diff --git a/server/projects/main/apps/scan_conf/management/commands/open_source/semgrep.json b/server/projects/main/apps/scan_conf/management/commands/open_source/semgrep.json
index c291f76ffd..481926892c 100644
--- a/server/projects/main/apps/scan_conf/management/commands/open_source/semgrep.json
+++ b/server/projects/main/apps/scan_conf/management/commands/open_source/semgrep.json
@@ -16,15912 +16,16 @@
 "build_flag": false,
 "checkrule_set": [
 {
- "real_name": "insecure-use-printf-fn",
- "display_name": "InsecureUsePrintfFn",
- "severity": "warning",
- "category": "security",
- "rule_title": "insecure use printf fn",
- "description": "Avoid using user-controlled format strings passed into 'sprintf', 'printf' and 'vsprintf'. These functions put you at risk of buffer overflow vulnerabilities through the use of format string exploits. Instead, use 'snprintf' and 'vsnprintf'.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "cpp"
- ],
- "labels": []
- },
- {
- "real_name": "insecure-use-strcat-fn",
- "display_name": "InsecureUseStrcatFn",
- "severity": "warning",
- "category": "security",
- "rule_title": "insecure use strcat fn",
- "description": "Finding triggers whenever there is a strcat or strncat used. This is an issue because strcat or strncat can lead to buffer overflow vulns. Fix this by using strcat_s instead.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "cpp"
- ],
- "labels": []
- },
- {
- "real_name": "insecure-use-strtok-fn",
- "display_name": "InsecureUseStrtokFn",
- "severity": "warning",
- "category": "security",
- "rule_title": "insecure use strtok fn",
- "description": "Avoid using 'strtok()'. This function directly modifies the first argument buffer, permanently erasing the delimiter character. Use 'strtok_r()' instead.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "cpp"
- ],
- "labels": []
- },
- {
- "real_name": "info-leak-on-non-formated-string",
- "display_name": "InfoLeakOnNonFormatedString",
- "severity": "warning",
- "category": "security",
- "rule_title": "info leak on non formated string",
- "description": "Use %s, %d, %c... 
to format your variables, otherwise this could leak information.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "cpp"
- ],
- "labels": []
- },
- {
- "real_name": "double-free",
- "display_name": "DoubleFree",
- "severity": "error",
- "category": "security",
- "rule_title": "double free",
- "description": "Variable '$VAR' was freed twice. This can lead to undefined behavior.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "cpp"
- ],
- "labels": []
- },
- {
- "real_name": "insecure-use-memset",
- "display_name": "InsecureUseMemset",
- "severity": "warning",
- "category": "security",
- "rule_title": "insecure use memset",
- "description": "Using memset and then deleting that data can cause sensitive information to still be in the buffer. Use **memset_s()** instead.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "cpp"
- ],
- "labels": []
- },
- {
- "real_name": "insecure-use-string-copy-fn",
- "display_name": "InsecureUseStringCopyFn",
- "severity": "warning",
- "category": "security",
- "rule_title": "insecure use string copy fn",
- "description": "Finding triggers whenever there is a strcpy or strncpy used. This is an issue because strcpy does not affirm the size of the destination array and strncpy will not automatically NULL-terminate strings. This can lead to buffer overflows, which can cause program crashes and potentially let an attacker inject code in the program. Fix this by using strcpy_s instead (although note that strcpy_s is an optional part of the C11 standard, and so may not be available).\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "cpp"
- ],
- "labels": []
- },
- {
- "real_name": "random-fd-exhaustion",
- "display_name": "RandomFdExhaustion",
- "severity": "warning",
- "category": "security",
- "rule_title": "random fd exhaustion",
- "description": "Call to 'read()' without error checking is susceptible to file descriptor exhaustion. 
Consider using the 'getrandom()' function.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "cpp"
- ],
- "labels": []
- },
- {
- "real_name": "insecure-use-scanf-fn",
- "display_name": "InsecureUseScanfFn",
- "severity": "warning",
- "category": "security",
- "rule_title": "insecure use scanf fn",
- "description": "Avoid using 'scanf()'. This function, when used improperly, does not consider buffer boundaries and can lead to buffer overflows. Use 'fgets()' instead for reading input.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "cpp"
- ],
- "labels": []
- },
- {
- "real_name": "insecure-use-gets-fn",
- "display_name": "InsecureUseGetsFn",
- "severity": "error",
- "category": "security",
- "rule_title": "insecure use gets fn",
- "description": "Avoid 'gets()'. This function does not consider buffer boundaries and can lead to buffer overflows. Use 'fgets()' or 'gets_s()' instead.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "cpp"
- ],
- "labels": []
- },
- {
- "real_name": "use-after-free",
- "display_name": "UseAfterFree",
- "severity": "warning",
- "category": "security",
- "rule_title": "use after free",
- "description": "Variable '$VAR' was used after being freed. This can lead to undefined behavior.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "cpp"
- ],
- "labels": []
- },
- {
- "real_name": "incorrect-use-ato-fn",
- "display_name": "IncorrectUseAtoFn",
- "severity": "warning",
- "category": "correctness",
- "rule_title": "incorrect use ato fn",
- "description": "Avoid the 'ato*()' family of functions. Their use can lead to undefined behavior, integer overflows, and lack of appropriate error handling. 
Instead prefer the 'strtol*()' family of functions.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "cpp"
- ],
- "labels": []
- },
- {
- "real_name": "incorrect-use-sscanf-fn",
- "display_name": "IncorrectUseSscanfFn",
- "severity": "warning",
- "category": "correctness",
- "rule_title": "incorrect use sscanf fn",
- "description": "Avoid 'sscanf()' for number conversions. Its use can lead to undefined behavior, slow processing, and integer overflows. Instead prefer the 'strto*()' family of functions.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "cpp"
- ],
- "labels": []
- },
- {
- "real_name": "double_goto",
- "display_name": "Double_goto",
- "severity": "warning",
- "category": "correctness",
- "rule_title": "double_goto",
- "description": "The second goto statement will always be executed.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "cpp"
- ],
- "labels": []
- },
- {
- "real_name": "c-string-equality",
- "display_name": "CStringEquality",
- "severity": "error",
- "category": "correctness",
- "rule_title": "c string equality",
- "description": "Using == on char* performs pointer comparison, use strcmp instead\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "cpp"
- ],
- "labels": []
- },
- {
- "real_name": "websocket-missing-origin-check",
- "display_name": "WebsocketMissingOriginCheck",
- "severity": "warning",
- "category": "security",
- "rule_title": "websocket missing origin check",
- "description": "The Origin header in the HTTP WebSocket handshake is used to guarantee that the connection accepted by the WebSocket is from a trusted origin domain. Failure to enforce can lead to Cross Site Request Forgery (CSRF). 
As per \"gorilla/websocket\" documentation: \"A CheckOrigin function should carefully validate the request origin to prevent cross-site request forgery.\"\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "go"
- ],
- "labels": []
- },
- {
- "real_name": "session-cookie-missing-secure",
- "display_name": "SessionCookieMissingSecure",
- "severity": "warning",
- "category": "security",
- "rule_title": "session cookie missing secure",
- "description": "A session cookie was detected without setting the 'Secure' flag. The 'secure' flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the 'Secure' flag by setting 'Secure' to 'true' in the Options struct.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "go"
- ],
- "labels": []
- },
- {
- "real_name": "session-cookie-missing-httponly",
- "display_name": "SessionCookieMissingHttponly",
- "severity": "warning",
- "category": "security",
- "rule_title": "session cookie missing httponly",
- "description": "A session cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie which mitigates XSS attacks. Set the 'HttpOnly' flag by setting 'HttpOnly' to 'true' in the Options struct.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "go"
- ],
- "labels": []
- },
- {
- "real_name": "gorm-dangerous-method-usage",
- "display_name": "GormDangerousMethodUsage",
- "severity": "warning",
- "category": "security",
- "rule_title": "gorm dangerous method usage",
- "description": "Detected usage of dangerous method $METHOD which does not escape inputs (see link in references). If the argument is user-controlled, this can lead to SQL injection. 
When using $METHOD function, do not trust user-submitted data and only allow approved list of input (possibly, use an allowlist approach).\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "go"
- ],
- "labels": []
- },
- {
- "real_name": "grpc-client-insecure-connection",
- "display_name": "GrpcClientInsecureConnection",
- "severity": "error",
- "category": "security",
- "rule_title": "grpc client insecure connection",
- "description": "Found an insecure gRPC connection using 'grpc.WithInsecure()'. This creates a connection without encryption to a gRPC server. A malicious attacker could tamper with the gRPC message, which could compromise the machine. Instead, establish a secure connection with an SSL certificate using the 'grpc.WithTransportCredentials()' function. You can create a create credentials using a 'tls.Config{}' struct with 'credentials.NewTLS()'. The final fix looks like this: 'grpc.WithTransportCredentials(credentials.NewTLS())'.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "go"
- ],
- "labels": []
- },
- {
- "real_name": "grpc-server-insecure-connection",
- "display_name": "GrpcServerInsecureConnection",
- "severity": "error",
- "category": "security",
- "rule_title": "grpc server insecure connection",
- "description": "Found an insecure gRPC server without 'grpc.Creds()' or options with credentials. This allows for a connection without encryption to this server. A malicious attacker could tamper with the gRPC message, which could compromise the machine. Include credentials derived from an SSL certificate in order to create a secure gRPC connection. 
You can create credentials using 'credentials.NewServerTLSFromFile(\"cert.pem\", \"cert.key\")'.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "go"
- ],
- "labels": []
- },
- {
- "real_name": "go-ssti",
- "display_name": "GoSsti",
- "severity": "error",
- "category": "security",
- "rule_title": "go ssti",
- "description": "A server-side template injection occurs when an attacker is able to use native template syntax to inject a malicious payload into a template, which is then executed server-side. When using \"html/template\" always check that user inputs are validated and sanitized before included within the template.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "go"
- ],
- "labels": []
- },
- {
- "real_name": "go-insecure-templates",
- "display_name": "GoInsecureTemplates",
- "severity": "warning",
- "category": "security",
- "rule_title": "go insecure templates",
- "description": "usage of insecure template types. They are documented as a security risk. See https://golang.org/pkg/html/template/#HTML.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "go"
- ],
- "labels": []
- },
- {
- "real_name": "tainted-sql-string",
- "display_name": "TaintedSqlString",
- "severity": "error",
- "category": "security",
- "rule_title": "tainted sql string",
- "description": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. 
Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "go",
- "java",
- "js",
- "php",
- "python",
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "database-sqli",
- "display_name": "DatabaseSqli",
- "severity": "warning",
- "category": "security",
- "rule_title": "database sqli",
- "description": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, used parameterized queries or prepared statements instead. You can use prepared statements with the 'Prepare' and 'PrepareContext' calls.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "go"
- ],
- "labels": []
- },
- {
- "real_name": "hardcoded-jwt-key",
- "display_name": "HardcodedJwtKey",
- "severity": "warning",
- "category": "security",
- "rule_title": "hardcoded jwt key",
- "description": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "go"
- ],
- "labels": []
- },
- {
- "real_name": "jwt-go-none-algorithm",
- "display_name": "JwtGoNoneAlgorithm",
- "severity": "error",
- "category": "security",
- "rule_title": "jwt go none algorithm",
- "description": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. 
Instead, use an algorithm such as 'HS256'.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "go"
- ],
- "labels": []
- },
- {
- "real_name": "jwt-go-parse-unverified",
- "display_name": "JwtGoParseUnverified",
- "severity": "warning",
- "category": "security",
- "rule_title": "jwt go parse unverified",
- "description": "Detected the decoding of a JWT token without a verify step. Don't use `ParseUnverified` unless you know what you're doing This method parses the token but doesn't validate the signature. It's only ever useful in cases where you know the signature is valid (because it has been checked previously in the stack) and you want to extract values from it.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "go"
- ],
- "labels": []
- },
- {
- "real_name": "potential-dos-via-decompression-bomb",
- "display_name": "PotentialDosViaDecompressionBomb",
- "severity": "warning",
- "category": "security",
- "rule_title": "potential dos via decompression bomb",
- "description": "Detected a possible denial-of-service via a zip bomb attack. By limiting the max bytes read, you can mitigate this attack. `io.CopyN()` can specify a size. 
Refer to https://bomb.codes/ to learn more about this attack and other ways to mitigate it.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "go"
- ],
- "labels": []
- },
- {
- "real_name": "path-traversal-inside-zip-extraction",
- "display_name": "PathTraversalInsideZipExtraction",
- "severity": "warning",
- "category": "security",
- "rule_title": "path traversal inside zip extraction",
- "description": "File traversal when extracting zip archive\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "go"
- ],
- "labels": []
- },
- {
- "real_name": "filepath-clean-misuse",
- "display_name": "FilepathCleanMisuse",
- "severity": "error",
- "category": "security",
- "rule_title": "filepath clean misuse",
- "description": "`Clean` is not intended to sanitize against path traversal attacks. This function is for finding the shortest path name equivalent to the given input. Using `Clean` to sanitize file reads may expose this application to path traversal attacks, where an attacker could access arbitrary files on the server. To fix this easily, write this: `filepath.FromSlash(path.Clean(\"/\"+strings.Trim(req.URL.Path, \"/\")))` However, a better solution is using the `SecureJoin` function in the package `filepath-securejoin`. 
See https://pkg.go.dev/github.com/cyphar/filepath-securejoin#section-readme.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "go"
- ],
- "labels": []
- },
- {
- "real_name": "bad-tmp-file-creation",
- "display_name": "BadTmpFileCreation",
- "severity": "warning",
- "category": "security",
- "rule_title": "bad tmp file creation",
- "description": "File creation in shared tmp directory without using ioutil.Tempfile\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "go"
- ],
- "labels": []
- },
- {
- "real_name": "unsafe-reflect-by-name",
- "display_name": "UnsafeReflectByName",
- "severity": "warning",
- "category": "security",
- "rule_title": "unsafe reflect by name",
- "description": "If an attacker can supply values that the application then uses to determine which method or field to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers. This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "go"
- ],
- "labels": []
- },
- {
- "real_name": "dangerous-exec-command",
- "display_name": "DangerousExecCommand",
- "severity": "error",
- "category": "security",
- "rule_title": "dangerous exec command",
- "description": "Detected non-static command inside Command. Audit the input to 'exec.Command'. If unverified user data can reach this call site, this is a code injection vulnerability. 
A malicious actor can inject a malicious script to execute arbitrary code.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "go"
- ],
- "labels": []
- },
- {
- "real_name": "dangerous-command-write",
- "display_name": "DangerousCommandWrite",
- "severity": "error",
- "category": "security",
- "rule_title": "dangerous command write",
- "description": "Detected non-static command inside Write. Audit the input to '$CW.Write'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "go"
- ],
- "labels": []
- },
- {
- "real_name": "use-of-unsafe-block",
- "display_name": "UseOfUnsafeBlock",
- "severity": "warning",
- "category": "security",
- "rule_title": "use of unsafe block",
- "description": "Using the unsafe package in Go gives you low-level memory management and many of the strengths of the C language, but also steps around the type safety of Go and can lead to buffer overflows and possible arbitrary code execution by an attacker. Only use this package if you absolutely know what you're doing.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "go"
- ],
- "labels": []
- },
- {
- "real_name": "md5-used-as-password",
- "display_name": "Md5UsedAsPassword",
- "severity": "warning",
- "category": "security",
- "rule_title": "md5 used as password",
- "description": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. 
You can use the `golang.org/x/crypto/bcrypt` package.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "go",
- "java",
- "js",
- "php",
- "python",
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "reflect-makefunc",
- "display_name": "ReflectMakefunc",
- "severity": "error",
- "category": "security",
- "rule_title": "reflect makefunc",
- "description": "'reflect.MakeFunc' detected. This will sidestep protections that are normally afforded by Go's type system. Audit this call and be sure that user input cannot be used to affect the code generated by MakeFunc; otherwise, you will have a serious security vulnerability.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "go"
- ],
- "labels": []
- },
- {
- "real_name": "dangerous-exec-cmd",
- "display_name": "DangerousExecCmd",
- "severity": "error",
- "category": "security",
- "rule_title": "dangerous exec cmd",
- "description": "Detected non-static command inside exec.Cmd. Audit the input to 'exec.Cmd'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "go"
- ],
- "labels": []
- },
- {
- "real_name": "dangerous-syscall-exec",
- "display_name": "DangerousSyscallExec",
- "severity": "error",
- "category": "security",
- "rule_title": "dangerous syscall exec",
- "description": "Detected non-static command inside Exec. Audit the input to 'syscall.Exec'. If unverified user data can reach this call site, this is a code injection vulnerability. 
A malicious actor can inject a malicious script to execute arbitrary code.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "go"
- ],
- "labels": []
- },
- {
- "real_name": "string-formatted-query",
- "display_name": "StringFormattedQuery",
- "severity": "warning",
- "category": "security",
- "rule_title": "string formatted query",
- "description": "String-formatted SQL query detected. This could lead to SQL injection if the string is not sanitized properly. Audit this call to ensure the SQL is not manipulable by external data.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "go"
- ],
- "labels": []
- },
- {
- "real_name": "tls-with-insecure-cipher",
- "display_name": "TlsWithInsecureCipher",
- "severity": "warning",
- "category": "security",
- "rule_title": "tls with insecure cipher",
- "description": "Detected an insecure CipherSuite via the 'tls' module. This suite is considered weak. Use the function 'tls.CipherSuites()' to get a list of good cipher suites. See https://golang.org/pkg/crypto/tls/#InsecureCipherSuites for why and what other cipher suites to use.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "go"
- ],
- "labels": []
- },
- {
- "real_name": "avoid-ssh-insecure-ignore-host-key",
- "display_name": "AvoidSshInsecureIgnoreHostKey",
- "severity": "warning",
- "category": "security",
- "rule_title": "avoid ssh insecure ignore host key",
- "description": "Disabled host key verification detected. This allows man-in-the-middle attacks. Use the 'golang.org/x/crypto/ssh/knownhosts' package to do host key verification. 
See https://skarlso.github.io/2019/02/17/go-ssh-with-host-key-verification/ to learn more about the problem and how to fix it.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "go"
- ],
- "labels": []
- },
- {
- "real_name": "use-of-weak-rsa-key",
- "display_name": "UseOfWeakRsaKey",
- "severity": "warning",
- "category": "security",
- "rule_title": "use of weak rsa key",
- "description": "RSA keys should be at least 2048 bits\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "go",
- "java"
- ],
- "labels": []
- },
- {
- "real_name": "ssl-v3-is-insecure",
- "display_name": "SslV3IsInsecure",
- "severity": "warning",
- "category": "security",
- "rule_title": "ssl v3 is insecure",
- "description": "SSLv3 is insecure because it has known vulnerabilities. Starting with go1.14, SSLv3 will be removed. Instead, use 'tls.VersionTLS13'.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "go"
- ],
- "labels": []
- },
- {
- "real_name": "use-of-md5",
- "display_name": "UseOfMd5",
- "severity": "warning",
- "category": "security",
- "rule_title": "use of md5",
- "description": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "go",
- "java"
- ],
- "labels": []
- },
- {
- "real_name": "use-of-sha1",
- "display_name": "UseOfSha1",
- "severity": "warning",
- "category": "security",
- "rule_title": "use of sha1",
- "description": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. 
Use SHA256 or SHA3 instead.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "go",
- "java"
- ],
- "labels": []
- },
- {
- "real_name": "use-of-DES",
- "display_name": "UseOfDes",
- "severity": "warning",
- "category": "security",
- "rule_title": "use of DES",
- "description": "Detected DES cipher algorithm which is insecure. The algorithm is considered weak and has been deprecated. Use AES instead.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "go"
- ],
- "labels": []
- },
- {
- "real_name": "use-of-rc4",
- "display_name": "UseOfRc4",
- "severity": "warning",
- "category": "security",
- "rule_title": "use of rc4",
- "description": "Detected RC4 cipher algorithm which is insecure. The algorithm has many known vulnerabilities. Use AES instead.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "go"
- ],
- "labels": []
- },
- {
- "real_name": "missing-ssl-minversion",
- "display_name": "MissingSslMinversion",
- "severity": "warning",
- "category": "security",
- "rule_title": "missing ssl minversion",
- "description": "`MinVersion` is missing from this TLS configuration. The default value is TLS1.0 which is considered insecure. Explicitly set the `MinVersion` to a secure version of TLS, such as `VersionTLS13`.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "go"
- ],
- "labels": []
- },
- {
- "real_name": "insecure-module-used",
- "display_name": "InsecureModuleUsed",
- "severity": "warning",
- "category": "security",
- "rule_title": "insecure module used",
- "description": "Detected use of an insecure cryptographic hashing method. This method is known to be broken and easily compromised. 
Use SHA256 or SHA3 instead.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "go"
- ],
- "labels": []
- },
- {
- "real_name": "math-random-used",
- "display_name": "MathRandomUsed",
- "severity": "warning",
- "category": "security",
- "rule_title": "math random used",
- "description": "Do not use `math/rand`. Use `crypto/rand` instead.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "go"
- ],
- "labels": []
- },
- {
- "real_name": "wip-xss-using-responsewriter-and-printf",
- "display_name": "WipXssUsingResponsewriterAndPrintf",
- "severity": "warning",
- "category": "security",
- "rule_title": "wip xss using responsewriter and printf",
- "description": "Found data going from url query parameters into formatted data written to ResponseWriter. This could be XSS and should not be done. If you must do this, ensure your data is sanitized or escaped.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "go"
- ],
- "labels": []
- },
- {
- "real_name": "unescaped-data-in-js",
- "display_name": "UnescapedDataInJs",
- "severity": "warning",
- "category": "security",
- "rule_title": "unescaped data in js",
- "description": "Found a formatted template string passed to 'template.JS()'. 'template.JS()' does not escape contents. Be absolutely sure there is no user-controlled data in this template.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "go"
- ],
- "labels": []
- },
- {
- "real_name": "use-tls",
- "display_name": "UseTls",
- "severity": "warning",
- "category": "security",
- "rule_title": "use tls",
- "description": "Found an HTTP server without TLS. Use 'http.ListenAndServeTLS' instead. 
See https://golang.org/pkg/net/http/#ListenAndServeTLS for more information.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "go"
- ],
- "labels": []
- },
- {
- "real_name": "pprof-debug-exposure",
- "display_name": "PprofDebugExposure",
- "severity": "warning",
- "category": "security",
- "rule_title": "pprof debug exposure",
- "description": "The profiling 'pprof' endpoint is automatically exposed on /debug/pprof. This could leak information about the server. Instead, use `import \"net/http/pprof\"`. See https://www.farsightsecurity.com/blog/txt-record/go-remote-profiling-20161028/ for more information and mitigation.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "go"
- ],
- "labels": []
- },
- {
- "real_name": "fs-directory-listing",
- "display_name": "FsDirectoryListing",
- "severity": "warning",
- "category": "security",
- "rule_title": "fs directory listing",
- "description": "Detected usage of 'http.FileServer' as handler: this allows directory listing and an attacker could navigate through directories looking for sensitive files. Be sure to disable directory listing or restrict access to specific directories/files.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "go"
- ],
- "labels": []
- },
- {
- "real_name": "formatted-template-string",
- "display_name": "FormattedTemplateString",
- "severity": "warning",
- "category": "security",
- "rule_title": "formatted template string",
- "description": "Found a formatted template string passed to 'template.HTML()'. 'template.HTML()' does not escape contents. Be absolutely sure there is no user-controlled data in this template. 
If user data can reach this template, you may have a XSS vulnerability.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "go"
- ],
- "labels": []
- },
- {
- "real_name": "cookie-missing-secure",
- "display_name": "CookieMissingSecure",
- "severity": "warning",
- "category": "security",
- "rule_title": "cookie missing secure",
- "description": "A session cookie was detected without setting the 'Secure' flag. The 'secure' flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the 'Secure' flag by setting 'Secure' to 'true' in the Options struct.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "go"
- ],
- "labels": []
- },
- {
- "real_name": "dynamic-httptrace-clienttrace",
- "display_name": "DynamicHttptraceClienttrace",
- "severity": "warning",
- "category": "security",
- "rule_title": "dynamic httptrace clienttrace",
- "description": "Detected a potentially dynamic ClientTrace. This occurred because semgrep could not find a static definition for '$TRACE'. Dynamic ClientTraces are dangerous because they deserialize function code to run when certain Request events occur, which could lead to code being run without your knowledge. Ensure that your ClientTrace is statically defined.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "go"
- ],
- "labels": []
- },
- {
- "real_name": "unescaped-data-in-htmlattr",
- "display_name": "UnescapedDataInHtmlattr",
- "severity": "warning",
- "category": "security",
- "rule_title": "unescaped data in htmlattr",
- "description": "Found a formatted template string passed to 'template. HTMLAttr()'. 'template.HTMLAttr()' does not escape contents. 
Be absolutely sure there is no user-controlled data in this template or validate and sanitize the data before passing it into the template.\n", - "rule_params": null, - "solution": null, - "languages": [ - "go" - ], - "labels": [] - }, - { - "real_name": "cookie-missing-httponly", - "display_name": "CookieMissingHttponly", - "severity": "warning", - "category": "security", - "rule_title": "cookie missing httponly", - "description": "A session cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie which mitigates XSS attacks. Set the 'HttpOnly' flag by setting 'HttpOnly' to 'true' in the Cookie.\n", - "rule_params": null, - "solution": null, - "languages": [ - "go", - "java" - ], - "labels": [] - }, - { - "real_name": "unescaped-data-in-url", - "display_name": "UnescapedDataInUrl", - "severity": "warning", - "category": "security", - "rule_title": "unescaped data in url", - "description": "Found a formatted template string passed to 'template.URL()'. 'template.URL()' does not escape contents, and this could result in XSS (cross-site scripting) and therefore confidential data being stolen. Sanitize data coming into this function or make sure that no user-controlled input is coming into the function.\n", - "rule_params": null, - "solution": null, - "languages": [ - "go" - ], - "labels": [] - }, - { - "real_name": "avoid-bind-to-all-interfaces", - "display_name": "AvoidBindToAllInterfaces", - "severity": "warning", - "category": "security", - "rule_title": "avoid bind to all interfaces", - "description": "Detected a network listener listening on 0.0.0.0 or an empty string. This could unexpectedly expose the server publicly as it binds to all available interfaces. 
Instead, specify another IP address that is not 0.0.0.0 nor the empty string.\n", - "rule_params": null, - "solution": null, - "languages": [ - "go", - "python" - ], - "labels": [] - }, - { - "real_name": "parsing-external-entities-enabled", - "display_name": "ParsingExternalEntitiesEnabled", - "severity": "warning", - "category": "security", - "rule_title": "parsing external entities enabled", - "description": "Detected enabling of \"XMLParseNoEnt\", which allows parsing of external entities and can lead to XXE if user controlled data is parsed by the library. Instead, do not enable \"XMLParseNoEnt\" or be sure to adequately sanitize user-controlled data when it is being parsed by this library.\n", - "rule_params": null, - "solution": null, - "languages": [ - "go" - ], - "labels": [] - }, - { - "real_name": "pgx-sqli", - "display_name": "PgxSqli", - "severity": "error", - "category": "security", - "rule_title": "pgx sqli", - "description": "Detected string concatenation with a non-literal variable in a pgx Go SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, used parameterized queries instead. You can use parameterized queries like so: (`SELECT $1 FROM table`, `data1)\n", - "rule_params": null, - "solution": null, - "languages": [ - "go" - ], - "labels": [] - }, - { - "real_name": "pg-sqli", - "display_name": "PgSqli", - "severity": "error", - "category": "security", - "rule_title": "pg sqli", - "description": "Detected string concatenation with a non-literal variable in a go-pg SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, used parameterized queries instead of string concatenation. You can use parameterized queries like so: '(SELECT ? 
FROM table, data1)'\n", - "rule_params": null, - "solution": null, - "languages": [ - "go", - "js", - "ruby" - ], - "labels": [] - }, - { - "real_name": "pg-orm-sqli", - "display_name": "PgOrmSqli", - "severity": "error", - "category": "security", - "rule_title": "pg orm sqli", - "description": "Detected string concatenation with a non-literal variable in a go-pg ORM SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, do not use strings concatenated with user-controlled input. Instead, use parameterized statements.\n", - "rule_params": null, - "solution": null, - "languages": [ - "go" - ], - "labels": [] - }, - { - "real_name": "gosql-sqli", - "display_name": "GosqlSqli", - "severity": "error", - "category": "security", - "rule_title": "gosql sqli", - "description": "Detected string concatenation with a non-literal variable in a \"database/sql\" Go SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, used parameterized queries or prepared statements instead. You can use prepared statements with the 'Prepare' and 'PrepareContext' calls.\n", - "rule_params": null, - "solution": null, - "languages": [ - "go" - ], - "labels": [] - }, - { - "real_name": "no-interpolation-in-tag", - "display_name": "NoInterpolationInTag", - "severity": "warning", - "category": "security", - "rule_title": "no interpolation in tag", - "description": "Detected template variable interpolation in an HTML tag. This is potentially vulnerable to cross-site scripting (XSS) attacks because a malicious actor has control over HTML but without the need to use escaped characters. 
