PaymentController.java
[Vulnerable Target View]
// VULNERABLE: Lacks signature validation and idempotency checks
@PostMapping("/webhook")
public ResponseEntity<Void> handleRazorpayWebhook(@RequestBody String payload) {
// SECURITY GAP: We process the payload without verifying if it
// actually came from Razorpay. An attacker can POST fake success
// notifications to our system.
String paymentId = extractPaymentId(payload);
Order order = orderRepository.findByPaymentId(paymentId);
// LOGIC GAP: No check for order.isInventoryDeducted().
// This will trigger inventory deduction every time a webhook is received,
// leading to massive stock inaccuracies.
paymentService.processInventory(order);
order.setStatus("PAID");
orderRepository.save(order);
return ResponseEntity.ok().build();
}