#javascript
Rulesets (37)
r2cScan code for potential security issues that require additional review. Recommended for teams looking to set up guardrails or to flag troublesome spots for further review.
Ajin AbrahamRules from the preeminent Node.js security scanner, NodeJSScan.
r2cDefault ruleset for JavaScript, curated by r2c.
Vasilii ErmilovMost common clientside JavaScript XSS vulnerabilities
r2cDefault ruleset for TypeScript, curated by r2c.
r2cCross-site scripting (XSS) secure defaults for Express.js
r2cRule pack for detecting insecure transport in node js
r2cScan code for potential security issues that require additional review. Recommended for teams looking to set up guardrails or to flag troublesome spots for further review.
r2cA collection of opinionated rules for best practices in popular languages. Recommended for users who want really strict coding standards.
Selected rules from eslint-plugin-security, a security plugin for ESLint, rewritten in Semgrep.
r2cSecure defaults for XSS prevention
r2cFind common bugs, errors, and logic issues in popular languages.
Colleen DaiEnsure your code communicates over encrypted channels instead of plaintext.
r2cRules for detecting secrets checked into version control
Grayson HardawayRuleset accompanying r2c OWASP presentation.
r2cScan for runtime errors, logic bus, and high-confidence security vulnerabilities. Recommended for use in CI to block serious issues from reaching production.
r2cRule pack for detecting insecure transport in node js
r2cUse recommended rulesets specific to your project. Auto config is not a ruleset but a mode that scans for languages and frameworks and then uses the Semgrep Registry to select recommended rules. Semgrep will send a list of languages, frameworks, and your project URL to the Registry when using auto mode (but code is never uploaded).
r2cOmni pack for insecure transport rules
r2celectron desktop app
r2cDefault ruleset for Express.js, written by r2c.
eslint rules in Gitlab SAST, written by Gitlab, ajinabraham, and r2c
Vasilii ErmilovInsecure usage of most popular headless browser APIs
Colleen DaiEnsure your code communicates over encrypted channels instead of plaintext.
Vasilii ErmilovSecure defaults for Command injection prevention
A ruleset of javascript and typescript rules made for OWASP Juice Shop.
r2cScan for runtime errors, logic bus, and high-confidence security vulnerabilities. Recommended for use in CI to block serious issues from reaching production. Supports Python, Java, JavaScript, and Go.
Colleen DaiSQL injection guardrails. Checks for non-constant SQL queries and other SQLi.
r2cDefault ruleset for Node.js, curated by r2c.
Grayson HardawayRuleset for OWASP SF
Rules (482)
Disabling webSecurity will disable the same-origin policy and allows the execution of insecure code from any domain.
Experimental features are not expected to be in production ready applications.
Application can load content over HTTP and that makes the app vulnerable to Man in the middle attacks.
Blink's expirimental features are enabled in this application. Some of the features may affect the security of the application.
User controlled data in 'child_process.exec()' can result in Remote OS Command Execution.
Node integration exposes node.js APIs to the electron app and this can introduce remote code execution vulnerabilities to the application if the app is vulnerable to Cross Site Scripting (XSS).
Disabling context isolation can introduce Prototype Pollution vulnerabilities.
User controlled data in 'child_process.exec()' can result in Remote OS Command Execution.
ajinabrahamFound an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine.
ajinabrahamUntrusted input concatinated with raw SQL query using knex raw() or whereRaw() functions can result in SQL Injection.
ajinabrahamThis application has anti CSRF protection which prevents cross site request forgery attacks.
ajinabrahamContent Security Policy header is present. More Information: https://helmetjs.github.io/docs/csp/
ajinabrahamX-Permitted-Cross-Domain-Policies header set to off. More information: https://helmetjs.github.io/docs/crossdomain/
ajinabrahamExpect-CT header is present. More information: https://helmetjs.github.io/docs/expect-ct/
ajinabrahamFeature-Policy header is present. More information: https://helmetjs.github.io/docs/feature-policy/
ajinabrahamX-Frame-Options header is present. More information: https://helmetjs.github.io/docs/frameguard/
ajinabrahamX-DNS-Prefetch-Control header is present and DNS Prefetch Control is enabled. More information: https://helmetjs.github.io/docs/dns-prefetch-control/
ajinabrahamDefault X-Powered-By is removed or modified. More information: https://helmetjs.github.io/docs/hide-powered-by/
ajinabrahamHSTS header is present. More information: https://helmetjs.github.io/docs/hsts/
ajinabrahamX-Download-Options header is present. More information: https://helmetjs.github.io/docs/ienoopen/
ajinabrahamContent-Type-Options header is present. More information: https://helmetjs.github.io/docs/dont-sniff-mimetype/
ajinabrahamReferrer-Policy header is present. More information: https://helmetjs.github.io/docs/referrer-policy/
ajinabrahamX-XSS-Protection header is present. More information: https://helmetjs.github.io/docs/xss-filter/
ajinabrahamThis application has API rate limiting controls.
