trailofbits
Rules (73)
Potential goroutine leak due to unbuffered channel send inside loop or unbuffered channel receive in select block
Potential `$FOO` nil dereference when `$BAR` is called
Appending `$SLICE` from multiple goroutines is not concurrency safe
Writing `$MAP` from multiple goroutines is not concurrency safe
The `func ($O *$CODEC) ReadRequestBody($ARG $TYPE) error` function does not handle `nil` argument, as the `ServerCodec` interface requires. An incorrect implementation could lead to denial of service
Downcasting or changing sign of an integer with `$CAST_METHOD` method
A `sync.Mutex` is copied in function `$FUNC` given that `$T` is value receiver. As a result, the struct `$T` may not be locked as intended
Calling `$WG.Add` inside of an anonymous goroutine may result in `$WG.Wait` waiting for more or less calls to `$WG.Done()` than expected
Calling `$WG.Wait()` inside a loop blocks the call to `$WG.Done()`
Possible path traversal through `tarfile.open($PATH).extractall()` if the source tar is controlled by an attacker
Found container command (docker, podman) with extended privileges
Found container command running as root
Found `curl` command disabling SSL verification
Found `curl` command with unencrypted URL (e.g. HTTP, FTP, etc.)
Found `gpg` command using insecure flags
Found `installer` command allowing untrusted installations
Found `openssl` command using insecure flags
Found `ssh` command disabling host key checking
Found `tar` command using insecure flags
Found `wget` command disabling SSL verification
Found `wget` command with unencrypted URL (e.g. HTTP, FTP, etc.)
Variable `$X` is likely modified and later used on error. In some cases this could result in panics due to a nil dereference
Iteration over a possibly empty map `$C`. This is likely a bug or redundant code
Missing `RUnlock` on an `RWMutex` lock before returning from a function
Missing mutex unlock before returning from a function. This could result in panics resulting from double lock operations
The function is vulnerable to DLL hijacking attacks. Use `windows.NewLazySystemDLL()` function to limit DLL search to the Windows directory
The Apollo GraphQL uses the 'schemaDirectives' option. This works in ApolloServer v2, but does nothing in version >=3. Depending on what the directives are used for, this can expose authenticated endpoints, disable rate limiting, and more. See the references on how to create custom directives in v3 and v4.
The Apollo GraphQL server is using the graphql-upload library. This library allows file uploads using POSTs with content-type: multipart/form-data, which can enable to CSRF attacks. Ensure that you are enabling CSRF protection if you really need to use graphql-upload .
The Apollo GraphQL server is setup with a CORS policy that does not deny all origins. Carefully review the origins to see if any of them are incorrectly setup (third-party websites, bad regexes, functions that reflect every origin, etc.).
The Apollo GraphQL server is setup with a CORS policy that reflects any origin, or with a regex that has known flaws.
The Apollo GraphQL server lacks a CORS policy. By default, the server uses the Access-Control-Allow-Origin HTTP header with the wildcard value (*).
The Apollo GraphQL server is setup with a CORS policy that reflects any origin, or with a regex that has known flaws.
The Apollo GraphQL server lacks a CORS policy. By default, the batteries-included apollo-server package serves the Access-Control-Allow-Origin HTTP header with the wildcard value (*).
The Apollo GraphQL server lacks the 'csrfPrevention' option. This option is 'false' by the default in v3 of the Apollo GraphQL v3, which can enable CSRF attacks.
The Apollo GraphQL server sets the 'csrfPrevention' option to false. This can enable CSRF attacks.
Calling `gc` suggests to the JVM that the garbage collector should be run, and memory should be reclaimed. This is only a suggestion, and there is no guarantee that anything will happen. Relying on this behavior for correctness or memory management is an anti-pattern.
Found MongoDB client with SSL hostname verification disabled
If possible, it is better to rely on automatic pinning in PyTorch to avoid undefined behavior and for efficiency
Found usage of the `$FLAVOR` library, which is vulnerable to attacks such as XML external entity (XXE) attacks
NumPy distutils is deprecated, and will be removed in the future
Compiling arbitrary code can result in code execution. Ensure the source code is from a trusted location
Using the NumPy RNG inside of a PyTorch dataset can lead to a number of issues with loading data, including identical augmentations. Instead, use the random number generators built into Python and PyTorch
Usage of NumPy library inside PyTorch `$MODULE` module was found. Avoid mixing these libraries for efficiency and proper ONNX loading
Loading custom operator libraries can result in arbitrary code execution
Loading custom operator libraries can result in arbitrary code execution
Functions reliant on pickle can result in arbitrary code execution. Consider using fickling or switching to a safer serialization method
Functions reliant on pickle can result in arbitrary code execution. Consider using fickling or switching to a safer serialization method
Functions reliant on pickle can result in arbitrary code execution
Functions reliant on pickle can result in arbitrary code execution. Consider loading from `state_dict`, using fickling, or switching to a safer serialization method like ONNX
Loading custom operator libraries can result in arbitrary code execution
Avoid importing torch.package - it can result in arbitrary code execution via pickle
Avoid using `torch.Tensor()` to directly create a tensor for efficiency and proper parsing
Scikit `joblib` uses pickle under the hood. Functions reliant on pickle can result in arbitrary code execution. Consider using `skops` instead.
Loading custom operator libraries can result in arbitrary code execution
Not waiting for requests is a source of undefined behavior
`expect` or `unwrap` called in function returning a `Result`
Found apt key download with unencrypted URL (e.g. HTTP, FTP, etc.)
Found apt key with SSL verification disabled
Found apt deb with unencrypted URL (e.g. HTTP, FTP, etc.)
Found dnf download with unencrypted URL (e.g. HTTP, FTP, etc.)
Found dnf with SSL verification disabled
Found file download with unencrypted URL (e.g. HTTP, FTP, etc.)
Found file download with SSL verification disabled
Found RPM key download with unencrypted URL (e.g. HTTP, FTP, etc.)
Found RPM key with SSL verification disabled
Found unarchive download with unencrypted URL (e.g. HTTP, FTP, etc.)
Found unarchive download with SSL verification disabled
Found Windows Remote Management connection with certificate validation disabled
Found yum download with unencrypted URL (e.g. HTTP, FTP, etc.)
Found yum with SSL verification disabled
Found Zypper repository with unencrypted URL (e.g. HTTP, FTP, etc.)
Found Zypper package with unencrypted URL (e.g. HTTP, FTP, etc.)
Service port is exposed on all interfaces