#typescript
Rulesets (20)
r2cDefault ruleset for JavaScript, curated by r2c.
Vasilii ErmilovMost common clientside JavaScript XSS vulnerabilities
r2cDefault ruleset for TypeScript, curated by r2c.
r2cReact security rules.
r2cRules for detecting secrets checked into version control
r2celectron desktop app
r2cDefault ruleset for Express.js, written by r2c.
eslint rules in Gitlab SAST, written by Gitlab, ajinabraham, and r2c
Vasilii ErmilovInsecure usage of most popular headless browser APIs
A ruleset of javascript and typescript rules made for OWASP Juice Shop.
r2cNextjs security rules.
r2cDefault ruleset for Node.js, curated by r2c.
r2cReact rules which contain best practices and general code-smells, should not be run in CI/CD.
r2cReact rules available to team tier customers, this rule-pack would be the most recommended due to higher accuracy of sources.
Rules (268)
returntocorpMake sure that unverified user data can not reach `vm2`.
returntocorpMake sure that unverified user data can not reach `vm2`.
returntocorpMake sure that unverified user data can not reach vm.runInContext.
returntocorpMake sure that unverified user data can not reach vm.runInNewContext.
returntocorpMake sure that unverified user data can not reach vm.compileFunction.
returntocorpMake sure that unverified user data can not reach vm instance.
returntocorp`undefined` is not a reserved keyword in Javascript, so this is "valid" Javascript but highly confusing and likely to result in bugs.
returntocorpfound alert() call; should this be in production code?
returntocorpfound debugger call; should this be in production code?
returntocorpfound prompt() call; should this be in production code?
returntocorpCreating and using a large number of zlib objects simultaneously can cause significant memory fragmentation. It is strongly recommended that the results of compression operations be cached or made synchronous to avoid duplication of effort.
returntocorp`$X` is assigned twice; the first assignment is useless
returntocorpDetected a useless comparison operation `$X == $X` or `$X != $X`. This operation is always true. If testing for floating point NaN, use `math.isnan`, or `cmath.isnan` if the number is complex.
returntocorpThe output is not sanitized when calling with SecurityContext.NONE.
returntocorpBy declaring a styled component inside the render method of a react component, you are dynamically creating a new component on every render. This means that React will have to discard and re-calculate that part of the DOM subtree on each subsequent render, instead of just calculating the difference of what changed between them. This leads to performance bottlenecks and unpredictable behavior.
returntocorpfindDOMNode is an escape hatch used to access the underlying DOM node. In most cases, use of this escape hatch is discouraged because it pierces the component abstraction.
returntocorpLegacy component lifecycle was detected - $METHOD.
returntocorpThe string method replaceAll is not supported in all versions of javascript, and is not supported by older browser versions. Consider using replace() with a regex as the first argument instead like mystring.replace(/bad/g, "good") instead of mystring.replaceAll("bad", "good") (https://discourse.threejs.org/t/replaceall-is-not-a-function/14585)
returntocorpfound confirm() call; should this be in production code?
returntocorpTLS1.0 and TLS1.1 are deprecated and should not be used anymore. By default, NodeJS used TLSv1.2. So, TLS min version must not be downgrade to TLS1.0 or TLS1.1. Enforce TLS1.3 is highly recommended This rule checks TLS configuration only for PostgreSQL, MariaDB and MySQL. SQLite is not really concerned by TLS configuration. This rule could be extended for MSSQL, but the dialectOptions is specific for Tedious.
Insufficient permissions to view rule definition Upgrade to Semgrep Team Tier to see this rule. Visit https://semgrep.dev/pricing to learn how to upgrade.
Insufficient permissions to view rule definition Upgrade to Semgrep Team Tier to see this rule. Visit https://semgrep.dev/pricing to learn how to upgrade.
Insufficient permissions to view rule definition Upgrade to Semgrep Team Tier to see this rule. Visit https://semgrep.dev/pricing to learn how to upgrade.
Insufficient permissions to view rule definition Upgrade to Semgrep Team Tier to see this rule. Visit https://semgrep.dev/pricing to learn how to upgrade.