Detected use of express.csrf() middleware before express.methodOverride(). This can allow GET requests (which are not checked by csrf) to turn into POST requests later.
Detected eval(variable), which could allow a malicious actor to run arbitrary code.
Detected non-literal calls to child_process.exec(). This could lead to a command injection vulnerability.
Detected usage of crypto.pseudoRandomBytes, which does not produce secure random numbers.
Markup escaping disabled. This can be used with some template engines to escape disabling of HTML entities, which can lead to XSS attacks.
Detected the use of require(variable). Calling require with a non-literal argument might allow an attacker to load an run arbitrary code, or access arbitrary files.
Detected usage of noassert in Buffer API, which allows the offset the be beyond the end of the buffer. This could result in writing or reading beyond the end of the buffer.
String comparisons using '===', '!==', '!=' and '==' is vulnerable to timing attacks. More info: https://snyk.io/blog/node-js-timing-attack-ccc-ctf/
RegExp() called with a variable, this might allow an attacker to DOS your application with a long-running regular expression.
Missing 'noopener' on an anchor tag where target='_blank'. This could introduce a reverse tabnabbing vulnerability. Include 'noopener' when using target='_blank'.
Setting HTML from code is risky because it’s easy to inadvertently expose your users to a cross-site scripting (XSS) attack.
returntocorpMake sure that unverified user data can not reach vm.runInContext.
returntocorpMake sure that unverified user data can not reach `vm2`.
returntocorpMake sure that unverified user data can not reach `vm2`.
returntocorpMake sure that unverified user data can not reach vm.runInNewContext.
returntocorpMake sure that unverified user data can not reach vm.compileFunction.
returntocorpMake sure that unverified user data can not reach vm instance.
returntocorpPath constructed with user input can result in Path Traversal. Ensure that user input does not reach `join()` or `resolve()`.
returntocorpUnrusted data in `sandbox` can result in code injection.
returntocorpUntrusted user input in `vm.runInNewContext()` can result in code injection.
returntocorpUntrusted user input reaching `vm2` can result in code injection.
returntocorpUntrusted user input in `vm.compileFunction()` can result in code injection.
returntocorpUntrusted user input reaching `vm` can result in code injection.
returntocorpUntrusted user input in templating engine's compile() function can result in Remote Code Execution via server side template injection.
returntocorpUntrusted user input reaching `vm2` sandbox can result in context injection.
returntocorpUntrusted user input in `vm.runInContext()` can result in code injection.
returntocorpContent-Type-Options header is present. More information: https://helmetjs.github.io/docs/dont-sniff-mimetype/
returntocorpReferrer-Policy header is present. More information: https://helmetjs.github.io/docs/referrer-policy/
returntocorpX-XSS-Protection header is present. More information: https://helmetjs.github.io/docs/xss-filter/
returntocorpThis application has API rate limiting controls.
returntocorpDisabling context isolation can introduce Prototype Pollution vulnerabilities.
returntocorpExperimental features are not expected to be in production ready applications.
returntocorpUntrusted input concatinated with raw SQL query can result in SQL Injection.
returntocorpFeature-Policy header is present. More information: https://helmetjs.github.io/docs/feature-policy/
returntocorpX-Frame-Options header is present. More information: https://helmetjs.github.io/docs/frameguard/
returntocorpX-DNS-Prefetch-Control header is present and DNS Prefetch Control is enabled. More information: https://helmetjs.github.io/docs/dns-prefetch-control/
returntocorpDefault X-Powered-By is removed or modified. More information: https://helmetjs.github.io/docs/hide-powered-by/
returntocorpHSTS header is present. More information: https://helmetjs.github.io/docs/hsts/
returntocorpX-Download-Options header is present. More information: https://helmetjs.github.io/docs/ienoopen/
returntocorpA hardcoded secret is identified. Store it properly in an environment variable.
returntocorpError messages with stack traces can expose sensitive information about the application.
returntocorpError messages with stack traces may expose sensitive information about the application.
returntocorpBlink's experimental features are enabled in this application. Some of the features may affect the security of the application.
ajinabrahamMD5 is a a weak hash which is known to have collision. Use a strong hashing function.
ajinabrahamSHA1 is a a weak hash which is known to have collision. Use a strong hashing function.
ajinabrahamAES with ECB mode is deterministic in nature and not suitable for encrypting large amount of repetitive data.
ajinabrahamAES algorithms requires an initialization vector (IV). Providing no or null IV in some implementation results to a 0 IV. Use of a deterministic IV makes dictionary attacks easier.
ajinabrahamA weak or broken cryptographic algorithm was identified. Using these functions will introduce vulnerabilities or downgrade the security of your application.
ajinabrahamcrypto.pseudoRandomBytes()/Math.random() is a cryptographically weak random number generator.
ajinabrahamString comparisons using '===', '!==', '!=' and '==' is vulnerable to timing attacks. More info: https://snyk.io/blog/node-js-timing-attack-ccc-ctf/
ajinabrahamSetting 'NODE_TLS_REJECT_UNAUTHORIZED' to 0 will allow node server to accept self signed certificates and is not a secure behaviour.
returntocorpUser controlled data in RegExp() can make the application vulnerable to layer 7 DoS.
returntocorpDisabling webSecurity will disable the same-origin policy and allows the execution of insecure code from any domain.
ajinabrahamEnsure that the regex used to compare with user supplied input is safe from regular expression denial of service.
returntocorpString comparisons using '===', '!==', '!=' and '==' is vulnerable to timing attacks. More info: https://snyk.io/blog/node-js-timing-attack-ccc-ctf/
ajinabrahamUser controlled data in 'unserialize()' or 'deserialize()' function can result in Object Injection or Remote Code Injection.
returntocorpUser controlled data in XML Parsers can result in XML Internal Entity Processing vulnerabilities like in DoS.
ajinabrahamUser controlled data in 'unserialize()' or 'deserialize()' function can result in Object Injection or Remote Code Injection.
returntocorpMarkup escaping disabled. This can be used with some template engines to escape disabling of HTML entities, which can lead to XSS attacks.
ajinabrahamUntrusted user input in `require()` function allows an attacker to load arbitrary code.
returntocorpUntrusted user input reaching `serialize-javascript` with `unsafe` attribute can cause Cross Site Scripting (XSS).
ajinabrahamUnrusted data in `sandbox` can result in code injection.
ajinabrahamUntrusted user input reaching `vm2` can result in code injection.
ajinabrahamError messages with stack traces can expose sensitive information about the application.
ajinabrahamError messages with stack traces may expose sensitive information about the application.
ajinabrahamHardcoded plain text secret used for Passport Strategy. Store it properly in an environment variable.
ajinabrahamA hardcoded password in plain text is identified. Store it properly in an environment variable.
ajinabrahamA hardcoded username in plain text is identified. Store it properly in an environment variable.
ajinabrahamA hardcoded API Key is identified. Store it properly in an environment variable.
ajinabrahamA hardcoded secret is identified. Store it properly in an environment variable.
ajinabrahamUser controlled data is used for application business logic decision making. This expose protected data or functionality.
ajinabrahamDefault session middleware settings: `path` not set. It indicates the path of the cookie; use it to compare against the request path. If this and domain match, then send the cookie in the request.
ajinabrahamSession middleware settings: `maxAge` not set. Use it to set expiration date for cookies.
ajinabrahamAccess-Control-Allow-Origin response header is set to "*". This will disable CORS Same Origin Policy restrictions.
ajinabrahamAccess-Control-Allow-Origin response header is set to "*". This will disable CORS Same Origin Policy restrictions.
ajinabrahamOne or more Security Response header is explicitly disabled in Helmet.
ajinabrahamUntrusted user input in response header will result in HTTP Header Injection or Response Splitting Attacks.
ajinabrahamX-XSS-Protection header is set to 0. This will disable the browser's XSS Filter.
ajinabrahamX-XSS-Protection header is set to 0. This will disable the browser's XSS Filter.
ajinabrahamUsing untrusted Host header for generating dynamic URLs can result in web cache and or password reset poisoning.
ajinabrahamPassword is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens.
ajinabrahamHardcoded JWT secret or private key was found. Store it properly in an environment variable.
ajinabrahamHardcoded JWT secret was found. Store it properly in an environment variable.
ajinabrahamAlgorithm is set to none for JWT token. This can nullify the integrity of JWT signature.
ajinabrahamNo token revoking configured for `express-jwt`. A leaked token could still be used and unable to be revoked. Consider using function as the `isRevoked` option.
ajinabrahamUser controlled URL in http client libraries can result in Server Side Request Forgery (SSRF).
ajinabrahamIf unverified user data can reach the `phantom` methods it can result in Server-Side Request Forgery vulnerabilities.
ajinabrahamIf unverified user data can reach the `puppeteer` methods it can result in Server-Side Request Forgery vulnerabilities.
ajinabrahamIf unverified user data can reach the `puppeteer` methods it can result in Server-Side Request Forgery vulnerabilities.
ajinabrahamUser controlled URL reached to `wkhtmltoimage` can result in Server Side Request Forgery (SSRF).
ajinabrahamUser controlled URL reached to `wkhtmltopdf` can result in Server Side Request Forgery (SSRF).
ajinabrahamUntrusted user input in express render() function can result in arbitrary file read when hbs templating is used.
ajinabrahamUntrusted user input in express render() function can result in arbitrary file read if hbs templating is used.
ajinabrahamUntrusted user input in readFile()/readFileSync() can endup in Directory Traversal Attacks.
ajinabrahamUser controlled data in XML Parsers can result in XML Internal Entity Processing vulnerabilities like in DoS.
ajinabrahamMake sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities.
ajinabrahamUser controlled data in XML parsers can result in XML External or Internal Entity (XXE) Processing vulnerabilities
ajinabrahamUse of 'ondoctype' in 'sax' library detected. By default, 'sax' won't do anything with custom DTD entity definitions. If you're implementing a custom DTD entity definition, be sure not to introduce XML External Entity (XXE) vulnerabilities, or be absolutely sure that external entities received from a trusted source while processing XML.
ajinabrahamMake sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities.
ajinabrahamMarkup escaping disabled. This can be used with some template engines to escape disabling of HTML entities, which can lead to XSS attacks.
ajinabrahamThe Sequelize connection string indicates that database server does not use TLS. Non TLS connections are susceptible to man in the middle (MITM) attacks.
ajinabrahamThe Sequelize connection string indicates that TLS certificate vailidation of database server is disabled. This is equivalent to not having TLS. An attacker can present any invalid certificate and Sequelize will make database connection ignoring certificate errors. This setting make the connection susceptible to man in the middle (MITM) attacks. Not applicable to SQLite database.
ajinabrahamThe Sequelize connection string indicates that an older version of TLS is in use. TLS1.0 and TLS1.1 are deprecated and should be used. By default, Sequelize use TLSv1.2 but it's recommended to use TLS1.3. Not applicable to SQLite database.
ajinabrahamUntrusted input concatinated with raw SQL query can result in SQL Injection.
ajinabrahamUntrusted input concatinated with raw SQL query using knex raw() or whereRaw() functions can result in SQL Injection.
ajinabrahamLayer7 Denial of Service. Looping over user controlled objects can result in DoS.
ajinabrahamUser controlled data in eval() or similar functions may result in Server Side Injection or Remote Code Injection
ajinabrahamUser controlled data in 'child_process.exec()' can result in Remote OS Command Execution.
ajinabrahamUser controlled data in 'shelljs.exec()' can result in Remote OS Command Execution.
ajinabrahamThe object is passed strictly to jose.JWT.sign(...). Make sure that sensitive information is not exposed through JWT token payload.
ajinabrahamDetected usage of noassert in Buffer API, which allows the offset the be beyond the end of the buffer. This could result in writing or reading beyond the end of the buffer.
ajinabrahamUntrusted user input in redirect() can result in Open Redirect vulnerability.
ajinabrahamUntrusted user input in response header('Location') can result in Open Redirect vulnerability.
ajinabrahamInsecure ZIP archive extraction can result in arbitrary path over write and can result in code injection.
ajinabrahamInsecure ZIP archive extraction can result in arbitrary path over write and can result in code injection.
ajinabrahamInsecure ZIP archive extraction using adm-zip can result in arbitrary path over write and can result in code injection.
ajinabrahamInsecure TAR archive extraction can result in arbitrary path over write and can result in code injection.
ajinabrahamPath constructed with user input can result in Path Traversal. Ensure that user input does not reach `join()` or `resolve()`.
ajinabrahamUser controlled data in xpath.parse() can result in XPATH injection vulnerability.
ajinabrahamUntrusted User Input in Response will result in Reflected Cross Site Scripting Vulnerability.
ajinabrahamUntrusted user input reaching `serialize-javascript` with `unsafe` attribute can cause Cross Site Scripting (XSS).
ajinabrahamHandlebars SafeString will not escape the data passed through it. Untrusted user input passing through SafeString can cause XSS.
ajinabrahamDisabling Escaping in Handlebars is not a secure behaviour. This can introduce XSS vulnerabilties.
ajinabrahamHandlebars SafeString will not escape the data passed through it. Untrusted user input passing through SafeString can cause XSS.
returntocorpUntrusted user input in response header will result in HTTP Header Injection or Response Splitting Attacks.
returntocorpFound an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine.
returntocorpThis application has anti CSRF protection which prevents cross site request forgery attacks.
returntocorpContent Security Policy header is present. More Information: https://helmetjs.github.io/docs/csp/
returntocorpX-Permitted-Cross-Domain-Policies header set to off. More information: https://helmetjs.github.io/docs/crossdomain/
returntocorpExpect-CT header is present. More information: https://helmetjs.github.io/docs/expect-ct/
ajinabrahamSSL Certificate verification for node-curl is disabled.
ajinabrahamUntrusted user input in findOne() function can result in NoSQL Injection.
ajinabrahamUntrusted user input in MongoDB $where operator can result in NoSQL JavaScript Injection.
returntocorpNode integration exposes node.js APIs to the electron app and this can introduce remote code execution vulnerabilities to the application if the app is vulnerable to Cross Site Scripting (XSS).
returntocorpHardcoded JWT secret or private key was found. Store it properly in an environment variable.
returntocorpHardcoded JWT secret was found. Store it properly in an environment variable.
returntocorpUser controlled data is used for application business logic decision making. This expose protected data or functionality.
ajinabrahamPOST Request to Express Body Parser 'bodyParser()' can create Temporary files and consume space.
ajinabrahamUser controlled data in RegExp() can make the application vulnerable to layer 7 DoS.
ajinabrahamDisabling webSecurity will disable the same-origin policy and allows the execution of insecure code from any domain.
ajinabrahamApplication can load content over HTTP and that makes the app vulnerable to Man in the middle attacks.
ajinabrahamBlink's expirimental features are enabled in this application. Some of the features may affect the security of the application.
ajinabrahamNode integration exposes node.js APIs to the electron app and this can introduce remote code execution vulnerabilities to the application if the app is vulnerable to Cross Site Scripting (XSS).
ajinabrahamDisabling context isolation can introduce Prototype Pollution vulnerabilities.
ajinabrahamExperimental features are not expected to be in production ready applications.
ajinabrahamUntrusted user input reaching `vm2` sandbox can result in context injection.
ajinabrahamUntrusted user input in `vm.runInContext()` can result in code injection.
ajinabrahamUntrusted user input in `vm.runInNewContext()` can result in code injection.
ajinabrahamUntrusted user input in `vm.compileFunction()` can result in code injection.
ajinabrahamUntrusted user input reaching `vm` can result in code injection.
ajinabrahamUser controlled data in 'yaml.load()' function can result in Remote Code Injection.
ajinabrahamUntrusted user input in templating engine's compile() function can result in Remote Code Execution via server side template injection.
ajinabrahamConsider changing the default session cookie name. An attacker can use it to fingerprint the server and target attacks accordingly.
ajinabrahamDefault session middleware settings: `secure` not set. It ensures the browser only sends the cookie over HTTPS.
