Project Details

discover_dev

solutionbowl/discover_dev · Bitbucket · Default branch main
Back to Projects

Security Findings

Low security scores and security-related AI review notes.
CommitSecurity ScoreFindingDate
1484ade5 70 This commit introduces a new scheduled console command that sends booking reminders 15 minutes before a booking starts. It also adds a new field to track notification sending, modifies booking history filtering to support new statuses, and updates a console schedule. The implementation is generally good but lacks detailed error handling and logging, and the migration down method mistakenly re-adds instead of removing the column. 08 Jul 2026
17d877d7 20 The commit introduces meaningful backend API changes improving booking history and vendor detail retrieval with better filtering and status handling. The code quality is decent but could improve with removal of commented code to improve readability. There is a critical security issue with hard-coded sensitive keys in the WiseGoService.php file. Business value is solid as the API updates provide useful new features. Bug risk is low in main logic but presence of commented code and sensitive data in repo indicates some risk. Security suffers heavily due to hard-coded cryptographic keys, which raise significant concerns. 07 Jul 2026
b64ba23c 40 This commit introduces standard configuration files (.editorconfig, .gitattributes, .gitignore), an example environment config, a detailed README.md, and a new CategoryController with basic index functionality. The configurations improve project maintainability and consistency. The README improves developer onboarding and project value. The CategoryController adds minimal business logic but lacks security checks and complete CRUD operations. The commit message 'latest' is vague and uninformative. 16 Feb 2026
c26041c6 40 The commit adds basic API endpoints for vehicle, favourite, and other related features. The FavouriteController and HomeController provide functionality to toggle favourites and get home and vendor details. However, the code lacks comprehensive error handling, comments, and tests. There is hardcoded OTP verification logic, which severely impacts security. The commit message is vague and does not detail what exactly was added or changed. 16 Feb 2026
44f6a56f 30 This commit primarily adds an admin form for vendor creation with map location support and updates the controller to handle latitude and longitude. It includes many commented-out legacy code lines and inserts an API key placeholder in the environment example. While adding map coordinates is a useful business feature, the commit has poor validation beyond requiring the name, and geographic inputs may allow invalid data. The .env.example exposes an API key placeholder, but no safeguards or usage restrictions are evident. The commented-out code should be cleaned. Security risks come from incomplete validation and potential exposure or misusage of the Google Maps API key. The commit message is vague and does not describe the changes. 17 Feb 2026
3b75969f 50 The commit adds new Booking APIs with validation, booking creation, and basic booking history retrieval. It includes some important checks like vendor open hours and validated inputs. The code generally follows Laravel practices and uses Eloquent models effectively. However, the commit message is too brief and non-descriptive. Security could be improved around data sanitization, authorization checks, and preventing duplicate bookings. Also, the booking ID generation is basic and not collision resistant. There are no tests included. The FavouriteController and UserController changes are small and mostly standard, though UserController should import Storage facade explicitly. Overall, the changes are valuable but lack thorough security hardening, input checking, and commit messaging. 17 Feb 2026
7965ab7d 30 The commit introduces a new vendor employee model and migration and adds some view and controller code related to vendors and bookings. Code quality is moderate but limited implementation in some areas (e.g., empty BookingController). The business value is moderate given the introduction of vendor employee infrastructure, though mostly scaffolding. Bug risk exists from commented-out legacy code and potential missing validations. Security score is low due to storing passwords as plain nullable strings without hashing or clear authentication security measures. 18 Feb 2026
53b729a0 30 The commit adds a new empty BookingController, VendorEmployee model and migration, and updates the VendorController and booking index view. However, the BookingController is empty and doesn't add functionality. There is commented-out code in VendorController indicating incomplete or refactored features. The migration includes storing user password in plain string column without encryption. The commit message and code lack detailed explanation or tests. There is potential security risk in storing passwords unencrypted and incomplete validation for inputs. 18 Feb 2026