Insufficient permissions to view rule definition Upgrade to Semgrep Team Tier to see this rule. Visit https://semgrep.dev/pricing to learn how to upgrade.
returntocorpDepending on the context, user control data in `Object.assign` can cause web response to include data that it should not have or can lead to a mass assignment vulnerability.
returntocorpAllowing spawning arbitrary programs or running shell processes with arbitrary arguments may end up in a command injection vulnerability. Try to avoid non-literal values for the command string. If it is not possible, then do not let running arbitrary commands, use a white list for inputs.
returntocorpDetected DynamoDB query params that are tainted by `$EVENT` object. This could lead to NoSQL injection if the variable is user-controlled and not properly sanitized. Explicitly assign query params instead of passing data from `$EVENT` directly to DynamoDB client.
returntocorpDetected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, used parameterized queries or prepared statements instead. You can use parameterized statements like so: `knex.raw('SELECT $1 from table', [userinput])`
returntocorpDetected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, used parameterized queries or prepared statements instead. You can use parameterized statements like so: `connection.query('SELECT $1 from table', [userinput])`
returntocorpDetected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, used parameterized queries or prepared statements instead. You can use parameterized statements like so: `connection.query('SELECT $1 from table', [userinput])`
returntocorpThe `vm` module enables compiling and running code within V8 Virtual Machine contexts. The `vm` module is not a security mechanism. Do not use it to run untrusted code. If code passed to `vm` functions is controlled by user input it could result in command injection. Do not let user input in `vm` functions.
returntocorpThe application accepts potentially user-controlled input `$PROP` which can control the location of the current window context. This can lead two types of vulnerabilities open-redirection and Cross-Site-Scripting (XSS) with JavaScript URIs. It is recommended to validate user-controllable input before allowing it to control the redirection.
returntocorpA CSRF middleware was not detected in your express application. Ensure you are either using one such as `csurf` or `csrf` (see rule references) and/or you are properly doing CSRF validation in your routes with a token or cookies.
returntocorpDetected usage of the `notevil` package, which is unmaintained and has vulnerabilities. Using any sort of `eval()` functionality can be very dangerous, but if you must, the `eval` package is an up to date alternative. Be sure that only trusted input reaches an `eval()` function.
returntocorpBracket object notation with user input is present, this might allow an attacker to access all properties of the object and even it's prototype. Use literal values for object properties.
returntocorpUser data flows into the host portion of this manually-constructed HTML. This can introduce a Cross-Site-Scripting (XSS) vulnerability if this comes from user-provided input. Consider using a sanitization library such as DOMPurify to sanitize the HTML within.
returntocorpBy letting user input control `X-Frame-Options` header, there is a risk that software does not properly verify whether or not a browser should be allowed to render a page in an `iframe`.
returntocorpPossibility of prototype polluting assignment detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object.
returntocorpThis rule is deprecated.
returntocorpDetected the use of require(variable). Calling require with a non-literal argument might allow an attacker to load and run arbitrary code, or access arbitrary files.
returntocorpPossibility of prototype polluting function detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object.
returntocorpDetected string concatenation with a non-literal variable in a `mssql` JS SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, used parameterized queries or prepared statements instead. You can use parameterized statements like so: `$REQ.input('USER_ID', mssql.Int, id);`
returntocorpDetected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string.
returntocorpThis template literal looks like HTML and has interpolated variables. These variables are not HTML-encoded by default. If the variables contain HTML tags, these may be interpreted by the browser, resulting in cross-site scripting (XSS).
returntocorpIf user input reaches `HoverProvider` while `supportHml` is set to `true` it may introduce an XSS vulnerability. Do not produce HTML for hovers with dynamically generated input.
returntocorpAdd "encryption: $Y.BucketEncryption.KMS_MANAGED" or "encryption: $Y.BucketEncryption.S3_MANAGED" to the bucket props for Bucket construct $X
returntocorpUse of $window.location.href can lead to open-redirect if user input is used for redirection.
returntocorp$sceDelegateProvider allowlisting can introduce security issues if wildcards are used.
