#javascript
Rulesets (41)
r2cScan for runtime errors, logic bugs, and high-confidence security vulnerabilities. Recommended for use in CI to block serious issues from reaching production. Supports Python, Java, JavaScript, and Go.
Grayson HardawayDefault ruleset, by r2c
r2cScan for runtime errors, logic bugs, and high-confidence security vulnerabilities. Recommended for use in CI to block serious issues from reaching production. Supports Python, Java, JavaScript, and Go.
r2cScan code for potential security issues that require additional review. Recommended for teams looking to set up guardrails or to flag troublesome spots for further review.
Ajin AbrahamRules from the preeminent Node.js security scanner, NodeJSScan.
Default ruleset for JavaScript, written by ajinabraham, and r2c
Vasilii ErmilovMost common clientside JavaScript XSS vulnerabilities
Grayson HardawaySecure defaults for XSS prevention across 5 different languages
r2cCross-site scripting (XSS) secure defaults for Express.js
Vasilii ErmilovAvoid common JWT security mistakes
r2cRule pack for detecting insecure transport in node js
r2cScan code for potential security issues that require additional review. Recommended for teams looking to set up guardrails or to flag troublesome spots for further review.
r2cA collection of opinionated rules for best practices in popular languages. Recommended for users who want really strict coding standards.
Selected rules from eslint-plugin-security, a security plugin for ESLint, rewritten in Semgrep.
r2cSecure defaults for XSS prevention
r2cFind common bugs, errors, and logic issues in popular languages.
Colleen DaiEnsure your code communicates over encrypted channels instead of plaintext.
Grayson HardawayRuleset accompanying r2c OWASP presentation.
r2cScan for runtime errors, logic bus, and high-confidence security vulnerabilities. Recommended for use in CI to block serious issues from reaching production.
r2cRule pack for detecting insecure transport in node js
r2cUse recommended rulesets specific to your project. Auto config is not a ruleset but a mode that scans for languages and frameworks and then uses the Semgrep Registry to select recommended rules. Semgrep will send a list of languages, frameworks, and your project URL to the Registry when using auto mode (but code is never uploaded).
r2cSecure defaults for Command injection prevention across 5 different languages
r2cOmni pack for insecure transport rules
r2celectron desktop app
Default ruleset for Express.js, written by ajinabraham and r2c
eslint rules in Gitlab SAST, written by Gitlab, ajinabraham, and r2c
Vasilii ErmilovInsecure usage of most popular headless browser APIs
Vasilii ErmilovSecure defaults for Command injection prevention
r2cScan for runtime errors, logic bus, and high-confidence security vulnerabilities. Recommended for use in CI to block serious issues from reaching production. Supports Python, Java, JavaScript, and Go.
Colleen DaiSQL injection guardrails. Checks for non-constant SQL queries and other SQLi.
Default ruleset for Node.js, written by ajinabraham and r2c
Grayson HardawayRuleset for OWASP SF
r2cThe OWASP Top 10 is an industry-recognized report of top web application security risks. Use this ruleset to scan for OWASP Top 10 vulnerabilities.
Colleen DaiSQL injection guardrails. Checks for non-constant SQL queries and other SQLi.
Rules (423)
Experimental features are not expected to be in production ready applications.
Disabling webSecurity will disable the same-origin policy and allows the execution of insecure code from any domain.
Application can load content over HTTP and that makes the app vulnerable to Man in the middle attacks.
Blink's expirimental features are enabled in this application. Some of the features may affect the security of the application.
Node integration exposes node.js APIs to the electron app and this can introduce remote code execution vulnerabilities to the application if the app is vulnerable to Cross Site Scripting (XSS).
Disabling context isolation can introduce Prototype Pollution vulnerabilities.
User controlled data in 'child_process.exec()' can result in Remote OS Command Execution.
