Project Details

tenant-service

solutionbowl/tenant-service · Bitbucket · Default branch main
Back to Projects

Security Findings

Low security scores and security-related AI review notes.
CommitSecurity ScoreFindingDate
7a816fd5 70 The commit introduces a detailed MongoDB aggregation query to calculate exposure and summarize betting data based on user hierarchy. It uses object IDs properly and MongoDB pipeline stages for efficient data retrieval. The functionality adds valuable business insight into user exposure across hierarchical nodes, which is important for the betting system. However, the commit message is poorly written and unclear, reducing overall readability and traceability. There could be improved clarity and some missing input validation or error handling risks in the usage of IDs that might introduce bugs or security concerns. The code does not explicitly show how authentication or authorization is handled, which is critical in hierarchy exposure contexts. 11 Jul 2026
5da2e28b 40 The commit introduces a race scraping feature with proper payload building and duplicate race check. The code includes input validation and error handling, improving robustness. However, it lacks thorough security measures such as input sanitization and rate limiting, and there is room for clearer error reporting and better documentation. The logic and code structure mostly follow good practices but could benefit from some minor improvements for maintainability and security. 11 Jul 2026
c8347f05 30 The commit adds logic to determine if child users should be loaded based on user role and presence of userId, but the commit message is unclear and misspelled. The code could lead to improper user access due to role checking by string and lack of robust authorization handling, posing security and bug risks. The business value is moderate as it tries to control data exposure but lacks thorough validation. 11 Jul 2026
619a0ebc 80 The commit adds MongoDB aggregation pipeline stages to include additional filtering, grouping, and data enrichment for bets and exposures in a horse racing reporting context. The changes appear substantial and domain-relevant but lack clear explanation in the commit message. The code exposes detailed join and lookup operations, which can be complex and needs careful validation. Presumed security is good with rigour in user and bet filtering. The commit message contains a typo and is not descriptive enough. The large aggregation pipeline increases complexity and risk of subtle bugs if not thoroughly tested. No evident security flaws are found, but some defensive coding or validations are not visible here. 11 Jul 2026
876f4c97 60 The commit adds detailed MongoDB aggregation pipelines for fetching horse racing bet and exposure data, including filtering, sorting, grouping, and lookup stages, along with appropriate error handling for missing race or market data. The logic is complex but seems coherent for business use. However, the code could benefit from some improvements in validation and security to reduce potential bugs and risks. 10 Jul 2026
0afa0232 70 This commit introduces two new controller functions related to net exposure details and bets in horse racing markets. It includes comprehensive input validation, uses MongoDB aggregation pipelines, and clearly structures the response data. The error handling is present and basic security checks such as user roles and valid IDs are included. However, there is no rate limiting or advanced security verification, and some potential error edge cases might not be fully handled. The commit message is minimal and could be more descriptive. 10 Jul 2026
0f307d34 60 The commit adds an endpoint and service to scrape horse race data and persist it. It includes input validation, error handling, and duplicate detection, demonstrating functional completeness. Code style and structure are reasonable, but some logging and error messages are generic. There is no explicit input sanitization or security hardening for input URLs, raising some security concerns. The business value is moderate due to added scraping functionality that supports use cases. The risk of bugs is moderate due to multiple async database calls and reliance on external scraper module. The fake work risk is low since the changes are significant and practical. 10 Jul 2026
d81b5cd7 40 The commit adds a new scraping feature with basic validation and error handling. The code includes parsing of race and horse details, duplicates filtering, and database inserts, which supports key business functionality. However, there are potential issues in error handling completeness, lack of input sanitization, and missing pagination or rate limiting for scraping, which might cause bugs or security risks. Also, placeholder messages and minimal commit description reduce clarity and traceability. 10 Jul 2026
3ba00bb3 50 Commit fixes a module not found issue by adding a missing require statement. While this addresses a clear problem, the commit lacks detail and context, and the isolated small change may be insufficiently tested or documented. 10 Jul 2026
bcd6cf19 40 The commit fixes a module not found issue by adding a missing require statement in race.controller.js. While this improves functionality, the commit message is vague and lacks detail about the root cause or testing performed. 10 Jul 2026
c12dc560 50 The commit adds logic to determine a targetUserId by prioritizing parentUserId over userId, likely to fix user identification in ledger sorting. While this addresses a probable bug, the commit message is vague. The code changes are straightforward but lack context and comprehensive error handling or validation, limiting the improvement in quality and security. 09 Jul 2026
2e099d0c 60 The commit introduces an immediate update for profit and loss on bet settlement by emitting a socket event in multiple controller locations and defining the emit function in socketClient. This improves real-time updates likely benefiting business operations. However, the code lacks error handling for the async emits and does not verify the validity of raceId, which could lead to silent failures or security holes. 09 Jul 2026
a65afac1 50 This commit adds a function to summarize hierarchy data and conditionally returns it in an API response, enhancing data presentation for horse racing reports. However, the commit message is unclear and the code lacks comments or error handling, impacting maintainability and security auditing. 09 Jul 2026