returntocorpThe use of $sce.trustAsCss can be dangerous if unsanitized user input flows through this API.
returntocorpThe use of $sce.trustAsHtml can be dangerous if unsanitized user input flows through this API.
returntocorpThe use of $sce.trustAsJs can be dangerous if unsanitized user input flows through this API.
returntocorpThe use of $sce.trustAs can be dangerous if unsanitized user input flows through this API.
returntocorpThe use of $sce.trustAsResourceUrl can be dangerous if unsanitized user input flows through this API.
returntocorpThe use of $sce.trustAsUrl can be dangerous if unsanitized user input flows through this API.
returntocorpPotential arbitrary code execution, whatever is provided to `toFastProperties` is sent straight to eval()
returntocorpDetected possible DOM-based XSS. This occurs because a portion of the URL is being used to construct an element added directly to the page. For example, a malicious actor could send someone a link like this: http://www.some.site/page.html?default=<script>alert(document.cookie)</script> which would add the script to the page. Consider allowlisting appropriate values or using an approach which does not involve the URL.
returntocorpDetected the use of eval(). eval() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.
returntocorpUser controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern that can lead to XSS vulnerabilities
returntocorpUser controlled data in a `$EL.innerHTML` is an anti-pattern that can lead to XSS vulnerabilities
returntocorpNo validation of origin is done by the addEventListener API. It may be possible to exploit this flaw to perform Cross Origin attacks such as Cross-Site Scripting(XSS).
returntocorpthis rule has been deprecated.
returntocorpUser controlled data in a HTML string may result in XSS
returntocorpThe target origin of the window.postMessage() API is set to "*". This could allow for information disclosure due to the possibility of any origin allowed to receive the message.
returntocorpIf unverified user data can reach the `compileScript` method it can result in Server-Side Request Forgery vulnerabilities
returntocorpthis rule has been deprecated.
returntocorpthis rule has been deprecated.
returntocorpthis rule has been deprecated.
returntocorpthis rule has been deprecated.
returntocorpDetected non-literal calls to Deno.run(). This could lead to a command injection vulnerability.
returntocorpNo token revoking configured for `express-jwt`. A leaked token could still be used and unable to be revoked. Consider using function as the `isRevoked` option.
returntocorpPossible writing outside of the destination, make sure that the target path is nested in the intended destination
returntocorpXml Parser is used inside Request Event. Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities
returntocorpIt looks like '$UNK' is read from user input and it is used to as a redirect. Ensure '$UNK' is not externally controlled, otherwise this is an open redirect.
returntocorpIf unverified user data can reach the `phantom` methods it can result in Server-Side Request Forgery vulnerabilities
returntocorpDetected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call '.verify()' before using the token.
returntocorpThe Mustache escape function is being overwritten. This could bypass HTML escaping safety measures built into the rendering engine, exposing your application to cross-site scripting (XSS) vulnerabilities. If you need unescaped HTML, use the triple brace operator in your template: '{{{ ... }}}'.
returntocorpThe object is passed strictly to jsonwebtoken.sign(...) Make sure that sensitive information is not exposed through JWT token payload.
returntocorpIf unverified user data can reach the `puppeteer` methods it can result in Server-Side Request Forgery vulnerabilities
returntocorpMake sure that unverified user data can not reach `sandbox`.
returntocorpMake sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities
returntocorpUser controlled data in a `createNodesFromMarkup` is an anti-pattern that can lead to XSS vulnerabilities
returntocorpFound an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine.
returntocorpThe object is passed strictly to jose.JWT.sign(...) Make sure that sensitive information is not exposed through JWT token payload.
returntocorpthis rule has been deprecated.
returntocorpthis rule has been deprecated.
returntocorpDetected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.
returntocorpUser controlled data in a jQuery's `.$METHOD(...)` is an anti-pattern that can lead to XSS vulnerabilities
returntocorpUser controlled data in a `$(...)` is an anti-pattern that can lead to XSS vulnerabilities
returntocorpJQuery's `html` function is susceptible to Cross Site Scripting (XSS) attacks. If you're just passing text, consider `text` instead. Otherwise, use a function that escapes HTML such as edX's `HtmlUtils.setHtml()`.
