Project Details
bet-service
solutionbowl/bet-service · Bitbucket · Default branch main
Security Findings
Low security scores and security-related AI review notes.
| Commit | Security Score | Finding | Date |
|---|---|---|---|
| ce9bfd61 | 50 | The commit introduces normalization of bet fancy types and uses these normalized types in market exposure logic, improving consistency and functionality around betting on fancy markets such as Jodi and Trio bets. The code refactor centralizes fancy type management and enhances the handling of selected runner IDs. The commit message is unclear and does not describe the changes adequately. | 09 Jul 2026 |
| b6941ab2 | 40 | This commit adds real-time bet updates through socket events for single and multi bets, improving user experience with live feedback and engagement. The implementation correctly uses emit functions and tracks emitted race IDs for multi bets to avoid duplicate emissions. However, there is some repetition across different controllers and potential absence of input validation or error handling in socket emits, which can introduce bugs or unexpected failures. | 09 Jul 2026 |
| e43af628 | 40 | The commit introduces multi-bet exposure calculation, updating, and clearing functionalities with associated routes and model changes. The core logic appears comprehensive and integrates well with existing models. However, quality and security are lowered due to use of console.log for debugging in production code, lack of input validation on incoming request bodies, and no authentication or authorization enforced on internal routes. | 25 May 2026 |
| 33fadfc2 | 70 | This commit introduces validation on selection positions to ensure they are integers within valid bounds and unique, improving data integrity. It also adds detailed exposure calculation logic, focusing on multi-bet position management and winnings exposure, which increases business value. Logging is added, which is good for debugging but could potentially leak sensitive data if not controlled. The addition of sorting mechanisms and default values in schemas enhance consistency. However, some validation and error handling could be strengthened, and the commit message itself lacks detail for traceability and understanding of change context. | 03 Jun 2026 |
| 1d0ddd70 | 30 | Initial commit includes node_modules and .env in .gitignore and adds a large package-lock.json. The commit message is uninformative. Including node_modules in .gitignore is good, but ignoring .env without example files might cause onboarding issues. The package-lock.json inclusion is necessary but noisy in first commit. Lack of source code or project scaffolding limits immediate business value. No code means low bug risk but no security controls are demonstrated. The commit message does not communicate intent or scope. | 31 Mar 2026 |
| 55437bd4 | 60 | Added multi-bet processing functionality with validation, wallet balance checks, market and runner verification, volume checking, exposure updates, and ledger logging. However, the code has some flaws in error handling, race conditions, and validation thoroughness, and the commit message lacks detail. | 01 Apr 2026 |
| 7b37fbf6 | 50 | The commit enhances the HTTP response messages for various error cases when placing a bet, improving user communication and debuggability. However, it uses only 400 status codes without distinguishing between different types of errors, and the commit message is unclear and misspelled. | 01 Apr 2026 |
| 91b2e0a8 | 40 | The commit adds a single line emitting an event 'raceOddsAdmin' with raceId and oddsData via socket 's'. The commit message contains typos and lacks clarity. The change is minimal and does not provide context or error handling, reducing confidence in its value and increasing risk. | 01 Apr 2026 |
| 637b456a | 20 | The commit adds a single import statement for Exposure model in the bet controller. The commit message is vague and does not describe the purpose or context of the change. There is minimal code change, and no functional code or tests have been added, making it hard to assess impact or improvement. | 02 Apr 2026 |
| 1687c2aa | 20 | The commit introduces a console.log statement with a vague message and a function call without context. The commit message is unclear and uninformative. There is potential fake work with trivial logging addition, low business value, and unclear impact on functionality. Security considerations are minimal but not addressed. | 02 Apr 2026 |
| 2915d6b5 | 50 | The commit adds a single line to emit race odds but has a poorly written commit message with typos and lacks contextual information. The code change alone appears minimal, reducing confidence in business value and quality. No contextual checks or error handling in the change increase bug risk. No specific security improvements or risks identified. | 02 Apr 2026 |
