35 changes: 35 additions & 0 deletions coffee_pot.py
@@ -0,0 +1,35 @@
import sqlite3

# 🚨 Secret issue: hardcoded API key
API_KEY = "sk_test_51H6rSuperSecretKeyDontHardcode12345"

The API key is hardcoded in the source code, which poses a security risk by exposing sensitive information. It should be stored securely, such as in environment variables.


def show_coffee_pot():
print("""


Ad-hoc debug print in show_coffee_pot() writes ASCII art to stdout and appears to be a leftover debug artifact.


🔧 How do I fix it?
Remove debugging statements like console.log, debugger, dd(), or logic bypasses like || true. Keep legitimate logging for monitoring and error handling.

More info - Comment @AikidoSec feedback: [FEEDBACK] to get better review comments in the future.

( (
) )
........
| |]
\ /
`----'
""")

# 🚨 SAST issue #1: SQL Injection risk (unsanitized input in query)
def get_order(user_input):


Function get_order lacks comments describing expected user_input format and sanitization responsibilities.


✨ AI Reasoning
1) get_order(user_input) builds and executes an SQL query using user input to fetch orders.
2) While a SAST comment flags SQL injection risk, there is no comment documenting the expected form of user_input, who supplies it, or whether it must be sanitized/escaped before use; this lack of explanatory comment makes the function's intended use and constraints unclear.
3) This function is newly added in this diff and therefore its missing documentation is a new issue.

🔧 How do I fix it?
Review your code and add clear, concise comments that explain the 'why' behind complex logic, not just the 'what'. Use meaningful variable and function names to reduce the need for excessive comments. For larger code blocks, consider adding a brief summary comment. Regularly update comments when modifying code to ensure they remain accurate and relevant.


conn = sqlite3.connect("coffee.db")
cursor = conn.cursor()
query = f"SELECT * FROM orders WHERE customer = '{user_input}'" # vulnerable

@aikido-pr-checks (Bot), Sep 19, 2025


Potential SQL injection via string-based query concatenation - critical severity
SQL injection might be possible in these locations, especially if the strings being concatenated are controlled via user input.

Remediation: If possible, rebuild the query to use prepared statements or an ORM. If that is not possible, make sure the user input is verified or sanitized. As an added layer of protection, we also recommend installing a WAF that blocks SQL injection attacks.
View details in Aikido Security


The SQL query uses unsanitized user input, making it vulnerable to SQL injection attacks. Use parameterized queries to prevent this security risk.

cursor.execute(query)
return cursor.fetchall()

# 🚨 SAST issue #2 + 🚨 Code quality issue: no explanatory comments
def process_payment(card_number):


Function process_payment has no explanatory comment or docstring describing input expectations and return semantics.


✨ AI Reasoning
1) process_payment(card_number) validates a credit card number by checking its length and returning True/False.
2) The function has no explanatory comment or docstring describing expected input format (e.g., digits-only, allowed separators), why the length check is sufficient, or what the return values mean, which harms readability and correct usage.
3) This is a newly added function in this diff and therefore lacks necessary explanatory comments, so the violation is present.

🔧 How do I fix it?
Review your code and add clear, concise comments that explain the 'why' behind complex logic, not just the 'what'. Use meaningful variable and function names to reduce the need for excessive comments. For larger code blocks, consider adding a brief summary comment. Regularly update comments when modifying code to ensure they remain accurate and relevant.


if len(card_number) < 16:
return False
return True


if __name__ == "__main__":
show_coffee_pot()
name = input("Enter your name: ")
print(get_order(name))


Ad-hoc debug print of get_order(name) in main writes query results to stdout and appears to be a leftover debug artifact.


🔧 How do I fix it?
Remove debugging statements like console.log, debugger, dd(), or logic bypasses like || true. Keep legitimate logging for monitoring and error handling.


print(process_payment("1234-5678-9012-3456"))
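Review bot: the query built in get_order at `query = f"SELECT * FROM orders WHERE customer = '{user_input}'"` and run by `cursor.execute(query)` interpolates the caller's string straight into SQL; bind it as a parameter instead, which sqlite3 supports natively: `cursor.execute("SELECT * FROM orders WHERE customer = ?", (user_input,))`. Three smaller points in the same hunk: `API_KEY` is a hardcoded secret that nothing in the file reads, so it should be removed (or, if it is needed, loaded from the environment with `os.environ["API_KEY"]` rather than committed); the connection from `sqlite3.connect("coffee.db")` is never closed, so open it in a `with` block or call `conn.close()` before returning; and `process_payment` only tests `len(card_number) < 16`, so the sample call `process_payment("1234-5678-9012-3456")` returns True because the separators pad the length, not because the number is valid, which at least deserves a docstring stating that the check is a placeholder and what input format is expected.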