returntocorpDetected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.
returntocorpDetected non-literal calls to $EXEC(). This could lead to a command injection vulnerability.
returntocorpThis rule is deprecated.
returntocorpThis rule has been deprecated. It duplicates `javascript/sequelize/security/audit/sequelize-raw-query` rule.
returntocorpFound '$SPAWN' with '{shell: $SHELL}'. This is dangerous because this call will spawn the command using a shell process. Doing so propagates current shell settings and variables, which makes it much easier for a malicious actor to execute commands. Use '{shell: false}' instead.
returntocorpDetected string concatenation with a non-literal variable in a node-postgres JS SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, used parameterized queries or prepared statements instead. You can use parameterized statements like so: `client.query('SELECT $1 from table', [userinput])`
returntocorpCannot determine what '$UNK' is and it is used with a '<script>' tag. This could be susceptible to cross-site scripting (XSS). Ensure '$UNK' is not externally controlled, or sanitize this data.
returntocorpDetected usage of noassert in Buffer API, which allows the offset the be beyond the end of the buffer. This could result in writing or reading beyond the end of the buffer.
returntocorpMarkup escaping disabled. This can be used with some template engines to escape disabling of HTML entities, which can lead to XSS attacks.
returntocorpDetected use of dynamic execution of JavaScript which may come from user-input, which can lead to Cross-Site-Scripting (XSS). Where possible avoid including user-input in functions which dynamically execute user-input.
returntocorpDetected use of express.csrf() middleware before express.methodOverride(). This can allow GET requests (which are not checked by csrf) to turn into POST requests later.
returntocorpThis rule is deprecated.
returntocorpDetected usage of crypto.pseudoRandomBytes, which does not produce secure random numbers.
returntocorpGit allows shell commands to be specified in ext URLs for remote repositories. For example, git clone 'ext::sh -c whoami% >&2' will execute the whoami command to try to connect to a remote repository. Make sure that the URL is not controlled by external input.
returntocorpIf unverified user data can reach the XML Parser it can result in XML External or Internal Entity (XXE) Processing vulnerabilities
returntocorpIf unverified user data can reach the `phantom` page methods it can result in Server-Side Request Forgery vulnerabilities
returntocorpIf unverified user data can reach the `addInitScript` method it can result in Server-Side Request Forgery vulnerabilities
returntocorpIf unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities
returntocorpIf unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities
returntocorpRemote debugging protocol does not perform any authentication, so exposing it too widely can be a security risk.
returntocorpIf unverified user data can reach the `goto` method it can result in Server-Side Request Forgery vulnerabilities
returntocorpIf unverified user data can reach the `setContent` method it can result in Server-Side Request Forgery vulnerabilities
returntocorpIf unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities
returntocorpIf unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities
returntocorpRemote debugging protocol does not perform any authentication, so exposing it too widely can be a security risk.
returntocorpIf unverified user data can reach the `goto` method it can result in Server-Side Request Forgery vulnerabilities
returntocorpIf unverified user data can reach the `setContent` method it can result in Server-Side Request Forgery vulnerabilities
returntocorpMake sure that unverified user data can not reach `sandbox`.
returntocorpUse of 'ondoctype' in 'sax' library detected. By default, 'sax' won't do anything with custom DTD entity definitions. If you're implementing a custom DTD entity definition, be sure not to introduce XML External Entity (XXE) vulnerabilities, or be absolutely sure that external entities received from a trusted source while processing XML.
returntocorpIf TLS is disabled on server side (Postgresql server), Sequelize establishes connection without TLS and no error will be thrown. To prevent MITN (Man In The Middle) attack, TLS must be enforce by Sequelize. Set "ssl: true" or define settings "ssl: {...}"
returntocorpAvoiding SQL string concatenation: untrusted input concatenated with raw SQL query can result in SQL Injection. Data replacement or data binding should be used. See https://sequelize.org/master/manual/raw-queries.html
returntocorpSet "rejectUnauthorized" to false is a convenient way to resolve certificate error. But this method is unsafe because it disables the server certificate verification, making the Node app open to MITM attack. "rejectUnauthorized" option must be alway set to True (default value). With self -signed certificate or custom CA, use "ca" option to define Root Certificate. This rule checks TLS configuration only for Postgresql, MariaDB and MySQL. SQLite is not really concerned by TLS configuration. This rule could be extended for MSSQL, but the dialectOptions is specific for Tedious.
returntocorp`serialize-javascript` used with `unsafe` parameter, this could be vulnerable to XSS.
returntocorpIf unverified user data can reach the `exec` method it can result in Remote Code Execution
returntocorpPotential arbitrary code execution, piped to eval
returntocorpMake sure that unverified user data can not reach `vm2`.
returntocorpMake sure that unverified user data can not reach `vm2`.
returntocorpIf unverified user data can reach the `wkhtmltoimage` it can result in Server-Side Request Forgery vulnerabilities
returntocorpIf unverified user data can reach the `wkhtmltopdf` it can result in Server-Side Request Forgery vulnerabilities
returntocorpIf unverified user data can reach the XML Parser it can result in XML External or Internal Entity (XXE) Processing vulnerabilities
returntocorpthis rule has been deprecated.
returntocorpAccess-Control-Allow-Origin response header is set to "*". This will disable CORS Same Origin Policy restrictions.
returntocorpX-XSS-Protection header is set to 0. This will disable the browser's XSS Filter.
returntocorpUntrusted user input in {url: ...} can result in Open Redirect vulnerability.
returntocorpthis rule has been deprecated.
returntocorpthis rule has been deprecated.
returntocorpProperty decoded from JWT token without verifying and cannot be trustworthy.
returntocorpStoring JWT tokens in localStorage known to be a bad practice, consider moving your tokens from localStorage to a HTTP cookie.
returntocorpThis rule has been deprecated
returntocorpThis rule has been deprecated.
returntocorpthis rule has been deprecated.
returntocorpthis rule has been deprecated.
returntocorpthis rule has been deprecated.
returntocorpthis rule has been deprecated.
returntocorpthis rule has been deprecated.
returntocorpUnencrypted request over HTTP detected.
returntocorpOverwriting `transformLinkUri` or `transformImageUri` to something insecure, or turning `allowDangerousHtml` on, or turning `escapeHtml` off, will open the code up to XSS vectors.
Insufficient permissions to view rule definition Upgrade to Semgrep Team Tier to see this rule. Visit https://semgrep.dev/pricing to learn how to upgrade.
returntocorpDetected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, used parameterized queries or prepared statements instead. You can use parameterized statements like so: `sequelize.query('SELECT * FROM projects WHERE status = ?', { replacements: ['active'], type: QueryTypes.SELECT });`
returntocorpPrefer Argon2id where possible. Per RFC9016, section 4 IETF recommends selecting Argon2id unless you can guarantee an adversary has no direct access to the computing environment.
returntocorpDetected a call to `$FUNC()` in an attempt to HTML escape the string `$STR`. Manually sanitizing input through a manually built list can be circumvented in many situations, and it's better to use a well known sanitization library such as `sanitize-html` or `DOMPurify`.
returntocorpThe `eval()` function evaluates JavaScript code represented as a string. Executing JavaScript from a string is an enormous security risk. It is far too easy for a bad actor to run arbitrary code when you use `eval()`. Ensure evaluated content is not definable by external sources.
returntocorpDetected user input flowing into an HTML response. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data.
returntocorpDetected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates which will safely render HTML instead.
returntocorpDetected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.
returntocorpDetected use of parseXml() function with the `noent` field set to `true`. This can lead to an XML External Entities (XXE) attack if untrusted data is passed into it.
returntocorpThe application processes user-input, this is passed to res.sendFile which can allow an attacker to arbitrarily read files on the system through path traversal. It is recommended to perform input validation in addition to canonicalizing the path. This allows you to validate the path against the intended directory it should be accessing.