004e89a4 60 The commit adds a new function insertSettlementLedgerRows which processes ledger rows, calculates balances, and inserts them into the database. It improves ledger sorting and balance calculation with better handling of rounding and user-based aggregation. There is clear use of rounding, validation of numerical inputs, and batch insertion, which support quality and business value. However, there could be some edge cases or error handling missing. The commit message is minimal and does not fully describe the changes. Security impact is neutral but could be improved with validation against injection or malformed data. Bug risk is moderate due to complexity of balance calculation and potential asynchronous DB insert issues. 09 Jul 2026
b2205975 50 The commit adds a utility function to round numbers to two decimal places for net exposure calculations. While useful, the commit lacks context, tests, or usage examples, limiting its demonstrated business value and overall quality. The commit message is vague and does not clearly explain the purpose or impact of the change. 08 Jul 2026
2a214715 60 The commit modifies a filtering object to exclude multi bets and uses this updated filter to fetch bets by IDs. However, the commit message is vague and the changes lack detailed comments or tests, which reduces clarity and confidence. 07 Jul 2026
5af059ed 50 Added bet_amount and liability_amount parameters to the net exposure detail API response. Numeric conversions are used for these parameters. 06 Jul 2026
9f867dca 60 The commit attempts to fix account settlement debit and credit reporting but introduces a hardcoded ip_address value of 1, which is unlikely to be correct or safe. The commit message is not descriptive. The change is minimal and likely insufficient, increasing the risk of bugs and reducing overall quality and business value. 06 Jul 2026
fbf08250 50 The commit fixes the inclusion of odds_request fields in a report controller related to account settlements for debit and credit, suggesting an enhancement in data reporting. However, the change is minimal and lacks context, test coverage, or explanation. 06 Jul 2026
eb4d020a 50 The commit improves the handling of multi-bet and normal bet data by filtering and restructuring data related to bets and legs. It introduces stronger type conversion and clean data mapping, which improves the accuracy of the report generation. However, the commit lacks comments, error handling around async calls, and validation of data which could potentially lead to bugs or unexpected results. There is no explicit security handling or authorization checks in this diff. 06 Jul 2026
42045507 90 This commit adds a function to adjust gross odds based on a deduction percentage and integrates this calculation with the dead heat payout logic in horse racing bets. The new function includes input validation, clear comments, and rounding which improves code clarity and accuracy. The changes to bets calculations can improve business value by correctly handling deductions and payouts. There is low bug risk due to input validation, but some error throwing may cause runtime exceptions if not caught upstream. No security issues are apparent. The commit message is vague and could be more descriptive. 04 Jul 2026
6b02aafb 20 The commit adds mapping fields in the report controller, likely to retrieve agent bets. However, the changes are minimal and lack context or thorough implementation details. The commit message is sparse and does not explain the purpose or impact. There is a moderate risk of bug or misunderstanding due to missing error handling or validation, and the security implications are not addressed. 03 Jul 2026
1b504c87 70 The commit adds functionality to aggregate and enrich betting data filtered by market_id with detailed racing betting legs and race details. It efficiently uses MongoDB aggregations and indexes. The code is well structured but lacks input validation and error handling around user inputs and database calls. 03 Jul 2026
c9c38655 50 The commit adds MongoDB aggregation pipeline steps to process and restructure horseracing betting data, including sorting, adding fields, and conditional field setting. The changes appear functional and add business value by preparing enriched betting reports. However, the commit message is vague and does not describe what was done or why. There is no clear validation or error handling to reduce bug risk, and user-related data like email is exposed in the output without evidence of filtering or masking, which potentially introduces security concerns. 03 Jul 2026
c874e80b 60 The commit adds or modifies functionality in the horseracing report controller focused on fetching and processing agent bets with role-based filtering and detailed aggregation pipelines. While the code shows comprehensive handling of roles and uses mongoose ObjectId transformation to validate ids, there is a notable complexity that increases bug risk and security concerns due to the heavy use of dynamic aggregation pipelines. The commit message is minimal and not informative, reducing clarity on the intent and scope of changes. 03 Jul 2026
33e7980f 60 The commit introduces conditional grouping logic on 'group_entity_id' in the report controller to handle different agent bet reports. The use of nested $ifNull MongoDB expressions suggests thoughtful handling of null values. However, the commit message is minimal and lacks detailed explanation of changes or rationale. The changes risk bugs due to potential complexity and nested conditions, with moderate security improvements tied to handling of different user roles and IDs. 03 Jul 2026
dff4d724 70 The commit adds a MongoDB aggregation pipeline snippet for profit and loss calculation in agent bets within the horseracing report controller. The logic handles bet status conditions and bet amount conversions with rounding applied. While it is business-relevant and seems functional, there is limited context or comments to fully verify correctness or catch edge cases. There is some risk of bugs if fields like 'return_amount' or 'bet_status' have unexpected values or types not accounted for. Security risk is low as this is a data aggregation snippet, but additional validation and error handling are absent. 03 Jul 2026
3964b274 20 The commit message is vague and does not clearly describe the changes made. The code change appears to be minimal and unclear, setting 'ip_address' to a hardcoded value '1' which is suspicious and likely incorrect. 03 Jul 2026
a884b50c 40 The commit adds two lines that include the odds_request property in objects passed within the report controller. However, the commit message is vague and there are no tests or other context provided. The changes seem minor and possibly incomplete. 03 Jul 2026