210dfc91 60 This commit adds vendor details related features, including bookings filtering and details view enhancements. It introduces new relationships in Eloquent models and a migration for additional columns in vendors. Code is generally well structured and adheres to Laravel conventions. However, some controller methods could benefit from request validation and error handling to improve robustness. There is a slight security concern due to lack of input sanitization or authorization checks on filtered queries. No unit or feature tests were added or mentioned, impacting quality and bug risks. The commit message is vague and not descriptive of actual changes. 21 Feb 2026
e4794084 30 The commit adds standard CRUD operations for app settings and several improvements to booking and vendor handling with filtering; however, it lacks request validation and authorization checks, which reduces security and increases bug risk. The commit message is minimal and could be more descriptive. 24 Feb 2026
19b28938 40 This commit adds booking extension functionality and related payment handling with basic validations and webhook handling. It improves business logic by supporting booking extension and integrates with Razorpay for payments. However, there are some areas for improvement, including error handling, transactional safety, and security practices such as sensitive data handling and input validation robustness. 09 Mar 2026
d2c8ca89 50 The commit introduces useful booking time validation and payment status updates, along with notification sending on booking changes. However, there is no validation on input time format which can cause bugs, some code redundancy exists, and error handling for database fetches is missing, which impacts robustness. The commit message is vague and non-descriptive. The privacy_policy view changes are mostly static and do not affect logic or security, but do add business value. 11 May 2026
d9b2bb8b 15 The commit is titled 'privacy policy page' but the diff only contains a backup of the BookingController implementation file with no changes. This raises concerns about the commit's relevance and integrity. The code in the backup file has some validation and business logic but as it is a backup file instead of active code, it's unclear if it is in use. There are no security measures like authorization checks visible, and error handling is minimal. Also, the commit message does not align with the code changes, and no new privacy policy page was added. 03 Jun 2026
4c5a2b88 50 The commit resolves merge conflicts but does so by adding a backup file without merging changes into the proper source file. The code in the backup file shows a substantial BookingController class implementation with validation and business logic. However, the merge is incomplete because it leaves a backup file rather than updating the main controller. This lowers maintainability and business value since the functional code is not integrated. Security and bug risk are moderate due to standard validation and basic error handling but no advanced security controls are visible. The commit message is minimal and uninformative. 03 Jun 2026
b05e9323 20 The changes add a command to decrypt WiseGo encrypted data and adjust app settings management including validation and API exposure. The booking refund and cancellation logic now respects app settings and includes improved notification. However, the inclusion of hardcoded encryption keys and IV in the code is a serious security flaw. Validation is present but could be expanded. Error handling and logging are correctly implemented for refunds and decryption. The commit message is generic and lacks detail about the specific changes. 24 Jun 2026
2f57ef76 30 The commit adds a decryption command and makes multiple changes related to app settings and booking cancellation logic. The new WiseGoDecrypt command hardcodes sensitive encryption keys and IV directly in the code, which is a security risk. Validation rules for app settings are improved, and refund and cancellation charge calculations use configurable settings with sensible defaults. Error handling for payment refunds is included. Some improvements can be made, like extracting encryption keys to config, adding more validation, and enhancing refund logic robustness. 24 Jun 2026
4e730db1 50 The commit adds the ability to mark a user as verified and define a route for completing a profile. It includes adding validation rules and saving user data. The commit message is vague ('latest') and does not describe the changes made. Code quality and security can be improved by adding input validation and error handling when updating user verification status. The bug risk is moderate as no error handling is shown. Business value is reasonable as it adds user profile completion functionality. 16 Feb 2026
574dd83d 30 The commit introduces various login-related API functionalities, including user creation, profile completion, OTP verification, and JWT authentication middleware. Validation is applied on input parameters and JWT token handling is added. However, there are significant security concerns such as a hardcoded OTP, insufficient error messages, and potential duplicate account checks that could be improved. The code lacks proper sanitization and detailed logging which can lead to debugging difficulty and user experience issues. 16 Feb 2026