User controlled data in 'child_process.exec()' can result in Remote OS Command Execution.
ajinabrahamFound an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine.
ajinabrahamUntrusted input concatinated with raw SQL query using knex raw() or whereRaw() functions can result in SQL Injection.
ajinabrahamThis application has anti CSRF protection which prevents cross site request forgery attacks.
ajinabrahamContent Security Policy header is present. More Information: https://helmetjs.github.io/docs/csp/
ajinabrahamX-Permitted-Cross-Domain-Policies header set to off. More information: https://helmetjs.github.io/docs/crossdomain/
ajinabrahamExpect-CT header is present. More information: https://helmetjs.github.io/docs/expect-ct/
ajinabrahamFeature-Policy header is present. More information: https://helmetjs.github.io/docs/feature-policy/
ajinabrahamX-Frame-Options header is present. More information: https://helmetjs.github.io/docs/frameguard/
ajinabrahamX-DNS-Prefetch-Control header is present and DNS Prefetch Control is enabled. More information: https://helmetjs.github.io/docs/dns-prefetch-control/
ajinabrahamDefault X-Powered-By is removed or modified. More information: https://helmetjs.github.io/docs/hide-powered-by/
ajinabrahamHSTS header is present. More information: https://helmetjs.github.io/docs/hsts/
ajinabrahamX-Download-Options header is present. More information: https://helmetjs.github.io/docs/ienoopen/
ajinabrahamContent-Type-Options header is present. More information: https://helmetjs.github.io/docs/dont-sniff-mimetype/
ajinabrahamReferrer-Policy header is present. More information: https://helmetjs.github.io/docs/referrer-policy/
ajinabrahamX-XSS-Protection header is present. More information: https://helmetjs.github.io/docs/xss-filter/
ajinabrahamThis application has API rate limiting controls.
Detected use of express.csrf() middleware before express.methodOverride(). This can allow GET requests (which are not checked by csrf) to turn into POST requests later.
Detected eval(variable), which could allow a malicious actor to run arbitrary code.
Detected non-literal calls to child_process.exec(). This could lead to a command injection vulnerability.
Detected usage of crypto.pseudoRandomBytes, which does not produce secure random numbers.
Markup escaping disabled. This can be used with some template engines to escape disabling of HTML entities, which can lead to XSS attacks.
Detected the use of require(variable). Calling require with a non-literal argument might allow an attacker to load an run arbitrary code, or access arbitrary files.
Detected usage of noassert in Buffer API, which allows the offset the be beyond the end of the buffer. This could result in writing or reading beyond the end of the buffer.
String comparisons using '===', '!==', '!=' and '==' is vulnerable to timing attacks. More info: https://snyk.io/blog/node-js-timing-attack-ccc-ctf/
RegExp() called with a variable, this might allow an attacker to DOS your application with a long-running regular expression.
A variable is present in the filename argument of fs calls, this might allow an attacker to access anything on your system.
Bracket object notation with user input is present, this might allow an attacker to access all properties of the object and even it's prototype, leading to possible code execution.
Missing 'noopener' on an anchor tag where target='_blank'. This could introduce a reverse tabnabbing vulnerability. Include 'noopener' when using target='_blank'.
Setting HTML from code is risky because it’s easy to inadvertently expose your users to a cross-site scripting (XSS) attack.
returntocorpMake sure that unverified user data can not reach `vm2`.
returntocorpMake sure that unverified user data can not reach `vm2`.
returntocorpMake sure that unverified user data can not reach vm.runInContext.
returntocorpMake sure that unverified user data can not reach vm.runInNewContext.
returntocorpMake sure that unverified user data can not reach vm.compileFunction.
returntocorpMake sure that unverified user data can not reach vm instance.
returntocorpPath constructed with user input can result in Path Traversal. Ensure that user input does not reach `join()` or `resolve()`.
returntocorpPossible writing outside of the destination, make sure that the target path is nested in the intended destination
returntocorpMake sure that unverified user data can not reach vm.compileFunction.
returntocorpMake sure that unverified user data can not reach vm.runInContext.
returntocorpMake sure that unverified user data can not reach vm.SourceTextModule.
returntocorpMake sure that unverified user data can not reach vm.runInNewContext.
returntocorpUnrusted data in `sandbox` can result in code injection.
returntocorpUntrusted user input reaching `vm2` can result in code injection.
returntocorpUntrusted user input reaching `vm2` sandbox can result in context injection.
returntocorpUntrusted user input in `vm.runInContext()` can result in code injection.
returntocorpUntrusted user input in `vm.runInNewContext()` can result in code injection.
returntocorpUntrusted user input in `vm.compileFunction()` can result in code injection.
returntocorpUntrusted user input reaching `vm` can result in code injection.
returntocorpUntrusted user input in templating engine's compile() function can result in Remote Code Execution via server side template injection.
