CodeAnt AI home pagelight logodark logo
  • Support
  • Dashboard
  • Dashboard
Documentation
API Reference
Start Here
  • What is CodeAnt?
  • Join Community
Setup
  • Github
  • GitHub Enterprise
  • Bitbucket
  • Gitlab
  • Azure Devops
Pull Request Review
  • Features
  • Customize Review
  • Quality Gates
  • Integrations
Scan center
  • Code Security
  • Code Quality
  • Cloud Security
  • Engineering Productivity
Integrations
  • Jira
  • Test Coverage
  • CI/CD
IDE
  • Setup
  • Review
  • Enhancements
Rule Reference
  • Compliance
  • Anti-Patterns
  • Code Governance
  • Infrastructure Security Database
  • Application Security Database
    • Apex
    • Bash
    • C
    • Clojure
    • Cpp
    • Csharp
    • Dockerfile
    • Elixir
    • Fingerprints
    • Generic
    • Go
    • Html
    • Java
    • Javascript
    • Json
    • Kotlin
    • Ocaml
    • Php
      • Doctrine
      • Lang
      • Laravel
        • Security
        • Security
      • Secrets
      • Symfony
      • Wordpress-plugins
    • Problem-based-packs
    • Python
    • Ruby
    • Rust
    • Scala
    • Solidity
    • Swift
    • Terraform
    • Typescript
    • Yaml
Resources
  • Open Source
  • Blogs
Laravel

Security

laravel-unsafe-validator

Found a request argument passed to an ignore() definition in a Rule constraint. This can lead to SQL injection.
Likelihood: HIGH
Confidence: MEDIUM
CWE:
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection

laravel-cookie-long-timeout

Found a configuration file where the lifetime attribute is over 30 minutes.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-1004: Sensitive Cookie Without ‘HttpOnly’ Flag
OWASP:
- A05:2021 - Security Misconfiguration

laravel-cookie-same-site

Found a configuration file where the same_site attribute is not set to ‘lax’ or ‘strict’. Setting ‘same_site’ to ‘lax’ or ‘strict’ restricts cookies to a first-party or same-site context, which will protect your cookies and prevent CSRF.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-1275: Sensitive Cookie with Improper SameSite Attribute
OWASP:
- A01:2021 - Broken Access Control

laravel-cookie-null-domain

Found a configuration file where the domain attribute is not set to null. It is recommended (unless you are using sub-domain route registrations) to set this attribute to null so that only the same origin can set the cookie, thus protecting your cookies.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
OWASP:
- A01:2021 - Broken Access Control

laravel-dangerous-model-construction

Setting $guarded to an empty array allows mass assignment to every property in a Laravel model. This explicitly overrides Eloquent’s safe-by-default mass assignment protections.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
OWASP:
- A08:2021 - Software and Data Integrity Failures

laravel-active-debug-code

Found an instance setting the APP_DEBUG environment variable to true. In your production environment, this should always be false. Otherwise, you risk exposing sensitive configuration values to potential attackers. Instead, set this to false.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-489: Active Debug Code
OWASP:
- A05:2021 - Security Misconfiguration

laravel-sql-injection

Detected a SQL query based on user input. This could lead to SQL injection, which could potentially result in sensitive data being exfiltrated by attackers. Instead, use parameterized queries and prepared statements.
Likelihood: HIGH
Confidence: MEDIUM
CWE:
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection

laravel-blade-form-missing-csrf

Detected a form executing a state-changing HTTP method $METHOD to route definition $...ROUTE without a Laravel CSRF decorator or explicit CSRF token implementation. If this form modifies sensitive state this will open your application to Cross-Site Request Forgery (CSRF) attacks.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-352: Cross-Site Request Forgery (CSRF)
OWASP:
- A01:2021 - Broken Access Control

laravel-api-route-sql-injection

HTTP method [METHOD]toLaravelrouteMETHOD] to Laravel route METHOD]toLaravelrouteROUTE_NAME is vulnerable to SQL injection via string concatenation or unsafe interpolation.
Likelihood: HIGH
Confidence: MEDIUM
CWE:
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection

laravel-cookie-http-only

Found a configuration file where the HttpOnly attribute is not set to true. Setting http_only to true makes sure that your cookies are inaccessible from Javascript, which mitigates XSS attacks. Instead, set the ‘http_only’ like so: http_only => true
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-1004: Sensitive Cookie Without ‘HttpOnly’ Flag
OWASP:
- A05:2021 - Security Misconfiguration

laravel-cookie-secure-set

Found a configuration file where the secure attribute is not set to ‘true’. Setting ‘secure’ to ‘true’ prevents the client from transmitting the cookie over unencrypted channels and therefore prevents cookies from being stolen through man in the middle attacks.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-614: Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
OWASP:
- A05:2021 - Security Misconfiguration
Xml external entities unsafe parser flagsLaravel code injection
twitterlinkedin
Powered by Mintlify
Assistant
Responses are generated using AI and may contain mistakes.