Security
html-in-template-string
html-in-template-string
This template literal looks like HTML and has interpolated variables. These variables are not HTML-encoded by default. If the variables contain HTML tags, these may be interpreted by the browser, resulting in cross-site scripting (XSS).
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-116: Improper Encoding or Escaping of Output
OWASP:
- A03:2021 - Injection
detect-eval-with-expression
detect-eval-with-expression
Detected use of dynamic execution of JavaScript which may come from user-input, which can lead to Cross-Site-Scripting (XSS). Where possible avoid including user-input in functions which dynamically execute user-input.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP:
- A03:2021 - Injection
detect-insecure-websocket
detect-insecure-websocket
Insecure WebSocket Detected. WebSocket Secure (wss) should be used for all WebSocket connections.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-319: Cleartext Transmission of Sensitive Information
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
detect-no-csrf-before-method-override
detect-no-csrf-before-method-override
Detected use of express.csrf() middleware before express.methodOverride(). This can allow GET requests (which are not checked by csrf) to turn into POST requests later.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-352: Cross-Site Request Forgery (CSRF)
OWASP:
- A01:2021 - Broken Access Control
- A05:2017 - Broken Access Control
detect-disable-mustache-escape
detect-disable-mustache-escape
Markup escaping disabled. This can be used with some template engines to escape disabling of HTML entities, which can lead to XSS attacks.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-116: Improper Encoding or Escaping of Output
OWASP:
- A03:2021 - Injection
spawn-git-clone
spawn-git-clone
Git allows shell commands to be specified in ext URLs for remote repositories. For example, git clone ‘ext::sh -c whoami% >&2’ will execute the whoami command to try to connect to a remote repository. Make sure that the URL is not controlled by external input.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
detect-buffer-noassert
detect-buffer-noassert
Detected usage of noassert in Buffer API, which allows the offset the be beyond the end of the buffer. This could result in writing or reading beyond the end of the buffer.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
detect-pseudoRandomBytes
detect-pseudoRandomBytes
Detected usage of crypto.pseudoRandomBytes, which does not produce secure random numbers.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
OWASP:
- A02:2021 - Cryptographic Failures
insecure-object-assign
insecure-object-assign
Depending on the context, user control data in Object.assign can cause web response to include data that it should not have or can lead to a mass assignment vulnerability.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’)
OWASP:
- A01:2021 - Broken Access Control
detect-child-process
detect-child-process
Detected calls to child_process from a function argument $FUNC. This could lead to a command injection if the input is user controllable. Try to avoid calls to child_process, and if it is needed ensure user input is correctly sanitized or sandboxed.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection