eslint-plugin-security

javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression

semgrep

Detected use of dynamic execution of JavaScript which may come from user-input, which can lead to Cross-Site-Scripting (XSS). Where possible avoid including user-input in functions which dynamically execute user-input.

javascript.lang.security.detect-child-process.detect-child-process

semgrep

Detected calls to child_process from a function argument `$FUNC`. This could lead to a command injection if the input is user controllable. Try to avoid calls to child_process, and if it is needed ensure user input is correctly sanitized or sandboxed.

javascript.lang.security.detect-disable-mustache-escape.detect-disable-mustache-escape

semgrep

Markup escaping disabled. This can be used with some template engines to escape disabling of HTML entities, which can lead to XSS attacks.

javascript.lang.security.detect-pseudorandombytes.detect-pseudoRandomBytes

semgrep

Detected usage of crypto.pseudoRandomBytes, which does not produce secure random numbers.

javascript.lang.security.detect-buffer-noassert.detect-buffer-noassert

semgrep

Detected usage of noassert in Buffer API, which allows the offset the be beyond the end of the buffer. This could result in writing or reading beyond the end of the buffer.

javascript.lang.security.detect-no-csrf-before-method-override.detect-no-csrf-before-method-override

semgrep

Detected use of express.csrf() middleware before express.methodOverride(). This can allow GET requests (which are not checked by csrf) to turn into POST requests later.