Project Details

website-service

solutionbowl/website-service · Bitbucket · Default branch main
Back to Projects

Security Findings

Low security scores and security-related AI review notes.
CommitSecurity ScoreFindingDate
39a574b7 70 The commit improves handling of races marked as 'VOID' by filtering them out in queries and returning a clear status when a race is void. It increases robustness by early exits for voided races and avoids processing them further. However, the commit message is uninformative, and the code could use more comments and possibly consolidation of repeated logic for better maintainability. 02 Jul 2026
da8ead3f 50 Added bet_start_time field retrieval in website get race detail query. The change looks straightforward but lacks context or tests. 02 Jul 2026
02943c21 60 Adds JSON Web Token dependency and new logic in racingController to include user exposure data in race market data responses. Code quality is moderate with clear data mapping, but error handling and authorization checks could be improved. Security is enhanced by user token checks, but the new dependency addition and exposure data usage require careful validation. The commit message provides minimal context. 13 Apr 2026
07363034 60 The commit adds a new API endpoint to get race exposure, correctly handling input validation and aggregation via Mongoose. Some commented-out code is present but not cleaned up. The use of ObjectId conversions is appropriate and the structure handles errors. However, there is no user authentication verification beyond req.user usage, and no explicit validation or sanitization of inputs, which could lead to bugs or security issues. 15 May 2026
58c0fef7 30 This initial commit introduces a package-lock.json with many dependencies and a .gitignore file to exclude node_modules, .env, and log files. However, the commit contains no application code yet and only setup artifacts. The security and bug risk scores are low to moderate given the presence of environment files and dependency management, but no application logic or testing exists yet to provide quality or business value. The commit message is uninformative, further reducing confidence in the change. 06 Mar 2026
1c55fa21 40 Adds a new API endpoint to get fixed demo tenant info but hardcodes tenant IDs and lacks null checks and input validation. 09 Mar 2026
d9a5ea3c 40 Adds fetching of tenant branding and features in the website controller, improving customization for tenants. However, the commit message is vague and the code lacks error handling and validation, reducing overall quality and increasing potential bug risk. 12 Mar 2026
6538c0e6 40 The commit introduces a horse racing API with multiple well-structured MongoDB aggregation pipelines and REST endpoints. It includes appropriate error handling and clear JSON responses. Importing route and controller files suggests a modular structure. However, there are concerns about potential injection or type casting issues in queries, inconsistent style in requires (inline require usage), and missing validations for user input beyond presence checks. The commit message lacks detail. 12 Mar 2026
d689bd38 30 The commit adds middleware to assign a static tenant when a testing header is set. While this supports testing scenarios, it has potential issues with hardcoded tenant IDs, lack of input validation, and incomplete handling logic. 12 Mar 2026
640f1fb0 50 The commit adds tenant lookups in middleware, which may be valuable for multi-tenant support, but lacks proper context and testing details. The commit message is misspelled and unclear, and does not describe the changes made. This creates uncertainty about the intent and risks of the changes. The implementation could introduce latency or errors if tenant data is not properly cached or error-handled. 12 Mar 2026
dfbee905 50 The commit message contains a typo and is vague, which reduces clarity and professionalism. The diff shows a single change handling a 500 status error response, but lacks context or details on functionality improvement. The quality and business value are low due to unclear messaging and minimal change content. Bug risk is moderate as error handling is crucial but not fully clear here. Security score is average, reflecting some error handling but no explicit security improvements. 12 Mar 2026
82bd5dde 40 The commit adds integration with mongoose in a racing controller and modifies tenant middleware. The commit message contains a spelling mistake and is vague. The code changes lack context and comments. There is some potential risk around object IDs and middleware behavior due to lack of detail. No tests or validations shown. 12 Mar 2026
21f9c03c 60 The commit adds a small code change converting a country_id to a mongoose ObjectId. However, the commit message is poorly written and misspelled, which reduces clarity and professionalism. The code change itself is minimal and lacks context making it hard to evaluate business value and overall impact. There is some risk around validation and error handling that is not shown. 12 Mar 2026
0e5af155 50 The commit adds a new route for getting race details to the racing API, but the commit message has a typo and is not descriptive. The code change itself is minimal, lacking context, tests, or validation details. 12 Mar 2026
6ef7545f 20 Very minimal change with only an import statement added. Commit message contains numerous spelling errors and lacks detail. The changes do not demonstrate any implemented functionality, tests, or bug fixes. 12 Mar 2026
afff8b56 60 The commit adds a single line involving creation of a new MongoDB ObjectId. The commit message is poorly written with typo and lacks clarity. The single line change does not provide enough context to evaluate its correctness or significance. Code quality could be improved with better message and more comprehensive context. 12 Mar 2026
2dd29a86 40 The commit adds a projection for a horse racing API presumably to select specific fields from a database query. However, the commit message contains a typo and lacks detail on the changes and their impact. The diff snippet is minimal and does not show the full context of the implementation, limiting confidence in business value and security aspects. 12 Mar 2026
f20e8fe6 50 The commit implements a horse racing API with MongoDB aggregation pipelines. The code adds comprehensive data retrieval related to tenants, features, countries, races, horses, and odds. However, the commit message is a low-quality string with a typo and does not convey meaningful information about the changes. There is some inconsistent error handling, and the aggregation pipelines are complex with potential risk of runtime errors if data assumptions fail. No security-critical logic is explicitly seen, but input validation is minimal. 12 Mar 2026