Use explicit tags instead.\n{\"include\": [\"*.html\", \"*.thtml\", \"*.gohtml\", \"*.tmpl\", \"*.tpl\"]}", - "rule_params": null, - "solution": null, - "languages": [ - "go" - ], - "labels": [] - }, - { - "real_name": "no-direct-write-to-responsewriter", - "display_name": "NoDirectWriteToResponsewriter", - "severity": "warning", - "category": "security", - "rule_title": "no direct write to responsewriter", - "description": "Detected directly writing or similar in 'http.ResponseWriter.write()'. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the 'html/template' package and render data using 'template.Execute()'.\n", - "rule_params": null, - "solution": null, - "languages": [ - "go" - ], - "labels": [] - }, - { - "real_name": "import-text-template", - "display_name": "ImportTextTemplate", - "severity": "warning", - "category": "security", - "rule_title": "import text template", - "description": "'text/template' does not escape HTML content. If you need to escape HTML content, use 'html/template' instead.\n", - "rule_params": null, - "solution": null, - "languages": [ - "go" - ], - "labels": [] - }, - { - "real_name": "no-interpolation-js-template-string", - "display_name": "NoInterpolationJsTemplateString", - "severity": "warning", - "category": "security", - "rule_title": "no interpolation js template string", - "description": "Detected template variable interpolation in a JavaScript template string. This is potentially vulnerable to cross-site scripting (XSS) attacks because a malicious actor has control over JavaScript but without the need to use escaped characters. 
Instead, obtain this variable outside of the template string and ensure your template is properly escaped.\n{\"include\": [\"*.html\", \"*.thtml\", \"*.gohtml\", \"*.tmpl\", \"*.tpl\"]}", - "rule_params": null, - "solution": null, - "languages": [ - "go" - ], - "labels": [] - }, - { - "real_name": "no-io-writestring-to-responsewriter", - "display_name": "NoIoWritestringToResponsewriter", - "severity": "warning", - "category": "security", - "rule_title": "no io writestring to responsewriter", - "description": "Detected 'io.WriteString()' writing directly to 'http.ResponseWriter'. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the 'html/template' package to render data to users.\n", - "rule_params": null, - "solution": null, - "languages": [ - "go" - ], - "labels": [] - }, - { - "real_name": "no-printf-in-responsewriter", - "display_name": "NoPrintfInResponsewriter", - "severity": "warning", - "category": "security", - "rule_title": "no printf in responsewriter", - "description": "Detected 'printf' or similar in 'http.ResponseWriter.write()'. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the 'html/template' package to render data to users.\n", - "rule_params": null, - "solution": null, - "languages": [ - "go" - ], - "labels": [] - }, - { - "real_name": "unsafe-template-type", - "display_name": "UnsafeTemplateType", - "severity": "warning", - "category": "security", - "rule_title": "unsafe template type", - "description": "Semgrep could not determine that the argument to 'template.HTML()' is a constant. 'template.HTML()' and similar does not escape contents. Be absolutely sure there is no user-controlled data in this template. If user data can reach this template, you may have a XSS vulnerability. 
Instead, do not use this function and use 'template.Execute()'.\n", - "rule_params": null, - "solution": null, - "languages": [ - "go" - ], - "labels": [] - }, - { - "real_name": "no-fprintf-to-responsewriter", - "display_name": "NoFprintfToResponsewriter", - "severity": "warning", - "category": "security", - "rule_title": "no fprintf to responsewriter", - "description": "Detected 'Fprintf' or similar writing to 'http.ResponseWriter'. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the 'html/template' package to render data to users.\n", - "rule_params": null, - "solution": null, - "languages": [ - "go" - ], - "labels": [] - }, - { - "real_name": "tainted-url-host", - "display_name": "TaintedUrlHost", - "severity": "warning", - "category": "security", - "rule_title": "tainted url host", - "description": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server runnig this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts hardcode the correct host.\n", - "rule_params": null, - "solution": null, - "languages": [ - "go", - "java", - "php", - "python", - "ruby" - ], - "labels": [] - }, - { - "real_name": "raw-html-format", - "display_name": "RawHtmlFormat", - "severity": "warning", - "category": "security", - "rule_title": "raw html format", - "description": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. 
Use the `html/template` package which will safely render HTML instead, or inspect that the HTML is rendered safely.\n", - "rule_params": null, - "solution": null, - "languages": [ - "go", - "js", - "python", - "ruby" - ], - "labels": [] - }, - { - "real_name": "useless-if-conditional", - "display_name": "UselessIfConditional", - "severity": "warning", - "category": "correctness", - "rule_title": "useless if conditional", - "description": "Detected an if block that checks for the same condition on both branches (`$X`). The second condition check is useless as it is the same as the first, and therefore can be removed from the code,\n", - "rule_params": null, - "solution": null, - "languages": [ - "go", - "python" - ], - "labels": [] - }, - { - "real_name": "useless-if-body", - "display_name": "UselessIfBody", - "severity": "warning", - "category": "correctness", - "rule_title": "useless if body", - "description": "Detected identical statements in the if body and the else body of an if-statement. This will lead to the same code being executed no matter what the if-expression evaluates to. Instead, remove the if statement.\n", - "rule_params": null, - "solution": null, - "languages": [ - "go", - "python" - ], - "labels": [] - }, - { - "real_name": "exported_loop_pointer", - "display_name": "Exported_loop_pointer", - "severity": "warning", - "category": "correctness", - "rule_title": "exported_loop_pointer", - "description": "`$VALUE` is a loop pointer that may be exported from the loop. This pointer is shared between loop iterations, so the exported reference will always point to the last loop value, which is likely unintentional. 
To fix, copy the pointer to a new pointer within the loop.\n", - "rule_params": null, - "solution": null, - "languages": [ - "go" - ], - "labels": [] - }, - { - "real_name": "use-filepath-join", - "display_name": "UseFilepathJoin", - "severity": "warning", - "category": "correctness", - "rule_title": "use filepath join", - "description": "`path.Join(...)` always joins using a forward slash. This may cause issues on Windows or other systems using a different delimiter. Use `filepath.Join(...)` instead which uses OS-specific path separators.\n", - "rule_params": null, - "solution": null, - "languages": [ - "go" - ], - "labels": [] - }, - { - "real_name": "eqeq-is-bad", - "display_name": "EqeqIsBad", - "severity": "error", - "category": "correctness", - "rule_title": "eqeq is bad", - "description": "Detected useless comparison operation `$X == $X` or `$X != $X`. This will always return 'True' or 'False' and therefore is not necessary. Instead, remove this comparison operation or use another comparison expression that is not deterministic.\n", - "rule_params": null, - "solution": null, - "languages": [ - "go", - "js" - ], - "labels": [] - }, - { - "real_name": "hardcoded-eq-true-or-false", - "display_name": "HardcodedEqTrueOrFalse", - "severity": "error", - "category": "correctness", - "rule_title": "hardcoded eq true or false", - "description": "Detected useless if statement. 'if (True)' and 'if (False)' always result in the same behavior, and therefore is not necessary in the code. 
Remove the 'if (False)' expression completely or just the 'if (True)' comparison depending on which expression is in the code.\n", - "rule_params": null, - "solution": null, - "languages": [ - "go" - ], - "labels": [] - }, - { - "real_name": "incorrect-default-permission", - "display_name": "IncorrectDefaultPermission", - "severity": "warning", - "category": "correctness", - "rule_title": "incorrect default permission", - "description": "Detected file permissions that are set to more than `0600` (user/owner can read and write). Setting file permissions to higher than `0600` is most likely unnecessary and violates the principle of least privilege. Instead, set permissions to be `0600` or less for os.Chmod, os.Mkdir, os.OpenFile, os.MkdirAll, and ioutil.WriteFile\n", - "rule_params": null, - "solution": null, - "languages": [ - "go" - ], - "labels": [] - }, - { - "real_name": "integer-overflow-int16", - "display_name": "IntegerOverflowInt16", - "severity": "warning", - "category": "correctness", - "rule_title": "integer overflow int16", - "description": "Detected conversion of the result of a strconv.Atoi command to an int16. This could lead to an integer overflow, which could possibly result in unexpected behavior and even privilege escalation. Instead, use `strconv.ParseInt`.\n", - "rule_params": null, - "solution": null, - "languages": [ - "go" - ], - "labels": [] - }, - { - "real_name": "integer-overflow-int32", - "display_name": "IntegerOverflowInt32", - "severity": "warning", - "category": "correctness", - "rule_title": "integer overflow int32", - "description": "Detected conversion of the result of a strconv.Atoi command to an int32. This could lead to an integer overflow, which could possibly result in unexpected behavior and even privilege escalation. 
Instead, use `strconv.ParseInt`.\n", - "rule_params": null, - "solution": null, - "languages": [ - "go" - ], - "labels": [] - }, - { - "real_name": "channel-guarded-with-mutex", - "display_name": "ChannelGuardedWithMutex", - "severity": "warning", - "category": "correctness", - "rule_title": "channel guarded with mutex", - "description": "Detected a channel guarded with a mutex. Channels already have an internal mutex, so this is unnecessary. Remove the mutex. See https://hackmongo.com/page/golang-antipatterns/#guarded-channel for more information.\n", - "rule_params": null, - "solution": null, - "languages": [ - "go" - ], - "labels": [] - }, - { - "real_name": "hidden-goroutine", - "display_name": "HiddenGoroutine", - "severity": "warning", - "category": "correctness", - "rule_title": "hidden goroutine", - "description": "Detected a hidden goroutine. Function invocations are expected to synchronous, and this function will execute asynchronously because all it does is call a goroutine. Instead, remove the internal goroutine and call the function using 'go'.\n", - "rule_params": null, - "solution": null, - "languages": [ - "go" - ], - "labels": [] - }, - { - "real_name": "dangerous-execution", - "display_name": "DangerousExecution", - "severity": "error", - "category": "security", - "rule_title": "dangerous execution", - "description": "Detected non-static script inside otto VM. Audit the input to 'VM.Run'. If unverified user data can reach this call site, this is a code injection vulnerability. 
A malicious actor can inject a malicious script to execute arbitrary code.\n", - "rule_params": null, - "solution": null, - "languages": [ - "go" - ], - "labels": [] - }, - { - "real_name": "find-sql-string-concatenation", - "display_name": "FindSqlStringConcatenation", - "severity": "error", - "category": "security", - "rule_title": "find sql string concatenation", - "description": "In $METHOD, $X is used to construct a SQL query via string concatenation.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "seam-log-injection", - "display_name": "SeamLogInjection", - "severity": "error", - "category": "security", - "rule_title": "seam log injection", - "description": "Seam Logging API support an expression language to introduce bean property to log messages. The expression language can also be the source to unwanted code execution. In this context, an expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "jjwt-none-alg", - "display_name": "JjwtNoneAlg", - "severity": "error", - "category": "security", - "rule_title": "jjwt none alg", - "description": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. 
Instead, use an algorithm such as 'HS256'.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "insecure-resteasy-deserialization", - "display_name": "InsecureResteasyDeserialization", - "severity": "warning", - "category": "security", - "rule_title": "insecure resteasy deserialization", - "description": "When a Restful webservice endpoint is configured to use wildcard mediaType {*/*} as a value for the @Consumes annotation, an attacker could abuse the SerializableProvider by sending a HTTP Request with a Content-Type of application/x-java-serialized-object. The body of that request would be processed by the SerializationProvider and could contain a malicious payload, which may lead to arbitrary code execution when calling the $Y.getObject method.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "default-resteasy-provider-abuse", - "display_name": "DefaultResteasyProviderAbuse", - "severity": "warning", - "category": "security", - "rule_title": "default resteasy provider abuse", - "description": "When a Restful webservice endpoint isn't configured with a @Consumes annotation, an attacker could abuse the SerializableProvider by sending a HTTP Request with a Content-Type of application/x-java-serialized-object. The body of that request would be processed by the SerializationProvider and could contain a malicious payload, which may lead to arbitrary code execution.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "jax-rs-path-traversal", - "display_name": "JaxRsPathTraversal", - "severity": "warning", - "category": "security", - "rule_title": "jax rs path traversal", - "description": "Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with '../'. 
To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "cookie-issecure-false", - "display_name": "CookieIssecureFalse", - "severity": "warning", - "category": "security", - "rule_title": "cookie issecure false", - "description": "Default session middleware settings: `setSecure` not set to true. This ensures that the cookie is sent only over HTTPS to prevent cross-site scripting attacks.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "tainted-sqli", - "display_name": "TaintedSqli", - "severity": "warning", - "category": "security", - "rule_title": "tainted sqli", - "description": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use parameterized SQL queries or properly sanitize user input instead.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "httpservlet-path-traversal", - "display_name": "HttpservletPathTraversal", - "severity": "error", - "category": "security", - "rule_title": "httpservlet path traversal", - "description": "Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) 
to only retrieve the file name from the path.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "insecure-jms-deserialization", - "display_name": "InsecureJmsDeserialization", - "severity": "warning", - "category": "security", - "rule_title": "insecure jms deserialization", - "description": "JMS Object messages depend on Java Serialization for marshalling/unmarshalling of the message payload when ObjectMessage.getObject() is called. Deserialization of untrusted data can lead to security flaws; a remote attacker could via a crafted JMS ObjectMessage to execute arbitrary code with the permissions of the application listening/consuming JMS Messages. In this case, the JMS MessageListener consume an ObjectMessage type received inside the onMessage method, which may lead to arbitrary code execution when calling the $Y.getObject method.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "xmlinputfactory-possible-xxe", - "display_name": "XmlinputfactoryPossibleXxe", - "severity": "warning", - "category": "security", - "rule_title": "xmlinputfactory possible xxe", - "description": "XML external entities are not explicitly disabled for this XMLInputFactory. This could be vulnerable to XML external entity vulnerabilities. Explicitly disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "do-privileged-use", - "display_name": "DoPrivilegedUse", - "severity": "warning", - "category": "security", - "rule_title": "do privileged use", - "description": "Marking code as privileged enables a piece of trusted code to temporarily enable access to more resources than are available directly to the code that called it. 
Be very careful in your use of the privileged construct, and always remember to make the privileged code section as small as possible.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "xmlinputfactory-external-entities-enabled", - "display_name": "XmlinputfactoryExternalEntitiesEnabled", - "severity": "error", - "category": "security", - "rule_title": "xmlinputfactory external entities enabled", - "description": "XML external entities are enabled for this XMLInputFactory. This is vulnerable to XML external entity attacks. Disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "use-snakeyaml-constructor", - "display_name": "UseSnakeyamlConstructor", - "severity": "warning", - "category": "security", - "rule_title": "use snakeyaml constructor", - "description": "Used SnakeYAML org.yaml.snakeyaml.Yaml() constructor with no arguments, which is vulnerable to deserialization attacks. Use the one-argument Yaml(...) constructor instead, with SafeConstructor or a custom Constructor as the argument.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "servletresponse-writer-xss", - "display_name": "ServletresponseWriterXss", - "severity": "error", - "category": "security", - "rule_title": "servletresponse writer xss", - "description": "Cross-site scripting detected in HttpServletResponse writer with variable '$VAR'. User input was detected going directly from the HttpServletRequest into output. 
Ensure your data is properly encoded using org.owasp.encoder.Encode.forHtml: 'Encode.forHtml($VAR)'.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "unvalidated-redirect", - "display_name": "UnvalidatedRedirect", - "severity": "warning", - "category": "security", - "rule_title": "unvalidated redirect", - "description": "Application redirects to a destination URL specified by a user-supplied parameter that is not validated. This could direct users to malicious locations. Consider using an allowlist to validate URLs.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "formatted-sql-string", - "display_name": "FormattedSqlString", - "severity": "error", - "category": "security", - "rule_title": "formatted sql string", - "description": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "ldap-entry-poisoning", - "display_name": "LdapEntryPoisoning", - "severity": "warning", - "category": "security", - "rule_title": "ldap entry poisoning", - "description": "An object-returning LDAP search will allow attackers to control the LDAP response. This could lead to Remote Code Execution.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "insecure-smtp-connection", - "display_name": "InsecureSmtpConnection", - "severity": "warning", - "category": "security", - "rule_title": "insecure smtp connection", - "description": "Insecure SMTP connection detected. This connection will trust any SSL certificate. 
Enable certificate verification by setting 'email.setSSLCheckServerIdentity(true)'.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "unsafe-reflection", - "display_name": "UnsafeReflection", - "severity": "warning", - "category": "security", - "rule_title": "unsafe reflection", - "description": "If an attacker can supply values that the application then uses to determine which class to instantiate or which method to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers. This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "overly-permissive-file-permission", - "display_name": "OverlyPermissiveFilePermission", - "severity": "warning", - "category": "security", - "rule_title": "overly permissive file permission", - "description": "It is generally a bad practices to set overly permissive file permission such as read+write+exec for all users. 
If the file affected is a configuration, a binary, a script or sensitive data, it can lead to privilege escalation or information leakage.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "permissive-cors", - "display_name": "PermissiveCors", - "severity": "warning", - "category": "security", - "rule_title": "permissive cors", - "description": "https://find-sec-bugs.github.io/bugs.htm#PERMISSIVE_CORS Permissive CORS policy will allow a malicious application to communicate with the victim application in an inappropriate way, leading to spoofing, data theft, relay and other attacks.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "tainted-xpath-from-http-request", - "display_name": "TaintedXpathFromHttpRequest", - "severity": "warning", - "category": "security", - "rule_title": "tainted xpath from http request", - "description": "Detected input from a HTTPServletRequest going into a XPath evaluate or compile command. This could lead to xpath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Instead, thoroughly sanitize user input or use parameterized xpath queries if you can.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "cbc-padding-oracle", - "display_name": "CbcPaddingOracle", - "severity": "warning", - "category": "security", - "rule_title": "cbc padding oracle", - "description": "Using CBC with PKCS5Padding is susceptible to padding oracle attacks. A malicious actor could discern the difference between plaintext with valid or invalid padding. Further, CBC mode does not include any integrity checks. See https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY. 
Use 'AES/GCM/NoPadding' instead.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "script-engine-injection", - "display_name": "ScriptEngineInjection", - "severity": "warning", - "category": "security", - "rule_title": "script engine injection", - "description": "Detected potential code injection using ScriptEngine. Ensure user-controlled data cannot enter '.eval()', otherwise, this is a code injection vulnerability.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "dangerous-groovy-shell", - "display_name": "DangerousGroovyShell", - "severity": "warning", - "category": "security", - "rule_title": "dangerous groovy shell", - "description": "A expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "el-injection", - "display_name": "ElInjection", - "severity": "warning", - "category": "security", - "rule_title": "el injection", - "description": "An expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "cookie-missing-secure-flag", - "display_name": "CookieMissingSecureFlag", - "severity": "warning", - "category": "security", - "rule_title": "cookie missing secure flag", - "description": "A cookie was detected without setting the 'secure' flag. The 'secure' flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. 
Set the 'secure' flag by calling '$COOKIE.setSecure(true);'\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "crlf-injection-logs", - "display_name": "CrlfInjectionLogs", - "severity": "warning", - "category": "security", - "rule_title": "crlf injection logs", - "description": "When data from an untrusted source is put into a logger and not neutralized correctly, an attacker could forge log entries or include malicious content.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "bad-hexa-conversion", - "display_name": "BadHexaConversion", - "severity": "warning", - "category": "security", - "rule_title": "bad hexa conversion", - "description": "'Integer.toHexString()' strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use 'String.format(\"%02X\", ...)' instead.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "object-deserialization", - "display_name": "ObjectDeserialization", - "severity": "warning", - "category": "security", - "rule_title": "object deserialization", - "description": "Found object deserialization using ObjectInputStream. Deserializing entire Java objects is dangerous because malicious actors can create Java object streams with unintended consequences. Ensure that the objects being deserialized are not user-controlled. 
If this must be done, consider using HMACs to sign the data stream to make sure it is not tampered with, or consider only transmitting object fields and populating a new object.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "url-rewriting", - "display_name": "UrlRewriting", - "severity": "warning", - "category": "security", - "rule_title": "url rewriting", - "description": "URL rewriting has significant security risks. Since session ID appears in the URL, it may be easily seen by third parties.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "tainted-ldapi-from-http-request", - "display_name": "TaintedLdapiFromHttpRequest", - "severity": "warning", - "category": "security", - "rule_title": "tainted ldapi from http request", - "description": "Detected input from a HTTPServletRequest going into an LDAP query. This could lead to LDAP injection if the input is not properly santized, which could result in attackers modifying objects in the LDAP tree structure. Ensure data passed to an LDAP query is not controllable or properly sanitize the data.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "anonymous-ldap-bind", - "display_name": "AnonymousLdapBind", - "severity": "warning", - "category": "security", - "rule_title": "anonymous ldap bind", - "description": "Detected anonymous LDAP bind. This permits anonymous users to execute LDAP statements. Consider enforcing authentication for LDAP. 
See https://docs.oracle.com/javase/tutorial/jndi/ldap/auth_mechs.html for more information.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "http-response-splitting", - "display_name": "HttpResponseSplitting", - "severity": "info", - "category": "security", - "rule_title": "http response splitting", - "description": "Older Java application servers are vulnerable to HTTP response splitting, which may occur if an HTTP request can be injected with CRLF characters. This finding is reported for completeness; it is recommended to ensure your environment is not affected by testing this yourself.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "command-injection-process-builder", - "display_name": "CommandInjectionProcessBuilder", - "severity": "error", - "category": "security", - "rule_title": "command injection process builder", - "description": "A formatted or concatenated string was detected as input to a ProcessBuilder call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "blowfish-insufficient-key-size", - "display_name": "BlowfishInsufficientKeySize", - "severity": "warning", - "category": "security", - "rule_title": "blowfish insufficient key size", - "description": "Using less than 128 bits for Blowfish is considered insecure. 
Use 128 bits or more, or switch to use AES instead.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "ognl-injection", - "display_name": "OgnlInjection", - "severity": "warning", - "category": "security", - "rule_title": "ognl injection", - "description": "A expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "xml-decoder", - "display_name": "XmlDecoder", - "severity": "warning", - "category": "security", - "rule_title": "xml decoder", - "description": "XMLDecoder should not be used to parse untrusted data. Deserializing user input can lead to arbitrary code execution. Use an alternative and explicitly disable external entities. See https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html for alternatives and vulnerability prevention.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "command-injection-formatted-runtime-call", - "display_name": "CommandInjectionFormattedRuntimeCall", - "severity": "error", - "category": "security", - "rule_title": "command injection formatted runtime call", - "description": "A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. 
Ensure your variables are not controlled by users or sufficiently sanitized.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "jdbc-sql-formatted-string", - "display_name": "JdbcSqlFormattedString", - "severity": "warning", - "category": "security", - "rule_title": "jdbc sql formatted string", - "description": "Possible JDBC injection detected. Use the parameterized query feature available in queryForObject instead of concatenating or formatting strings: 'jdbc.queryForObject(\"select * from table where name = ?\", Integer.class, parameterName);'\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "tainted-session-from-http-request", - "display_name": "TaintedSessionFromHttpRequest", - "severity": "warning", - "category": "security", - "rule_title": "tainted session from http request", - "description": "Detected input from a HTTPServletRequest going into a session command, like `setAttribute`. User input into such a command could lead to an attacker inputting malicious code into your session parameters, blurring the line between what's trusted and untrusted, and therefore leading to a trust boundary violation. This could lead to programmers trusting unvalidated data. Instead, thoroughly sanitize user input before passing it into such function calls.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "xssrequestwrapper-is-insecure", - "display_name": "XssrequestwrapperIsInsecure", - "severity": "warning", - "category": "security", - "rule_title": "xssrequestwrapper is insecure", - "description": "It looks like you're using an implementation of XSSRequestWrapper from dzone. (https://www.javacodegeeks.com/2012/07/anti-cross-site-scripting-xss-filter.html) The XSS filtering in this code is not secure and can be bypassed by malicious actors. 
It is recommended to use a stack that automatically escapes in your view or templates instead of filtering yourself.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "ldap-injection", - "display_name": "LdapInjection", - "severity": "warning", - "category": "security", - "rule_title": "ldap injection", - "description": "Detected non-constant data passed into an LDAP query. If this data can be controlled by an external user, this is an LDAP injection. Ensure data passed to an LDAP query is not controllable; or properly sanitize the data.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "java-reverse-shell", - "display_name": "JavaReverseShell", - "severity": "warning", - "category": "security", - "rule_title": "java reverse shell", - "description": "Semgrep found potential reverse shell behavior\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "tainted-cmd-from-http-request", - "display_name": "TaintedCmdFromHttpRequest", - "severity": "error", - "category": "security", - "rule_title": "tainted cmd from http request", - "description": "Detected input from a HTTPServletRequest going into a 'ProcessBuilder' or 'exec' command. This could lead to command injection if variables passed into the exec commands are not properly sanitized. 
Instead, avoid using these OS commands with user-supplied input, or, if you must use these commands, use a whitelist of specific values.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "cookie-missing-samesite", - "display_name": "CookieMissingSamesite", - "severity": "warning", - "category": "security", - "rule_title": "cookie missing samesite", - "description": "Detected cookie without the SameSite attribute.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "weak-ssl-context", - "display_name": "WeakSslContext", - "severity": "warning", - "category": "security", - "rule_title": "weak ssl context", - "description": "An insecure SSL context was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use SSLContext.getInstance(\"TLSv1.2\") for the best security.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "unencrypted-socket", - "display_name": "UnencryptedSocket", - "severity": "warning", - "category": "security", - "rule_title": "unencrypted socket", - "description": "This socket is not encrypted. The traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory' instead\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "no-static-initialization-vector", - "display_name": "NoStaticInitializationVector", - "severity": "warning", - "category": "security", - "rule_title": "no static initialization vector", - "description": "Initialization Vectors (IVs) for block ciphers should be randomly generated each time they are used. 
Using a static IV means the same plaintext encrypts to the same ciphertext every time, weakening the strength of the encryption.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "ecb-cipher", - "display_name": "EcbCipher", - "severity": "warning", - "category": "security", - "rule_title": "ecb cipher", - "description": "Cipher in ECB mode is detected. ECB mode produces the same output for the same input each time which allows an attacker to intercept and replay the data. Further, ECB mode does not provide any integrity checking. See https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "rsa-no-padding", - "display_name": "RsaNoPadding", - "severity": "warning", - "category": "security", - "rule_title": "rsa no padding", - "description": "Using RSA without OAEP mode weakens the encryption.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "des-is-deprecated", - "display_name": "DesIsDeprecated", - "severity": "warning", - "category": "security", - "rule_title": "des is deprecated", - "description": "DES is considered deprecated. AES is the recommended cipher. Upgrade to use AES. See https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard for more information.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "desede-is-deprecated", - "display_name": "DesedeIsDeprecated", - "severity": "warning", - "category": "security", - "rule_title": "desede is deprecated", - "description": "Triple DES (3DES or DESede) is considered deprecated. AES is the recommended cipher. 
Upgrade to use AES.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "gcm-detection", - "display_name": "GcmDetection", - "severity": "info", - "category": "security", - "rule_title": "gcm detection", - "description": "GCM detected, please check that IV/nonce is not reused,an Initialization Vector (IV) is a nonce used to randomize the encryption,so that even if multiple messages with identical plaintext are encrypted, the generated corresponding ciphertexts are different.Unlike the Key, the IV usually does not need to be secret, rather it is important that it is random and unique.Certain encryption schemes the IV is exchanged in public as part of the ciphertext. Reusing same Initialization Vector with the same Key to encrypt multiple plaintext blocks allows an attacker to compare the ciphertexts and then, with some assumptions on the content of the messages, to gain important information about the data being encrypted.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "gcm-nonce-reuse", - "display_name": "GcmNonceReuse", - "severity": "error", - "category": "security", - "rule_title": "gcm nonce reuse", - "description": "GCM IV/nonce is reused: encryption can be totally useless\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "weak-random", - "display_name": "WeakRandom", - "severity": "warning", - "category": "security", - "rule_title": "weak random", - "description": "Detected use of the functions `Math.random()` or `java.util.Random()`. These are both not cryptographically strong random number generators (RNGs). 
If you are using these RNGs to create passwords or secret tokens, use `java.security.SecureRandom` instead.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "no-null-cipher", - "display_name": "NoNullCipher", - "severity": "warning", - "category": "security", - "rule_title": "no null cipher", - "description": "NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "insecure-hostname-verifier", - "display_name": "InsecureHostnameVerifier", - "severity": "warning", - "category": "security", - "rule_title": "insecure hostname verifier", - "description": "Insecure HostnameVerifier implementation detected. This will accept any SSL certificate with any hostname, which creates the possibility for man-in-the-middle attacks.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "avoid-implementing-custom-digests", - "display_name": "AvoidImplementingCustomDigests", - "severity": "warning", - "category": "security", - "rule_title": "avoid implementing custom digests", - "description": "Cryptographic algorithms are notoriously difficult to get right. By implementing a custom message digest, you risk introducing security issues into your program. 
