    Laravel

    Security

    Found a request argument passed to the ignore() method of a Rule constraint (for example Rule::unique()->ignore($request->input('id'))). Laravel's documentation states that ignore() should only receive a system-generated unique identifier, such as an auto-incrementing ID or UUID taken from an Eloquent model, and never user-controlled request input; otherwise the application is vulnerable to SQL injection.
    Likelihood: HIGH
    Confidence: MEDIUM
    CWE:
    - CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
    OWASP:
    - A01:2017 - Injection
    - A03:2021 - Injection
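    The rule above in code, as an added example that is not from the original page or from the rule pack it documents: the same "unique e-mail, except for the record being edited" validation written the way the rule flags it and the way Laravel's documentation recommends. The controller, table and column names are assumed for illustration.

```php
<?php
// Added example (not from the page or Laravel's own docs). The users table,
// its email column and the controller are assumed for illustration.

use Illuminate\Http\Request;
use Illuminate\Validation\Rule;

class ProfileController
{
    // FLAGGED: the id handed to ignore() comes straight from the request body.
    // Laravel's docs say ignore() must never receive user-controlled input;
    // the rule reports this call because $request is the source of the value.
    public function updateUnsafe(Request $request)
    {
        $request->validate([
            'email' => [
                'required', 'email',
                Rule::unique('users', 'email')->ignore($request->input('id')),
            ],
        ]);
    }

    // SAFE: the ignored id is a system-generated key read from the
    // authenticated user (or a route-model-bound model), never from input.
    public function update(Request $request)
    {
        $user = $request->user();

        $request->validate([
            'email' => [
                'required', 'email',
                Rule::unique('users', 'email')->ignore($user->id),
                // Equivalent: ignore() also accepts the model instance itself,
                // Rule::unique('users', 'email')->ignore($user)
            ],
        ]);
    }
}
```

    The safe form still lets a user change their own e-mail to one they already hold; what changes is that the row being excluded from the uniqueness check is chosen by the application, not by whoever crafted the request.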

    Found a session configuration file (config/session.php) where the lifetime attribute is over 30 minutes. A long session lifetime widens the window in which a stolen or leaked session cookie remains usable; keep the lifetime at or below 30 minutes unless there is a documented reason not to.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-1004: Sensitive Cookie Without ‘HttpOnly’ Flag
    OWASP:
    - A05:2021 - Security Misconfiguration

    Found a configuration file where the same_site attribute is not set to 'lax' or 'strict'. Setting same_site to 'lax' or 'strict' tells the browser to withhold the cookie on cross-site requests (for all of them with 'strict', for all but top-level GET navigations with 'lax'), so a forged cross-site POST does not carry the session cookie, which mitigates CSRF.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-1275: Sensitive Cookie with Improper SameSite Attribute
    OWASP:
    - A01:2021 - Broken Access Control

    Found a configuration file where the domain attribute is not set to null. Unless you rely on sub-domain route registrations, set this attribute to null: the session cookie is then host-only, so browsers send it only to the exact host that set it and it is not shared with every sub-domain.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
    OWASP:
    - A01:2021 - Broken Access Control

    Setting $guarded to an empty array allows mass assignment to every attribute of a Laravel model, including role or admin flags that a request should never be able to set. This explicitly overrides Eloquent's safe-by-default mass assignment protection; list the permitted attributes in $fillable instead.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
    OWASP:
    - A08:2021 - Software and Data Integrity Failures
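    The mass-assignment problem above, as an added example that is not code from the page or from any real project: a model with protection switched off beside the hardened form, and a registration handler showing why an injected is_admin field never reaches the database in the hardened version. The users table, its is_admin column and the controller are assumed.

```php
<?php
// Added example (not from the page or a real application). The users table,
// its is_admin column and the controller class are assumed for illustration.

use Illuminate\Database\Eloquent\Model;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;

// FLAGGED: an empty $guarded makes every column mass assignable, so a request
// body carrying "is_admin": 1 is written straight to the new row.
class UnguardedUser extends Model
{
    protected $table = 'users';

    protected $guarded = [];
}

// HARDENED: an explicit allow-list. Keys outside it, including is_admin, are
// dropped by fill()/create(); newer Laravel versions can be made to throw a
// MassAssignmentException instead by calling
// Model::preventSilentlyDiscardingAttributes() in a service provider.
class User extends Model
{
    protected $table = 'users';

    protected $fillable = ['name', 'email', 'password'];
}

class RegistrationController
{
    // Vulnerable handler: every request key, is_admin included, is assigned.
    public function storeUnsafe(Request $request)
    {
        return UnguardedUser::create($request->all());
    }

    // Hardened handler: validate() returns only the keys named in the rules,
    // so an injected is_admin is gone before $fillable is even consulted.
    public function store(Request $request)
    {
        $data = $request->validate([
            'name'     => ['required', 'string', 'max:255'],
            'email'    => ['required', 'email', 'max:255'],
            'password' => ['required', 'string', 'min:12'],
        ]);

        $data['password'] = Hash::make($data['password']);

        return User::create($data);
    }
}
```

    Two independent layers are at work in the hardened handler: the validated array bounds what the controller passes in, and $fillable bounds what the model accepts from any caller, so a second code path that forgets to validate still cannot set is_admin.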

    Found an instance setting the APP_DEBUG environment variable to true. In a production environment this must be false: with debugging enabled, Laravel's error pages disclose stack traces, request data and configuration values, including credentials, to anyone who can trigger an exception.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-489: Active Debug Code
    OWASP:
    - A05:2021 - Security Misconfiguration

    Detected a SQL query built from user input. This can lead to SQL injection, through which an attacker can read or modify data they are not authorised to touch. Instead, use parameterized queries (query bindings) and prepared statements.
    Likelihood: HIGH
    Confidence: MEDIUM
    CWE:
    - CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
    OWASP:
    - A01:2017 - Injection
    - A03:2021 - Injection

    Detected a form that submits a state-changing HTTP method $METHOD to route definition $...ROUTE without Laravel's @csrf Blade directive or an explicit CSRF token field. If this form modifies sensitive state, it opens the application to Cross-Site Request Forgery (CSRF) attacks.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-352: Cross-Site Request Forgery (CSRF)
    OWASP:
    - A01:2021 - Broken Access Control
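    The form described above, as an added example that is not a template from the page or from any real project: the same Blade form (a resources/views/*.blade.php file) without and with the CSRF token. The route name and field are assumed for illustration.

```php
{{-- Added example, not from the page or a real project. The route name
     profile.update and the email field are assumed for illustration. --}}

{{-- FLAGGED: a state-changing POST with no token. With the web middleware
     group active the VerifyCsrfToken middleware rejects it with HTTP 419,
     and the tempting "fix" of adding the route to the middleware's $except
     list is exactly what turns the missing token into a CSRF hole. --}}
<form method="POST" action="{{ route('profile.update') }}">
    <input type="email" name="email">
    <button type="submit">Save</button>
</form>

{{-- FIXED: @csrf renders <input type="hidden" name="_token" value="..."> and
     VerifyCsrfToken compares it with the token stored in the session. A form
     that targets a PUT/PATCH/DELETE route keeps method="POST" and adds
     @method, because browsers only submit forms as GET or POST. --}}
<form method="POST" action="{{ route('profile.update') }}">
    @csrf
    @method('PATCH')
    <input type="email" name="email">
    <button type="submit">Save</button>
</form>
```

    For requests sent from JavaScript rather than a form, the same token is read from the meta tag or the XSRF-TOKEN cookie and sent in the X-CSRF-TOKEN or X-XSRF-TOKEN header; the middleware accepts either, so the form field is not the only valid place for it.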

    HTTP method $METHOD to Laravel route $ROUTE_NAME is vulnerable to SQL injection via string concatenation or unsafe interpolation.
    Likelihood: HIGH
    Confidence: MEDIUM
    CWE:
    - CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
    OWASP:
    - A01:2017 - Injection
    - A03:2021 - Injection
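    Both SQL injection rules on this page (the query built from user input and the route handler that concatenates or interpolates input into SQL) describe the same defect, so one added example covers them. It is not code from the page or from a real application: the same lookup written the flagged way, then with bound parameters, plus the case bindings cannot solve. Table, column and route names are assumed.

```php
<?php
// Added example (not from the page or a real application). The users table,
// its name column and the routes are assumed for illustration.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Route;

// FLAGGED: $name is interpolated into the SQL text. A request for
// /users/search-unsafe?name=x' OR '1'='1 returns every row.
Route::get('/users/search-unsafe', function (Request $request) {
    $name = $request->query('name');

    return DB::select("SELECT id, name FROM users WHERE name = '$name'");
});

// ALSO FLAGGED: using the query builder does not help when the raw fragment
// itself embeds the input.
Route::get('/users/search-unsafe-raw', function (Request $request) {
    $name = $request->query('name');

    return DB::table('users')
        ->whereRaw("name = '" . $name . "'")
        ->get(['id', 'name']);
});

// SAFE: the input travels as a bound parameter, never as SQL text.
Route::get('/users/search', function (Request $request) {
    $name = $request->query('name', '');

    // Plain-SQL form with a positional binding.
    $rows = DB::select('SELECT id, name FROM users WHERE name = ?', [$name]);

    // Equivalent builder forms; where() binds its value, and whereRaw()
    // takes a bindings array for the rare fragment that has to stay raw.
    // DB::table('users')->where('name', $name)->get(['id', 'name']);
    // DB::table('users')->whereRaw('name = ?', [$name])->get(['id', 'name']);

    return $rows;
});

// Identifiers (column names, sort direction) cannot be bound, so user input
// that selects one must be checked against an allow-list instead.
Route::get('/users/sorted', function (Request $request) {
    $column = $request->query('sort', 'name');

    if (! in_array($column, ['name', 'created_at'], true)) {
        abort(400, 'unsupported sort column');
    }

    return DB::table('users')->orderBy($column)->get(['id', 'name']);
});
```

    The two safe handlers differ in kind: a value goes through a binding and the database driver keeps it out of the parsed statement, whereas an identifier has to become part of the statement text, so the only defence is to admit a fixed set of known-good names.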

    Found a configuration file where the HttpOnly attribute is not set to true. Setting http_only to true makes your cookies inaccessible from JavaScript (document.cookie), which limits what an XSS payload can steal. Set it like so: 'http_only' => true
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-1004: Sensitive Cookie Without ‘HttpOnly’ Flag
    OWASP:
    - A05:2021 - Security Misconfiguration

    Found a configuration file where the secure attribute is not set to 'true'. Setting 'secure' to 'true' prevents the client from transmitting the cookie over unencrypted channels and therefore prevents cookies from being stolen through man-in-the-middle attacks.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-614: Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
    OWASP:
    - A05:2021 - Security Misconfiguration
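    The five cookie rules on this page (lifetime, same_site, domain, http_only and secure) all check the same file, so one added example serves them all. It is not the page's own or Laravel's shipped config/session.php: only the cookie-related keys are shown, each with the flagged value in a comment beside the hardened one; the rest of the file (driver, connection, table and so on) is assumed to stay as Laravel generates it. Environment variable names are Laravel's defaults; the values are illustrative.

```php
<?php
// Added example (not the page's or Laravel's own config/session.php): only the
// cookie-related keys are shown; the other keys are assumed unchanged.

return [
    // FLAGGED: 'lifetime' => 120 (two hours in which a stolen cookie stays valid).
    // HARDENED: idle expiry at 30 minutes, the rule's threshold.
    'lifetime' => (int) env('SESSION_LIFETIME', 30),

    // FLAGGED: 'domain' => '.example.com' (cookie sent to every sub-domain).
    // HARDENED: null makes the cookie host-only, so browsers send it only to
    // the exact host that set it.
    'domain' => env('SESSION_DOMAIN', null),

    // FLAGGED: 'secure' => false, or env('SESSION_SECURE_COOKIE') left unset.
    // HARDENED: default to true so the cookie never travels over plain HTTP;
    // override to false only in a local HTTP-only development environment.
    'secure' => (bool) env('SESSION_SECURE_COOKIE', true),

    // FLAGGED: 'http_only' => false (cookie readable through document.cookie).
    'http_only' => true,

    // FLAGGED: 'same_site' => null or 'none'.
    // HARDENED: 'lax' blocks cross-site POSTs while still sending the cookie
    // on top-level navigations. 'strict' also withholds it on cross-site
    // links and on the redirect back from an external identity provider, so
    // choose it only when no such flow exists.
    'same_site' => 'lax',
];
```

    A quick check after deploying: log in over HTTPS and inspect the Set-Cookie header for the session cookie; it should carry Secure, HttpOnly, SameSite=Lax (or Strict) and no Domain attribute, with a Max-Age or Expires no further than 30 minutes out.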