7b356a8c 40 The commit adds a custom header 'testing' to allowed CORS headers. While this change improves flexibility for certain clients, it introduces some security and bug risks by allowing a non-standard and potentially unnecessary header. The overall business value is modest unless this header is specifically needed. 12 Mar 2026
319317dc 40 This commit adds a new banner feature with route, controller, and model for fetching banners filtered by tenant and banner type. The code handles basic validation and error catching. However, the schema is defined with strict: false, which can lead to inconsistent data. The error responses expose internal error messages, possibly leaking info. Tenant check is delegated to middleware, but input sanitization of query parameters is not explicit. The commit message is minimal and non-descriptive. 13 Mar 2026
03ccf1fd 50 The commit adds a new API endpoint to retrieve race odds from the database with validation and error handling. It improves functionality and business value by fulfilling a likely user need. However, validation is basic and there is potential risk of injection as no input sanitization is performed. Also, the RaceMarket schema is set to strict: false which may allow inconsistent data schemas and could lead to bugs or maintenance challenges. 26 Mar 2026
8d1b0741 40 The commit adds a field 'liveUrl' aggregation in the racingController.js and updates module exports. The commit message is vague and uninformative. The code changes are minimal and have unclear context and impact. There is insufficient information about how the 'liveUrl' field affects the application such as whether it affects UI or data integrity. The commit could benefit from more detailed description and potentially improved variable naming or validation to reduce risk. 10 Apr 2026
61f3f79d 60 The commit introduces a new endpoint to fetch the list of user bets on racing events. The implementation uses aggregation and includes checks for authentication and tenant context. It adds meaningful business functionality. However, there is low input validation and error handling could be improved. Security measures like verifying ownership of event_id are absent. The code could be improved for readability, and some minor risks exist around unvalidated inputs and potentially exposing IP addresses. 15 Apr 2026
df990182 50 The commit lacks any meaningful code additions or changes beyond a single closing bracket. The commit message is vague and does not reference any specific implemented functionality. 15 Apr 2026
fc62d5ef 20 The commit adds two hardcoded values to the bet list output, which likely does not retrieve real bets for the user. The message does not clearly explain the change or its purpose. The changes lack actual logic to fetch or display meaningful bet data, leading to low quality and business value scores, and a high risk of being fake or incomplete work. 15 Apr 2026
fc1fae5a 40 The commit adds filtering functionality to distinguish current and past bets based on bet status and enhances profit/loss calculation. However, there is a lack of validation for the 'type' query parameter, and the equality check uses loose equality (==) which might lead to unexpected behavior. 16 Apr 2026
139dc17e 70 The commit adds a conditional operation to calculate race bets payout or liability adjustment in the racing controller. However, the commit message is vague and does not describe the changes clearly. The code snippet lacks context and explanation or comments, which impacts comprehension and maintainability. The logic involves conditional computation based on odds_type but is not fully shown or explained. 17 Apr 2026
f600a76b 50 The commit adds two fields to an aggregation pipeline, presumably to include winner and fancy settlement details. However, the commit message is vague and lacks detail. The code changes are minimal and isolated, making it hard to assess full impact or correctness. Without additional context or tests, bug risk and quality are moderate to low. Business value is somewhat unclear. 17 Apr 2026
245855c1 40 The commit adds a new field 'selection' showing the horse name from a joined 'horselists' collection to enhance race bet data retrieval. The code uses aggregation pipeline stages properly with $lookup and $unwind. However, the commit message is insufficiently descriptive and the context for the 'selection' field addition is minimal. There is a moderate risk that 'runner' could be null and the code doesn’t verify or handle this beyond unwinding with preserveNullAndEmptyArrays. Security considerations like safe usage of $toObjectId should be verified, e.g. input sanitization is not visible here. 17 Apr 2026
2508c100 40 A selection field was added to the get bets query, which could improve the returned data's usefulness. However, the commit message is vague and does not explain the broader context or testing. 17 Apr 2026
677f0a90 50 The commit adds a MongoDB aggregation match stage filtering races based on unsettle flags. However, the changes are minimal and lack context or explanation. The commit message is unclear and does not describe the purpose or impact of the code change. There is also a risk of missing cases or incorrect filtering due to the limited condition checks. 17 Apr 2026
675dafd2 40 The commit message is vague and does not describe the change made. The code change is minimal and unclear, impacting the ability to assess the functionality or impact properly. 18 Apr 2026
c92f3207 10 The commit adds a minor change referencing '$bet_amount' without context, and the commit message 'bet set' is vague and uninformative. The change seems trivial with no clear indication of improved functionality or bug fixes, leading to low business value and high fake work risk. 18 Apr 2026
0e4e24b5 50 The commit adds a single equality check condition to a controller file. The commit message is uninformative and there is minimal context or explanation surrounding the change, making it difficult to assess its impact or correctness. 18 Apr 2026
e0eee26c 40 The commit includes a small update to the calculation in racingController.js that changes a multiplication operation. The commit message is vague and does not describe the actual change, reducing traceability and business context. The code change itself is minimal, possibly fixing or adjusting a calculation but lacks comments or tests to clarify intent. 12 May 2026
a2827bff 70 The commit adds an insurance_bet parameter retrieval in the race details aggregation pipeline. While it adds business value by including a relevant field, the change is minimal and lacks context. The code quality might be impacted by the lack of context and tests, and the commit message is sparse. 16 May 2026