tainted-eval
The eval() function evaluates JavaScript code represented as a string. Executing JavaScript from a string is an enormous security risk. It is far too easy for a bad actor to run arbitrary code when you use eval(). Ensure evaluated content is not definable by external sources.

tainted-html-response

knex-sqli
Detected SQL statement that is tainted by the $EVENT object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: knex.raw('SELECT $1 from table', [userinput])

tainted-sql-string

tainted-html-string

mysql-sqli
Detected SQL statement that is tainted by the $EVENT object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: connection.query('SELECT $1 from table', [userinput])

vm-runincontext-injection
The vm module enables compiling and running code within V8 Virtual Machine contexts. The vm module is not a security mechanism. Do not use it to run untrusted code. If code passed to vm functions is controlled by user input, it could result in command injection. Do not let user input into vm functions.

dynamodb-request-object
Detected DynamoDB query params that are tainted by the $EVENT object. This could lead to NoSQL injection if the variable is user-controlled and not properly sanitized. Explicitly assign query params instead of passing data from $EVENT directly to the DynamoDB client.

detect-child-process

sequelize-sqli
Detected SQL statement that is tainted by the $EVENT object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: sequelize.query('SELECT * FROM projects WHERE status = ?', { replacements: ['active'], type: QueryTypes.SELECT });

pg-sqli
Detected SQL statement that is tainted by the $EVENT object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: connection.query('SELECT $1 from table', [userinput])