Use one of the many sound message digests already available to you: MessageDigest sha256Digest = MessageDigest.getInstance(\"SHA256\");\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "defaulthttpclient-is-deprecated", - "display_name": "DefaulthttpclientIsDeprecated", - "severity": "warning", - "category": "security", - "rule_title": "defaulthttpclient is deprecated", - "description": "DefaultHttpClient is deprecated. Further, it does not support connections using TLS1.2, which makes using DefaultHttpClient a security hazard. Use HttpClientBuilder instead.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "insecure-trust-manager", - "display_name": "InsecureTrustManager", - "severity": "warning", - "category": "security", - "rule_title": "insecure trust manager", - "description": "Detected empty trust manager implementations. This is dangerous because it accepts any certificate, enabling man-in-the-middle attacks. Consider using a KeyStore and TrustManagerFactory instead. See https://stackoverflow.com/questions/2642777/trusting-all-certificates-using-httpclient-over-https for more information.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "documentbuilderfactory-external-general-entities-true", - "display_name": "DocumentbuilderfactoryExternalGeneralEntitiesTrue", - "severity": "error", - "category": "security", - "rule_title": "documentbuilderfactory external general entities true", - "description": "External entities are allowed for this DocumentBuilderFactory. This is vulnerable to XML external entity attacks. 
Disable this by setting the feature \"http://xml.org/sax/features/external-general-entities\" to false.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "documentbuilderfactory-disallow-doctype-decl-missing", - "display_name": "DocumentbuilderfactoryDisallowDoctypeDeclMissing", - "severity": "error", - "category": "security", - "rule_title": "documentbuilderfactory disallow doctype decl missing", - "description": "DOCTYPE declarations are enabled for this DocumentBuilderFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "documentbuilderfactory-disallow-doctype-decl-false", - "display_name": "DocumentbuilderfactoryDisallowDoctypeDeclFalse", - "severity": "error", - "category": "security", - "rule_title": "documentbuilderfactory disallow doctype decl false", - "description": "DOCTYPE declarations are enabled for this DocumentBuilderFactory. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. 
This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "documentbuilderfactory-external-parameter-entities-true", - "display_name": "DocumentbuilderfactoryExternalParameterEntitiesTrue", - "severity": "error", - "category": "security", - "rule_title": "documentbuilderfactory external parameter entities true", - "description": "External entities are allowed for this DocumentBuilderFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-parameter-entities\" to false.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "hibernate-sqli", - "display_name": "HibernateSqli", - "severity": "warning", - "category": "security", - "rule_title": "hibernate sqli", - "description": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "turbine-sqli", - "display_name": "TurbineSqli", - "severity": "warning", - "category": "security", - "rule_title": "turbine sqli", - "description": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. 
You can obtain a PreparedStatement using 'connection.prepareStatement'.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "vertx-sqli", - "display_name": "VertxSqli", - "severity": "warning", - "category": "security", - "rule_title": "vertx sqli", - "description": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "tainted-sql-from-http-request", - "display_name": "TaintedSqlFromHttpRequest", - "severity": "warning", - "category": "security", - "rule_title": "tainted sql from http request", - "description": "Detected input from a HTTPServletRequest going into a SQL sink or statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use parameterized SQL queries or properly sanitize user input instead.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "jdo-sqli", - "display_name": "JdoSqli", - "severity": "warning", - "category": "security", - "rule_title": "jdo sqli", - "description": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. 
You can obtain a PreparedStatement using 'connection.prepareStatement'.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "jdbc-sqli", - "display_name": "JdbcSqli", - "severity": "warning", - "category": "security", - "rule_title": "jdbc sqli", - "description": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "jpa-sqli", - "display_name": "JpaSqli", - "severity": "warning", - "category": "security", - "rule_title": "jpa sqli", - "description": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "no-direct-response-writer", - "display_name": "NoDirectResponseWriter", - "severity": "warning", - "category": "security", - "rule_title": "no direct response writer", - "description": "Detected a request with potential user-input going into a OutputStream or Writer object. This bypasses any view or template environments, including HTML escaping, which may expose this application to cross-site scripting (XSS) vulnerabilities. 
Consider using a view technology such as JavaServer Faces (JSFs) which automatically escapes HTML views.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "autoescape-disabled", - "display_name": "AutoescapeDisabled", - "severity": "warning", - "category": "security", - "rule_title": "autoescape disabled", - "description": "Detected an element with disabled HTML escaping. If external data can reach this, this is a cross-site scripting (XSS) vulnerability. Ensure no external data can reach here, or remove 'escape=false' from this element.\n{\"include\": [\"*.html\", \"*.xhtml\"]}", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "use-jstl-escaping", - "display_name": "UseJstlEscaping", - "severity": "warning", - "category": "security", - "rule_title": "use jstl escaping", - "description": "Detected an Expression Language segment in a tag that does not escape output. This is dangerous because if any data in this expression can be controlled externally, it is a cross-site scripting vulnerability. Instead, use the 'out' tag from the JSTL taglib to escape this expression. See https://www.tutorialspoint.com/jsp/jstl_core_out_tag.htm for more information.\n{\"include\": [\"*.jsp\"]}", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "use-escapexml", - "display_name": "UseEscapexml", - "severity": "warning", - "category": "security", - "rule_title": "use escapexml", - "description": "Detected an Expression Language segment that does not escape output. This is dangerous because if any data in this expression can be controlled externally, it is a cross-site scripting vulnerability. Instead, use the 'escapeXml' function from the JSTL taglib. 
See https://www.tutorialspoint.com/jsp/jstl_function_escapexml.htm for more information.\n{\"include\": [\"*.jsp\"]}", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "no-scriptlets", - "display_name": "NoScriptlets", - "severity": "warning", - "category": "security", - "rule_title": "no scriptlets", - "description": "JSP scriptlet detected. Scriptlets are difficult to use securely and are considered bad practice. See https://stackoverflow.com/a/3180202. Instead, consider migrating to JSF or using the Expression Language '${...}' with the escapeXml function in your JSP files.\n{\"include\": [\"*.jsp\"]}", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "no-string-eqeq", - "display_name": "NoStringEqeq", - "severity": "warning", - "category": "correctness", - "rule_title": "no string eqeq", - "description": "Strings should not be compared with '=='. This is a reference comparison operator. Use '.equals()' instead.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "hardcoded-conditional", - "display_name": "HardcodedConditional", - "severity": "error", - "category": "correctness", - "rule_title": "hardcoded conditional", - "description": "This if statement will always have the same behavior and is therefore unnecessary.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "eqeq", - "display_name": "Eqeq", - "severity": "error", - "category": "correctness", - "rule_title": "eqeq", - "description": "`$X == $X` or `$X != $X` is always true. (Unless the value compared is a float or double). 
To test if `$X` is not-a-number, use `Double.isNaN($X)`.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "assignment-comparison", - "display_name": "AssignmentComparison", - "severity": "error", - "category": "correctness", - "rule_title": "assignment comparison", - "description": "The value of `$X` is being ignored and will be used in the conditional test\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "manifest-usesCleartextTraffic-true", - "display_name": "ManifestUsescleartexttrafficTrue", - "severity": "info", - "category": "correctness", - "rule_title": "manifest usesCleartextTraffic true", - "description": "The Android manifest is configured to allow non-encrypted connections. Evaluate if this is necessary for your app, and disable it if appropriate. This flag is ignored on Android 7 (API 24) and above if a Network Security Config is present.\n{\"include\": [\"*.xml\"]}", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "manifest-usesCleartextTraffic-ignored-by-nsc", - "display_name": "ManifestUsescleartexttrafficIgnoredByNsc", - "severity": "info", - "category": "correctness", - "rule_title": "manifest usesCleartextTraffic ignored by nsc", - "description": "Manifest uses both `android:usesCleartextTraffic` and Network Security Config. The `usesCleartextTraffic` directive is ignored on Android 7 (API 24) and above if a Network Security Config is present.\n{\"include\": [\"*.xml\"]}", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "java-jwt-none-alg", - "display_name": "JavaJwtNoneAlg", - "severity": "error", - "category": "security", - "rule_title": "java jwt none alg", - "description": "Detected use of the 'none' algorithm in a JWT token. 
The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "java-jwt-hardcoded-secret", - "display_name": "JavaJwtHardcodedSecret", - "severity": "warning", - "category": "security", - "rule_title": "java jwt hardcoded secret", - "description": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "java-jwt-decode-without-verify", - "display_name": "JavaJwtDecodeWithoutVerify", - "severity": "warning", - "category": "security", - "rule_title": "java jwt decode without verify", - "description": "Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call '.verify()' before using the token.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "log4j-message-lookup-injection", - "display_name": "Log4jMessageLookupInjection", - "severity": "warning", - "category": "security", - "rule_title": "log4j message lookup injection", - "description": "Possible Lookup injection into Log4j messages. Lookups provide a way to add values to the Log4j messages at arbitrary places. 
If the message parameter contains an attacker controlled string, the attacker could inject arbitrary lookups, for instance '${java:runtime}'. This could lead to information disclosure or even remote code execution if 'log4j2.formatMsgNoLookups' is enabled. This was enabled by default until version 2.15.0.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "server-dangerous-class-deserialization", - "display_name": "ServerDangerousClassDeserialization", - "severity": "warning", - "category": "security", - "rule_title": "server dangerous class deserialization", - "description": "Using a non-primitive class with Java RMI may be an insecure deserialization vulnerability. Depending on the underlying implementation. This object could be manipulated by a malicious actor allowing them to execute code on your system. Instead, use an integer ID to look up your object, or consider alternative serialization schemes such as JSON.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "server-dangerous-object-deserialization", - "display_name": "ServerDangerousObjectDeserialization", - "severity": "error", - "category": "security", - "rule_title": "server dangerous object deserialization", - "description": "Using an arbitrary object ('Object $PARAM') with Java RMI is an insecure deserialization vulnerability. This object can be manipulated by a malicious actor allowing them to execute code on your system. 
Instead, use an integer ID to look up your object, or consider alternative serialization schemes such as JSON.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "unrestricted-request-mapping", - "display_name": "UnrestrictedRequestMapping", - "severity": "warning", - "category": "security", - "rule_title": "unrestricted request mapping", - "description": "Detected a method annotated with 'RequestMapping' that does not specify the HTTP method. CSRF protections are not enabled for GET, HEAD, TRACE, or OPTIONS, and by default all HTTP methods are allowed when the HTTP method is not explicitly specified. This means that a method that performs state changes could be vulnerable to CSRF attacks. To mitigate, add the 'method' field and specify the HTTP method (such as 'RequestMethod.POST').\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "cve-2022-22965", - "display_name": "Cve202222965", - "severity": "warning", - "category": "security", - "rule_title": "cve 2022 22965", - "description": "Method $M potentially vulnerable to CVE-2022-22965 due to plain binding of a vulnerable POJO type.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "spring-jsp-eval", - "display_name": "SpringJspEval", - "severity": "warning", - "category": "security", - "rule_title": "spring jsp eval", - "description": "A Spring expression is built with a dynamic value. 
The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\n{\"include\": [\"*.jsp\"]}", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "spel-injection", - "display_name": "SpelInjection", - "severity": "warning", - "category": "security", - "rule_title": "spel injection", - "description": "A Spring expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "spring-sqli", - "display_name": "SpringSqli", - "severity": "warning", - "category": "security", - "rule_title": "spring sqli", - "description": "Detected a string argument from a public method contract in a raw SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "spring-unvalidated-redirect", - "display_name": "SpringUnvalidatedRedirect", - "severity": "warning", - "category": "security", - "rule_title": "spring unvalidated redirect", - "description": "Application redirects a user to a destination URL specified by a user supplied parameter that is not validated.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "spring-csrf-disabled", - "display_name": "SpringCsrfDisabled", - "severity": "warning", - "category": "security", - "rule_title": "spring csrf disabled", - "description": "CSRF is disabled for this configuration. 
This is a security risk.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "spring-actuator-fully-enabled", - "display_name": "SpringActuatorFullyEnabled", - "severity": "warning", - "category": "security", - "rule_title": "spring actuator fully enabled", - "description": "Spring Boot Actuator is fully enabled. This exposes sensitive endpoints such as /actuator/env, /actuator/logfile, /actuator/heapdump and others. Unless you have Spring Security enabled or another means to protect these endpoints, this functionality is available without authentication, causing a severe security risk.\n{\"include\": [\"*properties\"]}", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "tainted-system-command", - "display_name": "TaintedSystemCommand", - "severity": "error", - "category": "security", - "rule_title": "tainted system command", - "description": "Detected user input entering a method which executes a system command. This could result in a command injection vulnerability, which allows an attacker to inject an arbitrary system command onto the server. The attacker could download malware onto or steal data from the server. Instead, use ProcessBuilder, separating the command into individual arguments, like this: `new ProcessBuilder(\"ls\", \"-al\", targetDirectory)`. Further, make sure you hardcode or allowlist the actual command so that attackers can't run arbitrary commands.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "tainted-file-path", - "display_name": "TaintedFilePath", - "severity": "error", - "category": "security", - "rule_title": "tainted file path", - "description": "Detected user input controlling a file path. An attacker could control the location of this file, to include going backwards in the directory with '../'. 
To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "tainted-html-string", - "display_name": "TaintedHtmlString", - "severity": "error", - "category": "security", - "rule_title": "tainted html string", - "description": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. You can use the OWASP ESAPI encoder if you must render user data.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java", - "js", - "python" - ], - "labels": [] - }, - { - "real_name": "harden-dompurify-usage", - "display_name": "HardenDompurifyUsage", - "severity": "error", - "category": "security", - "rule_title": "harden dompurify usage", - "description": "DOMPurify.sanitize() was called without using RETURN_DOM or RETURN_DOM_FRAGMENT. This is prone to mutation XSS, which could possibly bypass existing XSS filters. 
Adding one of these options will harden against potential future DOMPurify exploits.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "multiargs-code-execution", - "display_name": "MultiargsCodeExecution", - "severity": "warning", - "category": "security", - "rule_title": "multiargs code execution", - "description": "Potential arbitrary code execution, piped to eval\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "deno-dangerous-run", - "display_name": "DenoDangerousRun", - "severity": "error", - "category": "security", - "rule_title": "deno dangerous run", - "description": "Detected non-literal calls to Deno.run(). This could lead to a command injection vulnerability.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "wkhtmltopdf-injection", - "display_name": "WkhtmltopdfInjection", - "severity": "warning", - "category": "security", - "rule_title": "wkhtmltopdf injection", - "description": "If unverified user data can reach the `wkhtmltopdf` it can result in Server-Side Request Forgery vulnerabilities\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "puppeteer-evaluate-code-injection", - "display_name": "PuppeteerEvaluateCodeInjection", - "severity": "warning", - "category": "security", - "rule_title": "puppeteer evaluate code injection", - "description": "If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "puppeteer-setcontent-injection", - "display_name": "PuppeteerSetcontentInjection", - "severity": "warning", - "category": "security", - "rule_title": "puppeteer setcontent injection", - "description": "If unverified user 
data can reach the `setContent` method it can result in Server-Side Request Forgery vulnerabilities\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "puppeteer-evaluate-arg-injection", - "display_name": "PuppeteerEvaluateArgInjection", - "severity": "warning", - "category": "security", - "rule_title": "puppeteer evaluate arg injection", - "description": "If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "puppeteer-goto-injection", - "display_name": "PuppeteerGotoInjection", - "severity": "warning", - "category": "security", - "rule_title": "puppeteer goto injection", - "description": "If unverified user data can reach the `goto` method it can result in Server-Side Request Forgery vulnerabilities\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "puppeteer-exposed-chrome-devtools", - "display_name": "PuppeteerExposedChromeDevtools", - "severity": "warning", - "category": "security", - "rule_title": "puppeteer exposed chrome devtools", - "description": "Remote debugging protocol does not perform any authentication, so exposing it too widely can be a security risk.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "unsafe-argon2-config", - "display_name": "UnsafeArgon2Config", - "severity": "warning", - "category": "security", - "rule_title": "unsafe argon2 config", - "description": "Prefer Argon2id where possible. 
Per RFC9016, section 4 IETF recommends selecting Argon2id unless you can guarantee an adversary has no direct access to the computing environment.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "grpc-nodejs-insecure-connection", - "display_name": "GrpcNodejsInsecureConnection", - "severity": "error", - "category": "security", - "rule_title": "grpc nodejs insecure connection", - "description": "Found an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "express-jwt-hardcoded-secret", - "display_name": "ExpressJwtHardcodedSecret", - "severity": "warning", - "category": "security", - "rule_title": "express jwt hardcoded secret", - "description": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "cors-misconfiguration", - "display_name": "CorsMisconfiguration", - "severity": "warning", - "category": "security", - "rule_title": "cors misconfiguration", - "description": "By letting user input control CORS parameters, there is a risk that software does not properly verify that the source of data or communication is valid. 
Use literal values for CORS settings.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "express-vm2-injection", - "display_name": "ExpressVm2Injection", - "severity": "warning", - "category": "security", - "rule_title": "express vm2 injection", - "description": "Make sure that unverified user data can not reach `vm2`.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "express-xml2json-xxe", - "display_name": "ExpressXml2jsonXxe", - "severity": "error", - "category": "security", - "rule_title": "express xml2json xxe", - "description": "Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "express-data-exfiltration", - "display_name": "ExpressDataExfiltration", - "severity": "warning", - "category": "security", - "rule_title": "express data exfiltration", - "description": "Depending on the context, user control data in `Object.assign` can cause web response to include data that it should not have or can lead to a mass assignment vulnerability.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "express-phantom-injection", - "display_name": "ExpressPhantomInjection", - "severity": "error", - "category": "security", - "rule_title": "express phantom injection", - "description": "If unverified user data can reach the `phantom` methods it can result in Server-Side Request Forgery vulnerabilities\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "express-vm-injection", - "display_name": "ExpressVmInjection", - "severity": "error", - "category": "security", - "rule_title": "express vm injection", - 
"description": "Make sure that unverified user data can not reach `$VM`.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "express-expat-xxe", - "display_name": "ExpressExpatXxe", - "severity": "error", - "category": "security", - "rule_title": "express expat xxe", - "description": "Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "x-frame-options-misconfiguration", - "display_name": "XFrameOptionsMisconfiguration", - "severity": "warning", - "category": "security", - "rule_title": "x frame options misconfiguration", - "description": "By letting user input control `X-Frame-Options` header, there is a risk that software does not properly verify whether or not a browser should be allowed to render a page in an `iframe`.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "require-request", - "display_name": "RequireRequest", - "severity": "error", - "category": "security", - "rule_title": "require request", - "description": "If an attacker controls the x in require(x) then they can cause code to load that was not intended to run on the server.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "express-wkhtmltoimage-injection", - "display_name": "ExpressWkhtmltoimageInjection", - "severity": "error", - "category": "security", - "rule_title": "express wkhtmltoimage injection", - "description": "If unverified user data can reach the `phantom` methods it can result in Server-Side Request Forgery vulnerabilities\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "express-wkhtmltopdf-injection", - 
"display_name": "ExpressWkhtmltopdfInjection", - "severity": "error", - "category": "security", - "rule_title": "express wkhtmltopdf injection", - "description": "If unverified user data can reach the `phantom` methods it can result in Server-Side Request Forgery vulnerabilities\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "express-insecure-template-usage", - "display_name": "ExpressInsecureTemplateUsage", - "severity": "warning", - "category": "security", - "rule_title": "express insecure template usage", - "description": "User data from `$REQ` is being compiled into the template, which can lead to a Server Side Template Injection (SSTI) vulnerability.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "express-puppeteer-injection", - "display_name": "ExpressPuppeteerInjection", - "severity": "error", - "category": "security", - "rule_title": "express puppeteer injection", - "description": "If unverified user data can reach the `puppeteer` methods it can result in Server-Side Request Forgery vulnerabilities\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "express-sandbox-code-injection", - "display_name": "ExpressSandboxCodeInjection", - "severity": "error", - "category": "security", - "rule_title": "express sandbox code injection", - "description": "Make sure that unverified user data can not reach `sandbox`.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "express-third-party-object-deserialization", - "display_name": "ExpressThirdPartyObjectDeserialization", - "severity": "warning", - "category": "security", - "rule_title": "express third party object deserialization", - "description": "The following function call $SER.$FUNC accepts user controlled data which can result in Remote Code Execution 
(RCE) through Object Deserialization. It is recommended to use secure data processing alternatives such as JSON.parse() and Buffer.from().\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "express-detect-notevil-usage", - "display_name": "ExpressDetectNotevilUsage", - "severity": "warning", - "category": "security", - "rule_title": "express detect notevil usage", - "description": "Detected usage of the `notevil` package, which is unmaintained and has vulnerabilities. Using any sort of `eval()` functionality can be very dangerous, but if you must, the `eval` package is an up to date alternative. Be sure that only trusted input reaches an `eval()` function.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "express-ssrf", - "display_name": "ExpressSsrf", - "severity": "warning", - "category": "security", - "rule_title": "express ssrf", - "description": "The following request $REQ1.$METHOD1($QUERY) was found to be crafted from user-input which can lead to Server-Side Request Forgery (SSRF) vulnerabilities. It is recommended where possible to not allow user-input to craft the base request, but to be treated as part of the path or query parameter. When user-input is necessary to craft the request, it is recommeneded to follow OWASP best practices to prevent abuse. \n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "express-libxml-vm-noent", - "display_name": "ExpressLibxmlVmNoent", - "severity": "warning", - "category": "security", - "rule_title": "express libxml vm noent", - "description": "Detected use of parseXml() function with the `noent` field set to `true`. 
This can lead to an XML External Entities (XXE) attack if untrusted data is passed into it.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "express-res-sendfile", - "display_name": "ExpressResSendfile", - "severity": "warning", - "category": "security", - "rule_title": "express res sendfile", - "description": "The application processes user-input, this is passed to res.sendFile which can allow an attacker to arbitrarily read files on the system through path traversal. It is recommended to perform input validation in addition to canonicalizing the path. This allows you to validate the path against the intended directory it should be accessing.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "express-check-directory-listing", - "display_name": "ExpressCheckDirectoryListing", - "severity": "warning", - "category": "security", - "rule_title": "express check directory listing", - "description": "Directory listing/indexing is enabled, which may lead to disclosure of sensitive directories and files. It is recommended to disable directory listing unless it is a public resource. If you need directory listing, ensure that sensitive files are inaccessible when querying the resource.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "express-open-redirect", - "display_name": "ExpressOpenRedirect", - "severity": "warning", - "category": "security", - "rule_title": "express open redirect", - "description": "The application redirects to a URL specified by user-supplied input ($QUERY) that is not validated. This could redirect users to malicious locations. 
Consider using an allow-list approach to validate URLs, or warn users they are being redirected to a third-party website.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "express-session-hardcoded-secret", - "display_name": "ExpressSessionHardcodedSecret", - "severity": "warning", - "category": "security", - "rule_title": "express session hardcoded secret", - "description": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "express-cookie-session-default-name", - "display_name": "ExpressCookieSessionDefaultName", - "severity": "warning", - "category": "security", - "rule_title": "express cookie session default name", - "description": "Don’t use the default session cookie name Using the default session cookie name can open your app to attacks. The security issue posed is similar to X-Powered-By: a potential attacker can use it to fingerprint the server and target attacks accordingly.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "express-cookie-session-no-secure", - "display_name": "ExpressCookieSessionNoSecure", - "severity": "warning", - "category": "security", - "rule_title": "express cookie session no secure", - "description": "Default session middleware settings: `secure` not set. 
It ensures the browser only sends the cookie over HTTPS.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "express-cookie-session-no-httponly", - "display_name": "ExpressCookieSessionNoHttponly", - "severity": "warning", - "category": "security", - "rule_title": "express cookie session no httponly", - "description": "Default session middleware settings: `httpOnly` not set. It ensures the cookie is sent only over HTTP(S), not client JavaScript, helping to protect against cross-site scripting attacks.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "express-cookie-session-no-domain", - "display_name": "ExpressCookieSessionNoDomain", - "severity": "warning", - "category": "security", - "rule_title": "express cookie session no domain", - "description": "Default session middleware settings: `domain` not set. It indicates the domain of the cookie; use it to compare against the domain of the server in which the URL is being requested. If they match, then check the path attribute next.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "express-cookie-session-no-path", - "display_name": "ExpressCookieSessionNoPath", - "severity": "warning", - "category": "security", - "rule_title": "express cookie session no path", - "description": "Default session middleware settings: `path` not set. It indicates the path of the cookie; use it to compare against the request path. 
If this and domain match, then send the cookie in the request.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "express-cookie-session-no-expires", - "display_name": "ExpressCookieSessionNoExpires", - "severity": "warning", - "category": "security", - "rule_title": "express cookie session no expires", - "description": "Default session middleware settings: `expires` not set. Use it to set expiration date for persistent cookies.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "remote-property-injection", - "display_name": "RemotePropertyInjection", - "severity": "error", - "category": "security", - "rule_title": "remote property injection", - "description": "Bracket object notation with user input is present, this might allow an attacker to access all properties of the object and even it's prototype. Use literal values for object properties.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "unknown-value-in-redirect", - "display_name": "UnknownValueInRedirect", - "severity": "warning", - "category": "security", - "rule_title": "unknown value in redirect", - "description": "It looks like '$UNK' is read from user input and it is used to as a redirect. Ensure '$UNK' is not externally controlled, otherwise this is an open redirect.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "express-check-csurf-middleware-usage", - "display_name": "ExpressCheckCsurfMiddlewareUsage", - "severity": "info", - "category": "security", - "rule_title": "express check csurf middleware usage", - "description": "A CSRF middleware was not detected in your express application. 
Ensure you are either using one such as `csurf` or `csrf` (see rule references) and/or you are properly doing CSRF validation in your routes with a token or cookies.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "express-path-join-resolve-traversal", - "display_name": "ExpressPathJoinResolveTraversal", - "severity": "warning", - "category": "security", - "rule_title": "express path join resolve traversal", - "description": "Possible writing outside of the destination, make sure that the target path is nested in the intended destination\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "res-render-injection", - "display_name": "ResRenderInjection", - "severity": "warning", - "category": "security", - "rule_title": "res render injection", - "description": "If an attacker controls the x in res.render(x) then they can cause code to load that was not intended to run on the server.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "express-libxml-noent", - "display_name": "ExpressLibxmlNoent", - "severity": "error", - "category": "security", - "rule_title": "express libxml noent", - "description": "The libxml library processes user-input with the `noent` attribute is set to `true` which can lead to being vulnerable to XML External Entities (XXE) type attacks. It is recommended to set `noent` to `false` when using this feature to ensure you are protected.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "express-xml2json-xxe-event", - "display_name": "ExpressXml2jsonXxeEvent", - "severity": "warning", - "category": "security", - "rule_title": "express xml2json xxe event", - "description": "Xml Parser is used inside Request Event. 
Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "express-jwt-not-revoked", - "display_name": "ExpressJwtNotRevoked", - "severity": "warning", - "category": "security", - "rule_title": "express jwt not revoked", - "description": "No token revoking configured for `express-jwt`. A leaked token could still be used and unable to be revoked. Consider using function as the `isRevoked` option.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "direct-response-write", - "display_name": "DirectResponseWrite", - "severity": "warning", - "category": "security", - "rule_title": "direct response write", - "description": "Detected directly writing to a Response object from user-defined input. This bypasses any HTML escaping and may expose your application to a Cross-Site-scripting (XSS) vulnerability. Instead, use 'resp.render()' to render safely escaped HTML.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "var-in-script-tag", - "display_name": "VarInScriptTag", - "severity": "warning", - "category": "security", - "rule_title": "var in script tag", - "description": "Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need this data on the rendered page, consider placing it in the HTML portion (outside of a script tag). 
Alternatively, use a JavaScript-specific encoder, such as the one available in OWASP ESAPI.\n{\"include\": [\"*.pug\"]}", - "rule_params": null, - "solution": null, - "languages": [ - "js", - "python", - "ruby" - ], - "labels": [] - }, - { - "real_name": "var-in-href", - "display_name": "VarInHref", - "severity": "warning", - "category": "security", - "rule_title": "var in href", - "description": "Detected a template variable used in an anchor tag with the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross- site scripting (XSS) attacks. If using a relative URL, start with a literal forward slash and concatenate the URL, like this: a(href='/'+url). You may also consider setting the Content Security Policy (CSP) header.\n{\"include\": [\"*.pug\"]}", - "rule_params": null, - "solution": null, - "languages": [ - "js", - "ruby" - ], - "labels": [] - }, - { - "real_name": "template-and-attributes", - "display_name": "TemplateAndAttributes", - "severity": "warning", - "category": "security", - "rule_title": "template and attributes", - "description": "Detected a unescaped variables using '&attributes'. If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. If you must do this, ensure no external data can reach this location.\n{\"include\": [\"*.pug\"]}", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "template-explicit-unescape", - "display_name": "TemplateExplicitUnescape", - "severity": "warning", - "category": "security", - "rule_title": "template explicit unescape", - "description": "Detected an explicit unescape in a Pug template, using either '!=' or '!{...}'. If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. 