| 9f60d0c7 | 60 | The commit adds an async function getTenantExposure for calculating tenant exposure based on raceId and tenantId, apparently for sockets. The code uses mongoose ObjectIds and some aggregation or grouping by market and runner ids. However, the brief commit message lacks detail, and the diff lines suggest some string conversion comparisons that might be brittle or inefficient. The new function is asynchronous, which could indicate usage of DB calls. No security-critical changes are obvious but the logic could be refined. The bug risk is moderate due to loose equals and string conversions in comparing ids. | 02 Apr 2026 |
| 838e3638 | 10 | The commit adds an import statement for two utility functions but does not show any usage or implementation changes relating to tenant exposure calculation on socket as per the commit message. The commit message is vague and does not clearly describe the work done. This makes it hard to assess impact or value and increases the possibility of the commit being incomplete or fake work. | 02 Apr 2026 |
| 1a0ab982 | 70 | Added new field 'odds_type' to Bet model and included it in controller. Basic enum validation is present, but commit message lacks detail and no unit tests or validation logic updates shown. | 02 Apr 2026 |
| 7ed2851d | 70 | The commit introduces logic to set exposure values based on the type of odds ('back' or otherwise). While the changes impact core business calculations, the code lacks comments and variable naming could be clearer. There's some duplication and risk of calculation errors if types or values are incorrect. | 02 Apr 2026 |
| a3473a87 | 60 | The commit implements market exposure handling for place betting markets with various validations and updates to market data. It adds detailed logic for 2, 3, and 4 places markets, modifies exposure calculations, checks wallet balance and volume, and persists changes effectively. However, there are some concerns regarding missing input validation (e.g., user_id is used but not destructured from the request), unclear naming conventions, potential race conditions due to concurrent writes, and security risk about input sanitization and authorization checks. | 06 Apr 2026 |
| c8106ccc | 80 | The commit removes the 'placedBets' and 'failedBets' from the response JSON in the placeBet controller. This reduces the amount of feedback provided to the client about the result of their bet placement, which may lower usability and error handling capabilities. No explicit security issues are introduced. The commit message is vague and does not clearly describe the change. | 06 Apr 2026 |
| d55dc89e | 40 | The commit adds two fields related to bet place exposure check but lacks sufficient context, descriptive commit message, and test coverage. The changes appear minor and unclear without further explanation, increasing the risk of introducing bugs or failing to capture the full business logic. | 06 Apr 2026 |
| 75733824 | 50 | The commit adds detailed validation and exposure calculation logic for 2places, 3places, and 4places market types in the betting controller, enhancing business logic. However, much of the logic for placing bets, updating wallets, and logging is commented out, reducing functional completeness and business value. There is some inconsistent error handling and no clear concurrency control around volume and exposure adjustments, increasing bug risk. The security posture is moderate but could benefit from stricter validation and error sanitization. The commit message is vague and unhelpful, offering low context. The presence of large commented blocks raises concerns about incomplete or fake work. | 06 Apr 2026 |
| f2c0918e | 70 | This commit implements exposure updates and ledger logging for bets on different market types. It introduces complex conditional logic to compute exposure changes and persist updates to the database, along with wallet balance adjustments, bet creation, and ledger entries. | 06 Apr 2026 |
| 7f7d94e8 | 50 | The commit adds an increment of exposure and exposureProfit fields, but lacks context, validation, and proper spacing. The commit message is vague and does not explain the purpose or impact of the change. | 06 Apr 2026 |
| d1f065a7 | 50 | The commit introduces logic to update exposure for different market types, updating the database accordingly. It addresses the business need of tracking betting exposure with conditional logic for places markets. However, the code has some areas where clarity, robustness, and security could be improved, such as error handling, validation, and avoiding possible inconsistent states during parallel updates. | 06 Apr 2026 |