ajinabrahamDefault session middleware settings: `sameSite` attribute is not configured to strict or lax. These configurations provides protection against Cross Site Request Forgery attacks.
ajinabrahamSession middleware settings: `httpOnly` is explicitly set to false. It ensures that sensitive cookies cannot be accessed by client side JavaScript and helps to protect against cross-site scripting attacks.
ajinabrahamDefault session middleware settings: `domain` not set. It indicates the domain of the cookie; use it to compare against the domain of the server in which the URL is being requested. If they match, then check the path attribute next.
returntocorpDetected usage of noassert in Buffer API, which allows the offset the be beyond the end of the buffer. This could result in writing or reading beyond the end of the buffer.
returntocorpMD5 is a a weak hash which is known to have collision. Use a strong hashing function.
returntocorpSHA1 is a a weak hash which is known to have collision. Use a strong hashing function.
returntocorpAES with ECB mode is deterministic in nature and not suitable for encrypting large amount of repetitive data.
returntocorpUntrusted user input in `require()` function allows an attacker to load arbitrary code.
returntocorpUser controlled data in 'yaml.load()' function can result in Remote Code Injection.
returntocorpUser controlled data in 'child_process.exec()' can result in Remote OS Command Execution.
returntocorpUser controlled data in 'shelljs.exec()' can result in Remote OS Command Execution.
returntocorpPOST Request to Express Body Parser 'bodyParser()' can create Temporary files and consume space.
returntocorpHardcoded plain text secret used for Passport Strategy. Store it properly in an environment variable.
returntocorpA hardcoded password in plain text is identified. Store it properly in an environment variable.
returntocorpA hardcoded API Key is identified. Store it properly in an environment variable.
returntocorpConsider changing the default session cookie name. An attacker can use it to fingerprint the server and target attacks accordingly.
returntocorpDefault session middleware settings: `secure` not set. It ensures the browser only sends the cookie over HTTPS.
returntocorpDefault session middleware settings: `sameSite` attribute is not configured to strict or lax. These configurations provides protection against Cross Site Request Forgery attacks.
returntocorpDefault session middleware settings: `httpOnly` not set. It ensures the sensitive cookies cannot be accessed by client side JavaScript and helps to protect against cross-site scripting attacks.
returntocorpDefault session middleware settings: `domain` not set. It indicates the domain of the cookie; use it to compare against the domain of the server in which the URL is being requested. If they match, then check the path attribute next.
returntocorpDefault session middleware settings: `path` not set. It indicates the path of the cookie; use it to compare against the request path. If this and domain match, then send the cookie in the request.
returntocorpDefault session middleware settings: `expires` not set. Use it to set expiration date for persistent cookies.
returntocorpAccess-Control-Allow-Origin response header is set to "*". This will disable CORS Same Origin Policy restrictions.
returntocorpAccess-Control-Allow-Origin response header is set to "*". This will disable CORS Same Origin Policy restrictions.
returntocorpOne or more Security Response header is explicitly disabled in Helmet.
returntocorpX-XSS-Protection header is set to 0. This will disable the browser's XSS Filter.
returntocorpX-XSS-Protection header is set to 0. This will disable the browser's XSS Filter.
returntocorpUsing untrusted Host header for generating dynamic URLs can result in web cache and or password reset poisoning.
returntocorpPassword is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens.
returntocorpThe object is passed strictly to jose.JWT.sign(...). Make sure that sensitive information is not exposed through JWT token payload.
returntocorpAlgorithm is set to none for JWT token. This can nullify the integrity of JWT signature.
returntocorpNo token revoking configured for `express-jwt`. A leaked token could still be used and unable to be revoked. Consider using function as the `isRevoked` option.
returntocorpLayer7 Denial of Service. Looping over user controlled objects can result in DoS.
returntocorpUntrusted user input in findOne() function can result in NoSQL Injection.
returntocorpUntrusted user input in MongoDB $where operator can result in NoSQL JavaScript Injection.
returntocorpUntrusted user input in redirect() can result in Open Redirect vulnerability.
returntocorpUntrusted user input in response header('Location') can result in Open Redirect vulnerability.
returntocorpUntrusted user input in readFile()/readFileSync() can endup in Directory Traversal Attacks.
returntocorpUser controlled URL in http client libraries can result in Server Side Request Forgery (SSRF).