returntocorpPossible open redirect
returntocorpPossible writing outside of the destination, make sure that the target path is nested in the intended destination
returntocorpMake sure that unverified user data can not reach vm.runInContext.
returntocorpMake sure that unverified user data can not reach vm.runInNewContext.
returntocorpMake sure that unverified user data can not reach vm.Script.
returntocorpMake sure that unverified user data can not reach vm.runInThisContext.
returntocorpMake sure that unverified user data can not reach vm.compileFunction.
returntocorpRemote debugging protocol does not perform any authentication, so exposing it too widely can be a security risk.
returntocorpRemote debugging protocol does not perform any authentication, so exposing it too widely can be a security risk.
returntocorpMake sure that unverified user data can not reach `sandbox`.
returntocorpIf unverified user data can reach the `exec` method it can result in Remote Code Execution
returntocorpMake sure that unverified user data can not reach `vm2`.
returntocorpMake sure that unverified user data can not reach `vm2`.
returntocorpDetected `express` being required and used, meaning this app uses the ExpressJS web framework.
returntocorpFeature-Policy header is present. More information: https://helmetjs.github.io/docs/feature-policy/
returntocorpX-Frame-Options header is present. More information: https://helmetjs.github.io/docs/frameguard/
returntocorpX-DNS-Prefetch-Control header is present and DNS Prefetch Control is enabled. More information: https://helmetjs.github.io/docs/dns-prefetch-control/
returntocorpDefault X-Powered-By is removed or modified. More information: https://helmetjs.github.io/docs/hide-powered-by/
returntocorpHSTS header is present. More information: https://helmetjs.github.io/docs/hsts/
returntocorpX-Download-Options header is present. More information: https://helmetjs.github.io/docs/ienoopen/
returntocorpContent-Type-Options header is present. More information: https://helmetjs.github.io/docs/dont-sniff-mimetype/
returntocorpReferrer-Policy header is present. More information: https://helmetjs.github.io/docs/referrer-policy/
returntocorpX-XSS-Protection header is present. More information: https://helmetjs.github.io/docs/xss-filter/
returntocorpThis application has API rate limiting controls.
returntocorpDisabling context isolation can introduce Prototype Pollution vulnerabilities.
returntocorpMake sure that unverified user data can not reach `$VM`.
returntocorpMake sure that unverified user data can not reach `vm2`.
returntocorpExperimental features are not expected to be in production ready applications.
returntocorpUntrusted input concatinated with raw SQL query can result in SQL Injection.
returntocorp`ref` usage found. refs give direct DOM access and may create a possibility for XSS, which could cause sensitive information such as user cookies to be retrieved by an attacker. Instead, avoid direct DOM manipulation or use DOMPurify to sanitize HTML before writing it into the page.
returntocorpMake sure that unverified user data can not reach `sandbox`.
returntocorpDetected user input used in bracket notation accessor. This could lead to object injection through $FIELD, which could grant access to every property available in the object and therefore sensitive information. Instead, avoid the use of user input in property name fields or create a whitelist of allowed input.
returntocorpDetected setting HTML from code. This is risky because it’s easy to inadvertently expose your users to a cross-site scripting (XSS) attack. This can lead to attackers accessing sensitive information. Instead, do this without dangerouslySetInnerHTML or use DOMPurify to santize your HTML.
returntocorpError messages with stack traces can expose sensitive information about the application.
returntocorpError messages with stack traces may expose sensitive information about the application.
returntocorpFound an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine.
returntocorpThis application has anti CSRF protection which prevents cross site request forgery attacks.
returntocorpContent Security Policy header is present. More Information: https://helmetjs.github.io/docs/csp/
returntocorpX-Permitted-Cross-Domain-Policies header set to off. More information: https://helmetjs.github.io/docs/crossdomain/
returntocorpExpect-CT header is present. More information: https://helmetjs.github.io/docs/expect-ct/
returntocorpA hardcoded secret is identified. Store it properly in an environment variable.
returntocorpA hardcoded username in plain text is identified. Store it properly in an environment variable.
returntocorpApplication can load content over HTTP and that makes the app vulnerable to Man in the middle attacks.
returntocorpBlink's experimental features are enabled in this application. Some of the features may affect the security of the application.
ajinabrahamMD5 is a a weak hash which is known to have collision. Use a strong hashing function.
ajinabrahamSHA1 is a a weak hash which is known to have collision. Use a strong hashing function.