If you must do this, ensure no external data can reach this location.\n{\"include\": [\"*.pug\"]}", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "var-in-script-src", - "display_name": "VarInScriptSrc", - "severity": "warning", - "category": "security", - "rule_title": "var in script src", - "description": "Detected a template variable used as the 'src' in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent malicious URLs from being injected and could results in a cross-site scripting (XSS) vulnerability. Prefer not to dynamically generate the 'src' attribute and use static URLs instead. If you must do this, carefully check URLs against an allowlist and be sure to URL-encode the result.\n{\"include\": [\"*.ejs\", \"*.html\"]}", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "escape-function-overwrite", - "display_name": "EscapeFunctionOverwrite", - "severity": "warning", - "category": "security", - "rule_title": "escape function overwrite", - "description": "The Mustache escape function is being overwritten. This could bypass HTML escaping safety measures built into the rendering engine, exposing your application to cross-site scripting (XSS) vulnerabilities. If you need unescaped HTML, use the triple brace operator in your template: '{{{ ... }}}'.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "sax-xxe", - "display_name": "SaxXxe", - "severity": "warning", - "category": "security", - "rule_title": "sax xxe", - "description": "Use of 'ondoctype' in 'sax' library detected. By default, 'sax' won't do anything with custom DTD entity definitions. 
If you're implementing a custom DTD entity definition, be sure not to introduce XML External Entity (XXE) vulnerabilities, or be absolutely sure that external entities received from a trusted source while processing XML.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "unsafe-serialize-javascript", - "display_name": "UnsafeSerializeJavascript", - "severity": "warning", - "category": "security", - "rule_title": "unsafe serialize javascript", - "description": "`serialize-javascript` used with `unsafe` parameter, this could be vulnerable to XSS.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "chrome-remote-interface-printtopdf-injection", - "display_name": "ChromeRemoteInterfacePrinttopdfInjection", - "severity": "warning", - "category": "security", - "rule_title": "chrome remote interface printtopdf injection", - "description": "If unverified user data can reach the `printToPDF` method it can result in Server-Side Request Forgery vulnerabilities\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "chrome-remote-interface-navigate-injection", - "display_name": "ChromeRemoteInterfaceNavigateInjection", - "severity": "warning", - "category": "security", - "rule_title": "chrome remote interface navigate injection", - "description": "If unverified user data can reach the `navigate` method it can result in Server-Side Request Forgery vulnerabilities\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "chrome-remote-interface-evaluate-injection", - "display_name": "ChromeRemoteInterfaceEvaluateInjection", - "severity": "warning", - "category": "security", - "rule_title": "chrome remote interface evaluate injection", - "description": "If unverified user data can reach the `evaluate` method it can result in Server-Side 
Request Forgery vulnerabilities\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "chrome-remote-interface-compilescript-injection", - "display_name": "ChromeRemoteInterfaceCompilescriptInjection", - "severity": "warning", - "category": "security", - "rule_title": "chrome remote interface compilescript injection", - "description": "If unverified user data can reach the `compileScript` method it can result in Server-Side Request Forgery vulnerabilities\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "chrome-remote-interface-setdocumentcontent-injection", - "display_name": "ChromeRemoteInterfaceSetdocumentcontentInjection", - "severity": "warning", - "category": "security", - "rule_title": "chrome remote interface setdocumentcontent injection", - "description": "If unverified user data can reach the `setDocumentContent` method it can result in Server-Side Request Forgery vulnerabilities\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "avoid-v-html", - "display_name": "AvoidVHtml", - "severity": "warning", - "category": "security", - "rule_title": "avoid v html", - "description": "Dynamically rendering arbitrary HTML on your website can be very dangerous because it can easily lead to XSS vulnerabilities. 
Only use HTML interpolation on trusted content and never on user-provided content.\n{\"include\": [\"*.vue\"]}", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "jwt-exposed-credentials", - "display_name": "JwtExposedCredentials", - "severity": "error", - "category": "security", - "rule_title": "jwt exposed credentials", - "description": "this rule has been deprecated.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "jwt-none-alg", - "display_name": "JwtNoneAlg", - "severity": "error", - "category": "security", - "rule_title": "jwt none alg", - "description": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "hardcoded-jwt-secret", - "display_name": "HardcodedJwtSecret", - "severity": "warning", - "category": "security", - "rule_title": "hardcoded jwt secret", - "description": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. 
It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "jwt-decode-without-verify", - "display_name": "JwtDecodeWithoutVerify", - "severity": "warning", - "category": "security", - "rule_title": "jwt decode without verify", - "description": "Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call '.verify()' before using the token.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "jwt-exposed-data", - "display_name": "JwtExposedData", - "severity": "warning", - "category": "security", - "rule_title": "jwt exposed data", - "description": "The object is passed strictly to jsonwebtoken.sign(...) Make sure that sensitive information is not exposed through JWT token payload.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "jquery-insecure-method", - "display_name": "JqueryInsecureMethod", - "severity": "warning", - "category": "security", - "rule_title": "jquery insecure method", - "description": "User controlled data in a jQuery's `.$METHOD(...)` is an anti-pattern that can lead to XSS vulnerabilities\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "prohibit-jquery-html", - "display_name": "ProhibitJqueryHtml", - "severity": "warning", - "category": "security", - "rule_title": "prohibit jquery html", - "description": "JQuery's `html` function is susceptible to Cross Site Scripting (XSS) attacks. If you're just passing text, consider `text` instead. 
Otherwise, use a function that escapes HTML such as edX's `HtmlUtils.setHtml()`.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "jquery-insecure-selector", - "display_name": "JqueryInsecureSelector", - "severity": "warning", - "category": "security", - "rule_title": "jquery insecure selector", - "description": "User controlled data in a `$(...)` is an anti-pattern that can lead to XSS vulnerabilities\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "shelljs-exec-injection", - "display_name": "ShelljsExecInjection", - "severity": "error", - "category": "security", - "rule_title": "shelljs exec injection", - "description": "If unverified user data can reach the `exec` method it can result in Remote Code Execution\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "detect-angular-resource-loading", - "display_name": "DetectAngularResourceLoading", - "severity": "warning", - "category": "security", - "rule_title": "detect angular resource loading", - "description": "$sceDelegateProvider allowlisting can introduce security issues if wildcards are used.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "detect-angular-trust-as-url-method", - "display_name": "DetectAngularTrustAsUrlMethod", - "severity": "warning", - "category": "security", - "rule_title": "detect angular trust as url method", - "description": "The use of $sce.trustAsUrl can be dangerous if unsanitized user input flows through this API.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "detect-angular-element-taint", - "display_name": "DetectAngularElementTaint", - "severity": "warning", - "category": "security", - "rule_title": "detect angular element taint", - "description": "Use 
of angular.element can lead to XSS if user-input is treated as part of the HTML element within `$SINK`. It is recommended to contextually output encode user-input, before inserting into `$SINK`. If the HTML needs to be preseved it is recommended to sanitize the input using $sce.getTrustedHTML or $sanitize.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "detect-angular-trust-as-css-method", - "display_name": "DetectAngularTrustAsCssMethod", - "severity": "warning", - "category": "security", - "rule_title": "detect angular trust as css method", - "description": "The use of $sce.trustAsCss can be dangerous if unsanitized user input flows through this API.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "detect-angular-trust-as-method", - "display_name": "DetectAngularTrustAsMethod", - "severity": "warning", - "category": "security", - "rule_title": "detect angular trust as method", - "description": "The use of $sce.trustAs can be dangerous if unsanitized user input flows through this API.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "detect-angular-trust-as-js-method", - "display_name": "DetectAngularTrustAsJsMethod", - "severity": "warning", - "category": "security", - "rule_title": "detect angular trust as js method", - "description": "The use of $sce.trustAsJs can be dangerous if unsanitized user input flows through this API.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "detect-angular-translateprovider-useStrategy-method", - "display_name": "DetectAngularTranslateproviderUsestrategyMethod", - "severity": "warning", - "category": "security", - "rule_title": "detect angular translateprovider useStrategy method", - "description": "If the $translateSanitization.useStrategy is set to null or blank 
this can be dangerous.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "detect-angular-translateprovider-translations-method", - "display_name": "DetectAngularTranslateproviderTranslationsMethod", - "severity": "warning", - "category": "security", - "rule_title": "detect angular translateprovider translations method", - "description": "The use of $translateProvider.translations method can be dangerous if user input is provided to this API.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "detect-angular-sce-disabled", - "display_name": "DetectAngularSceDisabled", - "severity": "error", - "category": "security", - "rule_title": "detect angular sce disabled", - "description": "$sceProvider is set to false. Disabling Strict Contextual escaping (SCE) in an AngularJS application could provide additional attack surface for XSS vulnerabilities.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "detect-angular-open-redirect", - "display_name": "DetectAngularOpenRedirect", - "severity": "error", - "category": "security", - "rule_title": "detect angular open redirect", - "description": "Use of $window.location.href can lead to open-redirect if user input is used for redirection.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "detect-angular-trust-as-html-method", - "display_name": "DetectAngularTrustAsHtmlMethod", - "severity": "warning", - "category": "security", - "rule_title": "detect angular trust as html method", - "description": "The use of $sce.trustAsHtml can be dangerous if unsanitized user input flows through this API.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "detect-angular-element-methods", - "display_name": 
"DetectAngularElementMethods", - "severity": "info", - "category": "security", - "rule_title": "detect angular element methods", - "description": "Use of angular.element can lead to XSS if user-input is treated as part of the HTML element within `$SINK`. It is recommended to contextually output encode user-input, before inserting into `$SINK`. If the HTML needs to be preseved it is recommended to sanitize the input using $sce.getTrustedHTML or $sanitize.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "detect-angular-trust-as-resourceurl-method", - "display_name": "DetectAngularTrustAsResourceurlMethod", - "severity": "warning", - "category": "security", - "rule_title": "detect angular trust as resourceurl method", - "description": "The use of $sce.trustAsResourceUrl can be dangerous if unsanitized user input flows through this API.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "vm2-code-injection", - "display_name": "Vm2CodeInjection", - "severity": "warning", - "category": "security", - "rule_title": "vm2 code injection", - "description": "Make sure that unverified user data can not reach `vm2`.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "vm2-context-injection", - "display_name": "Vm2ContextInjection", - "severity": "warning", - "category": "security", - "rule_title": "vm2 context injection", - "description": "Make sure that unverified user data can not reach `vm2`.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "tainted-eval", - "display_name": "TaintedEval", - "severity": "warning", - "category": "security", - "rule_title": "tainted eval", - "description": "The `eval()` function evaluates JavaScript code represented as a string. 
Executing JavaScript from a string is an enormous security risk. It is far too easy for a bad actor to run arbitrary code when you use `eval()`. Ensure evaluated content is not definable by external sources.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "mysql-sqli", - "display_name": "MysqlSqli", - "severity": "warning", - "category": "security", - "rule_title": "mysql sqli", - "description": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, used parameterized queries or prepared statements instead. You can use parameterized statements like so: `connection.query('SELECT $1 from table', [userinput])`\n", - "rule_params": null, - "solution": null, - "languages": [ - "js", - "python" - ], - "labels": [] - }, - { - "real_name": "sequelize-sqli", - "display_name": "SequelizeSqli", - "severity": "warning", - "category": "security", - "rule_title": "sequelize sqli", - "description": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, used parameterized queries or prepared statements instead. You can use parameterized statements like so: `sequelize.query('SELECT * FROM projects WHERE status = ?', { replacements: ['active'], type: QueryTypes.SELECT });`\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "tainted-html-response", - "display_name": "TaintedHtmlResponse", - "severity": "warning", - "category": "security", - "rule_title": "tainted html response", - "description": "Detected user input flowing into an HTML response. 
You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js", - "python" - ], - "labels": [] - }, - { - "real_name": "knex-sqli", - "display_name": "KnexSqli", - "severity": "warning", - "category": "security", - "rule_title": "knex sqli", - "description": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, used parameterized queries or prepared statements instead. You can use parameterized statements like so: `knex.raw('SELECT $1 from table', [userinput])`\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "dynamodb-request-object", - "display_name": "DynamodbRequestObject", - "severity": "error", - "category": "security", - "rule_title": "dynamodb request object", - "description": "Detected DynamoDB query params that are tainted by `$EVENT` object. This could lead to NoSQL injection if the variable is user-controlled and not properly sanitized. Explicitly assign query params instead of passing data from `$EVENT` directly to DynamoDB client.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "detect-child-process", - "display_name": "DetectChildProcess", - "severity": "error", - "category": "security", - "rule_title": "detect child process", - "description": "Allowing spawning arbitrary programs or running shell processes with arbitrary arguments may end up in a command injection vulnerability. Try to avoid non-literal values for the command string. 
If it is not possible, then do not let running arbitrary commands, use a white list for inputs.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "vm-runincontext-injection", - "display_name": "VmRunincontextInjection", - "severity": "error", - "category": "security", - "rule_title": "vm runincontext injection", - "description": "The `vm` module enables compiling and running code within V8 Virtual Machine contexts. The `vm` module is not a security mechanism. Do not use it to run untrusted code. If code passed to `vm` functions is controlled by user input it could result in command injection. Do not let user input in `vm` functions.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "playwright-setcontent-injection", - "display_name": "PlaywrightSetcontentInjection", - "severity": "warning", - "category": "security", - "rule_title": "playwright setcontent injection", - "description": "If unverified user data can reach the `setContent` method it can result in Server-Side Request Forgery vulnerabilities\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "playwright-evaluate-arg-injection", - "display_name": "PlaywrightEvaluateArgInjection", - "severity": "warning", - "category": "security", - "rule_title": "playwright evaluate arg injection", - "description": "If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "playwright-exposed-chrome-devtools", - "display_name": "PlaywrightExposedChromeDevtools", - "severity": "warning", - "category": "security", - "rule_title": "playwright exposed chrome devtools", - "description": "Remote debugging protocol does not perform any authentication, so exposing it too 
widely can be a security risk.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "playwright-evaluate-code-injection", - "display_name": "PlaywrightEvaluateCodeInjection", - "severity": "warning", - "category": "security", - "rule_title": "playwright evaluate code injection", - "description": "If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "playwright-addinitscript-code-injection", - "display_name": "PlaywrightAddinitscriptCodeInjection", - "severity": "warning", - "category": "security", - "rule_title": "playwright addinitscript code injection", - "description": "If unverified user data can reach the `addInitScript` method it can result in Server-Side Request Forgery vulnerabilities\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "playwright-goto-injection", - "display_name": "PlaywrightGotoInjection", - "severity": "warning", - "category": "security", - "rule_title": "playwright goto injection", - "description": "If unverified user data can reach the `goto` method it can result in Server-Side Request Forgery vulnerabilities\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "jose-exposed-data", - "display_name": "JoseExposedData", - "severity": "warning", - "category": "security", - "rule_title": "jose exposed data", - "description": "The object is passed strictly to jose.JWT.sign(...) 
Make sure that sensitive information is not exposed through JWT token payload.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "detect-buffer-noassert", - "display_name": "DetectBufferNoassert", - "severity": "warning", - "category": "security", - "rule_title": "detect buffer noassert", - "description": "Detected usage of noassert in Buffer API, which allows the offset the be beyond the end of the buffer. This could result in writing or reading beyond the end of the buffer.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "insecure-object-assign", - "display_name": "InsecureObjectAssign", - "severity": "warning", - "category": "security", - "rule_title": "insecure object assign", - "description": "Depending on the context, user control data in `Object.assign` can cause web response to include data that it should not have or can lead to a mass assignment vulnerability.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "detect-no-csrf-before-method-override", - "display_name": "DetectNoCsrfBeforeMethodOverride", - "severity": "warning", - "category": "security", - "rule_title": "detect no csrf before method override", - "description": "Detected use of express.csrf() middleware before express.methodOverride(). This can allow GET requests (which are not checked by csrf) to turn into POST requests later.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "detect-insecure-websocket", - "display_name": "DetectInsecureWebsocket", - "severity": "error", - "category": "security", - "rule_title": "detect insecure websocket", - "description": "Insecure WebSocket Detected. 
WebSocket Secure (wss) should be used for all WebSocket connections.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "detect-disable-mustache-escape", - "display_name": "DetectDisableMustacheEscape", - "severity": "warning", - "category": "security", - "rule_title": "detect disable mustache escape", - "description": "Markup escaping disabled. This can be used with some template engines to escape disabling of HTML entities, which can lead to XSS attacks.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "detect-pseudoRandomBytes", - "display_name": "DetectPseudorandombytes", - "severity": "warning", - "category": "security", - "rule_title": "detect pseudoRandomBytes", - "description": "Detected usage of crypto.pseudoRandomBytes, which does not produce secure random numbers.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "detect-non-literal-require", - "display_name": "DetectNonLiteralRequire", - "severity": "warning", - "category": "security", - "rule_title": "detect non literal require", - "description": "Detected the use of require(variable). Calling require with a non-literal argument might allow an attacker to load an run arbitrary code, or access arbitrary files.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "spawn-git-clone", - "display_name": "SpawnGitClone", - "severity": "error", - "category": "security", - "rule_title": "spawn git clone", - "description": "Git allows shell commands to be specified in ext URLs for remote repositories. For example, git clone 'ext::sh -c whoami% >&2' will execute the whoami command to try to connect to a remote repository. 
Make sure that the URL is not controlled by external input.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "detect-eval-with-expression", - "display_name": "DetectEvalWithExpression", - "severity": "warning", - "category": "security", - "rule_title": "detect eval with expression", - "description": "Detected use of dynamic execution of JavaScript which may come from user-input, which can lead to Cross-Site-Scripting (XSS). Where possible avoid including user-input in functions which dynamically execute user-input.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "html-in-template-string", - "display_name": "HtmlInTemplateString", - "severity": "warning", - "category": "security", - "rule_title": "html in template string", - "description": "This template literal looks like HTML and has interpolated variables. These variables are not HTML-encoded by default. If the variables contain HTML tags, these may be interpreted by the browser, resulting in cross-site scripting (XSS).\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "code-string-concat", - "display_name": "CodeStringConcat", - "severity": "warning", - "category": "security", - "rule_title": "code string concat", - "description": "Found data from an Express or Next web request flowing to `eval`. If this data is user-controllable this can lead to execution of arbitrary system commands in the context of your application process. Avoid `eval` whenever possible.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "non-constant-sql-query", - "display_name": "NonConstantSqlQuery", - "severity": "info", - "category": "security", - "rule_title": "non constant sql query", - "description": "Non-constant SQL query detected. 
Ensure this is not controlled by external data, otherwise this is a SQL injection.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "vm-runincontext-context-injection", - "display_name": "VmRunincontextContextInjection", - "severity": "warning", - "category": "security", - "rule_title": "vm runincontext context injection", - "description": "Make sure that unverified user data can not reach vm.runInContext.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "vm-runinnewcontext-context-injection", - "display_name": "VmRuninnewcontextContextInjection", - "severity": "warning", - "category": "security", - "rule_title": "vm runinnewcontext context injection", - "description": "Make sure that unverified user data can not reach vm.runInNewContext.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "vm-compilefunction-context-injection", - "display_name": "VmCompilefunctionContextInjection", - "severity": "warning", - "category": "security", - "rule_title": "vm compilefunction context injection", - "description": "Make sure that unverified user data can not reach vm.compileFunction.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "vm-script-code-injection", - "display_name": "VmScriptCodeInjection", - "severity": "warning", - "category": "security", - "rule_title": "vm script code injection", - "description": "Make sure that unverified user data can not reach vm.Script.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "vm-sourcetextmodule-code-injection", - "display_name": "VmSourcetextmoduleCodeInjection", - "severity": "warning", - "category": "security", - "rule_title": "vm sourcetextmodule code injection", - "description": "Make sure that 
unverified user data can not reach vm.SourceTextModule.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "vm-runincontext-code-injection", - "display_name": "VmRunincontextCodeInjection", - "severity": "warning", - "category": "security", - "rule_title": "vm runincontext code injection", - "description": "Make sure that unverified user data can not reach vm.runInContext.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "vm-runinnewcontext-code-injection", - "display_name": "VmRuninnewcontextCodeInjection", - "severity": "warning", - "category": "security", - "rule_title": "vm runinnewcontext code injection", - "description": "Make sure that unverified user data can not reach vm.runInNewContext.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "vm-runinthiscontext-code-injection", - "display_name": "VmRuninthiscontextCodeInjection", - "severity": "warning", - "category": "security", - "rule_title": "vm runinthiscontext code injection", - "description": "Make sure that unverified user data can not reach vm.runInThisContext.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "vm-compilefunction-code-injection", - "display_name": "VmCompilefunctionCodeInjection", - "severity": "warning", - "category": "security", - "rule_title": "vm compilefunction code injection", - "description": "Make sure that unverified user data can not reach vm.compileFunction.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "unsafe-dynamic-method", - "display_name": "UnsafeDynamicMethod", - "severity": "warning", - "category": "security", - "rule_title": "unsafe dynamic method", - "description": "Using non-static data to retrieve and run functions from the object is 
dangerous. If the data is user-controlled, it may allow executing arbitrary code.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "detect-bracket-object-injection", - "display_name": "DetectBracketObjectInjection", - "severity": "info", - "category": "security", - "rule_title": "detect bracket object injection", - "description": "This rule is deprecated.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "hardcoded-hmac-key", - "display_name": "HardcodedHmacKey", - "severity": "warning", - "category": "security", - "rule_title": "hardcoded hmac key", - "description": "Detected a hardcoded hmac key. Avoid hardcoding secrets and consider using an alternate option such as reading the secret from a config file or using an environment variable.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "unknown-value-with-script-tag", - "display_name": "UnknownValueWithScriptTag", - "severity": "warning", - "category": "security", - "rule_title": "unknown value with script tag", - "description": "Cannot determine what '$UNK' is and it is used with a ' which would add the script to the page. Consider allowlisting appropriate values or using an approach which does not involve the URL.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "js-open-redirect-from-function", - "display_name": "JsOpenRedirectFromFunction", - "severity": "info", - "category": "security", - "rule_title": "js open redirect from function", - "description": "The application accepts potentially user-controlled input `$PROP` which can control the location of the current window context. This can lead two types of vulnerabilities open-redirection and Cross-Site-Scripting (XSS) with JavaScript URIs. 
It is recommended to validate user-controllable input before allowing it to control the redirection.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "eval-detected", - "display_name": "EvalDetected", - "severity": "warning", - "category": "security", - "rule_title": "eval detected", - "description": "Detected the use of eval(). eval() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js", - "python" - ], - "labels": [] - }, - { - "real_name": "insufficient-postmessage-origin-validation", - "display_name": "InsufficientPostmessageOriginValidation", - "severity": "warning", - "category": "security", - "rule_title": "insufficient postmessage origin validation", - "description": "No validation of origin is done by the addEventListener API. It may be possible to exploit this flaw to perform Cross Origin attacks such as Cross-Site Scripting(XSS).\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "tofastproperties-code-execution", - "display_name": "TofastpropertiesCodeExecution", - "severity": "warning", - "category": "security", - "rule_title": "tofastproperties code execution", - "description": "Potential arbitrary code execution, whatever is provided to `toFastProperties` is sent straight to eval()\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "detect-replaceall-sanitization", - "display_name": "DetectReplaceallSanitization", - "severity": "info", - "category": "security", - "rule_title": "detect replaceall sanitization", - "description": "Detected a call to `$FUNC()` in an attempt to HTML escape the string `$STR`. 
Manually sanitizing input through a manually built list can be circumvented in many situations, and it's better to use a well known sanitization library such as `sanitize-html` or `DOMPurify`.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "apollo-axios-ssrf", - "display_name": "ApolloAxiosSsrf", - "severity": "warning", - "category": "security", - "rule_title": "apollo axios ssrf", - "description": "User-controllable argument $DATAVAL to $METHOD passed to Axios via internal handler $INNERFUNC. This could be a server-side request forgery. A user could call a restricted API or leak internal headers to an unauthorized party. Validate your user arguments against an allowlist of known URLs, or consider refactoring so that user-controlled data is not necessary.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "sandbox-code-injection", - "display_name": "SandboxCodeInjection", - "severity": "warning", - "category": "security", - "rule_title": "sandbox code injection", - "description": "Make sure that unverified user data can not reach `sandbox`.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "sequelize-enforce-tls", - "display_name": "SequelizeEnforceTls", - "severity": "warning", - "category": "security", - "rule_title": "sequelize enforce tls", - "description": "If TLS is disabled on server side (Postgresql server), Sequelize establishes connection without TLS and no error will be thrown. To prevent MITN (Man In The Middle) attack, TLS must be enforce by Sequelize. 
Set \"ssl: true\" or define settings \"ssl: {...}\"\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "sequelize-tls-disabled-cert-validation", - "display_name": "SequelizeTlsDisabledCertValidation", - "severity": "error", - "category": "security", - "rule_title": "sequelize tls disabled cert validation", - "description": "Set \"rejectUnauthorized\" to false is a convenient way to resolve certificate error. But this method is unsafe because it disables the server certificate verification, making the Node app open to MITM attack. \"rejectUnauthorized\" option must be alway set to True (default value). With self -signed certificate or custom CA, use \"ca\" option to define Root Certificate. This rule checks TLS configuration only for Postgresql, MariaDB and MySQL. SQLite is not really concerned by TLS configuration. This rule could be extended for MSSQL, but the dialectOptions is specific for Tedious.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "express-sequelize-injection", - "display_name": "ExpressSequelizeInjection", - "severity": "error", - "category": "security", - "rule_title": "express sequelize injection", - "description": "Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "sequelize-raw-query", - "display_name": "SequelizeRawQuery", - "severity": "warning", - "category": "security", - "rule_title": "sequelize raw query", - "description": "Avoiding SQL string concatenation: untrusted input concatenated with raw SQL query can result in SQL Injection. Data replacement or data binding should be used. 
See https://sequelize.org/master/manual/raw-queries.html\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "sequelize-weak-tls-version", - "display_name": "SequelizeWeakTlsVersion", - "severity": "warning", - "category": "security", - "rule_title": "sequelize weak tls version", - "description": "TLS1.0 and TLS1.1 are deprecated and should be used anymore. By default, NodeJS used TLSv1.2. So, TLS min version must not be downgrade to TLS1.0 or TLS1.1. Enforce TLS1.3 is highly recommended This rule checks TLS configuration only for Postgresql, MariaDB and MySQL. SQLite is not really concerned by TLS configuration. This rule could be extended for MSSQL, but the dialectOptions is specific for Tedious.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "hardcoded-passport-secret", - "display_name": "HardcodedPassportSecret", - "severity": "warning", - "category": "security", - "rule_title": "hardcoded passport secret", - "description": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. 
It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "expat-xxe", - "display_name": "ExpatXxe", - "severity": "warning", - "category": "security", - "rule_title": "expat xxe", - "description": "If unverified user data can reach the XML Parser it can result in XML External or Internal Entity (XXE) Processing vulnerabilities\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "xml2json-xxe", - "display_name": "Xml2jsonXxe", - "severity": "warning", - "category": "security", - "rule_title": "xml2json xxe", - "description": "If unverified user data can reach the XML Parser it can result in XML External or Internal Entity (XXE) Processing vulnerabilities\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "insecure-createnodesfrommarkup", - "display_name": "InsecureCreatenodesfrommarkup", - "severity": "warning", - "category": "security", - "rule_title": "insecure createnodesfrommarkup", - "description": "User controlled data in a `createNodesFromMarkup` is an anti-pattern that can lead to XSS vulnerabilities\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "wkhtmltoimage-injection", - "display_name": "WkhtmltoimageInjection", - "severity": "warning", - "category": "security", - "rule_title": "wkhtmltoimage injection", - "description": "If unverified user data can reach the `wkhtmltoimage` it can result in Server-Side Request Forgery vulnerabilities\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "calling-set-state-on-current-state", - "display_name": "CallingSetStateOnCurrentState", - "severity": 
"error", - "category": "correctness", - "rule_title": "calling set state on current state", - "description": "Calling setState on the current state is always a no-op. Did you mean to change the state like $Y(!$X) instead?\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "monaco-hover-htmlsupport", - "display_name": "MonacoHoverHtmlsupport", - "severity": "warning", - "category": "security", - "rule_title": "monaco hover htmlsupport", - "description": "If user input reaches `HoverProvider` while `supportHml` is set to `true` it may introduce an XSS vulnerability. Do not produce HTML for hovers with dynamically generated input.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "ajv-allerrors-true", - "display_name": "AjvAllerrorsTrue", - "severity": "warning", - "category": "security", - "rule_title": "ajv allerrors true", - "description": "By setting `allErrors: true` in `Ajv` library, all error objects will be allocated without limit. This allows the attacker to produce a huge number of errors which can lead to denial of service. Do not use `allErrors: true` in production.\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "phantom-injection", - "display_name": "PhantomInjection", - "severity": "warning", - "category": "security", - "rule_title": "phantom injection", - "description": "If unverified user data can reach the `phantom` page methods it can result in Server-Side Request Forgery vulnerabilities\n", - "rule_params": null, - "solution": null, - "languages": [ - "js" - ], - "labels": [] - }, - { - "real_name": "angular-bypasssecuritytrust", - "display_name": "AngularBypasssecuritytrust", - "severity": "warning", - "category": "security", - "rule_title": "angular bypasssecuritytrust", - "description": "Detected the use of `$TRUST`. 
This can introduce a Cross-Site-Scripting (XSS) vulnerability if this comes from user-provided input. If you have to use `$TRUST`, ensure it does not come from user-input or use the appropriate prevention mechanism e.g. input validation or sanitization depending on the context.\n", - "rule_params": null, - "solution": null, - "languages": [ - "ts" - ], - "labels": [] - }, - { - "real_name": "cors-regex-wildcard", - "display_name": "CorsRegexWildcard", - "severity": "warning", - "category": "security", - "rule_title": "cors regex wildcard", - "description": "Unescaped '.' character in CORS domain regex $CORS: $PATTERN\n", - "rule_params": null, - "solution": null, - "languages": [ - "ts" - ], - "labels": [] - }, - { - "real_name": "useless-ternary", - "display_name": "UselessTernary", - "severity": "error", - "category": "correctness", - "rule_title": "useless ternary", - "description": "It looks like no matter how $CONDITION is evaluated, this expression returns $ANS. This is probably a copy-paste error.\n", - "rule_params": null, - "solution": null, - "languages": [ - "ts" - ], - "labels": [] - }, - { - "real_name": "moment-deprecated", - "display_name": "MomentDeprecated", - "severity": "info", - "category": "correctness", - "rule_title": "moment deprecated", - "description": "Moment is a legacy project in maintenance mode. Consider using libraries that are actively supported, e.g. `dayjs`.\n", - "rule_params": null, - "solution": null, - "languages": [ - "ts" - ], - "labels": [] - }, - { - "real_name": "nestjs-header-xss-disabled", - "display_name": "NestjsHeaderXssDisabled", - "severity": "warning", - "category": "security", - "rule_title": "nestjs header xss disabled", - "description": "X-XSS-Protection header is set to 0. 
This will disable the browser's XSS Filter.\n", - "rule_params": null, - "solution": null, - "languages": [ - "ts" - ], - "labels": [] - }, - { - "real_name": "nestjs-open-redirect", - "display_name": "NestjsOpenRedirect", - "severity": "warning", - "category": "security", - "rule_title": "nestjs open redirect", - "description": "Untrusted user input in {url: ...} can result in Open Redirect vulnerability.\n", - "rule_params": null, - "solution": null, - "languages": [ - "ts" - ], - "labels": [] - }, - { - "real_name": "nestjs-header-cors-any", - "display_name": "NestjsHeaderCorsAny", - "severity": "warning", - "category": "security", - "rule_title": "nestjs header cors any", - "description": "Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions.\n", - "rule_params": null, - "solution": null, - "languages": [ - "ts" - ], - "labels": [] - }, - { - "real_name": "react-controlled-component-password", - "display_name": "ReactControlledComponentPassword", - "severity": "warning", - "category": "security", - "rule_title": "react controlled component password", - "description": "this rule has been deprecated.\n", - "rule_params": null, - "solution": null, - "languages": [ - "ts" - ], - "labels": [] - }, - { - "real_name": "react-markdown-insecure-html", - "display_name": "ReactMarkdownInsecureHtml", - "severity": "warning", - "category": "security", - "rule_title": "react markdown insecure html", - "description": "Overwriting `transformLinkUri` or `transformImageUri` to something insecure or turning `allowDangerousHtml` on, will open code up to XSS vectors.\n", - "rule_params": null, - "solution": null, - "languages": [ - "ts" - ], - "labels": [] - }, - { - "real_name": "react-insecure-request", - "display_name": "ReactInsecureRequest", - "severity": "error", - "category": "security", - "rule_title": "react insecure request", - "description": "Unencrypted request over HTTP detected.\n", - "rule_params": null, 
- "solution": null, - "languages": [ - "ts" - ], - "labels": [] - }, - { - "real_name": "react-missing-noopener", - "display_name": "ReactMissingNoopener", - "severity": "info", - "category": "security", - "rule_title": "react missing noopener", - "description": "Missing 'noopener' on an anchor tag where target='_blank'. This could introduce a reverse tabnabbing vulnerability. Include 'noopener' when using target='_blank'.\n", - "rule_params": null, - "solution": null, - "languages": [ - "ts" - ], - "labels": [] - }, - { - "real_name": "react-href-var", - "display_name": "ReactHrefVar", - "severity": "warning", - "category": "security", - "rule_title": "react href var", - "description": "Detected a variable used in an anchor tag with the 'href' attribute. A malicious actor may be able to input the 'javascript:' URI, which could cause cross-site scripting (XSS). It is recommended to disallow 'javascript:' URIs within your application.\n", - "rule_params": null, - "solution": null, - "languages": [ - "ts" - ], - "labels": [] - }, - { - "real_name": "react-http-leak", - "display_name": "ReactHttpLeak", - "severity": "warning", - "category": "security", - "rule_title": "react http leak", - "description": "this rule has been deprecated.\n", - "rule_params": null, - "solution": null, - "languages": [ - "ts" - ], - "labels": [] - }, - { - "real_name": "react-dangerouslysetinnerhtml", - "display_name": "ReactDangerouslysetinnerhtml", - "severity": "warning", - "category": "security", - "rule_title": "react dangerouslysetinnerhtml", - "description": "Detection of dangerouslySetInnerHTML from non-constant definition. This can inadvertently expose users to cross-site scripting (XSS) attacks if this comes from user-provided input. 
If you have to use dangerouslySetInnerHTML, consider using a sanitization library such as DOMPurify to santize your HTML.\n", - "rule_params": null, - "solution": null, - "languages": [ - "ts" - ], - "labels": [] - }, - { - "real_name": "react-router-redirect", - "display_name": "ReactRouterRedirect", - "severity": "warning", - "category": "security", - "rule_title": "react router redirect", - "description": "this rule has been deprecated.\n", - "rule_params": null, - "solution": null, - "languages": [ - "ts" - ], - "labels": [] - }, - { - "real_name": "react-html-element-spreading", - "display_name": "ReactHtmlElementSpreading", - "severity": "warning", - "category": "security", - "rule_title": "react html element spreading", - "description": "this rule has been deprecated.\n", - "rule_params": null, - "solution": null, - "languages": [ - "ts" - ], - "labels": [] - }, - { - "real_name": "react-jwt-in-localstorage", - "display_name": "ReactJwtInLocalstorage", - "severity": "info", - "category": "security", - "rule_title": "react jwt in localstorage", - "description": "Storing JWT tokens in localStorage known to be a bad practice, consider moving your tokens from localStorage to a HTTP cookie.\n", - "rule_params": null, - "solution": null, - "languages": [ - "ts" - ], - "labels": [] - }, - { - "real_name": "react-props-injection", - "display_name": "ReactPropsInjection", - "severity": "warning", - "category": "security", - "rule_title": "react props injection", - "description": "this rule has been deprecated.\n", - "rule_params": null, - "solution": null, - "languages": [ - "ts" - ], - "labels": [] - }, - { - "real_name": "react-styled-components-injection", - "display_name": "ReactStyledComponentsInjection", - "severity": "warning", - "category": "security", - "rule_title": "react styled components injection", - "description": "this rule has been deprecated.\n", - "rule_params": null, - "solution": null, - "languages": [ - "ts" - ], - "labels": [] - }, - { - 
"real_name": "react-unsanitized-method", - "display_name": "ReactUnsanitizedMethod", - "severity": "warning", - "category": "security", - "rule_title": "react unsanitized method", - "description": "User controlled data in a insertAdjacentHTML, document.write or document.writeln is an anti-pattern that can lead to XSS vulnerabilities\n", - "rule_params": null, - "solution": null, - "languages": [ - "ts" - ], - "labels": [] - }, - { - "real_name": "react-missing-noreferrer", - "display_name": "ReactMissingNoreferrer", - "severity": "info", - "category": "security", - "rule_title": "react missing noreferrer", - "description": "This anchor tag with 'target=\"_blank\"' is missing 'noreferrer' or 'noopener'. A page opened with 'target=\"_blank\"' can access the window object of the origin page. This means it can manipulate the 'window.opener' property, which could redirect the origin page to a malicious URL. This is called reverse tabnabbing. To prevent this, include 'rel=noreferrer' or 'rel=noopener' on this tag.\n", - "rule_params": null, - "solution": null, - "languages": [ - "ts" - ], - "labels": [] - }, - { - "real_name": "react-css-injection", - "display_name": "ReactCssInjection", - "severity": "warning", - "category": "security", - "rule_title": "react css injection", - "description": "this rule has been deprecated.\n", - "rule_params": null, - "solution": null, - "languages": [ - "ts" - ], - "labels": [] - }, - { - "real_name": "react-no-refs", - "display_name": "ReactNoRefs", - "severity": "warning", - "category": "security", - "rule_title": "react no refs", - "description": "this rule has been deprecated.\n", - "rule_params": null, - "solution": null, - "languages": [ - "ts" - ], - "labels": [] - }, - { - "real_name": "react-jwt-decoded-property", - "display_name": "ReactJwtDecodedProperty", - "severity": "info", - "category": "security", - "rule_title": "react jwt decoded property", - "description": "Property decoded from JWT token without verifying and 
cannot be trustworthy.\n", - "rule_params": null, - "solution": null, - "languages": [ - "ts" - ], - "labels": [] - }, - { - "real_name": "react-unsanitized-property", - "display_name": "ReactUnsanitizedProperty", - "severity": "error", - "category": "security", - "rule_title": "react unsanitized property", - "description": "User controlled data in a `$X` is an anti-pattern that can lead to XSS vulnerabilities\n", - "rule_params": null, - "solution": null, - "languages": [ - "ts" - ], - "labels": [] - }, - { - "real_name": "jsx-not-internationalized", - "display_name": "JsxNotInternationalized", - "severity": "warning", - "category": "security", - "rule_title": "jsx not internationalized", - "description": "JSX element not internationalized: '$MESSAGE'. You should support different languages in your website or app with internationalization. Instead, use packages such as `i18next` in order to internationlize your elements.\n", - "rule_params": null, - "solution": null, - "languages": [ - "ts" - ], - "labels": [] - }, - { - "real_name": "jsx-label-not-i18n", - "display_name": "JsxLabelNotI18n", - "severity": "warning", - "category": "security", - "rule_title": "jsx label not i18n", - "description": "JSX Component label not internationalized: '$MESSAGE'\n", - "rule_params": null, - "solution": null, - "languages": [ - "ts" - ], - "labels": [] - }, - { - "real_name": "i18next-key-format", - "display_name": "I18nextKeyFormat", - "severity": "warning", - "category": "security", - "rule_title": "i18next key format", - "description": "Translation key '$KEY' should match format 'MODULE.FEATURE.*'\n", - "rule_params": null, - "solution": null, - "languages": [ - "ts" - ], - "labels": [] - }, - { - "real_name": "useselect-label-not-i18n", - "display_name": "UseselectLabelNotI18n", - "severity": "warning", - "category": "security", - "rule_title": "useselect label not i18n", - "description": "React useSelect() label is not internationalized - '$LABEL'. 
You should support different langauges in your website or app with internationalization. Instead, use packages such as `i18next` to internationalize your elements.\n", - "rule_params": null, - "solution": null, - "languages": [ - "ts" - ], - "labels": [] - }, - { - "real_name": "mui-snackbar-message", - "display_name": "MuiSnackbarMessage", - "severity": "warning", - "category": "security", - "rule_title": "mui snackbar message", - "description": "React MUI enqueueSnackbar() title is not internationalized: '$MESSAGE'\n", - "rule_params": null, - "solution": null, - "languages": [ - "ts" - ], - "labels": [] - }, - { - "real_name": "react-props-in-state", - "display_name": "ReactPropsInState", - "severity": "warning", - "category": "correctness", - "rule_title": "react props in state", - "description": "It is a bad practice to stop the data flow in rendering by copying props into state.\n", - "rule_params": null, - "solution": null, - "languages": [ - "ts" - ], - "labels": [] - }, - { - "real_name": "react-legacy-component", - "display_name": "ReactLegacyComponent", - "severity": "warning", - "category": "correctness", - "rule_title": "react legacy component", - "description": "Legacy component lifecycle was detected - $METHOD.\n", - "rule_params": null, - "solution": null, - "languages": [ - "ts" - ], - "labels": [] - }, - { - "real_name": "react-props-spreading", - "display_name": "ReactPropsSpreading", - "severity": "warning", - "category": "correctness", - "rule_title": "react props spreading", - "description": "It's best practice to explicitly pass props to an HTML component rather than use the spread operator. 
The spread operator risks passing invalid HTML props to an HTML element, which can cause console warnings or worse, give malicious actors a way to inject unexpected attributes.\n", - "rule_params": null, - "solution": null, - "languages": [ - "ts" - ], - "labels": [] - }, - { - "real_name": "define-styled-components-on-module-level", - "display_name": "DefineStyledComponentsOnModuleLevel", - "severity": "warning", - "category": "correctness", - "rule_title": "define styled components on module level", - "description": "By declaring a styled component inside the render method of a react component, you are dynamically creating a new component on every render. This means that React will have to discard and re-calculate that part of the DOM subtree on each subsequent render, instead of just calculating the difference of what changed between them. This leads to performance bottlenecks and unpredictable behavior.\n", - "rule_params": null, - "solution": null, - "languages": [ - "ts" - ], - "labels": [] - }, - { - "real_name": "react-find-dom", - "display_name": "ReactFindDom", - "severity": "warning", - "category": "correctness", - "rule_title": "react find dom", - "description": "findDOMNode is an escape hatch used to access the underlying DOM node. 
In most cases, use of this escape hatch is discouraged because it pierces the component abstraction.\n", - "rule_params": null, - "solution": null, - "languages": [ - "ts" - ], - "labels": [] - }, - { - "real_name": "assert-use", - "display_name": "AssertUse", - "severity": "error", - "category": "security", - "rule_title": "assert use", - "description": "Calling assert with user input is equivalent to eval'ing.\n", - "rule_params": null, - "solution": null, - "languages": [ - "php" - ], - "labels": [] - }, - { - "real_name": "ldap-bind-without-password", - "display_name": "LdapBindWithoutPassword", - "severity": "warning", - "category": "security", - "rule_title": "ldap bind without password", - "description": "Detected anonymous LDAP bind. This permits anonymous users to execute LDAP statements. Consider enforcing authentication for LDAP.\n", - "rule_params": null, - "solution": null, - "languages": [ - "php" - ], - "labels": [] - }, - { - "real_name": "exec-use", - "display_name": "ExecUse", - "severity": "error", - "category": "security", - "rule_title": "exec use", - "description": "Executing non-constant commands. This can lead to command injection.\n", - "rule_params": null, - "solution": null, - "languages": [ - "php" - ], - "labels": [] - }, - { - "real_name": "phpinfo-use", - "display_name": "PhpinfoUse", - "severity": "error", - "category": "security", - "rule_title": "phpinfo use", - "description": "The 'phpinfo' function may reveal sensitive information about your environment.\n", - "rule_params": null, - "solution": null, - "languages": [ - "php" - ], - "labels": [] - }, - { - "real_name": "unlink-use", - "display_name": "UnlinkUse", - "severity": "warning", - "category": "security", - "rule_title": "unlink use", - "description": "Using user input when deleting files with `unlink()` is potentially dangerous. 
A malicious actor could use this to modify or access files they have no right to.\n", - "rule_params": null, - "solution": null, - "languages": [ - "php" - ], - "labels": [] - }, - { - "real_name": "ftp-use", - "display_name": "FtpUse", - "severity": "error", - "category": "security", - "rule_title": "ftp use", - "description": "FTP allows for unencrypted file transfers. Consider using an encrypted alternative.\n", - "rule_params": null, - "solution": null, - "languages": [ - "php" - ], - "labels": [] - }, - { - "real_name": "extract-user-data", - "display_name": "ExtractUserData", - "severity": "error", - "category": "security", - "rule_title": "extract user data", - "description": "Do not call 'extract()' on user-controllable data. If you must, then you must also provide the EXTR_SKIP flag to prevent overwriting existing variables.\n", - "rule_params": null, - "solution": null, - "languages": [ - "php" - ], - "labels": [] - }, - { - "real_name": "non-literal-header", - "display_name": "NonLiteralHeader", - "severity": "warning", - "category": "security", - "rule_title": "non literal header", - "description": "Using user input when setting headers with `header()` is potentially dangerous. This could allow an attacker to inject a new line and add a new header into the response. This is called HTTP response splitting. To fix, do not allow whitespace inside `header()`: '[^\\s]+'.\n", - "rule_params": null, - "solution": null, - "languages": [ - "php" - ], - "labels": [] - }, - { - "real_name": "openssl-cbc-static-iv", - "display_name": "OpensslCbcStaticIv", - "severity": "error", - "category": "security", - "rule_title": "openssl cbc static iv", - "description": "Static IV used with AES in CBC mode. 
Static IVs enable chosen-plaintext attacks against encrypted data.\n", - "rule_params": null, - "solution": null, - "languages": [ - "php" - ], - "labels": [] - }, - { - "real_name": "php-permissive-cors", - "display_name": "PhpPermissiveCors", - "severity": "warning", - "category": "security", - "rule_title": "php permissive cors", - "description": "Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions.\n", - "rule_params": null, - "solution": null, - "languages": [ - "php" - ], - "labels": [] - }, - { - "real_name": "mcrypt-use", - "display_name": "McryptUse", - "severity": "error", - "category": "security", - "rule_title": "mcrypt use", - "description": "Mcrypt functionality has been deprecated and/or removed in recent PHP versions. Consider using Sodium or OpenSSL.\n", - "rule_params": null, - "solution": null, - "languages": [ - "php" - ], - "labels": [] - }, - { - "real_name": "unserialize-use", - "display_name": "UnserializeUse", - "severity": "warning", - "category": "security", - "rule_title": "unserialize use", - "description": "Calling `unserialize()` with user input in the pattern can lead to arbitrary code execution. Consider using JSON or structured data approaches (e.g. Google Protocol Buffers).\n", - "rule_params": null, - "solution": null, - "languages": [ - "php" - ], - "labels": [] - }, - { - "real_name": "curl-ssl-verifypeer-off", - "display_name": "CurlSslVerifypeerOff", - "severity": "error", - "category": "security", - "rule_title": "curl ssl verifypeer off", - "description": "SSL verification is disabled but should not be (currently CURLOPT_SSL_VERIFYPEER= $IS_VERIFIED)\n", - "rule_params": null, - "solution": null, - "languages": [ - "php" - ], - "labels": [] - }, - { - "real_name": "eval-use", - "display_name": "EvalUse", - "severity": "error", - "category": "security", - "rule_title": "eval use", - "description": "Evaluating non-constant commands. 
This can lead to command injection.\n", - "rule_params": null, - "solution": null, - "languages": [ - "php" - ], - "labels": [] - }, - { - "real_name": "weak-crypto", - "display_name": "WeakCrypto", - "severity": "error", - "category": "security", - "rule_title": "weak crypto", - "description": "Detected usage of weak crypto function. Consider using stronger alternatives.\n", - "rule_params": null, - "solution": null, - "languages": [ - "php" - ], - "labels": [] - }, - { - "real_name": "md5-loose-equality", - "display_name": "Md5LooseEquality", - "severity": "error", - "category": "security", - "rule_title": "md5 loose equality", - "description": "Make sure comparisons involving md5 values are strict (use `===` not `==`) to avoid type juggling issues\n", - "rule_params": null, - "solution": null, - "languages": [ - "php" - ], - "labels": [] - }, - { - "real_name": "mb-ereg-replace-eval", - "display_name": "MbEregReplaceEval", - "severity": "error", - "category": "security", - "rule_title": "mb ereg replace eval", - "description": "Calling mb_ereg_replace with user input in the options can lead to arbitrary code execution. The eval modifier (`e`) evaluates the replacement argument as code.\n", - "rule_params": null, - "solution": null, - "languages": [ - "php" - ], - "labels": [] - }, - { - "real_name": "backticks-use", - "display_name": "BackticksUse", - "severity": "error", - "category": "security", - "rule_title": "backticks use", - "description": "Backticks use may lead to command injection vulnerabilities.\n", - "rule_params": null, - "solution": null, - "languages": [ - "php" - ], - "labels": [] - }, - { - "real_name": "preg-replace-eval", - "display_name": "PregReplaceEval", - "severity": "error", - "category": "security", - "rule_title": "preg replace eval", - "description": "Calling preg_replace with user input in the pattern can lead to arbitrary code execution. 
The eval modifier (`/e`) evaluates the replacement argument as code.\n", - "rule_params": null, - "solution": null, - "languages": [ - "php" - ], - "labels": [] - }, - { - "real_name": "file-inclusion", - "display_name": "FileInclusion", - "severity": "error", - "category": "security", - "rule_title": "file inclusion", - "description": "Detected non-constant file inclusion. This can lead to local file inclusion (LFI) or remote file inclusion (RFI) if user input reaches this statement. LFI and RFI could lead to sensitive files being obtained by attackers. Instead, explicitly specify what to include. If that is not a viable solution, validate user input thoroughly.\n", - "rule_params": null, - "solution": null, - "languages": [ - "php" - ], - "labels": [] - }, - { - "real_name": "openssl-decrypt-validate", - "display_name": "OpensslDecryptValidate", - "severity": "warning", - "category": "security", - "rule_title": "openssl decrypt validate", - "description": "The function `openssl_decrypt` returns either a string of the decrypted data on success or `false` on failure. If the failure case is not handled, this could lead to undefined behavior in your application. Please handle the case where `openssl_decrypt` returns `false`.\n", - "rule_params": null, - "solution": null, - "languages": [ - "php" - ], - "labels": [] - }, - { - "real_name": "tainted-object-instantiation", - "display_name": "TaintedObjectInstantiation", - "severity": "warning", - "category": "security", - "rule_title": "tainted object instantiation", - "description": "<- A new object is created where the class name is based on user input. 
This could lead to remote code execution, as it allows to instantiate any class in the application.\n", - "rule_params": null, - "solution": null, - "languages": [ - "php" - ], - "labels": [] - }, - { - "real_name": "tainted-filename", - "display_name": "TaintedFilename", - "severity": "warning", - "category": "security", - "rule_title": "tainted filename", - "description": "File name based on user input risks server-side request forgery.\n", - "rule_params": null, - "solution": null, - "languages": [ - "php" - ], - "labels": [] - }, - { - "real_name": "doctrine-dbal-dangerous-query", - "display_name": "DoctrineDbalDangerousQuery", - "severity": "warning", - "category": "security", - "rule_title": "doctrine dbal dangerous query", - "description": "Detected string concatenation with a non-literal variable in a Doctrine DBAL query method. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, used parameterized queries or prepared statements instead.\n", - "rule_params": null, - "solution": null, - "languages": [ - "php" - ], - "labels": [] - }, - { - "real_name": "doctrine-orm-dangerous-query", - "display_name": "DoctrineOrmDangerousQuery", - "severity": "warning", - "category": "security", - "rule_title": "doctrine orm dangerous query", - "description": "`$QUERY` Detected string concatenation with a non-literal variable in a Doctrine QueryBuilder method. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. 
In order to prevent SQL injection, used parameterized queries or prepared statements instead.\n", - "rule_params": null, - "solution": null, - "languages": [ - "php" - ], - "labels": [] - }, - { - "real_name": "symfony-permissive-cors", - "display_name": "SymfonyPermissiveCors", - "severity": "warning", - "category": "security", - "rule_title": "symfony permissive cors", - "description": "Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions.\n", - "rule_params": null, - "solution": null, - "languages": [ - "php" - ], - "labels": [] - }, - { - "real_name": "symfony-csrf-protection-disabled", - "display_name": "SymfonyCsrfProtectionDisabled", - "severity": "warning", - "category": "security", - "rule_title": "symfony csrf protection disabled", - "description": "CSRF is disabled for this configuration. This is a security risk. Make sure that it is safe or consider setting `csrf_protection` property to `true`.\n", - "rule_params": null, - "solution": null, - "languages": [ - "php" - ], - "labels": [] - }, - { - "real_name": "symfony-non-literal-redirect", - "display_name": "SymfonyNonLiteralRedirect", - "severity": "warning", - "category": "security", - "rule_title": "symfony non literal redirect", - "description": "The `redirect()` method does not check its destination in any way. If you redirect to a URL provided by end-users, your application may be open to the unvalidated redirects security vulnerability. 
Consider using literal values or an allowlist to validate URLs.\n", - "rule_params": null, - "solution": null, - "languages": [ - "php" - ], - "labels": [] - }, - { - "real_name": "laravel-cookie-long-timeout", - "display_name": "LaravelCookieLongTimeout", - "severity": "error", - "category": "security", - "rule_title": "laravel cookie long timeout", - "description": "Found a configuration file where the lifetime attribute is over 30 minutes.\n", - "rule_params": null, - "solution": null, - "languages": [ - "php" - ], - "labels": [] - }, - { - "real_name": "laravel-sql-injection", - "display_name": "LaravelSqlInjection", - "severity": "warning", - "category": "security", - "rule_title": "laravel sql injection", - "description": "Detected a SQL query based on user input. This could lead to SQL injection, which could potentially result in sensitive data being exfiltrated by attackers. Instead, use parameterized queries and prepared statements.\n", - "rule_params": null, - "solution": null, - "languages": [ - "php" - ], - "labels": [] - }, - { - "real_name": "laravel-cookie-http-only", - "display_name": "LaravelCookieHttpOnly", - "severity": "error", - "category": "security", - "rule_title": "laravel cookie http only", - "description": "Found a configuration file where the HttpOnly attribute is not set to true. Setting `http_only` to true makes sure that your cookies are inaccessible from Javascript, which mitigates XSS attacks. Instead, set the 'http_only' like so: `http_only` => true \n", - "rule_params": null, - "solution": null, - "languages": [ - "php" - ], - "labels": [] - }, - { - "real_name": "laravel-unsafe-validator", - "display_name": "LaravelUnsafeValidator", - "severity": "error", - "category": "security", - "rule_title": "laravel unsafe validator", - "description": "Found a request argument passed to an `ignore()` definition in a Rule constraint. 
This can lead to SQL injection.\n", - "rule_params": null, - "solution": null, - "languages": [ - "php" - ], - "labels": [] - }, - { - "real_name": "laravel-blade-form-missing-csrf", - "display_name": "LaravelBladeFormMissingCsrf", - "severity": "error", - "category": "security", - "rule_title": "laravel blade form missing csrf", - "description": "Found a Blade form POST definition without the `@csrf` decorator. State-changing operations using simple HTTP content types should include an antiforgery token.\n{\"include\": [\"*.blade.php\"]}", - "rule_params": null, - "solution": null, - "languages": [ - "php" - ], - "labels": [] - }, - { - "real_name": "laravel-cookie-same-site", - "display_name": "LaravelCookieSameSite", - "severity": "error", - "category": "security", - "rule_title": "laravel cookie same site", - "description": "Found a configuration file where the same_site attribute is not set to 'lax' or 'strict'. Setting 'same_site' to 'lax' or 'strict' restricts cookies to a first-party or same-site context, which will protect your cookies and prevent CSRF.\n", - "rule_params": null, - "solution": null, - "languages": [ - "php" - ], - "labels": [] - }, - { - "real_name": "laravel-api-route-sql-injection", - "display_name": "LaravelApiRouteSqlInjection", - "severity": "warning", - "category": "security", - "rule_title": "laravel api route sql injection", - "description": "HTTP method [$METHOD] to Laravel route $ROUTE_NAME is vulnerable to SQL injection via string concatentation or unsafe interpolation.\n", - "rule_params": null, - "solution": null, - "languages": [ - "php" - ], - "labels": [] - }, - { - "real_name": "laravel-active-debug-code", - "display_name": "LaravelActiveDebugCode", - "severity": "error", - "category": "security", - "rule_title": "laravel active debug code", - "description": "Found an instance setting the APP_DEBUG environment variable to true. In your production environment, this should always be false. 
Otherwise, you risk exposing sensitive configuration values to potential attackers. Instead, set this to false.\n", - "rule_params": null, - "solution": null, - "languages": [ - "php" - ], - "labels": [] - }, - { - "real_name": "laravel-dangerous-model-construction", - "display_name": "LaravelDangerousModelConstruction", - "severity": "error", - "category": "security", - "rule_title": "laravel dangerous model construction", - "description": "Setting `$guarded` to an empty array allows mass assignment to every property in a Laravel model. This explicitly overrides Eloquent's safe-by-default mass assignment protections.\n", - "rule_params": null, - "solution": null, - "languages": [ - "php" - ], - "labels": [] - }, - { - "real_name": "laravel-cookie-secure-set", - "display_name": "LaravelCookieSecureSet", - "severity": "error", - "category": "security", - "rule_title": "laravel cookie secure set", - "description": "Found a configuration file where the secure attribute is not set to 'true'. Setting 'secure' to 'true' prevents the client from transmitting the cookie over unencrypted channels and therefore prevents cookies from being stolen through man in the middle attacks. \n", - "rule_params": null, - "solution": null, - "languages": [ - "php" - ], - "labels": [] - }, - { - "real_name": "laravel-cookie-null-domain", - "display_name": "LaravelCookieNullDomain", - "severity": "error", - "category": "security", - "rule_title": "laravel cookie null domain", - "description": "Found a configuration file where the domain attribute is not set to null. It is recommended (unless you are using sub-domain route registrations) to set this attribute to null so that only the same origin can set the cookie, thus protecting your cookies. 
