Interactive Demo

Vibe Code Cleanup

Your team built it with AI. We make it safe. See how our review process finds critical security issues in AI-generated code and delivers a hardened, production-ready version with expert guidance.

app.py (AI-generated with Cursor) 14 ISSUES FOUND

1  from flask import Flask, request, jsonify
2  import sqlite3
3  import openai
4
5  app = Flask(__name__)
6
7  API_KEY = "sk-proj-abc123def456ghi789"   # CRITICAL: Hardcoded API key
8  DB_PASSWORD = "admin123"   # CRITICAL: Hardcoded DB password
9  SECRET_KEY = "mysecretkey" # CRITICAL: Weak secret key
10
11 @app.route('/api/search')
12 def search():
13     query = request.args.get('q')
14     conn = sqlite3.connect('data.db')
15     results = conn.execute(f"SELECT * FROM customers WHERE name LIKE '%{query}%'") # SQL INJECTION
16     return jsonify([dict(r) for r in results])
17
18 @app.route('/api/user', methods=['POST'])
19 def create_user():
20     data = request.json   # No validation
21     conn = sqlite3.connect('data.db')
22     conn.execute(f"INSERT INTO users VALUES ('{data['name']}', '{data['email']}', '{data['password']}')") # SQL INJECTION + PLAINTEXT PASSWORD
23     return jsonify({"status": "ok"})
24
25 @app.route('/api/admin')
26 def admin():   # No authentication check!
27     conn = sqlite3.connect('data.db')
28     users = conn.execute("SELECT * FROM users").fetchall()
29     return jsonify([dict(u) for u in users])
30
31 if __name__ == '__main__':
32     app.run(debug=True, host='0.0.0.0') # Debug mode + exposed to network

Critical

High

Medium

Low

CRITICAL

Hardcoded API Key (Line 7)

OpenAI API key exposed in source code. Anyone with repository access can use this key to make API calls at your expense. If committed to GitHub, bots will find it within minutes.

CRITICAL

Hardcoded Database Password (Line 8)

Database credentials in plain text. Combined with a weak password ("admin123"), this gives attackers direct database access.

CRITICAL

SQL Injection (Lines 15, 22)

User input inserted directly into SQL queries using f-strings. An attacker can extract, modify, or delete the entire database with a single crafted request.

CRITICAL

No Authentication on Admin Route (Line 26)

The /api/admin endpoint returns all user records including passwords with zero authentication. Anyone can access it.

CRITICAL

Plaintext Password Storage (Line 22)

User passwords stored in plaintext. If the database is compromised, every user's password is immediately available.

HIGH

Debug Mode Enabled (Line 32)

Flask debug mode exposes the interactive debugger, allowing remote code execution. Combined with host='0.0.0.0', the app is accessible on all network interfaces.

HIGH