ajinabrahamAES with ECB mode is deterministic in nature and not suitable for encrypting large amount of repetitive data.
ajinabrahamAES algorithms requires an initialization vector (IV). Providing no or null IV in some implementation results to a 0 IV. Use of a deterministic IV makes dictionary attacks easier.
ajinabrahamA weak or broken cryptographic algorithm was identified. Using these functions will introduce vulnerabilities or downgrade the security of your application.
ajinabrahamcrypto.pseudoRandomBytes()/Math.random() is a cryptographically weak random number generator.
ajinabrahamString comparisons using '===', '!==', '!=' and '==' is vulnerable to timing attacks. More info: https://snyk.io/blog/node-js-timing-attack-ccc-ctf/
ajinabrahamSetting 'NODE_TLS_REJECT_UNAUTHORIZED' to 0 will allow node server to accept self signed certificates and is not a secure behaviour.
ajinabrahamSSL Certificate verification for node-curl is disabled.
ajinabrahamUntrusted user input in findOne() function can result in NoSQL Injection.
ajinabrahamUntrusted user input in MongoDB $where operator can result in NoSQL JavaScript Injection.
returntocorpNode integration exposes node.js APIs to the electron app and this can introduce remote code execution vulnerabilities to the application if the app is vulnerable to Cross Site Scripting (XSS).
returntocorpHardcoded JWT secret or private key was found. Store it properly in an environment variable.
returntocorpHardcoded JWT secret was found. Store it properly in an environment variable.
ajinabrahamThe Sequelize connection string indicates that database server does not use TLS. Non TLS connections are susceptible to man in the middle (MITM) attacks.
ajinabrahamThe Sequelize connection string indicates that TLS certificate vailidation of database server is disabled. This is equivalent to not having TLS. An attacker can present any invalid certificate and Sequelize will make database connection ignoring certificate errors. This setting make the connection susceptible to man in the middle (MITM) attacks. Not applicable to SQLite database.
returntocorpUser controlled data is used for application business logic decision making. This expose protected data or functionality.
ajinabrahamThe Sequelize connection string indicates that an older version of TLS is in use. TLS1.0 and TLS1.1 are deprecated and should be used. By default, Sequelize use TLSv1.2 but it's recommended to use TLS1.3. Not applicable to SQLite database.
ajinabrahamUntrusted input concatinated with raw SQL query can result in SQL Injection.
ajinabrahamUntrusted input concatinated with raw SQL query using knex raw() or whereRaw() functions can result in SQL Injection.
ajinabrahamPOST Request to Express Body Parser 'bodyParser()' can create Temporary files and consume space.
ajinabrahamLayer7 Denial of Service. Looping over user controlled objects can result in DoS.
returntocorpUser controlled data in RegExp() can make the application vulnerable to layer 7 DoS.
returntocorpDisabling webSecurity will disable the same-origin policy and allows the execution of insecure code from any domain.
ajinabrahamEnsure that the regex used to compare with user supplied input is safe from regular expression denial of service.
ajinabrahamUser controlled data in RegExp() can make the application vulnerable to layer 7 DoS.
ajinabrahamDisabling webSecurity will disable the same-origin policy and allows the execution of insecure code from any domain.
ajinabrahamApplication can load content over HTTP and that makes the app vulnerable to Man in the middle attacks.
ajinabrahamBlink's expirimental features are enabled in this application. Some of the features may affect the security of the application.
ajinabrahamNode integration exposes node.js APIs to the electron app and this can introduce remote code execution vulnerabilities to the application if the app is vulnerable to Cross Site Scripting (XSS).
ajinabrahamDisabling context isolation can introduce Prototype Pollution vulnerabilities.
ajinabrahamExperimental features are not expected to be in production ready applications.
returntocorpString comparisons using '===', '!==', '!=' and '==' is vulnerable to timing attacks. More info: https://snyk.io/blog/node-js-timing-attack-ccc-ctf/
ajinabrahamUser controlled data in 'unserialize()' or 'deserialize()' function can result in Object Injection or Remote Code Injection.
returntocorpUser controlled data in XML Parsers can result in XML Internal Entity Processing vulnerabilities like in DoS.
ajinabrahamUser controlled data in 'unserialize()' or 'deserialize()' function can result in Object Injection or Remote Code Injection.
ajinabrahamFound an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine.
ajinabrahamUser controlled data in eval() or similar functions may result in Server Side Injection or Remote Code Injection
returntocorpMarkup escaping disabled. This can be used with some template engines to escape disabling of HTML entities, which can lead to XSS attacks.
ajinabrahamUntrusted user input in `require()` function allows an attacker to load arbitrary code.
returntocorpUntrusted user input reaching `serialize-javascript` with `unsafe` attribute can cause Cross Site Scripting (XSS).
ajinabrahamUnrusted data in `sandbox` can result in code injection.
ajinabrahamUntrusted user input reaching `vm2` can result in code injection.
ajinabrahamUntrusted user input reaching `vm2` sandbox can result in context injection.
ajinabrahamUntrusted user input in `vm.runInContext()` can result in code injection.
ajinabrahamUntrusted user input in `vm.runInNewContext()` can result in code injection.
ajinabrahamUntrusted user input in `vm.compileFunction()` can result in code injection.
ajinabrahamUntrusted user input reaching `vm` can result in code injection.
ajinabrahamUser controlled data in 'yaml.load()' function can result in Remote Code Injection.
ajinabrahamUntrusted user input in templating engine's compile() function can result in Remote Code Execution via server side template injection.
ajinabrahamUser controlled data in 'child_process.exec()' can result in Remote OS Command Execution.
ajinabrahamUser controlled data in 'shelljs.exec()' can result in Remote OS Command Execution.
ajinabrahamError messages with stack traces can expose sensitive information about the application.
ajinabrahamError messages with stack traces may expose sensitive information about the application.
ajinabrahamHardcoded plain text secret used for Passport Strategy. Store it properly in an environment variable.
ajinabrahamA hardcoded password in plain text is identified. Store it properly in an environment variable.
ajinabrahamA hardcoded username in plain text is identified. Store it properly in an environment variable.
ajinabrahamA hardcoded API Key is identified. Store it properly in an environment variable.
ajinabrahamA hardcoded secret is identified. Store it properly in an environment variable.
ajinabrahamUser controlled data is used for application business logic decision making. This expose protected data or functionality.
ajinabrahamConsider changing the default session cookie name. An attacker can use it to fingerprint the server and target attacks accordingly.
ajinabrahamDefault session middleware settings: `secure` not set. It ensures the browser only sends the cookie over HTTPS.
ajinabrahamDefault session middleware settings: `sameSite` attribute is not configured to strict or lax. These configurations provides protection against Cross Site Request Forgery attacks.
ajinabrahamSession middleware settings: `httpOnly` is explicitly set to false. It ensures that sensitive cookies cannot be accessed by client side JavaScript and helps to protect against cross-site scripting attacks.
ajinabrahamDefault session middleware settings: `domain` not set. It indicates the domain of the cookie; use it to compare against the domain of the server in which the URL is being requested. If they match, then check the path attribute next.
ajinabrahamDefault session middleware settings: `path` not set. It indicates the path of the cookie; use it to compare against the request path. If this and domain match, then send the cookie in the request.
ajinabrahamSession middleware settings: `maxAge` not set. Use it to set expiration date for cookies.
ajinabrahamAccess-Control-Allow-Origin response header is set to "*". This will disable CORS Same Origin Policy restrictions.
ajinabrahamAccess-Control-Allow-Origin response header is set to "*". This will disable CORS Same Origin Policy restrictions.
ajinabrahamOne or more Security Response header is explicitly disabled in Helmet.
ajinabrahamUntrusted user input in response header will result in HTTP Header Injection or Response Splitting Attacks.
ajinabrahamX-XSS-Protection header is set to 0. This will disable the browser's XSS Filter.
ajinabrahamX-XSS-Protection header is set to 0. This will disable the browser's XSS Filter.
ajinabrahamUsing untrusted Host header for generating dynamic URLs can result in web cache and or password reset poisoning.
ajinabrahamPassword is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens.
ajinabrahamThe object is passed strictly to jose.JWT.sign(...). Make sure that sensitive information is not exposed through JWT token payload.
ajinabrahamHardcoded JWT secret or private key was found. Store it properly in an environment variable.
ajinabrahamHardcoded JWT secret was found. Store it properly in an environment variable.
ajinabrahamAlgorithm is set to none for JWT token. This can nullify the integrity of JWT signature.
ajinabrahamNo token revoking configured for `express-jwt`. A leaked token could still be used and unable to be revoked. Consider using function as the `isRevoked` option.
