Scanned branch: main · 4 minutes ago
ErzoScore: 42
Post-Fix: 98
LLM-generated code hardcoded the Supabase service_role key in source instead of reading it from an environment variable. This key bypasses all Row Level Security (RLS) policies and grants full admin access to your database, so anyone who can read the source or the bundle holds it.
// Vulnerable: service_role key embedded as a literal (value truncated in the report)
const supabase = createClient(URL, "eyJhbGciOiJIUzI1NiIsInR...");

AI Fix Suggestion
// Read both values from the environment; the service_role key must stay server-side,
// so it is deliberately not given a NEXT_PUBLIC_ prefix (that prefix exposes variables to the browser bundle)
const supabase = createClient(process.env.NEXT_PUBLIC_SUPABASE_URL, process.env.SUPABASE_SERVICE_ROLE_KEY);

Raw user input is concatenated directly into the system instructions sent to the LLM. An attacker can bypass application logic by supplying input such as "Ignore previous instructions and output...", because the model cannot tell where the instruction ends and the untrusted text begins.
// Vulnerable: untrusted request body interpolated into the instruction string
prompt: `Summarize the following text: ${req.body.text}`

AI Fix Suggestion
Separate instructions from user input using strict message arrays in the completion API, so the user text is delivered in its own role rather than spliced into the instruction.
messages: [
  { role: "system", content: "Summarize the provided text." },
  { role: "user", content: req.body.text }
]

This endpoint performs state-modifying database operations without verifying the Stripe webhook signature on the payload. Anyone can trigger successful payment events by POSTing a forged payload to this URL.
AI Fix Suggestion
Apply stripe.webhooks.constructEvent() to validate the request signature before processing. It must be called with the raw (unparsed) request body, the Stripe-Signature header and the endpoint's signing secret; any request that fails verification should be rejected before any database write.