1b4122cc 30 The commit adds some routing lines including an admin login route and vendor edit and update routes. However, the commit message is uninformative and the code changes do not appear to be fully integrated or properly documented. The comment on line 27 contains a typo and is irrelevant. The commit lacks context and testing indications, which decreases confidence and business value. 17 Feb 2026
02fb0c09 40 The commit adds routes to the application but lacks detailed commit message and context. Route additions may be valuable but are minimal and without additional tests or documentation. Quality and security could be improved by adding validation and clarifying intent. The fake work risk is high due to vague commit message and minimal, somewhat trivial changes. 17 Feb 2026
cd26465b 50 The commit adds a new API endpoint to fetch vehicle categories. The code is straightforward and likely works but lacks validation, error handling, and authentication or authorization checks. The commit message is minimal and doesn't follow best practices for clarity. 17 Feb 2026
bc181737 40 This commit introduces CRUD functionality for VendorEmployee, including migrations, model updates with soft deletes, and views to display and manage employees. Passwords are hashed when stored. However, there is no validation of request input, lack of authorization checks, and potential for mobile_no uniqueness conflicts. Some UI code may be redundant. The commit message is vague. 19 Feb 2026
d40205b5 60 The commit introduces CRUD operations for VendorEmployee management including creation, updating, and soft deletion, as well as relevant UI changes to display employees in vendor details. It properly hashes passwords and uses Eloquent relationships and SoftDeletes. However, it lacks validation in controller methods for input data, and no authorization checks or CSRF protections are evident in the snippet. The commit message is vague and does not describe the changes clearly. The deleteEmp method might have a bug in checking deletion success as delete() returns a boolean, but usage is somewhat unclear. 19 Feb 2026
9912d44d 50 The commit adds significant booking and payment related functionality including webhook handling, booking history, payment verification, and employee approval endpoints. The code generally follows Laravel conventions with validation and ORM usage. However, there are multiple issues such as inconsistent spelling of Razorpay config keys, possible undefined variables or imports (e.g., DateTime, Carbon, DB without import), missing null checks before property access leading to potential runtime errors, weak webhook security validation, use of magic strings, and incomplete code due to truncated diff. These reduce robustness and security. No significant business logic issues appear but security and bug risk could be improved. 21 Feb 2026
dad24b04 20 The commit introduces a new POST route '/webhookmain' without authentication or validation, which may lead to security vulnerabilities. The commit message is uninformative, and the naming of the webhook endpoint is unclear. 23 Feb 2026
afc1ea98 50 The commit adds useful API endpoints to retrieve booking details and the last active booking. However, there are commented out debug statements left in the code, no input validation or authorization checks to ensure user access control, and some repeated logic that could be improved. The commit message is uninformative and does not explain the purpose of the changes. 24 Feb 2026
b76a3e67 40 The commit adds a new AppSettingController with CRUD methods, including storing and updating application settings. A booking detail page method is added to BookingController, loading related models 'vendor', 'user.vehicles', 'guard_in', and 'guard_out'. The API controller methods retrieve booking details and the last active booking. Eloquent relationships are defined for Booking and VendorEmployee models. However, the code lacks input validation and authorization checks, which reduces security and increases bug risk. The commit message is vague and does not clearly describe the changes or motivate them. Some commented-out code is present. Overall, the commit adds basic functionality but needs improvements in validation, security, and documentation. 24 Feb 2026
72bfd51c 50 The commit introduces a home search API with two endpoints to retrieve vendors based on location and search criteria. The functionality covers distance calculation and search filtering. However, there are issues such as a typo in the JSON path for coordinates, lack of input validation, inconsistent radius comment, and missing authentication/authorization checks. 25 Feb 2026