returntocorpIf unverified user data can reach the `phantom` methods it can result in Server-Side Request Forgery vulnerabilities.
returntocorpIf unverified user data can reach the `puppeteer` methods it can result in Server-Side Request Forgery vulnerabilities.
returntocorpSSL Certificate verification for node-curl is disabled.
returntocorpIf unverified user data can reach the `puppeteer` methods it can result in Server-Side Request Forgery vulnerabilities.
returntocorpUser controlled URL reached to `wkhtmltoimage` can result in Server Side Request Forgery (SSRF).
returntocorpUser controlled URL reached to `wkhtmltopdf` can result in Server Side Request Forgery (SSRF).
returntocorpSetting 'NODE_TLS_REJECT_UNAUTHORIZED' to 0 will allow node server to accept self signed certificates and is not a secure behaviour.
returntocorpUser controlled data in xpath.parse() can result in XPATH injection vulnerability.
returntocorpUntrusted User Input in Response will result in Reflected Cross Site Scripting Vulnerability.
returntocorpHandlebars SafeString will not escape the data passed through it. Untrusted user input passing through SafeString can cause XSS.
returntocorpDisabling Escaping in Handlebars is not a secure behaviour. This can introduce XSS vulnerabilities.
returntocorpHandlebars SafeString will not escape the data passed through it. Untrusted user input passing through SafeString can cause XSS.
returntocorpMake sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities.
returntocorpUser controlled data in XML parsers can result in XML External or Internal Entity (XXE) Processing vulnerabilities
returntocorpUse of 'ondoctype' in 'sax' library detected. By default, 'sax' won't do anything with custom DTD entity definitions. If you're implementing a custom DTD entity definition, be sure not to introduce XML External Entity (XXE) vulnerabilities, or be absolutely sure that external entities received from a trusted source while processing XML.
returntocorpMake sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities.
returntocorpUntrusted user input in rendering reactHTMLParser can lead to an XSS
returntocorpIf the $translateSanitization.useStrategy is set to null or blank this can be dangerous.
returntocorp`undefined` is not a reserved keyword in Javascript, so this is "valid" Javascript but highly confusing and likely to result in bugs.
returntocorpfound alert() call; should this be in production code?
returntocorpfound debugger call; should this be in production code?
returntocorpfound prompt() call; should this be in production code?
returntocorpCreating and using a large number of zlib objects simultaneously can cause significant memory fragmentation. It is strongly recommended that the results of compression operations be cached or made synchronous to avoid duplication of effort.
returntocorp`$X` is assigned twice; the first assignment is useless
returntocorpDetected a useless comparison operation `$X == $X` or `$X != $X`. This operation is always true. If testing for floating point NaN, use `math.isnan`, or `cmath.isnan` if the number is complex.
returntocorpInsecure ZIP archive extraction can result in arbitrary path over write and can result in code injection.
returntocorpInsecure ZIP archive extraction can result in arbitrary path over write and can result in code injection.
returntocorpInsecure ZIP archive extraction using adm-zip can result in arbitrary path over write and can result in code injection.
returntocorpInsecure TAR archive extraction can result in arbitrary path over write and can result in code injection.
returntocorpA weak or broken cryptographic algorithm was identified. Using these functions will introduce vulnerabilities or downgrade the security of your application.
returntocorpA hardcoded username in plain text is identified. Store it properly in an environment variable.
returntocorpApplication can load content over HTTP and that makes the app vulnerable to Man in the middle attacks.
returntocorpBy declaring a styled component inside the render method of a react component, you are dynamically creating a new component on every render. This means that React will have to discard and re-calculate that part of the DOM subtree on each subsequent render, instead of just calculating the difference of what changed between them. This leads to performance bottlenecks and unpredictable behavior.
returntocorpfindDOMNode is an escape hatch used to access the underlying DOM node. In most cases, use of this escape hatch is discouraged because it pierces the component abstraction.
returntocorpLegacy component lifecycle was detected - $METHOD.
returntocorpcrypto.pseudoRandomBytes()/Math.random() is a cryptographically weak random number generator.
returntocorpUser controlled data in 'unserialize()' or 'deserialize()' function can result in Object Injection or Remote Code Injection.
returntocorpUser controlled data in 'unserialize()' or 'deserialize()' function can result in Object Injection or Remote Code Injection.
returntocorpThe string method replaceAll is not supported in all versions of javascript, and is not supported by older browser versions. Consider using replace() with a regex as the first argument instead like mystring.replace(/bad/g, "good") instead of mystring.replaceAll("bad", "good") (https://discourse.threejs.org/t/replaceall-is-not-a-function/14585)
ajinabrahamFound an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine.
