Giveaways
Run provably-fair giveaways in your community. Members enter with one click; a commit–reveal seed makes every draw verifiable, and giveaways with an end time draw their winner automatically. Includes a sidebar widget, a public giveaways page with a built-in fairness verifier, and a themed admin manager.
AI security review
✓ Reviewed safe · 94/100
A well-structured giveaways extension using standard Laravel/Convoro patterns with parameterized queries, proper authorization middleware on admin routes, output escaping, and a sound commit-reveal fairness scheme. No RCE, SSRF, hardcoded credentials, or data exfiltration found.
- low · safeImage allows arbitrary external http(s) URLs — In src/Extension.php, safeImage() permits any http://, https://, or root-relative URL for the giveaway image, which is rendered as a CSS background-image on the public/admin pages and forum sidebar. This allows loading arbitrary external resources (e.g. tracking pixels / IP-logging via referer). Admin-only input mitigates impact, but it is not restricted to the site's own uploads.
- low · Opportunistic auto-draw on public endpoint — The public /api/ext/giveaways/active route calls Draw::drawDue() on every request, running extra queries per unauthenticated hit. Operations are transactional/idempotent so it is safe, but high traffic could add DB load.
Automated review of v1.2.0 by claude-opus-4-8 1 week ago. This is an automated signal to aid your judgment — not a guarantee.