7b37f31c 40 The commit adds multiple booking details elements to the admin booking details page and some admin controller metrics. It improves UI and admin insights about bookings and vendors. However, there is inconsistent variable naming ($bookings vs $booking) which could lead to confusion. The commit message is vague and contains a typo. The route definition and some frontend links do not ensure validation or authorization checks, which may cause security risks. There is some commented-out debug code left in the view which should be removed. 25 Feb 2026
dd536fc6 70 The commit resolves vendor and booking detail page issues by adding booking and user counts in admin dashboard, enhancing booking details view with check-in/check-out sections, and adding a route for booking details. The changes improve monitoring and user experience with detailed booking info. However, there is mild risk due to lack of data validation/sanitization and no explicit authorization/authentication checks for new routes and views. 25 Feb 2026
0ad122aa 40 The commit adds controller methods to manage app settings, including creating and editing settings, and updates the sidebar for navigation. However, it lacks input validation and error handling, which increases bug risk and reduces security. The commit message is vague and non-descriptive. 25 Feb 2026
5c865518 30 The commit merges a pull request that resolves settings-app issues and adds basic routes and controller functionality for app settings, including create and edit flows. The code's quality and business value are moderate since it supports expected features. However, there is missing validation on user input which creates security and bug risks. The commit message is minimal and could be more descriptive. 25 Feb 2026
56e40cd1 60 The commit introduces form validation for app settings, enhances the admin dashboard with booking info, adds DataTables for better UI in bookings, and implements logout functionality with route and header updates. These changes add moderate business value and improve user experience. However, bug risk and security can be improved with additional input sanitization and CSRF protection. 25 Feb 2026
4d3945d1 50 This commit adds validation rules to the AppSettingController, improves booking data retrieval in LoginController, initializes DataTables in bookings view, and adds logout functionality in the header and routes. There are some improvements in data validation and UI interaction, but security aspects (e.g., CSRF protection, logout request method) and error handling could be enhanced. The commit message is vague and does not describe the exact changes, reducing clarity. 25 Feb 2026
75531a73 50 Features added for exporting bookings and transactions, filtered data tables for bookings and transactions with yajra datatables integration and formatted dates. Basic features for importing users also included. Code quality is decent but there are some minor concerns with error handling, efficiency, input validation, and security (e.g. no authorization checks shown, xss risks in html output). Some duplication between ExportBooking and ExportTransaction classes. Filtering logic could be more robust. 11 Mar 2026
d8d076f7 40 This commit adds export functionality for bookings and transactions, implements filtering and displaying data tables with yajra, and includes transaction filtering and status badges. Code generally follows Laravel conventions but lacks input validation, authorization checks, and has some redundant or inconsistent filtering. The export of transactions is very bare-bones. Security and bug risk could be improved with validation and better handling of relationships. 11 Mar 2026
bd863535 40 This commit adds Firebase notification integration, including storing user FCM tokens, sending notifications on booking creation, and exposing API endpoints for saving tokens and sending notifications. The implementation covers the basics well, but lacks validation in some places, has some redundant methods, and missing security considerations. 12 Mar 2026
4b913254 50 This commit adds Firebase Cloud Messaging (FCM) notification support to the application including a service to send notifications, controller endpoints to save device tokens and send notifications, plus a migration to add FCM token to the users table. Overall, it provides useful real-time notification functionality improving user engagement and business value. The integration appears mostly sound with appropriate validation and error handling. However, there are some issues which may reduce quality, security, and increase bug risk, such as commented-out validation in one method, lack of token authenticity checks, and unclear error handling detail. 12 Mar 2026
c5d4a602 50 The commit integrates Firebase notifications into booking creation and extension workflows, improving user engagement and experience. It adds a NotificationService class for broadcasting messages to users. However, there is duplicated code for fetching the user and sending notifications that could be refactored. The error handling logs notification errors but does not provide retry or fallback mechanisms. Security-wise, there are no visible safeguards ensuring the integrity or privacy of notification tokens or sensitive data. Overall the changes provide moderate business value but have increased bug and security risks. 16 Mar 2026