#ts

Rulesets (0)

Rules (44)

trailofbits.javascript.apollo-graphql.v3-csrf-prevention.v3-csrf-prevention

trailofbits

The Apollo GraphQL server lacks the 'csrfPrevention' option. This option is 'false' by the default in v3 of the Apollo GraphQL v3, which can enable CSRF attacks.

trailofbits.javascript.apollo-graphql.use-of-graphql-upload.use-of-graphql-upload

trailofbits

The Apollo GraphQL server is using the graphql-upload library. This library allows file uploads using POSTs with content-type: multipart/form-data, which can enable to CSRF attacks. Ensure that you are enabling CSRF protection if you really need to use graphql-upload .

trailofbits.javascript.apollo-graphql.v3-cors-audit.v3-potentially-bad-cors

trailofbits

The Apollo GraphQL server is setup with a CORS policy that does not deny all origins. Carefully review the origins to see if any of them are incorrectly setup (third-party websites, bad regexes, functions that reflect every origin, etc.).

trailofbits.javascript.apollo-graphql.v3-cors-express.v3-express-no-cors

trailofbits

The Apollo GraphQL server lacks a CORS policy. By default, the server uses the Access-Control-Allow-Origin HTTP header with the wildcard value (*).

trailofbits.javascript.apollo-graphql.v3-cors-express.v3-express-bad-cors

trailofbits

The Apollo GraphQL server is setup with a CORS policy that reflects any origin, or with a regex that has known flaws.

trailofbits.javascript.apollo-graphql.v3-cors.v3-no-cors

trailofbits

The Apollo GraphQL server lacks a CORS policy. By default, the batteries-included apollo-server package serves the Access-Control-Allow-Origin HTTP header with the wildcard value (*).

trailofbits.javascript.apollo-graphql.v3-cors.v3-bad-cors

trailofbits

The Apollo GraphQL server is setup with a CORS policy that reflects any origin, or with a regex that has known flaws.

typescript.aws-cdk.security.audit.awscdk-bucket-enforcessl.aws-cdk-bucket-enforcessl

semgrep

Bucket $X is not set to enforce encryption-in-transit, if not explictly setting this on the bucket policy - the property "enforceSSL" should be set to true

typescript.aws-cdk.security.audit.awscdk-sqs-unencryptedqueue.awscdk-sqs-unencryptedqueue

semgrep

Queue $X is missing encryption at rest. Add "encryption: $Y.QueueEncryption.KMS" or "encryption: $Y.QueueEncryption.KMS_MANAGED" to the queue props to enable encryption at rest for the queue.

typescript.aws-cdk.security.awscdk-bucket-grantpublicaccessmethod.awscdk-bucket-grantpublicaccessmethod

semgrep

Using the GrantPublicAccess method on bucket contruct $X will make the objects in the bucket world accessible. Verify if this is intentional.

typescript.aws-cdk.security.awscdk-codebuild-project-public.awscdk-codebuild-project-public

semgrep

CodeBuild Project $X is set to have a public URL. This will make the build results, logs, artifacts publically accessible, including builds prior to the project being public. Ensure this is acceptable for the project.

typescript.lang.security.audit.cors-regex-wildcard.cors-regex-wildcard

semgrep

Unescaped '.' character in CORS domain regex $CORS: $PATTERN