code-sage-code-review/test-example.js at main · BLEND360/code-sage-code-review · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
// Test file to verify AI review features
// This file contains intentional issues at different severity levels

const express = require('express');
const app = express();

// 🔴 CRITICAL: Hardcoded API key (security vulnerability)
const API_KEY = 'sk-1234567890abcdef';
const DATABASE_PASSWORD = 'admin123';

// 🟠 HIGH: Missing error handling
function fetchUserData(userId) {
    const response = fetch(`https://api.example.com/users/${userId}`);
    return response.json(); // No error handling!
}

// 🟠 HIGH: SQL injection vulnerability
function getUserByEmail(email) {
    const query = `SELECT * FROM users WHERE email = '${email}'`;
    return db.query(query); // Direct string interpolation!
}

// 🟡 MEDIUM: Code duplication
function calculateTotalPrice(items) {
    let total = 0;
    for (let i = 0; i < items.length; i++) {
        total += items[i].price * items[i].quantity;
    }
    return total;
}

function calculateTotalWithTax(items, taxRate) {
    let total = 0;
    for (let i = 0; i < items.length; i++) {
        total += items[i].price * items[i].quantity;
    }
    return total * (1 + taxRate);
}

// 🟢 LOW: Using console.log in production
app.get('/api/users', (req, res) => {
    console.log('Fetching users...'); // Should use proper logging

    const users = fetchUserData(req.query.id);
    res.json(users);
});

// 🟡 MEDIUM: No input validation
app.post('/api/login', (req, res) => {
    const { username, password } = req.body;
    // No validation of username or password!
    authenticateUser(username, password);
});

// 🟠 HIGH: Async function without await or promise handling
async function processPayment(orderId) {
    const order = getOrder(orderId);
    const payment = chargeCard(order.total);
    updateOrderStatus(orderId, 'paid');
}

// ✅ GOOD: This function is well-written
async function getOrderById(orderId) {
    try {
        if (!orderId || typeof orderId !== 'string') {
            throw new Error('Invalid order ID');
        }

        const order = await db.orders.findById(orderId);

        if (!order) {
            throw new Error('Order not found');
        }

        return order;
    } catch (error) {
        console.error('Error fetching order:', error);
        throw error;
    }
}

app.listen(3000);