| 0c180743 | 70 | This commit adds a console.log statement to log runner exposure updates. While it provides some minimal debugging information, it lacks context, cleanup, and meaningful changes that improve functionality or security. | 06 Apr 2026 |
| 9fa03cbb | 30 | The commit implements deduction logic for wallet amounts on bet placement with different treatment for 'back' and 'lay' odds types. The code changes capture wallet balance checks and adjustment calculations. However, the commit lacks proper validation, error handling, and contains commented out code blocks from the previous feature version, which adds noise and reduces clarity. Security considerations like input sanitization and authorization checks are not visible in the snippet. The commit message is vague and unprofessional. | 07 Apr 2026 |
| 74746731 | 50 | The commit message is unclear and lacks detail about the changes made. The single line change shown is incomplete, making it difficult to assess the impact on quality, security, or business value. The vague message and partial code change increase the risk of fake work and bugs. | 07 Apr 2026 |
| c4e44398 | 30 | The commit contains a large block of commented-out code simulating a bet placement function with validations, database updates, and calculations. It lacks real implementation, uses inline comments, and has no tests or documentation. The risk of bugs and security issues is moderate due to missing input sanitation and error handling details. Business value is low as no active code or features are added. The commit message is minimal and non-descriptive. | 10 Apr 2026 |
| 90369ff6 | 50 | The commit introduces new computations related to bet exposure and market filtering. However, the commit message is vague and does not explain the purpose or impact of the changes, reducing clarity and maintainability. The code changes appear relevant but lack deeper context and error handling. | 10 Apr 2026 |
| beebd843 | 60 | The commit adds extensive functionality for placing bets with checks for wallet balance, market availability, and odds validation. It also includes exposure calculation and update logic. While the business logic covers key use cases and important validation, the code can be improved for readability, error handling, and security. There is no explicit input sanitization or authorization checks. Some calculations and conditional blocks are complex and could benefit from refactoring. The commit message is too terse. | 11 Apr 2026 |
| 96e76684 | 70 | The commit introduces a single line change to the bet exposure calculation, adjusting the placeReturn value by subtracting the product of odds and stake. While this seemingly addresses a calculation issue, the change is minimal and lacks context or tests. | 11 Apr 2026 |
| 7aacc71f | 60 | This commit introduces a comprehensive bet exposure calculation and applies validations for input fields and wallet balance. It improves the handling of 'back' and 'lay' odds types and updates market odds and exposures accordingly. Although logic appears correct overall, there is risk of bugs due to complex exposure calculations and no clear error handling around database updates. Security is medium as user input is partially validated, but no rate limiting or anti-fraud controls are visible. The fake work risk is low because the code directly impacts core business logic for betting. | 11 Apr 2026 |
| b734896e | 50 | The commit introduces a check to prevent bets on already settled markets by querying the HorseRace model. It handles the absence of race details and restricts betting on settled 'FANCY' and other markets. The schema is left non-strict, providing flexibility for HorseRace documents. However, error handling could be more consistent, and raceId validation is missing. The commit message is minimal and could be more descriptive. | 13 Apr 2026 |
| 98d889c2 | 40 | The commit introduces a new API endpoint to fetch global race profit/loss data between two dates. It validates date inputs, fetches relevant races, maps, and aggregates betting data. The implementation is clear and uses appropriate MongoDB aggregation for calculations. However, there are some improvements possible for robustness, security, and overall clarity. | 15 Apr 2026 |
| 2f001dc2 | 60 | The commit adds incrementing odds and implements a new API endpoint to fetch race profit/loss by agent within a date range. It includes input validation, querying races and bets via aggregation, and formatting results. While the change adds useful business logic, the code lacks comments and modularization. There is some risk from inadequate validation on date format and potential aggregation complexity. Security-wise, the route checks input but could further sanitize or authenticate. The initial odd incrementation part is minimal but unclear. The commit message is brief and vague. | 16 Apr 2026 |