\n", - "rule_params": null, - "solution": null, - "languages": [ - "php" - ], - "labels": [] - }, - { - "real_name": "jwt-python-exposed-credentials", - "display_name": "JwtPythonExposedCredentials", - "severity": "error", - "category": "security", - "rule_title": "jwt python exposed credentials", - "description": "Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "jwt-python-none-alg", - "display_name": "JwtPythonNoneAlg", - "severity": "error", - "category": "security", - "rule_title": "jwt python none alg", - "description": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "unverified-jwt-decode", - "display_name": "UnverifiedJwtDecode", - "severity": "error", - "category": "security", - "rule_title": "unverified jwt decode", - "description": "Detected JWT token decoded with 'verify=False'. This bypasses any integrity checks for the token which means the token could be tampered with by malicious actors. Ensure that the JWT token is verified.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "jwt-python-hardcoded-secret", - "display_name": "JwtPythonHardcodedSecret", - "severity": "error", - "category": "security", - "rule_title": "jwt python hardcoded secret", - "description": "Hardcoded JWT secret or private key is used. 
This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "jwt-python-exposed-data", - "display_name": "JwtPythonExposedData", - "severity": "warning", - "category": "security", - "rule_title": "jwt python exposed data", - "description": "The object is passed strictly to jwt.encode(...) Make sure that sensitive information is not exposed through JWT token payload.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "open-redirect", - "display_name": "OpenRedirect", - "severity": "error", - "category": "security", - "rule_title": "open redirect", - "description": "Data from request is passed to redirect(). This is an open redirect and could be exploited. Consider using 'url_for()' to generate links to known locations. If you must use a URL to unknown pages, consider using 'urlparse()' or similar and checking if the 'netloc' property is the same as your site's host name. See the references for more information.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "insecure-deserialization", - "display_name": "InsecureDeserialization", - "severity": "error", - "category": "security", - "rule_title": "insecure deserialization", - "description": "Detected the use of an insecure deserialization library in a Flask route. These libraries are prone to code execution vulnerabilities. Ensure user data does not enter this function. To fix this, try to avoid serializing whole objects. 
Consider instead using a serializer such as JSON.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "avoid_send_file_without_path_sanitization", - "display_name": "Avoid_send_file_without_path_sanitization", - "severity": "warning", - "category": "security", - "rule_title": "avoid_send_file_without_path_sanitization", - "description": "Detected a user-controlled `filename` that could flow to `flask.send_file()` function. This could lead to an attacker reading arbitrary file from the system, leaking private information. Make sure to properly sanitize filename or use `flask.send_from_directory`\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "flask-api-method-string-format", - "display_name": "FlaskApiMethodStringFormat", - "severity": "error", - "category": "security", - "rule_title": "flask api method string format", - "description": "Method $METHOD in API controller $CLASS provides user arg $ARG to requests method $REQMETHOD\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "response-contains-unsanitized-input", - "display_name": "ResponseContainsUnsanitizedInput", - "severity": "warning", - "category": "security", - "rule_title": "response contains unsanitized input", - "description": "Flask response reflects unsanitized user input. This could lead to a cross-site scripting vulnerability (https://owasp.org/www-community/attacks/xss/) in which an attacker causes arbitrary code to be executed in the user's browser. To prevent, please sanitize the user input, e.g. 
by rendering the response in a Jinja2 template (see considerations in https://flask.palletsprojects.com/en/1.0.x/security/).\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "unescaped-template-extension", - "display_name": "UnescapedTemplateExtension", - "severity": "warning", - "category": "security", - "rule_title": "unescaped template extension", - "description": "Flask does not automatically escape Jinja templates unless they have .html, .htm, .xml, or .xhtml extensions. This could lead to XSS attacks. Use .html, .htm, .xml, or .xhtml for your template extensions. See https://flask.palletsprojects.com/en/1.1.x/templating/#jinja-setup for more information.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "dangerous-template-string", - "display_name": "DangerousTemplateString", - "severity": "error", - "category": "security", - "rule_title": "dangerous template string", - "description": "Found a template created with string formatting. This is susceptible to server-side template injection and cross-site scripting attacks.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "template-href-var", - "display_name": "TemplateHrefVar", - "severity": "warning", - "category": "security", - "rule_title": "template href var", - "description": "Detected a template variable used in an anchor tag with the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross- site scripting (XSS) attacks. Use 'url_for()' to safely generate a URL. 
You may also consider setting the Content Security Policy (CSP) header.\n{\"include\": [\"*.html\"]}", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "direct-use-of-jinja2", - "display_name": "DirectUseOfJinja2", - "severity": "warning", - "category": "security", - "rule_title": "direct use of jinja2", - "description": "Detected direct use of jinja2. If not done properly, this may bypass HTML escaping which opens up the application to cross-site scripting (XSS) vulnerabilities. Prefer using the Flask method 'render_template()' and templates with a '.html' extension in order to prevent XSS.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "template-unquoted-attribute-var", - "display_name": "TemplateUnquotedAttributeVar", - "severity": "warning", - "category": "security", - "rule_title": "template unquoted attribute var", - "description": "Detected a unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: \"{{ expr }}\".\n{\"include\": [\"*.html\", \"*.py\"]}", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "explicit-unescape-with-markup", - "display_name": "ExplicitUnescapeWithMarkup", - "severity": "warning", - "category": "security", - "rule_title": "explicit unescape with markup", - "description": "Detected explicitly unescaped content using 'Markup()'. This permits the unescaped data to include unescaped HTML which could result in cross-site scripting. 
Ensure this data is not externally controlled, or consider rewriting to not use 'Markup()'.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "template-unescaped-with-safe", - "display_name": "TemplateUnescapedWithSafe", - "severity": "warning", - "category": "security", - "rule_title": "template unescaped with safe", - "description": "Detected a segment of a Flask template where autoescaping is explicitly disabled with '| safe' filter. This allows rendering of raw HTML in this segment. Ensure no user data is rendered here, otherwise this is a cross-site scripting (XSS) vulnerability.\n{\"include\": [\"*.html\"]}", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "template-autoescape-off", - "display_name": "TemplateAutoescapeOff", - "severity": "warning", - "category": "security", - "rule_title": "template autoescape off", - "description": "Detected a segment of a Flask template where autoescaping is explicitly disabled with '{% autoescape off %}'. This allows rendering of raw HTML in this segment. Ensure no user data is rendered here, otherwise this is a cross-site scripting (XSS) vulnerability, or turn autoescape on.\n{\"include\": [\"*.html\"]}", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "debug-enabled", - "display_name": "DebugEnabled", - "severity": "warning", - "category": "security", - "rule_title": "debug enabled", - "description": "Detected Flask app with debug=True. Do not deploy to production with this flag enabled as it will leak sensitive information. 
Instead, consider using Flask configuration variables or setting 'debug' using system environment variables.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "avoid_app_run_with_bad_host", - "display_name": "Avoid_app_run_with_bad_host", - "severity": "warning", - "category": "security", - "rule_title": "avoid_app_run_with_bad_host", - "description": "Running flask app with host 0.0.0.0 could expose the server publicly.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "secure-set-cookie", - "display_name": "SecureSetCookie", - "severity": "warning", - "category": "security", - "rule_title": "secure set cookie", - "description": "Found a Flask cookie without secure, httponly, or samesite correctly set. Flask cookies should be handled securely by setting secure=True, httponly=True, and samesite='Lax' in response.set_cookie(...). If these parameters are not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker. Include the 'secure=True', 'httponly=True', samesite='Lax' arguments or set these to be true in the Flask configuration.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "flask-wtf-csrf-disabled", - "display_name": "FlaskWtfCsrfDisabled", - "severity": "warning", - "category": "security", - "rule_title": "flask wtf csrf disabled", - "description": "Setting 'WTF_CSRF_ENABLED' to 'False' explicitly disables CSRF protection.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "avoid_using_app_run_directly", - "display_name": "Avoid_using_app_run_directly", - "severity": "warning", - "category": "security", - "rule_title": "avoid_using_app_run_directly", - "description": "top-level app.run(...) is ignored by flask. Consider putting app.run(...) 
behind a guard, like inside a function\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "avoid_hardcoded_config_TESTING", - "display_name": "Avoid_hardcoded_config_testing", - "severity": "warning", - "category": "security", - "rule_title": "avoid_hardcoded_config_TESTING", - "description": "Hardcoded variable `TESTING` detected. Use environment variables or config files instead\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "avoid_hardcoded_config_SECRET_KEY", - "display_name": "Avoid_hardcoded_config_secret_key", - "severity": "error", - "category": "security", - "rule_title": "avoid_hardcoded_config_SECRET_KEY", - "description": "Hardcoded variable `SECRET_KEY` detected. Use environment variables or config files instead\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "avoid_hardcoded_config_ENV", - "display_name": "Avoid_hardcoded_config_env", - "severity": "warning", - "category": "security", - "rule_title": "avoid_hardcoded_config_ENV", - "description": "Hardcoded variable `ENV` detected. Set this by using FLASK_ENV environment variable\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "avoid_hardcoded_config_DEBUG", - "display_name": "Avoid_hardcoded_config_debug", - "severity": "warning", - "category": "security", - "rule_title": "avoid_hardcoded_config_DEBUG", - "description": "Hardcoded variable `DEBUG` detected. 
Set this by using FLASK_DEBUG environment variable\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "directly-returned-format-string", - "display_name": "DirectlyReturnedFormatString", - "severity": "warning", - "category": "security", - "rule_title": "directly returned format string", - "description": "Detected Flask route directly returning a formatted string. This is subject to cross-site scripting if user input can reach the string. Consider using the template engine instead and rendering pages with 'render_template()'.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "render-template-string", - "display_name": "RenderTemplateString", - "severity": "warning", - "category": "security", - "rule_title": "render template string", - "description": "Found a template created with string formatting. This is susceptible to server-side template injection and cross-site scripting attacks.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "make-response-with-unknown-content", - "display_name": "MakeResponseWithUnknownContent", - "severity": "warning", - "category": "security", - "rule_title": "make response with unknown content", - "description": "Be careful with `flask.make_response()`. If this response is rendered onto a webpage, this could create a cross-site scripting (XSS) vulnerability. `flask.make_response()` will not autoescape HTML. If you are rendering HTML, write your HTML in a template file and use `flask.render_template()` which will take care of escaping. 
If you are returning data from an API, consider using `flask.jsonify()`.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "nan-injection", - "display_name": "NanInjection", - "severity": "error", - "category": "security", - "rule_title": "nan injection", - "description": "Found user input going directly into typecast for bool(), float(), or complex(). This allows an attacker to inject Python's not-a-number (NaN) into the typecast. This results in undefind behavior, particularly when doing comparisons. Either cast to a different type, or add a guard checking for all capitalizations of the string 'nan'.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "path-traversal-open", - "display_name": "PathTraversalOpen", - "severity": "error", - "category": "security", - "rule_title": "path traversal open", - "description": "Found request data in a call to 'open'. Ensure the request data is validated or sanitized, otherwise it could result in path traversal attacks.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "ssrf-requests", - "display_name": "SsrfRequests", - "severity": "error", - "category": "security", - "rule_title": "ssrf requests", - "description": "Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF). 
To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "eval-injection", - "display_name": "EvalInjection", - "severity": "error", - "category": "security", - "rule_title": "eval injection", - "description": "Detected user data flowing into eval. This is code injection and should be avoided.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "exec-injection", - "display_name": "ExecInjection", - "severity": "error", - "category": "security", - "rule_title": "exec injection", - "description": "Detected user data flowing into exec. This is code injection and should be avoided.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "os-system-injection", - "display_name": "OsSystemInjection", - "severity": "error", - "category": "security", - "rule_title": "os system injection", - "description": "User data detected in os.system. This could be vulnerable to a command injection and should be avoided. 
If this must be done, use the 'subprocess' module instead and pass the arguments as a list.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "flask-deprecated-apis", - "display_name": "FlaskDeprecatedApis", - "severity": "warning", - "category": "correctness", - "rule_title": "flask deprecated apis", - "description": "deprecated Flask API\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "flask-duplicate-handler-name", - "display_name": "FlaskDuplicateHandlerName", - "severity": "warning", - "category": "correctness", - "rule_title": "flask duplicate handler name", - "description": "Looks like `$R` is a flask function handler that registered to two different routes. This will cause a runtime error\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "avoid-accessing-request-in-wrong-handler", - "display_name": "AvoidAccessingRequestInWrongHandler", - "severity": "warning", - "category": "correctness", - "rule_title": "avoid accessing request in wrong handler", - "description": "Accessing request object inside a route handle for HTTP GET command will throw due to missing request body.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "use-jsonify", - "display_name": "UseJsonify", - "severity": "error", - "category": "correctness", - "rule_title": "use jsonify", - "description": "flask.jsonify() is a Flask helper method which handles the correct settings for returning JSON from Flask routes\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "flask-class-method-get-side-effects", - "display_name": "FlaskClassMethodGetSideEffects", - "severity": "warning", - "category": "correctness", - "rule_title": "flask class method get side 
effects", - "description": "Flask class method GET with side effects\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "flask-cache-query-string", - "display_name": "FlaskCacheQueryString", - "severity": "warning", - "category": "correctness", - "rule_title": "flask cache query string", - "description": "Flask-caching doesn't cache query strings by default. You have to use `query_string=True`. Also you shouldn't cache verbs that can mutate state.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "insufficient-rsa-key-size", - "display_name": "InsufficientRsaKeySize", - "severity": "warning", - "category": "security", - "rule_title": "insufficient rsa key size", - "description": "Detected an insufficient key size for RSA. NIST recommends a key size of 2048 or higher.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python", - "ruby" - ], - "labels": [] - }, - { - "real_name": "insecure-cipher-algorithm-rc2", - "display_name": "InsecureCipherAlgorithmRc2", - "severity": "warning", - "category": "security", - "rule_title": "insecure cipher algorithm rc2", - "description": "Detected RC2 cipher algorithm which is considered insecure. The algorithm has known vulnerabilities and is difficult to use securely. Use AES instead.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "insecure-cipher-algorithm-rc4", - "display_name": "InsecureCipherAlgorithmRc4", - "severity": "warning", - "category": "security", - "rule_title": "insecure cipher algorithm rc4", - "description": "Detected RC4 cipher algorithm which is considered insecure. The algorithm has many known vulnerabilities. 
Use AES instead.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "insecure-cipher-algorithm-blowfish", - "display_name": "InsecureCipherAlgorithmBlowfish", - "severity": "warning", - "category": "security", - "rule_title": "insecure cipher algorithm blowfish", - "description": "Detected Blowfish cipher algorithm which is considered insecure. The algorithm has many known vulnerabilities. Use AES instead.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "insecure-cipher-algorithm-des", - "display_name": "InsecureCipherAlgorithmDes", - "severity": "warning", - "category": "security", - "rule_title": "insecure cipher algorithm des", - "description": "Detected DES cipher algorithm which is considered insecure. The algorithm is considered weak and has been deprecated. Use AES instead.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "insecure-cipher-algorithm-xor", - "display_name": "InsecureCipherAlgorithmXor", - "severity": "warning", - "category": "security", - "rule_title": "insecure cipher algorithm xor", - "description": "Detected XOR cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use AES instead.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "insufficient-dsa-key-size", - "display_name": "InsufficientDsaKeySize", - "severity": "warning", - "category": "security", - "rule_title": "insufficient dsa key size", - "description": "Detected an insufficient key size for DSA. 
NIST recommends a key size of 2048 or higher.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "insecure-hash-algorithm-md2", - "display_name": "InsecureHashAlgorithmMd2", - "severity": "warning", - "category": "security", - "rule_title": "insecure hash algorithm md2", - "description": "Detected MD2 hash algorithm which is considered insecure. This algorithm has many known vulnerabilities and has been deprecated. Use SHA256 or SHA3 instead.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "insecure-hash-algorithm-md4", - "display_name": "InsecureHashAlgorithmMd4", - "severity": "warning", - "category": "security", - "rule_title": "insecure hash algorithm md4", - "description": "Detected MD4 hash algorithm which is considered insecure. This algorithm has many known vulnerabilities and has been deprecated. Use SHA256 or SHA3 instead.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "insecure-hash-algorithm-md5", - "display_name": "InsecureHashAlgorithmMd5", - "severity": "warning", - "category": "security", - "rule_title": "insecure hash algorithm md5", - "description": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "insecure-hash-algorithm-sha1", - "display_name": "InsecureHashAlgorithmSha1", - "severity": "warning", - "category": "security", - "rule_title": "insecure hash algorithm sha1", - "description": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. 
Use SHA256 or SHA3 instead.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "bokeh-deprecated-apis", - "display_name": "BokehDeprecatedApis", - "severity": "warning", - "category": "correctness", - "rule_title": "bokeh deprecated apis", - "description": "These APIs are deprecated in Bokeh see https://docs.bokeh.org/en/latest/docs/releases.html#api-deprecations\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "docker-arbitrary-container-run", - "display_name": "DockerArbitraryContainerRun", - "severity": "warning", - "category": "security", - "rule_title": "docker arbitrary container run", - "description": "If unverified user data can reach the `run` or `create` method it can result in running arbitrary container.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "require-encryption", - "display_name": "RequireEncryption", - "severity": "warning", - "category": "security", - "rule_title": "require encryption", - "description": "Initializing the a security context for Dask (`distributed`) without \"require_encription\" keyword argument may silently fail to provide security. See https://distributed.dask.org/en/latest/tls.html?highlight=require_encryption#parameters\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "incorrect-autoescape-disabled", - "display_name": "IncorrectAutoescapeDisabled", - "severity": "warning", - "category": "security", - "rule_title": "incorrect autoescape disabled", - "description": "Detected a Jinja2 environment with autoescaping disabled. This is dangerous if you are rendering to a browser because this allows for cross-site scripting (XSS) attacks. If you are in a web context, enable autoescaping by setting 'autoescape=True.' 
You may also consider using 'jinja2.select_autoescape()' to only enable automatic escaping for certain file extensions.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "missing-autoescape-disabled", - "display_name": "MissingAutoescapeDisabled", - "severity": "warning", - "category": "security", - "rule_title": "missing autoescape disabled", - "description": "Detected a Jinja2 environment without autoescaping. Jinja2 does not autoescape by default. This is dangerous if you are rendering to a browser because this allows for cross-site scripting (XSS) attacks. If you are in a web context, enable autoescaping by setting 'autoescape=True.' You may also consider using 'jinja2.select_autoescape()' to only enable automatic escaping for certain file extensions.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "insufficient-ec-key-size", - "display_name": "InsufficientEcKeySize", - "severity": "warning", - "category": "security", - "rule_title": "insufficient ec key size", - "description": "Detected an insufficient curve size for EC. NIST recommends a key size of 224 or higher. For example, use 'ec.SECP256R1'.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "insecure-cipher-mode-ecb", - "display_name": "InsecureCipherModeEcb", - "severity": "warning", - "category": "security", - "rule_title": "insecure cipher mode ecb", - "description": "Detected ECB cipher mode which is considered insecure. The algorithm can potentially leak information about the plaintext. 
Use CBC mode instead.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "insecure-cipher-algorithm-idea", - "display_name": "InsecureCipherAlgorithmIdea", - "severity": "warning", - "category": "security", - "rule_title": "insecure cipher algorithm idea", - "description": "Detected IDEA cipher algorithm which is considered insecure. The algorithm is considered weak and has been deprecated. Use AES instead.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "pyramid-csrf-check-disabled-globally", - "display_name": "PyramidCsrfCheckDisabledGlobally", - "severity": "error", - "category": "security", - "rule_title": "pyramid csrf check disabled globally", - "description": "Automatic check of cross-site request forgery tokens has been explicitly disabled globally, which might leave views unprotected. Use 'pyramid.config.Configurator.set_default_csrf_options(require_csrf=True)' to turn the automatic check for all unsafe methods (per RFC2616).\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "pyramid-direct-use-of-response", - "display_name": "PyramidDirectUseOfResponse", - "severity": "error", - "category": "security", - "rule_title": "pyramid direct use of response", - "description": "Detected data rendered directly to the end user via 'Response'. This bypasses Pyramid's built-in cross-site scripting (XSS) defenses and could result in an XSS vulnerability. 
Use Pyramid's template engines to safely render HTML.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "pyramid-sqlalchemy-sql-injection", - "display_name": "PyramidSqlalchemySqlInjection", - "severity": "error", - "category": "security", - "rule_title": "pyramid sqlalchemy sql injection", - "description": "Distinct, Having, Group_by, Order_by, and Filter in SQLAlchemy can cause sql injections if the developer inputs raw SQL into the before-mentioned clauses. This pattern captures relevant cases in which the developer inputs raw SQL into the distinct, having, group_by, order_by or filter clauses and injects user-input into the raw SQL with any function besides \"bindparams\". Use bindParams to securely bind user-input to SQL statements.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "pyramid-authtkt-cookie-secure-unsafe-default", - "display_name": "PyramidAuthtktCookieSecureUnsafeDefault", - "severity": "warning", - "category": "security", - "rule_title": "pyramid authtkt cookie secure unsafe default", - "description": "Found a Pyramid Authentication Ticket cookie using an unsafe default for the secure option. Pyramid cookies should be handled securely by setting secure=True. If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "pyramid-authtkt-cookie-secure-unsafe-value", - "display_name": "PyramidAuthtktCookieSecureUnsafeValue", - "severity": "warning", - "category": "security", - "rule_title": "pyramid authtkt cookie secure unsafe value", - "description": "Found a Pyramid Authentication Ticket cookie without the secure option correctly set. Pyramid cookies should be handled securely by setting secure=True. 
If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "pyramid-set-cookie-samesite-unsafe-value", - "display_name": "PyramidSetCookieSamesiteUnsafeValue", - "severity": "warning", - "category": "security", - "rule_title": "pyramid set cookie samesite unsafe value", - "description": "Found a Pyramid cookie without the samesite option correctly set. Pyramid cookies should be handled securely by setting samesite='Lax' in response.set_cookie(...). If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "pyramid-set-cookie-httponly-unsafe-value", - "display_name": "PyramidSetCookieHttponlyUnsafeValue", - "severity": "warning", - "category": "security", - "rule_title": "pyramid set cookie httponly unsafe value", - "description": "Found a Pyramid cookie without the httponly option correctly set. Pyramid cookies should be handled securely by setting httponly=rue in response.set_cookie(...). If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "pyramid-csrf-check-disabled", - "display_name": "PyramidCsrfCheckDisabled", - "severity": "warning", - "category": "security", - "rule_title": "pyramid csrf check disabled", - "description": "CSRF is disabled for this view. 
This is a security risk.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "pyramid-authtkt-cookie-httponly-unsafe-value", - "display_name": "PyramidAuthtktCookieHttponlyUnsafeValue", - "severity": "warning", - "category": "security", - "rule_title": "pyramid authtkt cookie httponly unsafe value", - "description": "Found a Pyramid Authentication Ticket cookie without the httponly option correctly set. Pyramid cookies should be handled securely by setting httponly=True. If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "pyramid-authtkt-cookie-httponly-unsafe-default", - "display_name": "PyramidAuthtktCookieHttponlyUnsafeDefault", - "severity": "warning", - "category": "security", - "rule_title": "pyramid authtkt cookie httponly unsafe default", - "description": "Found a Pyramid Authentication Ticket cookie without the httponly option correctly set. Pyramid cookies should be handled securely by setting httponly=True. If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "pyramid-set-cookie-secure-unsafe-default", - "display_name": "PyramidSetCookieSecureUnsafeDefault", - "severity": "warning", - "category": "security", - "rule_title": "pyramid set cookie secure unsafe default", - "description": "Found a Pyramid cookie using an unsafe default for the secure option. Pyramid cookies should be handled securely by setting secure=True in response.set_cookie(...). 
If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "pyramid-csrf-origin-check-disabled", - "display_name": "PyramidCsrfOriginCheckDisabled", - "severity": "warning", - "category": "security", - "rule_title": "pyramid csrf origin check disabled", - "description": "Origin check for the CSRF token is disabled for this view. This might represent a security risk if the CSRF storage policy is not known to be secure.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "pyramid-csrf-origin-check-disabled-globally", - "display_name": "PyramidCsrfOriginCheckDisabledGlobally", - "severity": "error", - "category": "security", - "rule_title": "pyramid csrf origin check disabled globally", - "description": "Automatic check of the referrer for cross-site request forgery tokens has been explicitly disabled globally, which might leave views unprotected when an unsafe CSRF storage policy is used. Use 'pyramid.config.Configurator.set_default_csrf_options(check_origin=True)' to turn the automatic check for all unsafe methods (per RFC2616).\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "pyramid-authtkt-cookie-samesite", - "display_name": "PyramidAuthtktCookieSamesite", - "severity": "warning", - "category": "security", - "rule_title": "pyramid authtkt cookie samesite", - "description": "Found a Pyramid Authentication Ticket without the samesite option correctly set. Pyramid cookies should be handled securely by setting samesite='Lax'. 
If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "pyramid-set-cookie-secure-unsafe-value", - "display_name": "PyramidSetCookieSecureUnsafeValue", - "severity": "warning", - "category": "security", - "rule_title": "pyramid set cookie secure unsafe value", - "description": "Found a Pyramid cookie without the secure option correctly set. Pyramid cookies should be handled securely by setting secure=True in response.set_cookie(...). If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "pyramid-set-cookie-httponly-unsafe-default", - "display_name": "PyramidSetCookieHttponlyUnsafeDefault", - "severity": "warning", - "category": "security", - "rule_title": "pyramid set cookie httponly unsafe default", - "description": "Found a Pyramid cookie using an unsafe default for the httponly option. Pyramid cookies should be handled securely by setting httponly=True in response.set_cookie(...). If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "pyramid-set-cookie-samesite-unsafe-default", - "display_name": "PyramidSetCookieSamesiteUnsafeDefault", - "severity": "warning", - "category": "security", - "rule_title": "pyramid set cookie samesite unsafe default", - "description": "Found a Pyramid cookie using an unsafe value for the samesite option. Pyramid cookies should be handled securely by setting samesite='Lax' in response.set_cookie(...). 
If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "use-click-secho", - "display_name": "UseClickSecho", - "severity": "error", - "category": "correctness", - "rule_title": "use click secho", - "description": "Use `click.secho($X)` instead. It combines click.echo() and click.style().\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "pymssql-sqli", - "display_name": "PymssqlSqli", - "severity": "warning", - "category": "security", - "rule_title": "pymssql sqli", - "description": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, used parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute('SELECT * FROM projects WHERE status = %s', 'active')`\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "dynamodb-filter-injection", - "display_name": "DynamodbFilterInjection", - "severity": "error", - "category": "security", - "rule_title": "dynamodb filter injection", - "description": "Detected DynamoDB query filter that is tainted by `$EVENT` object. This could lead to NoSQL injection if the variable is user-controlled and not properly sanitized. 
Explicitly assign query params instead of passing data from `$EVENT` directly to DynamoDB client.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "tainted-pickle-deserialization", - "display_name": "TaintedPickleDeserialization", - "severity": "warning", - "category": "security", - "rule_title": "tainted pickle deserialization", - "description": "Avoid using `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "dangerous-system-call", - "display_name": "DangerousSystemCall", - "severity": "error", - "category": "security", - "rule_title": "dangerous system call", - "description": "Detected `os` function with argument tainted by `event` object. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Use the 'subprocess' module instead, which is easier to use without accidentally exposing a command injection vulnerability.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "dangerous-asyncio-shell", - "display_name": "DangerousAsyncioShell", - "severity": "error", - "category": "security", - "rule_title": "dangerous asyncio shell", - "description": "Detected asyncio subprocess function with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. 
You may consider using 'shlex.escape()'.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "pymysql-sqli", - "display_name": "PymysqlSqli", - "severity": "warning", - "category": "security", - "rule_title": "pymysql sqli", - "description": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, used parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute('SELECT * FROM projects WHERE status = %s', ('active'))`\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "dangerous-subprocess-use", - "display_name": "DangerousSubprocessUse", - "severity": "error", - "category": "security", - "rule_title": "dangerous subprocess use", - "description": "Detected subprocess function with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "tainted-code-exec", - "display_name": "TaintedCodeExec", - "severity": "warning", - "category": "security", - "rule_title": "tainted code exec", - "description": "Detected the use of `exec/eval`.This can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. 
