eslint
Use Semgrep as a universal linter to identify vulnerabilities and code smells in your code base with the eslint rule pack.
Rules (14)
Detected usage of noassert in the Buffer API, which allows the offset to be beyond the end of the buffer. This could result in reading or writing beyond the end of the buffer.
Detected non-literal calls to child_process.exec(). This could lead to a command injection vulnerability.
Markup escaping disabled. With some template engines, disabling the escaping of HTML entities can lead to XSS attacks.
Detected eval(variable), which could allow a malicious actor to run arbitrary code.
Detected use of express.csrf() middleware before express.methodOverride(). This can allow GET requests (which are not checked by csrf) to turn into POST requests later.
RegExp() called with a variable. This might allow an attacker to DoS your application with a long-running regular expression.
Detected the use of require(variable). Calling require with a non-literal argument might allow an attacker to load and run arbitrary code, or access arbitrary files.
Bracket object notation with user input is present. This might allow an attacker to access all properties of the object, including its prototype, leading to possible code execution.
Detected usage of crypto.pseudoRandomBytes, which does not produce secure random numbers.
A variable is present in the filename argument of fs calls. This might allow an attacker to access anything on your system.
Setting HTML from code is risky because it’s easy to inadvertently expose your users to a cross-site scripting (XSS) attack.
Missing 'noopener' on an anchor tag where target='_blank'. This could introduce a reverse tabnabbing vulnerability. Include 'noopener' when using target='_blank'.
String comparisons using '===', '!==', '!=' and '==' are vulnerable to timing attacks. More info: https://snyk.io/blog/node-js-timing-attack-ccc-ctf/
Detects instances of new Buffer(argument) where argument is any non-literal value, which could cause a memory leak. Recommended usage is `Buffer.from()` or `Buffer.alloc()`.