returntocorpBy letting user input control CORS parameters, there is a risk that software does not properly verify that the source of data or communication is valid. Use literal values for CORS settings.
returntocorpMake sure that unverified user data can not reach `$VM`.
returntocorpMake sure that unverified user data can not reach `vm2`.
returntocorpThis code contains bidirectional (bidi) characters. While this is useful for support of right-to-left languages such as Arabic or Hebrew, it can also be used to trick language parsers into executing code in a manner that is different from how it is displayed in code editing and review tools. If this is not what you were expecting, please review this code in an editor that can reveal hidden Unicode characters.
Insufficient permissions to view rule definition Upgrade to Semgrep Team Tier to see this rule. Visit https://semgrep.dev/pricing to learn how to upgrade.
Insufficient permissions to view rule definition Upgrade to Semgrep Team Tier to see this rule. Visit https://semgrep.dev/pricing to learn how to upgrade.
Insufficient permissions to view rule definition Upgrade to Semgrep Team Tier to see this rule. Visit https://semgrep.dev/pricing to learn how to upgrade.
returntocorpUser controlled data in a HTML string may result in XSS
returntocorpDetected that function argument `$ARG` has entered the fs module. An attacker could potentially control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are validated.
returntocorpDetected possible user input going into a `path.join` or `path.resolve` function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.
returntocorpDetected calls to child_process from a function argument `$FUNC`. This could lead to a command injection if the input is user controllable. Try to avoid calls to child_process, and if it is needed ensure user input is correctly sanitized or sandboxed.
returntocorpCopying a prop into state in React -- this is bad practice as all updates to it are ignored. Instead, read props directly in your component and avoid copying props into state.
returntocorpRegExp() called with a `$ARG` function argument, this might allow an attacker to cause a Denial of Service (DoS) within your application as RegExP which blocks the main thread.
returntocorp$sceProvider is set to false. Disabling Strict Contextual escaping (SCE) in an AngularJS application could provide additional attack surface for XSS vulnerabilities.
returntocorpDon’t use the default session cookie name Using the default session cookie name can open your app to attacks. The security issue posed is similar to X-Powered-By: a potential attacker can use it to fingerprint the server and target attacks accordingly.
returntocorpDefault session middleware settings: `secure` not set. It ensures the browser only sends the cookie over HTTPS.
returntocorpDefault session middleware settings: `httpOnly` not set. It ensures the cookie is sent only over HTTP(S), not client JavaScript, helping to protect against cross-site scripting attacks.
returntocorpDefault session middleware settings: `domain` not set. It indicates the domain of the cookie; use it to compare against the domain of the server in which the URL is being requested. If they match, then check the path attribute next.
returntocorpDefault session middleware settings: `expires` not set. Use it to set expiration date for persistent cookies.
returntocorpIf unverified user data can reach the `phantom` methods it can result in Server-Side Request Forgery vulnerabilities
returntocorpIf unverified user data can reach the `wkhtmltopdf` methods it can result in Server-Side Request Forgery vulnerabilities
Insufficient permissions to view rule definition Upgrade to Semgrep Team Tier to see this rule. Visit https://semgrep.dev/pricing to learn how to upgrade.
Insufficient permissions to view rule definition Upgrade to Semgrep Team Tier to see this rule. Visit https://semgrep.dev/pricing to learn how to upgrade.
returntocorpMake sure that unverified user data can not reach vm.runInContext.
returntocorpthis rule has been deprecated.
returntocorpthis rule has been deprecated.
returntocorpthis rule has been deprecated.
returntocorpthis rule has been deprecated.
returntocorpthis rule has been deprecated.
returntocorpthis rule has been deprecated.
returntocorpthis rule has been deprecated.
returntocorpthis rule has been deprecated.
returntocorpA hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
Insufficient permissions to view rule definition Upgrade to Semgrep Team Tier to see this rule. Visit https://semgrep.dev/pricing to learn how to upgrade.