A variable is present in the filename argument of fs calls, this might allow an attacker to access anything on your system.
Bracket object notation with user input is present, this might allow an attacker to access all properties of the object and even it's prototype, leading to possible code execution.
returntocorpUser controlled data was found to enter a dynamic execution of JavaScript. This can lead to Remote Code Injection. Where possible do not dynamically execute user-input in functions such as eval(...).
returntocorpfound confirm() call; should this be in production code?
returntocorpTLS1.0 and TLS1.1 are deprecated and should not be used anymore. By default, NodeJS used TLSv1.2. So, TLS min version must not be downgrade to TLS1.0 or TLS1.1. Enforce TLS1.3 is highly recommended This rule checks TLS configuration only for PostgreSQL, MariaDB and MySQL. SQLite is not really concerned by TLS configuration. This rule could be extended for MSSQL, but the dialectOptions is specific for Tedious.
Upgrade to Semgrep Team Tier to see this rule. Visit https://semgrep.dev/pricing to learn how to upgrade.
Upgrade to Semgrep Team Tier to see this rule. Visit https://semgrep.dev/pricing to learn how to upgrade.
returntocorpPrefer Argon2id where possible. Per RFC9016, section 4 IETF recommends selecting Argon2id unless you can guarantee an adversary has no direct access to the computing environment.
Upgrade to Semgrep Team Tier to see this rule. Visit https://semgrep.dev/pricing to learn how to upgrade.
Upgrade to Semgrep Team Tier to see this rule. Visit https://semgrep.dev/pricing to learn how to upgrade.
Upgrade to Semgrep Team Tier to see this rule. Visit https://semgrep.dev/pricing to learn how to upgrade.
Upgrade to Semgrep Team Tier to see this rule. Visit https://semgrep.dev/pricing to learn how to upgrade.
returntocorpDepending on the context, user control data in `Object.assign` can cause web response to include data that it should not have or can lead to a mass assignment vulnerability.
returntocorpDetected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, used parameterized queries or prepared statements instead. You can use parameterized statements like so: `sequelize.query('SELECT * FROM projects WHERE status = ?', { replacements: ['active'], type: QueryTypes.SELECT });`
returntocorpUser data flows into the host portion of this manually-constructed HTML. This can introduce a Cross-Site-Scripting (XSS) vulnerability if this comes from user-provided input. Consider using a sanitization library such as DOMPurify to sanitize the HTML within.
returntocorpPossibility of prototype polluting assignment detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object.
returntocorpThis rule is deprecated.
returntocorpDetected the use of require(variable). Calling require with a non-literal argument might allow an attacker to load and run arbitrary code, or access arbitrary files.
returntocorpIt looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. You can use the `bcrypt` node.js package.
returntocorpPossibility of prototype polluting function detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object.
returntocorpDetected string concatenation with a non-literal variable in a `mssql` JS SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, used parameterized queries or prepared statements instead. You can use parameterized statements like so: `$REQ.input('USER_ID', mssql.Int, id);`
returntocorpDetected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string.
returntocorpThis template literal looks like HTML and has interpolated variables. These variables are not HTML-encoded by default. If the variables contain HTML tags, these may be interpreted by the browser, resulting in cross-site scripting (XSS).
returntocorpIf user input reaches `HoverProvider` while `supportHml` is set to `true` it may introduce an XSS vulnerability. Do not produce HTML for hovers with dynamically generated input.
returntocorpUse of $window.location.href can lead to open-redirect if user input is used for redirection.
returntocorp$sceDelegateProvider allowlisting can introduce security issues if wildcards are used.
returntocorpThe use of $sce.trustAsCss can be dangerous if unsanitized user input flows through this API.
returntocorpThe use of $sce.trustAsHtml can be dangerous if unsanitized user input flows through this API.
returntocorpThe use of $sce.trustAsJs can be dangerous if unsanitized user input flows through this API.