harry0703/moneyprinterturbo

Dockerfile copies the entire context without .dockerignore

[MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.

[MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.

[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).

[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).

[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go.

[MINED106] Phantom test coverage: test_ollama_default_base_url_uses_localhost_outside_container: Test function `test_ollama_default_base_url_uses_localhost_outside_container` runs code but contains n…

[MINED106] Phantom test coverage: test_ollama_default_base_url_uses_host_gateway_inside_container: Test function `test_ollama_default_base_url_uses_host_gateway_inside_container` runs code but contai…

[MINED106] Phantom test coverage: test_ollama_default_base_url_falls_back_to_container_gateway: Test function `test_ollama_default_base_url_falls_back_to_container_gateway` runs code but contains no …

[MINED106] Phantom test coverage: test_ollama_explicit_base_url_takes_precedence: Test function `test_ollama_explicit_base_url_takes_precedence` runs code but contains no assert / expect / should cal…

[MINED106] Phantom test coverage: test_task_local_materials: Test function `test_task_local_materials` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Add…

[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_generate_script_forwards_advanced_prompt_options` of class `TestTaskService` reads `self.assertEqual`, but no assignmen…

[MINED108] `self.original_app_config` used but never assigned in __init__: Method `setUp` of class `TestSecurityControls` reads `self.original_app_config`, but no assignment to it exists in __init__ …

[MINED108] `self.original_app_config` used but never assigned in __init__: Method `tearDown` of class `TestSecurityControls` reads `self.original_app_config`, but no assignment to it exists in __init…

[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_task_query_returns_relative_task_url_without_mutating_state` of class `TestSecurityControls` reads `self.assertEqual`, …

[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_task_query_returns_relative_task_url_without_mutating_state` of class `TestSecurityControls` reads `self.assertEqual`, …

[MINED108] `self.assertRaises` used but never assigned in __init__: Method `test_in_memory_task_manager_rejects_when_queue_is_full` of class `TestSecurityControls` reads `self.assertRaises`, but no a…

[MINED108] `self.test_img_path` used but never assigned in __init__: Method `setUp` of class `TestVideoService` reads `self.test_img_path`, but no assignment to it exists in __init__ (and no class-le…

[MINED108] `self.test_img_path` used but never assigned in __init__: Method `test_preprocess_video` of class `TestVideoService` reads `self.test_img_path`, but no assignment to it exists in __init__ …

[MINED108] `self.test_img_path` used but never assigned in __init__: Method `test_preprocess_video` of class `TestVideoService` reads `self.test_img_path`, but no assignment to it exists in __init__ …

[MINED108] `self.fail` used but never assigned in __init__: Method `test_preprocess_video` of class `TestVideoService` reads `self.fail`, but no assignment to it exists in __init__ (and no class-leve…

[MINED108] `self.test_img_path` used but never assigned in __init__: Method `test_preprocess_video` of class `TestVideoService` reads `self.test_img_path`, but no assignment to it exists in __init__ …

[MINED108] `self.assertIsNotNone` used but never assigned in __init__: Method `test_preprocess_video` of class `TestVideoService` reads `self.assertIsNotNone`, but no assignment to it exists in __ini…

[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_preprocess_video` of class `TestVideoService` reads `self.assertEqual`, but no assignment to it exists in __init__ (and…

[MINED108] `self.assertTrue` used but never assigned in __init__: Method `test_preprocess_video` of class `TestVideoService` reads `self.assertTrue`, but no assignment to it exists in __init__ (and n…

[MINED108] `self.test_img_path` used but never assigned in __init__: Method `test_preprocess_video_rejects_material_outside_local_videos` of class `TestVideoService` reads `self.test_img_path`, but n…

[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_preprocess_video_rejects_material_outside_local_videos` of class `TestVideoService` reads `self.assertEqual`, but no as…

[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_get_bgm_file_accepts_song_directory_filename` of class `TestVideoService` reads `self.assertEqual`, but no assignment t…