returntocorpUse of angular.element can lead to XSS if user-input is treated as part of the HTML element within `$SINK`. It is recommended to contextually output encode user-input, before inserting into `$SINK`. If the HTML needs to be preserved it is recommended to sanitize the input using $sce.getTrustedHTML or $sanitize.
returntocorpUse of angular.element can lead to XSS if user-input is treated as part of the HTML element within `$SINK`. It is recommended to contextually output encode user-input, before inserting into `$SINK`. If the HTML needs to be preserved it is recommended to sanitize the input using $sce.getTrustedHTML or $sanitize.
returntocorpThe application accepts potentially user-controlled input `$PROP` which can control the location of the current window context. This can lead two types of vulnerabilities open-redirection and Cross-Site-Scripting (XSS) with JavaScript URIs. It is recommended to validate user-controllable input before allowing it to control the redirection.
returntocorpDirectory listing/indexing is enabled, which may lead to disclosure of sensitive directories and files. It is recommended to disable directory listing unless it is a public resource. If you need directory listing, ensure that sensitive files are inaccessible when querying the resource.
returntocorpThe libxml library processes user-input with the `noent` attribute is set to `true` which can lead to being vulnerable to XML External Entities (XXE) type attacks. It is recommended to set `noent` to `false` when using this feature to ensure you are protected.
returntocorpA hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
returntocorpThe following function call $SER.$FUNC accepts user controlled data which can result in Remote Code Execution (RCE) through Object Deserialization. It is recommended to use secure data processing alternatives such as JSON.parse() and Buffer.from().
returntocorpDetected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.
returntocorpMake sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities.
returntocorpUser data from `$REQ` is being compiled into the template, which can lead to a Server Side Template Injection (SSTI) vulnerability.
returntocorpA hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
returntocorpDetected a `$IMPORT` SQL statement that comes from a function argument. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.
returntocorpIf an attacker controls the x in require(x) then they can cause code to load that was not intended to run on the server.
returntocorpA hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
returntocorpDetected a hardcoded hmac key. Avoid hardcoding secrets and consider using an alternate option such as reading the secret from a config file or using an environment variable.
returntocorpDetected SQL statement that is tainted by `$REQ` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements. An example of parameterized queries like so: `knex.raw('SELECT $1 from table', [userinput])` can help prevent SQLi.
Insufficient permissions to view rule definition Upgrade to Semgrep Team Tier to see this rule. Visit https://semgrep.dev/pricing to learn how to upgrade.
Insufficient permissions to view rule definition Upgrade to Semgrep Team Tier to see this rule. Visit https://semgrep.dev/pricing to learn how to upgrade.
Insufficient permissions to view rule definition Upgrade to Semgrep Team Tier to see this rule. Visit https://semgrep.dev/pricing to learn how to upgrade.
Insufficient permissions to view rule definition Upgrade to Semgrep Team Tier to see this rule. Visit https://semgrep.dev/pricing to learn how to upgrade.
Insufficient permissions to view rule definition Upgrade to Semgrep Team Tier to see this rule. Visit https://semgrep.dev/pricing to learn how to upgrade.
Insufficient permissions to view rule definition Upgrade to Semgrep Team Tier to see this rule. Visit https://semgrep.dev/pricing to learn how to upgrade.
Insufficient permissions to view rule definition Upgrade to Semgrep Team Tier to see this rule. Visit https://semgrep.dev/pricing to learn how to upgrade.
returntocorpThe application redirects to a URL specified by user-supplied input `$REQ` that is not validated. This could redirect users to malicious locations. Consider using an allow-list approach to validate URLs, or warn users they are being redirected to a third-party website.
returntocorpDetected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.
Insufficient permissions to view rule definition Upgrade to Semgrep Team Tier to see this rule. Visit https://semgrep.dev/pricing to learn how to upgrade.
returntocorpDepending on the context, user control data in `Object.assign` can cause web response to include data that it should not have or can lead to a mass assignment vulnerability.
returntocorpDefault session middleware settings: `path` not set. It indicates the path of the cookie; use it to compare against the request path. If this and domain match, then send the cookie in the request.
returntocorpA hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security