Ensure evaluated content is not definable by external sources.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "dangerous-spawn-process", - "display_name": "DangerousSpawnProcess", - "severity": "error", - "category": "security", - "rule_title": "dangerous spawn process", - "description": "Detected `os` function with argument tainted by `event` object. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Ensure no external data reaches here.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "sqlalchemy-sqli", - "display_name": "SqlalchemySqli", - "severity": "warning", - "category": "security", - "rule_title": "sqlalchemy sqli", - "description": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, used parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute('SELECT * FROM projects WHERE status = ?', 'active')`\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "dangerous-asyncio-create-exec", - "display_name": "DangerousAsyncioCreateExec", - "severity": "error", - "category": "security", - "rule_title": "dangerous asyncio create exec", - "description": "Detected 'create_subprocess_exec' function with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. 
You may consider using 'shlex.escape()'.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "dangerous-asyncio-exec", - "display_name": "DangerousAsyncioExec", - "severity": "error", - "category": "security", - "rule_title": "dangerous asyncio exec", - "description": "Detected subprocess function '$LOOP.subprocess_exec' with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "psycopg-sqli", - "display_name": "PsycopgSqli", - "severity": "warning", - "category": "security", - "rule_title": "psycopg sqli", - "description": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, used parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute('SELECT * FROM projects WHERE status = %s', 'active')`\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "sqlalchemy-execute-raw-query", - "display_name": "SqlalchemyExecuteRawQuery", - "severity": "error", - "category": "security", - "rule_title": "sqlalchemy execute raw query", - "description": "Avoiding SQL string concatenation: untrusted input concatenated with raw SQL query can result in SQL Injection. In order to execute raw query safely, prepared statement should be used. SQLAlchemy provides TextualSQL to easily used prepared statement with named parameters. For complex SQL composition, use SQL Expression Language or Schema Definition Language. 
In most cases, SQLAlchemy ORM will be a better option.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "sqlalchemy-sql-injection", - "display_name": "SqlalchemySqlInjection", - "severity": "warning", - "category": "security", - "rule_title": "sqlalchemy sql injection", - "description": "Distinct, Having, Group_by, Order_by, and Filter in SQLAlchemy can cause sql injections if the developer inputs raw SQL into the before-mentioned clauses. This pattern captures relevant cases in which the developer inputs raw SQL into the distinct, having, group_by, order_by or filter clauses and injects user-input into the raw SQL with any function besides \"bindparams\". Use bindParams to securely bind user-input to SQL statements.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "avoid-sqlalchemy-text", - "display_name": "AvoidSqlalchemyText", - "severity": "error", - "category": "security", - "rule_title": "avoid sqlalchemy text", - "description": "sqlalchemy.text passes the constructed SQL statement to the database mostly unchanged. This means that the usual SQL injection protections are not applied and this function is vulnerable to SQL injection if user input can reach here. Use normal SQLAlchemy operators (such as or_, and_, etc.) to construct SQL.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "delete-where-no-execute", - "display_name": "DeleteWhereNoExecute", - "severity": "error", - "category": "correctness", - "rule_title": "delete where no execute", - "description": ".delete().where(...) 
results in a no-op in SQLAlchemy unless the command is executed, use .filter(...).delete() instead.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "bad-operator-in-filter", - "display_name": "BadOperatorInFilter", - "severity": "warning", - "category": "correctness", - "rule_title": "bad operator in filter", - "description": "Only comparison operators should be used inside SQLAlchemy filter expressions. Use `==` instead of `is`, `!=` instead of `is not`, `sqlalchemy.and_` instead of `and`, `sqlalchemy.or_` instead of `or`, `sqlalchemy.not_` instead of `not`, and `sqlalchemy.in_` instead of `in_`.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "len-all-count", - "display_name": "LenAllCount", - "severity": "warning", - "category": "performance", - "rule_title": "len all count", - "description": "Using QUERY.count() instead of len(QUERY.all()) sends less data to the client since the SQLAlchemy method is performed server-side.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "batch-import", - "display_name": "BatchImport", - "severity": "warning", - "category": "performance", - "rule_title": "batch import", - "description": "Rather than adding one element at a time, consider batch loading to improve performance.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "mongo-client-bad-auth", - "display_name": "MongoClientBadAuth", - "severity": "warning", - "category": "security", - "rule_title": "mongo client bad auth", - "description": "Warning MONGODB-CR was deprecated with the release of MongoDB 3.6 and is no longer supported by MongoDB 4.0 (see https://api.mongodb.com/python/current/examples/authentication.html for details).\n", - "rule_params": null, - "solution": null, - "languages": [ - 
"python" - ], - "labels": [] - }, - { - "real_name": "disabled-cert-validation", - "display_name": "DisabledCertValidation", - "severity": "error", - "category": "security", - "rule_title": "disabled cert validation", - "description": "Certificate verification has been explicitly disabled. This permits insecure connections to insecure servers. Re-enable certification validation.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "no-auth-over-http", - "display_name": "NoAuthOverHttp", - "severity": "error", - "category": "security", - "rule_title": "no auth over http", - "description": "Authentication detected over HTTP. HTTP does not provide any encryption or protection for these authentication credentials. This may expose these credentials to unauthorized parties. Use 'https://' instead.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "python.requests.best-practice.use-response-json-shortcut", - "display_name": "Python.requests.bestPractice.useResponseJsonShortcut", - "severity": "warning", - "category": "correctness", - "rule_title": "python.requests.best practice.use response json shortcut", - "description": "The requests library has a convenient shortcut for reading JSON responses, which lets you stop worrying about deserializing the response yourself.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "use-raise-for-status", - "display_name": "UseRaiseForStatus", - "severity": "warning", - "category": "correctness", - "rule_title": "use raise for status", - "description": "There's an HTTP request made with requests, but the raise_for_status() utility method isn't used. 
This can result in request errors going unnoticed and your code behaving in unexpected ways, such as if your authorization API returns a 500 error while you're only checking for a 401.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "python.requests.best-practice.use-request-json-shortcut", - "display_name": "Python.requests.bestPractice.useRequestJsonShortcut", - "severity": "warning", - "category": "correctness", - "rule_title": "python.requests.best practice.use request json shortcut", - "description": "The requests library has a convenient shortcut for sending JSON requests, which lets you stop worrying about serializing the body yourself. To use it, replace `body=json.dumps(...)` with `json=...`.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "use-timeout", - "display_name": "UseTimeout", - "severity": "warning", - "category": "correctness", - "rule_title": "use timeout", - "description": "Detected a 'requests' call without a timeout set. By default, 'requests' calls wait until the connection is closed. This means a 'requests' call without a timeout will hang the program if a response is never received. Consider setting a timeout for all 'requests'.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "formatted-string-bashoperator", - "display_name": "FormattedStringBashoperator", - "severity": "error", - "category": "security", - "rule_title": "formatted string bashoperator", - "description": "Found a formatted string in BashOperator: $CMD. This could be vulnerable to injection. 
Be extra sure your variables are not controllable by external sources.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "python37-compatibility-importlib", - "display_name": "Python37CompatibilityImportlib", - "severity": "error", - "category": "usability", - "rule_title": "python37 compatibility importlib", - "description": "source_hash' is only available on Python 3.7+. This does not work in lower versions, and therefore is not backwards compatible. Instead, use another hash function.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "python37-compatibility-importlib2", - "display_name": "Python37CompatibilityImportlib2", - "severity": "error", - "category": "usability", - "rule_title": "python37 compatibility importlib2", - "description": "Found 'importlib.resources', which is a module only available on Python 3.7+. This does not work in lower versions, and therefore is not backwards compatible. Use importlib_resources instead for older Python versions.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "python37-compatibility-httpconn", - "display_name": "Python37CompatibilityHttpconn", - "severity": "error", - "category": "usability", - "rule_title": "python37 compatibility httpconn", - "description": "Found usage of the 'blocksize' argument in a HTTPConnection call. This is only available on Python 3.7+ and is therefore not backwards compatible. 
Remove this in order for this code to work in Python 3.6 and below.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "python37-compatibility-httpsconn", - "display_name": "Python37CompatibilityHttpsconn", - "severity": "error", - "category": "usability", - "rule_title": "python37 compatibility httpsconn", - "description": "Found usage of the 'blocksize' argument in a HTTPSConnection call. This is only available on Python 3.7+ and is therefore not backwards compatible. Remove this in order for this code to work in Python 3.6 and below.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "python37-compatibility-importlib3", - "display_name": "Python37CompatibilityImportlib3", - "severity": "error", - "category": "usability", - "rule_title": "python37 compatibility importlib3", - "description": "Found usage of 'importlib.abc.ResourceReader'. This module is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use another loader.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "python37-compatibility-textiowrapper", - "display_name": "Python37CompatibilityTextiowrapper", - "severity": "error", - "category": "usability", - "rule_title": "python37 compatibility textiowrapper", - "description": "Found usage of 'importlib.abc.ResourceReader'. This module is only available on Python 3.7+ and is therefore not backwards compatible. 
Instead, use another loader.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "python37-compatibility-ipv6network1", - "display_name": "Python37CompatibilityIpv6network1", - "severity": "error", - "category": "usability", - "rule_title": "python37 compatibility ipv6network1", - "description": "IPv6Network.subnet_of is only available on Python 3.7+ and is therefore not backwards compatible. Instead, check if the subnet is in 'subnets'.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "python37-compatibility-ipv6network2", - "display_name": "Python37CompatibilityIpv6network2", - "severity": "error", - "category": "usability", - "rule_title": "python37 compatibility ipv6network2", - "description": "IPv6Network.supernet_of is only available on Python 3.7+ and is therefore not backwards compatible. Instead, check if the supernet is in 'supernet'.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "python37-compatibility-ipv4network1", - "display_name": "Python37CompatibilityIpv4network1", - "severity": "error", - "category": "usability", - "rule_title": "python37 compatibility ipv4network1", - "description": "IPv4Network.subnet_of is only available on Python 3.7+ and is therefore not backwards compatible. Instead, check if the subnet is in 'subnets'.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "python37-compatibility-ipv4network2", - "display_name": "Python37CompatibilityIpv4network2", - "severity": "error", - "category": "usability", - "rule_title": "python37 compatibility ipv4network2", - "description": "IPv4Network.supernet_of is only available on Python 3.7+ and is therefore not backwards compatible. 
Instead, check if the supernet is in 'supernet'.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "python37-compatibility-locale1", - "display_name": "Python37CompatibilityLocale1", - "severity": "error", - "category": "usability", - "rule_title": "python37 compatibility locale1", - "description": "Found usage of the 'monetary' argument in a function call of 'locale.format_string'. This is only available on Python 3.7+ and is therefore not backwards compatible. Instead, remove the 'monetary' argument.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "python37-compatibility-math1", - "display_name": "Python37CompatibilityMath1", - "severity": "error", - "category": "usability", - "rule_title": "python37 compatibility math1", - "description": "math.remainder is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use math.fmod() or calculate $X - n* $Y.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "python37-compatibility-multiprocess1", - "display_name": "Python37CompatibilityMultiprocess1", - "severity": "error", - "category": "usability", - "rule_title": "python37 compatibility multiprocess1", - "description": "multiprocessing.Process.close() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use join().\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "python37-compatibility-multiprocess2", - "display_name": "Python37CompatibilityMultiprocess2", - "severity": "error", - "category": "usability", - "rule_title": "python37 compatibility multiprocess2", - "description": "multiprocessing.Process.kill() is only available on Python 3.7+ and is therefore not backwards compatible. 
Instead, use terminate().\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "python37-compatibility-os1", - "display_name": "Python37CompatibilityOs1", - "severity": "error", - "category": "usability", - "rule_title": "python37 compatibility os1", - "description": "os.preadv() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use a combination of os.readv() and os.pread().\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "python37-compatibility-os2-ok2", - "display_name": "Python37CompatibilityOs2Ok2", - "severity": "error", - "category": "usability", - "rule_title": "python37 compatibility os2 ok2", - "description": "os.pwritev() is only available on Python 3.3+ and is therefore not backwards compatible. Instead, use a combination of pwrite() and writev().\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "python37-compatibility-pdb", - "display_name": "Python37CompatibilityPdb", - "severity": "error", - "category": "usability", - "rule_title": "python37 compatibility pdb", - "description": "pdb.set_trace() with the header argument is only available on Python 3.7+ and is therefore not backwards compatible. 
Instead, use set_trace() without the header argument.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "python36-compatibility-ssl", - "display_name": "Python36CompatibilitySsl", - "severity": "error", - "category": "usability", - "rule_title": "python36 compatibility ssl", - "description": "this function is only available on Python 3.6+\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "python36-compatibility-Popen1", - "display_name": "Python36CompatibilityPopen1", - "severity": "error", - "category": "usability", - "rule_title": "python36 compatibility Popen1", - "description": "the `errors` argument to Popen is only available on Python 3.6+\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "python36-compatibility-Popen2", - "display_name": "Python36CompatibilityPopen2", - "severity": "error", - "category": "usability", - "rule_title": "python36 compatibility Popen2", - "description": "the `encoding` argument to Popen is only available on Python 3.6+\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "unverified-ssl-context", - "display_name": "UnverifiedSslContext", - "severity": "error", - "category": "security", - "rule_title": "unverified ssl context", - "description": "Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use 'ssl.create_default_context()' instead.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "unquoted-csv-writer", - "display_name": "UnquotedCsvWriter", - "severity": "error", - "category": "security", - "rule_title": "unquoted csv writer", - "description": "Found an unquoted CSV writer. This is susceptible to injection. 
Use 'quoting=csv.QUOTE_ALL'.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "dangerous-os-exec", - "display_name": "DangerousOsExec", - "severity": "error", - "category": "security", - "rule_title": "dangerous os exec", - "description": "Found user controlled content when spawning a process. This is dangerous because it allows a malicious actor to execute commands.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "dangerous-globals-use", - "display_name": "DangerousGlobalsUse", - "severity": "warning", - "category": "security", - "rule_title": "dangerous globals use", - "description": "Found non static data as an index to 'globals()'. This is extremely dangerous because it allows an attacker to execute arbitrary code on the system. Refactor your code not to use 'globals()'.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "dangerous-subinterpreters-run-string", - "display_name": "DangerousSubinterpretersRunString", - "severity": "warning", - "category": "security", - "rule_title": "dangerous subinterpreters run string", - "description": "Found user controlled content in `run_string`. This is dangerous because it allows a malicious actor to run arbitrary Python code.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "use-defused-xmlrpc", - "display_name": "UseDefusedXmlrpc", - "severity": "error", - "category": "security", - "rule_title": "use defused xmlrpc", - "description": "Detected use of xmlrpc. xmlrpc is not inherently safe from vulnerabilities. 
Use defusedxml.xmlrpc instead.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "use-defused-xml", - "display_name": "UseDefusedXml", - "severity": "error", - "category": "security", - "rule_title": "use defused xml", - "description": "The Python documentation recommends using `defusedxml` instead of `xml` because the native Python `xml` library is vulnerable to XML External Entity (XXE) attacks. These attacks can leak confidential data and \"XML bombs\" can cause denial of service.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "dangerous-testcapi-run-in-subinterp", - "display_name": "DangerousTestcapiRunInSubinterp", - "severity": "warning", - "category": "security", - "rule_title": "dangerous testcapi run in subinterp", - "description": "Found user controlled content in `run_in_subinterp`. This is dangerous because it allows a malicious actor to run arbitrary Python code.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "dangerous-interactive-code-run", - "display_name": "DangerousInteractiveCodeRun", - "severity": "warning", - "category": "security", - "rule_title": "dangerous interactive code run", - "description": "Found user controlled data inside InteractiveConsole/InteractiveInterpreter method. This is dangerous if external data can reach this function call because it allows a malicious actor to run arbitrary Python code.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "insecure-hash-function", - "display_name": "InsecureHashFunction", - "severity": "warning", - "category": "security", - "rule_title": "insecure hash function", - "description": "Detected use of an insecure MD4 or MD5 hash function. These functions have known vulnerabilities and are considered deprecated. 
Consider using 'SHA256' or a similar function instead.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "telnetlib", - "display_name": "Telnetlib", - "severity": "warning", - "category": "security", - "rule_title": "telnetlib", - "description": "Telnet does not encrypt communications. Use SSH instead.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "exec-detected", - "display_name": "ExecDetected", - "severity": "warning", - "category": "security", - "rule_title": "exec detected", - "description": "Detected the use of exec(). exec() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "dangerous-asyncio-shell-tainted-env-args", - "display_name": "DangerousAsyncioShellTaintedEnvArgs", - "severity": "error", - "category": "security", - "rule_title": "dangerous asyncio shell tainted env args", - "description": "Detected asyncio subprocess function with user controlled data. You may consider using 'shlex.escape()'.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "dangerous-asyncio-shell-audit", - "display_name": "DangerousAsyncioShellAudit", - "severity": "error", - "category": "security", - "rule_title": "dangerous asyncio shell audit", - "description": "Detected asyncio subprocess function without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. 
You may consider using 'shlex.escape()'.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "non-literal-import", - "display_name": "NonLiteralImport", - "severity": "warning", - "category": "security", - "rule_title": "non literal import", - "description": "Untrusted user input in `importlib.import_module()` function allows an attacker to load arbitrary code. Avoid dynamic values in `importlib.import_module()` or use a whitelist to prevent running untrusted code.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "dangerous-asyncio-create-exec-audit", - "display_name": "DangerousAsyncioCreateExecAudit", - "severity": "error", - "category": "security", - "rule_title": "dangerous asyncio create exec audit", - "description": "Detected 'create_subprocess_exec' function without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "subprocess-shell-true", - "display_name": "SubprocessShellTrue", - "severity": "error", - "category": "security", - "rule_title": "subprocess shell true", - "description": "Found 'subprocess' function '$FUNC' with 'shell=True'. This is dangerous because this call will spawn the command using a shell process. Doing so propagates current shell settings and variables, which makes it much easier for a malicious actor to execute commands. 
Use 'shell=False' instead.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "dangerous-subinterpreters-run-string-tainted-env-args", - "display_name": "DangerousSubinterpretersRunStringTaintedEnvArgs", - "severity": "warning", - "category": "security", - "rule_title": "dangerous subinterpreters run string tainted env args", - "description": "Found user controlled content in `run_string`. This is dangerous because it allows a malicious actor to run arbitrary Python code.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "marshal-usage", - "display_name": "MarshalUsage", - "severity": "warning", - "category": "security", - "rule_title": "marshal usage", - "description": "The marshal module is not intended to be secure against erroneous or maliciously constructed data. Never unmarshal data received from an untrusted or unauthenticated source. See more details: https://docs.python.org/3/library/marshal.html?highlight=security\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "dangerous-os-exec-tainted-env-args", - "display_name": "DangerousOsExecTaintedEnvArgs", - "severity": "error", - "category": "security", - "rule_title": "dangerous os exec tainted env args", - "description": "Found user controlled content when spawning a process. This is dangerous because it allows a malicious actor to execute commands.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "dangerous-subinterpreters-run-string-audit", - "display_name": "DangerousSubinterpretersRunStringAudit", - "severity": "warning", - "category": "security", - "rule_title": "dangerous subinterpreters run string audit", - "description": "Found dynamic content in `run_string`. 
This is dangerous if external data can reach this function call because it allows a malicious actor to run arbitrary Python code. Ensure no external data reaches here.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "hardcoded-password-default-argument", - "display_name": "HardcodedPasswordDefaultArgument", - "severity": "warning", - "category": "security", - "rule_title": "hardcoded password default argument", - "description": "Hardcoded password is used as a default argument to '$FUNC'. This could be dangerous if a real password is not supplied.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "dangerous-interactive-code-run-tainted-env-args", - "display_name": "DangerousInteractiveCodeRunTaintedEnvArgs", - "severity": "warning", - "category": "security", - "rule_title": "dangerous interactive code run tainted env args", - "description": "Found user controlled data inside InteractiveConsole/InteractiveInterpreter method. This is dangerous if external data can reach this function call because it allows a malicious actor to run arbitrary Python code.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "dangerous-subprocess-use-audit", - "display_name": "DangerousSubprocessUseAudit", - "severity": "error", - "category": "security", - "rule_title": "dangerous subprocess use audit", - "description": "Detected subprocess function '$FUNC' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. 
You may consider using 'shlex.escape()'.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "python-reverse-shell", - "display_name": "PythonReverseShell", - "severity": "warning", - "category": "security", - "rule_title": "python reverse shell", - "description": "Semgrep found a Python reverse shell using $BINPATH to $IP at $PORT\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "dangerous-annotations-usage", - "display_name": "DangerousAnnotationsUsage", - "severity": "info", - "category": "security", - "rule_title": "dangerous annotations usage", - "description": "Annotations passed to `typing.get_type_hints` are evaluated in `globals` and `locals` namespaces. Make sure that no arbitrary value can be written as the annotation and passed to `typing.get_type_hints` function.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "dangerous-testcapi-run-in-subinterp-tainted-env-args", - "display_name": "DangerousTestcapiRunInSubinterpTaintedEnvArgs", - "severity": "warning", - "category": "security", - "rule_title": "dangerous testcapi run in subinterp tainted env args", - "description": "Found user controlled content in `run_in_subinterp`. This is dangerous because it allows a malicious actor to run arbitrary Python code.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "formatted-sql-query", - "display_name": "FormattedSqlQuery", - "severity": "warning", - "category": "security", - "rule_title": "formatted sql query", - "description": "Detected possible formatted SQL query. 
Use parameterized queries instead.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "weak-ssl-version", - "display_name": "WeakSslVersion", - "severity": "warning", - "category": "security", - "rule_title": "weak ssl version", - "description": "An insecure SSL version was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use 'ssl.PROTOCOL_TLSv1_2' or higher.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "mako-templates-detected", - "display_name": "MakoTemplatesDetected", - "severity": "info", - "category": "security", - "rule_title": "mako templates detected", - "description": "Mako templates do not provide a global HTML escaping mechanism. This means you must escape all sensitive data in your templates using '| u' for URL escaping or '| h' for HTML escaping. If you are using Mako to serve web content, consider using a system such as Jinja2 which enables global escaping.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "httpsconnection-detected", - "display_name": "HttpsconnectionDetected", - "severity": "warning", - "category": "security", - "rule_title": "httpsconnection detected", - "description": "The HTTPSConnection API has changed frequently with minor releases of Python. Ensure you are using the API for your version of Python securely. For example, Python 3 versions prior to 3.4.3 will not verify SSL certificates by default. 
See https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection for more information.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "dangerous-subprocess-use-tainted-env-args", - "display_name": "DangerousSubprocessUseTaintedEnvArgs", - "severity": "error", - "category": "security", - "rule_title": "dangerous subprocess use tainted env args", - "description": "Detected subprocess function '$FUNC' with user controlled data. A malicious actor could leverage this to perform command injection. You may consider using 'shlex.escape()'.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "insecure-file-permissions", - "display_name": "InsecureFilePermissions", - "severity": "warning", - "category": "security", - "rule_title": "insecure file permissions", - "description": "These permissions `$BITS` are widely permissive and grant access to more people than may be necessary. A good default is `0o644` which gives read and write access to yourself and read access to everyone else.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "dangerous-testcapi-run-in-subinterp-audit", - "display_name": "DangerousTestcapiRunInSubinterpAudit", - "severity": "warning", - "category": "security", - "rule_title": "dangerous testcapi run in subinterp audit", - "description": "Found dynamic content in `run_in_subinterp`. This is dangerous if external data can reach this function call because it allows a malicious actor to run arbitrary Python code. 
Ensure no external data reaches here.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "ssl-wrap-socket-is-deprecated",
- "display_name": "SslWrapSocketIsDeprecated",
- "severity": "warning",
- "category": "security",
- "rule_title": "ssl wrap socket is deprecated",
- "description": "'ssl.wrap_socket()' is deprecated. This function creates an insecure socket without server name indication or hostname matching. Instead, create an SSL context using 'ssl.SSLContext()' and use that to wrap a socket.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "dangerous-asyncio-exec-tainted-env-args",
- "display_name": "DangerousAsyncioExecTaintedEnvArgs",
- "severity": "error",
- "category": "security",
- "rule_title": "dangerous asyncio exec tainted env args",
- "description": "Detected subprocess function '$LOOP.subprocess_exec' with user controlled data. You may consider using 'shlex.escape()'.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "paramiko-implicit-trust-host-key",
- "display_name": "ParamikoImplicitTrustHostKey",
- "severity": "warning",
- "category": "security",
- "rule_title": "paramiko implicit trust host key",
- "description": "Detected a paramiko host key policy that implicitly trusts a server's host key. Host keys should be verified to ensure the connection is not to a malicious server. Use RejectPolicy or a custom subclass instead.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "dangerous-os-exec-audit",
- "display_name": "DangerousOsExecAudit",
- "severity": "error",
- "category": "security",
- "rule_title": "dangerous os exec audit",
- "description": "Found dynamic content when spawning a process. 
This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Ensure no external data reaches here.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "dangerous-system-call-audit",
- "display_name": "DangerousSystemCallAudit",
- "severity": "error",
- "category": "security",
- "rule_title": "dangerous system call audit",
- "description": "Found dynamic content used in a system call. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Use the 'subprocess' module instead, which is easier to use without accidentally exposing a command injection vulnerability.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "dangerous-spawn-process-tainted-env-args",
- "display_name": "DangerousSpawnProcessTaintedEnvArgs",
- "severity": "error",
- "category": "security",
- "rule_title": "dangerous spawn process tainted env args",
- "description": "Found user controlled content when spawning a process. This is dangerous because it allows a malicious actor to execute commands.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "dangerous-spawn-process-audit",
- "display_name": "DangerousSpawnProcessAudit",
- "severity": "error",
- "category": "security",
- "rule_title": "dangerous spawn process audit",
- "description": "Found dynamic content when spawning a process. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. 
Ensure no external data reaches here.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "multiprocessing-recv",
- "display_name": "MultiprocessingRecv",
- "severity": "warning",
- "category": "security",
- "rule_title": "multiprocessing recv",
- "description": "The Connection.recv() method automatically unpickles the data it receives, which can be a security risk unless you can trust the process which sent the message. Therefore, unless the connection object was produced using Pipe() you should only use the recv() and send() methods after performing some sort of authentication. See more dettails: https://docs.python.org/3/library/multiprocessing.html?highlight=security#multiprocessing.connection.Connection\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "ftplib",
- "display_name": "Ftplib",
- "severity": "warning",
- "category": "security",
- "rule_title": "ftplib",
- "description": "FTP does not encrypt communications by default. This can lead to sensitive data being exposed. Ensure use of FTP here does not expose sensitive data.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "dangerous-system-call-tainted-env-args",
- "display_name": "DangerousSystemCallTaintedEnvArgs",
- "severity": "error",
- "category": "security",
- "rule_title": "dangerous system call tainted env args",
- "description": "Found user-controlled data used in a system call. This could allow a malicious actor to execute commands. 
Use the 'subprocess' module instead, which is easier to use without accidentally exposing a command injection vulnerability.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "dangerous-interactive-code-run-audit",
- "display_name": "DangerousInteractiveCodeRunAudit",
- "severity": "warning",
- "category": "security",
- "rule_title": "dangerous interactive code run audit",
- "description": "Found dynamic content inside InteractiveConsole/InteractiveInterpreter method. This is dangerous if external data can reach this function call because it allows a malicious actor to run arbitrary Python code. Ensure no external data reaches here.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "dynamic-urllib-use-detected",
- "display_name": "DynamicUrllibUseDetected",
- "severity": "warning",
- "category": "security",
- "rule_title": "dynamic urllib use detected",
- "description": "Detected a dynamic value being used with urllib. urllib supports 'file://' schemes, so a dynamic value controlled by a malicious actor may allow them to read arbitrary files. Audit uses of urllib calls to ensure user data cannot control the URLs, or consider using the 'requests' library instead.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "system-wildcard-detected",
- "display_name": "SystemWildcardDetected",
- "severity": "warning",
- "category": "security",
- "rule_title": "system wildcard detected",
- "description": "Detected use of the wildcard character in a system call that spawns a shell. This subjects the wildcard to normal shell expansion, which can have unintended consequences if there exist any non-standard file names. Consider a file named '-e sh script.sh' -- this will execute a script when 'rsync' is called. 
See https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt for more information.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "dangerous-asyncio-create-exec-tainted-env-args",
- "display_name": "DangerousAsyncioCreateExecTaintedEnvArgs",
- "severity": "error",
- "category": "security",
- "rule_title": "dangerous asyncio create exec tainted env args",
- "description": "Detected 'create_subprocess_exec' function with user controlled data. You may consider using 'shlex.escape()'.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "dangerous-asyncio-exec-audit",
- "display_name": "DangerousAsyncioExecAudit",
- "severity": "error",
- "category": "security",
- "rule_title": "dangerous asyncio exec audit",
- "description": "Detected subprocess function '$LOOP.subprocess_exec' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "paramiko-exec-command",
- "display_name": "ParamikoExecCommand",
- "severity": "error",
- "category": "security",
- "rule_title": "paramiko exec command",
- "description": "Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use 'ssl.create_default_context()' instead.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "asyncpg-sqli",
- "display_name": "AsyncpgSqli",
- "severity": "warning",
- "category": "security",
- "rule_title": "asyncpg sqli",
- "description": "Detected string concatenation with a non-literal variable in a asyncpg Python SQL statement. 