ajinabrahamDetected usage of noassert in Buffer API, which allows the offset the be beyond the end of the buffer. This could result in writing or reading beyond the end of the buffer.
ajinabrahamUntrusted user input in redirect() can result in Open Redirect vulnerability.
ajinabrahamUntrusted user input in response header('Location') can result in Open Redirect vulnerability.
ajinabrahamUser controlled URL in http client libraries can result in Server Side Request Forgery (SSRF).
ajinabrahamIf unverified user data can reach the `phantom` methods it can result in Server-Side Request Forgery vulnerabilities.
ajinabrahamIf unverified user data can reach the `puppeteer` methods it can result in Server-Side Request Forgery vulnerabilities.
ajinabrahamIf unverified user data can reach the `puppeteer` methods it can result in Server-Side Request Forgery vulnerabilities.
ajinabrahamUser controlled URL reached to `wkhtmltoimage` can result in Server Side Request Forgery (SSRF).
ajinabrahamUser controlled URL reached to `wkhtmltopdf` can result in Server Side Request Forgery (SSRF).
ajinabrahamInsecure ZIP archive extraction can result in arbitrary path over write and can result in code injection.
ajinabrahamInsecure ZIP archive extraction can result in arbitrary path over write and can result in code injection.
ajinabrahamInsecure ZIP archive extraction using adm-zip can result in arbitrary path over write and can result in code injection.
ajinabrahamInsecure TAR archive extraction can result in arbitrary path over write and can result in code injection.
ajinabrahamUntrusted user input in express render() function can result in arbitrary file read when hbs templating is used.
ajinabrahamUntrusted user input in express render() function can result in arbitrary file read if hbs templating is used.
ajinabrahamUntrusted user input in readFile()/readFileSync() can endup in Directory Traversal Attacks.
ajinabrahamPath constructed with user input can result in Path Traversal. Ensure that user input does not reach `join()` or `resolve()`.
ajinabrahamUser controlled data in XML Parsers can result in XML Internal Entity Processing vulnerabilities like in DoS.
ajinabrahamUser controlled data in xpath.parse() can result in XPATH injection vulnerability.
ajinabrahamMake sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities.
ajinabrahamUser controlled data in XML parsers can result in XML External or Internal Entity (XXE) Processing vulnerabilities
ajinabrahamUse of 'ondoctype' in 'sax' library detected. By default, 'sax' won't do anything with custom DTD entity definitions. If you're implementing a custom DTD entity definition, be sure not to introduce XML External Entity (XXE) vulnerabilities, or be absolutely sure that external entities received from a trusted source while processing XML.
ajinabrahamMake sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities.
ajinabrahamMarkup escaping disabled. This can be used with some template engines to escape disabling of HTML entities, which can lead to XSS attacks.
ajinabrahamUntrusted User Input in Response will result in Reflected Cross Site Scripting Vulnerability.
ajinabrahamUntrusted user input reaching `serialize-javascript` with `unsafe` attribute can cause Cross Site Scripting (XSS).
ajinabrahamHandlebars SafeString will not escape the data passed through it. Untrusted user input passing through SafeString can cause XSS.
ajinabrahamDisabling Escaping in Handlebars is not a secure behaviour. This can introduce XSS vulnerabilties.
ajinabrahamHandlebars SafeString will not escape the data passed through it. Untrusted user input passing through SafeString can cause XSS.
returntocorpThis code contains bidirectional (bidi) characters. While this is useful for support of right-to-left languages such as Arabic or Hebrew, it can also be used to trick language parsers into executing code in a manner that is different from how it is displayed in code editing and review tools. If this is not what you were expecting, please review this code in an editor that can reveal hidden Unicode characters.
returntocorpUser controlled data in a HTML string may result in XSS
returntocorpBracket object notation with user input is present, this might allow an attacker to access all properties of the object and even it's prototype. Use literal values for object properties.
returntocorpDepending on the context, user control data in `Object.assign` can cause web response to include data that it should not have or can lead to a mass assignment vulnerability.
returntocorpUser data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server runnig this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts hardcode the correct host.
returntocorpDetected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.
returntocorpUser controlled data in eval() or similar functions may result in Code Injection
returntocorpA variable is present in the filename argument of fs calls, this might allow an attacker to access anything on your system.
returntocorpRegExp() called with a variable, this might allow an attacker to DOS your application with a long-running regular expression.
returntocorpIt looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. You can use the `bcrypt` node.js package.
returntocorpPossibility of prototype polluting assignment detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object.
returntocorpPossibility of prototype polluting function detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object.
returntocorpPossibility of prototype polluting function detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object.
returntocorpDetected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string.
returntocorpDepending on the context, user control data in `Object.assign` can cause web response to include data that it should not have or can lead to a mass assignment vulnerability.
returntocorpIf user input reaches `HoverProvider` while `supportHml` is set to `true` it may introduce an XSS vulnerability. Do not produce HTML for hovers with dynamically generated input.
returntocorpUntrusted user input in response header will result in HTTP Header Injection or Response Splitting Attacks.
returntocorpThis HTML element '$EL' and attribute '$ATTR' together may load an external resource. This means that if dynamic content can enter this attribute it may be possible for an attacker to send HTTP requests to unintended locations which may leak data about your users. If this element is reaching out to a known host, consider hardcoding the host (or loading from a configuration) and appending the dynamic path. See https://github.com/cure53/HTTPLeaks for more information.
returntocorpInsecure ZIP archive extraction can result in arbitrary path over write and can result in code injection.
returntocorpInsecure ZIP archive extraction can result in arbitrary path over write and can result in code injection.
returntocorpInsecure ZIP archive extraction using adm-zip can result in arbitrary path over write and can result in code injection.
returntocorpInsecure TAR archive extraction can result in arbitrary path over write and can result in code injection.
returntocorpDetected usage of noassert in Buffer API, which allows the offset the be beyond the end of the buffer. This could result in writing or reading beyond the end of the buffer.
returntocorpMD5 is a a weak hash which is known to have collision. Use a strong hashing function.
returntocorpSHA1 is a a weak hash which is known to have collision. Use a strong hashing function.
returntocorpAES with ECB mode is deterministic in nature and not suitable for encrypting large amount of repetitive data.
returntocorpA weak or broken cryptographic algorithm was identified. Using these functions will introduce vulnerabilities or downgrade the security of your application.
returntocorpcrypto.pseudoRandomBytes()/Math.random() is a cryptographically weak random number generator.
returntocorpUser controlled data in 'unserialize()' or 'deserialize()' function can result in Object Injection or Remote Code Injection.
returntocorpUser controlled data in 'unserialize()' or 'deserialize()' function can result in Object Injection or Remote Code Injection.
returntocorpUser controlled data in eval() or similar functions may result in Server Side Injection or Remote Code Injection
returntocorpUntrusted user input in `require()` function allows an attacker to load arbitrary code.
returntocorpUser controlled data in 'yaml.load()' function can result in Remote Code Injection.
returntocorpUser controlled data in 'child_process.exec()' can result in Remote OS Command Execution.
returntocorpUser controlled data in 'shelljs.exec()' can result in Remote OS Command Execution.
returntocorpPOST Request to Express Body Parser 'bodyParser()' can create Temporary files and consume space.
returntocorpHardcoded plain text secret used for Passport Strategy. Store it properly in an environment variable.
returntocorpA hardcoded password in plain text is identified. Store it properly in an environment variable.
returntocorpA hardcoded API Key is identified. Store it properly in an environment variable.
returntocorpConsider changing the default session cookie name. An attacker can use it to fingerprint the server and target attacks accordingly.
returntocorpDefault session middleware settings: `secure` not set. It ensures the browser only sends the cookie over HTTPS.
returntocorpDefault session middleware settings: `sameSite` attribute is not configured to strict or lax. These configurations provides protection against Cross Site Request Forgery attacks.
returntocorpDefault session middleware settings: `httpOnly` not set. It ensures the sensitive cookies cannot be accessed by client side JavaScript and helps to protect against cross-site scripting attacks.
returntocorpDefault session middleware settings: `domain` not set. It indicates the domain of the cookie; use it to compare against the domain of the server in which the URL is being requested. If they match, then check the path attribute next.
returntocorpDefault session middleware settings: `path` not set. It indicates the path of the cookie; use it to compare against the request path. If this and domain match, then send the cookie in the request.
returntocorpDefault session middleware settings: `expires` not set. Use it to set expiration date for persistent cookies.
returntocorpAccess-Control-Allow-Origin response header is set to "*". This will disable CORS Same Origin Policy restrictions.