer data and console logs scattered in multiple files. Error handling and input validation are missing, and sensitive API keys are accessed directly from the environment without safeguards. The commit message is non-descriptive and unhelpful. | 18 Mar 2026 |
| 243bcc28 | 50 | This commit adds a new payout endpoint and service method to support crypto payouts with the Match2Pay gateway. It implements request validation and uses default values to create a payment payout. The integration with environment variables for URLs and tokens is appropriate. However, the hardcoded test customer data poses a risk and could cause operational issues. The error handling is basic but present. The commit message is vague, improving it would aid maintainability. The code logs sensitive information to the console, which could expose sensitive data. | 18 Mar 2026 |
| baa0916b | 30 | The commit introduces payout functionality for multiple payment gateways including Match2Pay, Pay777, and Payment-Retailer. It covers extracting required fields from requests, currency conversion, and payment record creation. However, it hardcodes sensitive customer data and contact information, which reduces security and quality. Error handling is basic but present. There is also some code redundancy and inconsistent naming in variables and missing validation for some fields. Environment variables are used for API keys and URLs though it is not clear if all sensitive information is managed securely. | 26 Mar 2026 |
| c63ae1c6 | 30 | Initial commit adds a comprehensive .gitignore file with common patterns to ignore build artifacts, logs, IDE files, and media. While it sets a foundation for avoiding committing unnecessary files, it lacks project specificity and does not include any source code or documentation. The commit message is generic and non-descriptive. | 07 Feb 2026 |
| a534eb3b | 50 | The commit adds a new payment API integration (777pay) with code that includes environment-based configurations and new endpoints for creating and submitting payments. The code has basic validation and error handling, but lacks thorough input validation and secure handling of secrets. The commit introduces several dependencies, which could increase attack surface if not audited. The commit message is minimal and does not describe the implementation or usage details. | 14 Feb 2026 |
| 7b4e9f24 | 40 | This commit implements webhook handling for 777Pay payments and adds integration with their service. The webhook handler updates payment status based on notification data, and a new service class provides payment creation, account retrieval, and payment submission features. The code generally follows expected patterns but has some gaps in security validation and error handling robustness. | 16 Feb 2026 |