Prompt Details
Model
Chat - (gpt-5.5)
Token size
408
Example input
[PASTE YOUR PYTHON CODE HERE]: Review this Django payment processing view for security issues. Python 3.10, Django 4.2: def process_payment(request): amount = request.POST.get("amount") card_number = request.POST.get("card") user_id = request.POST.get("user_id") result = stripe.charge(amount=amount, card=card_number) Payment.objects.create(user_id=user_id, amount=amount, result=result) return JsonResponse({"status": "ok"})
Example output
Code Review — Python 3.10 / Django 4.2
CRITICAL — Security: Missing Authentication
Problem: process_payment has no authentication check. Any unauthenticated user can POST to this endpoint and trigger a charge.
Fix: Add @login_required and replace the POST user_id with request.user.id:
from django.contrib.auth.decorators import login_required
@login_required
def process_payment(request):
user_id = request.user.id # Never read user identity from POST data
CRITICAL — Security: User Impersonation
Problem: Line 3 reads user_id from request.POST. Any logged-in user can set user_id to another user's ID and create payments attributed to them.
Fix: Always use request.user.id for the current user. Remove user_id from POST entirely.
CRITICAL — Security: No Input Validation on Amount
Problem: amount is received as a raw string and passed directly to stripe.charge. A malicious user can send "0", "-100", or a very large number.
Fix:
try:
amount = int(request.POST.get("amount", 0))
if amount <= 0 or amount > 999999:
return JsonResponse({"error": "invalid amount"}, status=400)
except ValueError:
return JsonResponse({"error": "invalid amount"}, status=400)
WARNING — No Error Handling for Stripe Failures
Problem: If stripe.charge raises an exception — card decline, network failure — the exception propagates as a 500 error. The charge may have been initiated but Payment.objects.create was never called.
Fix:
try:
result = stripe.charge(amount=amount, card=card_number)
except stripe.error.CardError:
return JsonResponse({"error": "card declined"}, status=402)
except stripe.error.StripeError:
return JsonResponse({"error": "payment failed"}, status=500)
Summary: 3 CRITICAL, 1 WARNING. This endpoint is actively exploitable — do not deploy without fixing authentication and user impersonation first.
By purchasing this prompt, you agree to our terms of service
GPT-5.5
Senior Python reviewer that analyzes your code for bugs, performance issues, security vulnerabilities, and style violations. Returns corrected code with explanations. Covers FastAPI, Django, SQLAlchemy, async patterns. Saves hours of debugging.
...more
Updated 3 weeks ago