[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_get_bgm_file_accepts_project_relative_song_path` of class `TestVideoService` reads `self.assertEqual`, but no assignmen…

[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_get_bgm_file_rejects_path_outside_song_directory` of class `TestVideoService` reads `self.assertEqual`, but no assignme…

[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_get_ffmpeg_binary_uses_configured_env_path` of class `TestVideoService` reads `self.assertEqual`, but no assignment to …

[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_get_ffmpeg_binary_falls_back_to_imageio_ffmpeg` of class `TestVideoService` reads `self.assertEqual`, but no assignment…

[MINED108] `self.fail` used but never assigned in __init__: Method `test_open_video_clip_quietly_suppresses_moviepy_stdout` of class `TestVideoService` reads `self.fail`, but no assignment to it exis…

[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_open_video_clip_quietly_suppresses_moviepy_stdout` of class `TestVideoService` reads `self.assertEqual`, but no assignm…

[MINED108] `self.assertIsNone` used but never assigned in __init__: Method `test_open_video_clip_quietly_suppresses_moviepy_stdout` of class `TestVideoService` reads `self.assertIsNone`, but no assig…

[MINED108] `self.assertGreater` used but never assigned in __init__: Method `test_open_video_clip_quietly_suppresses_moviepy_stdout` of class `TestVideoService` reads `self.assertGreater`, but no ass…

[MINED112] FastAPI POST /scripts has no auth: Handler `generate_video_script` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the f…

[MINED112] FastAPI POST /terms has no auth: Handler `generate_video_terms` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the func…

[MINED112] FastAPI POST /videos has no auth: Handler `create_video` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function bo…

[MINED112] FastAPI POST /subtitle has no auth: Handler `create_subtitle` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the functi…

[MINED112] FastAPI POST /audio has no auth: Handler `create_audio` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function bod…

[MINED112] FastAPI DELETE /tasks/{task_id} has no auth: Handler `delete_video` is registered with router/app.delete(...) but no Depends/Security parameter is declared and no auth marker appears in th…

[MINED112] FastAPI POST /musics has no auth: Handler `upload_bgm_file` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function…

[MINED112] FastAPI POST /video_materials has no auth: Handler `upload_video_material_file` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker app…

[MINED118] Dockerfile FROM `python:3.11-slim-bullseye` not pinned by digest: `FROM python:3.11-slim-bullseye` resolves the tag at build time. The registry CAN re-push a different image for the same t…

[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…

[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…

[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-…

[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-…

[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…

[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we…

[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.

[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.

[AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, p…

[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.

[COMP001] High cognitive complexity: Function `save_video` has cognitive complexity 16 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested b…

[COMP001] High cognitive complexity: Function `download_videos` has cognitive complexity 19 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nes…

No CI/CD configuration found

Docker final stage has no non-root USER

Docker build context has no .dockerignore

[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.

[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.

[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.

[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.

[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks.

[SEC034] Log Injection / Log Forging — unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\n` to forge fake log entries, hide tra…

[SEC127] AI agent stub — TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass…

Public web service has no security.txt

[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found.

[COMP001] High cognitive complexity: Function `get_container_default_gateway_ip` has cognitive complexity 10 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to…

[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template liter…

[COMP001] High cognitive complexity (and 8 more): Same pattern found in 8 additional files. Review if needed.

[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.

[MINED050] Stub Only Function (and 1 more): Same pattern found in 1 additional files. Review if needed.

[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.

[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.

[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.

[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints.

[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever.

[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever.

[MINED072] Python Pass Only Class: class Foo: pass — stub waiting to be filled in.

[MINED072] Python Pass Only Class: class Foo: pass — stub waiting to be filled in.

[MINED072] Python Pass Only Class: class Foo: pass — stub waiting to be filled in.

[MINED079] Off By One Slice: range(len(x)+1), arr[i+1:i+n+1], or while i<=len(arr) — off-by-one risk.