This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, used parameterized queries or prepared statements instead. You can create parameterized queries like so: 'conn.fetch(\"SELECT $1 FROM table\", value)'. You can also create prepared statements with 'Connection.prepare': 'stmt = conn.prepare(\"SELECT $1 FROM table\"); await stmt.fetch(user_value)'\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "pg8000-sqli",
- "display_name": "Pg8000Sqli",
- "severity": "warning",
- "category": "security",
- "rule_title": "pg8000 sqli",
- "description": "Detected string concatenation with a non-literal variable in a pg8000 Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, used parameterized queries or prepared statements instead. You can create parameterized queries like so: 'conn.run(\"SELECT :value FROM table\", value=myvalue)'. You can also create prepared statements with 'conn.prepare': 'conn.prepare(\"SELECT (:v) FROM table\")'\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "aiopg-sqli",
- "display_name": "AiopgSqli",
- "severity": "warning",
- "category": "security",
- "rule_title": "aiopg sqli",
- "description": "Detected string concatenation with a non-literal variable in an aiopg Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead. 
You can create parameterized queries like so: 'cur.execute(\"SELECT %s FROM table\", (user_value,))'.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "http-not-https-connection",
- "display_name": "HttpNotHttpsConnection",
- "severity": "error",
- "category": "security",
- "rule_title": "http not https connection",
- "description": "Detected HTTPConnectionPool. This will transmit data in cleartext. It is recommended to use HTTPSConnectionPool instead for to encrypt communications.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "python-logger-credential-disclosure",
- "display_name": "PythonLoggerCredentialDisclosure",
- "severity": "warning",
- "category": "security",
- "rule_title": "python logger credential disclosure",
- "description": "Logger call may be exposing a secret credential in $FORMAT_STRING\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "listen-eval",
- "display_name": "ListenEval",
- "severity": "warning",
- "category": "security",
- "rule_title": "listen eval",
- "description": "Because portions of the logging configuration are passed through eval(), use of this function may open its users to a security risk. While the function only binds to a socket on localhost, and so does not accept connections from remote machines, there are scenarios where untrusted code could be run under the account of the process which calls listen(). 
To avoid this happening, use the `verify()` argument to `listen()` to prevent unrecognized configurations.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "no-set-ciphers",
- "display_name": "NoSetCiphers",
- "severity": "warning",
- "category": "security",
- "rule_title": "no set ciphers",
- "description": "The 'ssl' module disables insecure cipher suites by default. Therefore, use of 'set_ciphers()' should only be used when you have very specialized requirements. Otherwise, you risk lowering the security of the SSL channel.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "use-ftp-tls",
- "display_name": "UseFtpTls",
- "severity": "warning",
- "category": "security",
- "rule_title": "use ftp tls",
- "description": "The 'FTP' class sends information unencrypted. Consider using the 'FTP_TLS' class instead.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "insecure-request-object-ftp",
- "display_name": "InsecureRequestObjectFtp",
- "severity": "warning",
- "category": "security",
- "rule_title": "insecure request object ftp",
- "description": "Detected a 'urllib.request.Request()' object using an insecure transport protocol, 'ftp://'. This connection will not be encrypted. Consider using SFTP instead. urllib does not support SFTP natively, so consider using a library which supports SFTP.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "insecure-openerdirector-open-ftp",
- "display_name": "InsecureOpenerdirectorOpenFtp",
- "severity": "warning",
- "category": "security",
- "rule_title": "insecure openerdirector open ftp",
- "description": "Detected an unsecured transmission channel. 'OpenerDirector.open(...)' is being used with 'ftp://'. 
Information sent over this connection will be unencrypted. Consider using SFTP instead. urllib does not support SFTP, so consider a library which supports SFTP.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "insecure-request-object",
- "display_name": "InsecureRequestObject",
- "severity": "warning",
- "category": "security",
- "rule_title": "insecure request object",
- "description": "Detected a 'urllib.request.Request()' object using an insecure transport protocol, 'http://'. This connection will not be encrypted. Use 'https://' instead.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "insecure-urlopen-ftp",
- "display_name": "InsecureUrlopenFtp",
- "severity": "warning",
- "category": "security",
- "rule_title": "insecure urlopen ftp",
- "description": "Detected 'urllib.urlopen()' using 'ftp://'. This request will not be encrypted. Consider using SFTP instead. urllib does not support SFTP, so consider switching to a library which supports SFTP.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "insecure-urlopener-retrieve",
- "display_name": "InsecureUrlopenerRetrieve",
- "severity": "warning",
- "category": "security",
- "rule_title": "insecure urlopener retrieve",
- "description": "Detected an unsecured transmission channel. 'URLopener.retrieve(...)' is being used with 'http://'. Use 'https://' instead to secure the channel.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "insecure-openerdirector-open",
- "display_name": "InsecureOpenerdirectorOpen",
- "severity": "warning",
- "category": "security",
- "rule_title": "insecure openerdirector open",
- "description": "Detected an unsecured transmission channel. 'OpenerDirector.open(...)' is being used with 'http://'. 
Use 'https://' instead to secure the channel.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "insecure-urlopener-open",
- "display_name": "InsecureUrlopenerOpen",
- "severity": "warning",
- "category": "security",
- "rule_title": "insecure urlopener open",
- "description": "Detected an unsecured transmission channel. 'URLopener.open(...)' is being used with 'http://'. Use 'https://' instead to secure the channel.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "insecure-urlopener-open-ftp",
- "display_name": "InsecureUrlopenerOpenFtp",
- "severity": "warning",
- "category": "security",
- "rule_title": "insecure urlopener open ftp",
- "description": "Detected an insecure transmission channel. 'URLopener.open(...)' is being used with 'ftp://'. Use SFTP instead. urllib does not support SFTP, so consider using a library which supports SFTP.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "insecure-urlretrieve",
- "display_name": "InsecureUrlretrieve",
- "severity": "warning",
- "category": "security",
- "rule_title": "insecure urlretrieve",
- "description": "Detected 'urllib.urlretrieve()' using 'http://'. This request will not be encrypted. Use 'https://' instead.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "insecure-urlopener-retrieve-ftp",
- "display_name": "InsecureUrlopenerRetrieveFtp",
- "severity": "warning",
- "category": "security",
- "rule_title": "insecure urlopener retrieve ftp",
- "description": "Detected an insecure transmission channel. 'URLopener.retrieve(...)' is being used with 'ftp://'. Use SFTP instead. 
urllib does not support SFTP, so consider using a library which supports SFTP.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "insecure-urlretrieve-ftp",
- "display_name": "InsecureUrlretrieveFtp",
- "severity": "warning",
- "category": "security",
- "rule_title": "insecure urlretrieve ftp",
- "description": "Detected 'urllib.urlretrieve()' using 'ftp://'. This request will not be encrypted. Use SFTP instead. urllib does not support SFTP, so consider switching to a library which supports SFTP.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "insecure-urlopen",
- "display_name": "InsecureUrlopen",
- "severity": "warning",
- "category": "security",
- "rule_title": "insecure urlopen",
- "description": "Detected 'urllib.urlopen()' using 'http://'. This request will not be encrypted. Use 'https://' instead.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "request-session-http-in-with-context",
- "display_name": "RequestSessionHttpInWithContext",
- "severity": "error",
- "category": "security",
- "rule_title": "request session http in with context",
- "description": "Detected a request using 'http://'. This request will be unencrypted. Use 'https://' instead.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "request-with-http",
- "display_name": "RequestWithHttp",
- "severity": "error",
- "category": "security",
- "rule_title": "request with http",
- "description": "Detected a request using 'http://'. This request will be unencrypted. 
Use 'https://' instead.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "request-session-with-http",
- "display_name": "RequestSessionWithHttp",
- "severity": "error",
- "category": "security",
- "rule_title": "request session with http",
- "description": "Detected a request using 'http://'. This request will be unencrypted. Use 'https://' instead.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "avoid-jsonpickle",
- "display_name": "AvoidJsonpickle",
- "severity": "warning",
- "category": "security",
- "rule_title": "avoid jsonpickle",
- "description": "Avoid using `jsonpickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data using `json` module.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "avoid-unsafe-ruamel",
- "display_name": "AvoidUnsafeRuamel",
- "severity": "error",
- "category": "security",
- "rule_title": "avoid unsafe ruamel",
- "description": "Avoid using unsafe `ruamel.yaml.YAML()`. `ruamel.yaml.YAML` can create arbitrary Python objects. A malicious actor could exploit this to run arbitrary code. Use `YAML(typ='rt')` or `YAML(typ='safe')` instead.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "avoid-pyyaml-load",
- "display_name": "AvoidPyyamlLoad",
- "severity": "error",
- "category": "security",
- "rule_title": "avoid pyyaml load",
- "description": "Avoid using `load()`. `PyYAML.load` can create arbitrary Python objects. A malicious actor could exploit this to run arbitrary code. 
Use `safe_load()` instead.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "avoid-pickle",
- "display_name": "AvoidPickle",
- "severity": "warning",
- "category": "security",
- "rule_title": "avoid pickle",
- "description": "Avoid using `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "avoid-cPickle",
- "display_name": "AvoidCpickle",
- "severity": "warning",
- "category": "security",
- "rule_title": "avoid cPickle",
- "description": "Avoid using `cPickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "avoid-dill",
- "display_name": "AvoidDill",
- "severity": "warning",
- "category": "security",
- "rule_title": "avoid dill",
- "description": "Avoid using `dill`, which uses `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. 
Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "avoid-shelve",
- "display_name": "AvoidShelve",
- "severity": "warning",
- "category": "security",
- "rule_title": "avoid shelve",
- "description": "Avoid using `shelve`, which uses `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "code-after-unconditional-return",
- "display_name": "CodeAfterUnconditionalReturn",
- "severity": "warning",
- "category": "correctness",
- "rule_title": "code after unconditional return",
- "description": "code after return statement will not be executed\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "return-not-in-function",
- "display_name": "ReturnNotInFunction",
- "severity": "warning",
- "category": "correctness",
- "rule_title": "return not in function",
- "description": "`return` only makes sense inside a function\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "useless-literal",
- "display_name": "UselessLiteral",
- "severity": "warning",
- "category": "correctness",
- "rule_title": "useless literal",
- "description": "key `$X` is uselessly assigned twice\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "useless-assignment-keyed",
- "display_name": "UselessAssignmentKeyed",
- "severity": "warning",
- "category": "correctness",
- "rule_title": "useless assignment keyed",
- "description": 
"key `$Y` in `$X` is assigned twice; the first assignment is useless\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "useless-inner-function", - "display_name": "UselessInnerFunction", - "severity": "error", - "category": "correctness", - "rule_title": "useless inner function", - "description": "function `$FF` is defined inside a function but never used\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "useless-literal-set", - "display_name": "UselessLiteralSet", - "severity": "error", - "category": "correctness", - "rule_title": "useless literal set", - "description": "`$X` is uselessly assigned twice inside the creation of the set\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "is-function-without-parentheses", - "display_name": "IsFunctionWithoutParentheses", - "severity": "warning", - "category": "correctness", - "rule_title": "is function without parentheses", - "description": "Is \"$FUNC\" a function or an attribute? If it is a function, you may have meant $X.$FUNC() because $X.$FUNC is always true.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "improper-list-concat", - "display_name": "ImproperListConcat", - "severity": "info", - "category": "correctness", - "rule_title": "improper list concat", - "description": "This expression will evaluate to be ONLY value the of the `else` clause if the condition `$EXPRESSION` is false. If you meant to do list concatenation, put parentheses around the entire concatenation expression, like this: `['a', 'b', 'c'] + (['d'] if x else ['e'])`. 
If this is the intended behavior, the expression may be confusing to others, and you may wish to add parentheses for readability.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "writing-to-file-in-read-mode",
- "display_name": "WritingToFileInReadMode",
- "severity": "error",
- "category": "correctness",
- "rule_title": "writing to file in read mode",
- "description": "The file object '$FD' was opened in read mode, but is being written to. This will cause a runtime error.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "use-sys-exit",
- "display_name": "UseSysExit",
- "severity": "warning",
- "category": "correctness",
- "rule_title": "use sys exit",
- "description": "Use `sys.exit` over the python shell `exit` built-in. `exit` is a helper for the interactive shell and may not be available on all Python implementations. https://stackoverflow.com/questions/6501121/difference-between-exit-and-sys-exit-in-python\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "sync-sleep-in-async-code",
- "display_name": "SyncSleepInAsyncCode",
- "severity": "warning",
- "category": "correctness",
- "rule_title": "sync sleep in async code",
- "description": "Synchronous time.sleep in async code will block the event loop and not allow other tasks to execute. Use asyncio.sleep() instead.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "pytest-assert_match-after-path-patch",
- "display_name": "PytestAssert_matchAfterPathPatch",
- "severity": "warning",
- "category": "correctness",
- "rule_title": "pytest assert_match after path patch",
- "description": "snapshot.assert_match makes use of pathlib to create files. 
Patching $METHOD may result in unexpected snapshot behavior\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "pdb-remove",
- "display_name": "PdbRemove",
- "severity": "warning",
- "category": "correctness",
- "rule_title": "pdb remove",
- "description": "pdb is an interactive debugging tool and you may have forgotten to remove it before committing your code\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "list-modify-while-iterate",
- "display_name": "ListModifyWhileIterate",
- "severity": "error",
- "category": "correctness",
- "rule_title": "list modify while iterate",
- "description": "It appears that `$LIST` is a list that is being modified while in a for loop. This will likely cause a runtime error or an infinite loop.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "uncaught-executor-exceptions",
- "display_name": "UncaughtExecutorExceptions",
- "severity": "warning",
- "category": "correctness",
- "rule_title": "uncaught executor exceptions",
- "description": "Values returned by thread pool map must be read in order to raise exceptions. Consider using `for _ in $EXECUTOR.map(...): pass`.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "return-in-init",
- "display_name": "ReturnInInit",
- "severity": "error",
- "category": "correctness",
- "rule_title": "return in init",
- "description": "`return` should never appear inside a class __init__ function. 
This will cause a runtime error.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "yield-in-init",
- "display_name": "YieldInInit",
- "severity": "error",
- "category": "correctness",
- "rule_title": "yield in init",
- "description": "`yield` should never appear inside a class __init__ function. This will cause a runtime error.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "cannot-cache-generators",
- "display_name": "CannotCacheGenerators",
- "severity": "warning",
- "category": "correctness",
- "rule_title": "cannot cache generators",
- "description": "Generators can only be consumed once, so in most cases, caching them will cause an error when the already-consumed generator is retrieved from cache.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "file-object-redefined-before-close",
- "display_name": "FileObjectRedefinedBeforeClose",
- "severity": "warning",
- "category": "correctness",
- "rule_title": "file object redefined before close",
- "description": "Detected a file object that is redefined and never closed. 
This could leak file descriptors and unnecessarily consume system resources.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "baseclass-attribute-override",
- "display_name": "BaseclassAttributeOverride",
- "severity": "warning",
- "category": "correctness",
- "rule_title": "baseclass attribute override",
- "description": "Class $C inherits from both `$A` and `$B` which both have a method named `$F`; one of these methods will be overwritten.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "unchecked-subprocess-call",
- "display_name": "UncheckedSubprocessCall",
- "severity": "warning",
- "category": "correctness",
- "rule_title": "unchecked subprocess call",
- "description": "This is not checking the return value of this subprocess call; if it fails no exception will be raised. Consider subprocess.check_call() instead\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "dict-del-while-iterate",
- "display_name": "DictDelWhileIterate",
- "severity": "warning",
- "category": "correctness",
- "rule_title": "dict del while iterate",
- "description": "It appears that `$DICT[$KEY]` is a dict with items being deleted while in a for loop. This is usually a bad idea and will likely lead to a RuntimeError: dictionary changed size during iteration\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "python"
- ],
- "labels": []
- },
- {
- "real_name": "no-strings-as-booleans",
- "display_name": "NoStringsAsBooleans",
- "severity": "error",
- "category": "correctness",
- "rule_title": "no strings as booleans",
- "description": "Using strings as booleans in Python has unexpected results. `\"one\" and \"two\"` will return \"two\". `\"one\" or \"two\"` will return \"one\". 
In Python, strings are truthy, and strings with a non-zero length evaluate to True.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "useless-eqeq", - "display_name": "UselessEqeq", - "severity": "info", - "category": "correctness", - "rule_title": "useless eqeq", - "description": "This expression is always True: `$X == $X` or `$X != $X`. If testing for floating point NaN, use `math.isnan($X)`, or `cmath.isnan($X)` if the number is complex.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "raise-not-base-exception", - "display_name": "RaiseNotBaseException", - "severity": "error", - "category": "correctness", - "rule_title": "raise not base exception", - "description": "In Python3, a runtime `TypeError` will be thrown if you attempt to raise an object or class which does not inherit from `BaseException`\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "tempfile-insecure", - "display_name": "TempfileInsecure", - "severity": "error", - "category": "correctness", - "rule_title": "tempfile insecure", - "description": "Use tempfile.NamedTemporaryFile instead. From the official Python documentation: THIS FUNCTION IS UNSAFE AND SHOULD NOT BE USED. The file name may refer to a file that did not exist at some point, but by the time you get around to creating it, someone else may have beaten you to the punch.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "tempfile-without-flush", - "display_name": "TempfileWithoutFlush", - "severity": "error", - "category": "correctness", - "rule_title": "tempfile without flush", - "description": "Using '$F.name' without '.flush()' or '.close()' may cause an error because the file may not exist when '$F.name' is used. 
Use '.flush()' or close the file before using '$F.name'.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "is-not-is-not", - "display_name": "IsNotIsNot", - "severity": "error", - "category": "correctness", - "rule_title": "is not is not", - "description": "In Python 'X is not ...' is different from 'X is (not ...)'. In the latter the 'not' converts the '...' directly to boolean.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "default-mutable-dict", - "display_name": "DefaultMutableDict", - "severity": "error", - "category": "correctness", - "rule_title": "default mutable dict", - "description": "Function $F mutates default dict $D. Python only instantiates default function arguments once and shares the instance across the function calls. If the default function argument is mutated, that will modify the instance used by all future function calls. This can cause unexpected results, or lead to security vulnerabilities whereby one function consumer can view or modify the data of another function consumer. Instead, use a default argument (like None) to indicate that no argument was provided and instantiate a new dictionary at that time. For example: `if $D is None: $D = {}`.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "string-concat-in-list", - "display_name": "StringConcatInList", - "severity": "warning", - "category": "correctness", - "rule_title": "string concat in list", - "description": "Detected strings that are implicitly concatenated inside a list. Python will implicitly concatenate strings when not explicitly delimited. 
Was this supposed to be individual elements of the list?\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "identical-is-comparison", - "display_name": "IdenticalIsComparison", - "severity": "error", - "category": "correctness", - "rule_title": "identical is comparison", - "description": "Found identical comparison using is. Ensure this is what you intended.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "string-is-comparison", - "display_name": "StringIsComparison", - "severity": "error", - "category": "correctness", - "rule_title": "string is comparison", - "description": "Found string comparison using 'is' operator. The 'is' operator is for reference equality, not value equality, and therefore should not be used to compare strings. For more information, see https://github.com/satwikkansal/wtfpython#-how-not-to-use-is-operator\"\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "default-mutable-list", - "display_name": "DefaultMutableList", - "severity": "error", - "category": "correctness", - "rule_title": "default mutable list", - "description": "Function $F mutates default list $D. Python only instantiates default function arguments once and shares the instance across the function calls. If the default function argument is mutated, that will modify the instance used by all future function calls. This can cause unexpected results, or lead to security vulnerabilities whereby one function consumer can view or modify the data of another function consumer. Instead, use a default argument (like None) to indicate that no argument was provided and instantiate a new list at that time. 
For example: `if $D is None: $D = []`.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "pass-body-fn", - "display_name": "PassBodyFn", - "severity": "warning", - "category": "correctness", - "rule_title": "pass body fn", - "description": "`pass` is the body of function $X. Consider removing this or raise NotImplementedError() if this is a TODO\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "pass-body-range", - "display_name": "PassBodyRange", - "severity": "warning", - "category": "correctness", - "rule_title": "pass body range", - "description": "`pass` is the body of for $X in $Y. Consider removing this or raise NotImplementedError() if this is a TODO\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "python-debugger-found", - "display_name": "PythonDebuggerFound", - "severity": "warning", - "category": "correctness", - "rule_title": "python debugger found", - "description": "Importing the python debugger; did you mean to leave this in?\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "missing-hash-with-eq", - "display_name": "MissingHashWithEq", - "severity": "warning", - "category": "correctness", - "rule_title": "missing hash with eq", - "description": "Class `$A` has defined `__eq__` which means it should also have defined `__hash__`; \n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "arbitrary-sleep", - "display_name": "ArbitrarySleep", - "severity": "error", - "category": "correctness", - "rule_title": "arbitrary sleep", - "description": "time.sleep() call; did you mean to leave this in?\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": 
"manual-defaultdict-dict-create", - "display_name": "ManualDefaultdictDictCreate", - "severity": "warning", - "category": "correctness", - "rule_title": "manual defaultdict dict create", - "description": "manually creating a defaultdict - use collections.defaultdict(dict)\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "manual-defaultdict-set-create", - "display_name": "ManualDefaultdictSetCreate", - "severity": "warning", - "category": "correctness", - "rule_title": "manual defaultdict set create", - "description": "manually creating a defaultdict - use collections.defaultdict(set)\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "manual-defaultdict-list-create", - "display_name": "ManualDefaultdictListCreate", - "severity": "warning", - "category": "correctness", - "rule_title": "manual defaultdict list create", - "description": "manually creating a defaultdict - use collections.defaultdict(list)\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "manual-counter-create", - "display_name": "ManualCounterCreate", - "severity": "warning", - "category": "correctness", - "rule_title": "manual counter create", - "description": "manually creating a counter - use collections.Counter\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "hardcoded-tmp-path", - "display_name": "HardcodedTmpPath", - "severity": "warning", - "category": "correctness", - "rule_title": "hardcoded tmp path", - "description": "Detected hardcoded temp directory. 
Consider using 'tempfile.TemporaryFile' instead.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "open-never-closed", - "display_name": "OpenNeverClosed", - "severity": "error", - "category": "correctness", - "rule_title": "open never closed", - "description": "file object opened without corresponding close\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "logging-error-without-handling", - "display_name": "LoggingErrorWithoutHandling", - "severity": "warning", - "category": "correctness", - "rule_title": "logging error without handling", - "description": "Errors should only be logged when handled. The code logs the error and propogates the exception, consider reducing the level to warning or info.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "unspecified-open-encoding", - "display_name": "UnspecifiedOpenEncoding", - "severity": "warning", - "category": "correctness", - "rule_title": "unspecified open encoding", - "description": "Missing 'encoding' parameter. 'open()' uses device locale encodings by default, corrupting files with special characters. Specify the encoding to ensure cross-platform support when opening files in text mode (e.g. encoding=\"utf-8\").\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "string-concat", - "display_name": "StringConcat", - "severity": "error", - "category": "security", - "rule_title": "string concat", - "description": "Detected string concatenation or formatting in a call to a command via 'sh'. This could be a command injection vulnerability if the data is user-controlled. 
Instead, use a list and append the argument.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "attr-mutable-initializer", - "display_name": "AttrMutableInitializer", - "severity": "warning", - "category": "correctness", - "rule_title": "attr mutable initializer", - "description": "Unsafe usage of mutable initializer with attr.s decorator. Multiple instances of this class will re-use the same data structure, which is likely not the desired behavior. Consider instead: replace assignment to mutable initializer (ex. dict() or {}) with attr.ib(factory=type) where type is dict, set, or list\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "suppressed-exception-handling-finally-break", - "display_name": "SuppressedExceptionHandlingFinallyBreak", - "severity": "warning", - "category": "correctness", - "rule_title": "suppressed exception handling finally break", - "description": "Having a `break`, `continue`, or `return` in a `finally` block will cause strange behaviors, like exceptions not being caught.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "socket-shutdown-close", - "display_name": "SocketShutdownClose", - "severity": "warning", - "category": "correctness", - "rule_title": "socket shutdown close", - "description": "Socket is not closed if shutdown fails. When socket.shutdown fails on an OSError, socket.close is not called and the code fails to clean up the socket and allow garbage collection to release the memory used for it. 
The OSError on shutdown can occur when the remote side of the connection closes the connection first.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "django-compat-2_0-signals-weak", - "display_name": "DjangoCompat2_0SignalsWeak", - "severity": "warning", - "category": "usability", - "rule_title": "django compat 2_0 signals weak", - "description": "The weak argument to django.dispatch.signals.Signal.disconnect() is removed in Django 2.0.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "django-compat-2_0-check-aggregate-support", - "display_name": "DjangoCompat2_0CheckAggregateSupport", - "severity": "warning", - "category": "usability", - "rule_title": "django compat 2_0 check aggregate support", - "description": "django.db.backends.base.BaseDatabaseOperations.check_aggregate_support() is removed in Django 2.0.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "django-compat-2_0-extra-forms", - "display_name": "DjangoCompat2_0ExtraForms", - "severity": "warning", - "category": "usability", - "rule_title": "django compat 2_0 extra forms", - "description": "The django.forms.extras package is removed in Django 2.0.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "django-compat-2_0-assignment-tag", - "display_name": "DjangoCompat2_0AssignmentTag", - "severity": "warning", - "category": "usability", - "rule_title": "django compat 2_0 assignment tag", - "description": "The assignment_tag helper is removed in Django 2.0.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "django-compat-2_0-assert-redirects-helper", - "display_name": "DjangoCompat2_0AssertRedirectsHelper", - "severity": "warning", - "category": "usability", - 
"rule_title": "django compat 2_0 assert redirects helper", - "description": "The host argument to assertRedirects is removed in Django 2.0.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "locals-as-template-context", - "display_name": "LocalsAsTemplateContext", - "severity": "error", - "category": "security", - "rule_title": "locals as template context", - "description": "Using 'locals()' as a context to 'render(...)' is extremely dangerous. This exposes Python functions to the template that were not meant to be exposed. An attacker could use these functions to execute code that was not intended to run and could compromise the application. (This is server-side template injection (SSTI)). Do not use 'locals()'. Instead, specify each variable in a dictionary or 'django.template.Context' object, like '{\"var1\": \"hello\"}' and use that instead.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "globals-as-template-context", - "display_name": "GlobalsAsTemplateContext", - "severity": "error", - "category": "security", - "rule_title": "globals as template context", - "description": "Using 'globals()' as a context to 'render(...)' is extremely dangerous. This exposes Python functions to the template that were not meant to be exposed. An attacker could use these functions to execute code that was not intended to run and could compromise the application. (This is server-side template injection (SSTI)). Do not use 'globals()'. 
Instead, specify each variable in a dictionary or 'django.template.Context' object, like '{\"var1\": \"hello\"}' and use that instead.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "password-empty-string", - "display_name": "PasswordEmptyString", - "severity": "error", - "category": "security", - "rule_title": "password empty string", - "description": "'$VAR' is the empty string and is being used to set the password on '$MODEL'. If you meant to set an unusable password, set the password to None or call 'set_unusable_password()'.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "use-none-for-password-default", - "display_name": "UseNoneForPasswordDefault", - "severity": "error", - "category": "security", - "rule_title": "use none for password default", - "description": "'$VAR' is using the empty string as its default and is being used to set the password on '$MODEL'. If you meant to set an unusable password, set the default value to 'None' or call 'set_unusable_password()'.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "avoid-mark-safe", - "display_name": "AvoidMarkSafe", - "severity": "warning", - "category": "security", - "rule_title": "avoid mark safe", - "description": "'mark_safe()' is used to mark a string as \"safe\" for HTML output. This disables escaping and could therefore subject the content to XSS attacks. 
Use 'django.utils.html.format_html()' to build HTML for rendering instead.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "custom-expression-as-sql", - "display_name": "CustomExpressionAsSql", - "severity": "warning", - "category": "security", - "rule_title": "custom expression as sql", - "description": "Detected a Custom Expression ''$EXPRESSION'' calling ''as_sql(...).'' This could lead to SQL injection, which can result in attackers exfiltrating sensitive data. Instead, ensure no user input enters this function or that user input is properly sanitized.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "extends-custom-expression", - "display_name": "ExtendsCustomExpression", - "severity": "warning", - "category": "security", - "rule_title": "extends custom expression", - "description": "Found extension of custom expression: $CLASS. Extending expressions in this way could inadvertently lead to a SQL injection vulnerability, which can result in attackers exfiltrating sensitive data. Instead, ensure no user input enters this function or that user input is properly sanitized.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "django-secure-set-cookie", - "display_name": "DjangoSecureSetCookie", - "severity": "warning", - "category": "security", - "rule_title": "django secure set cookie", - "description": "Django cookies should be handled securely by setting secure=True, httponly=True, and samesite='Lax' in response.set_cookie(...). If your situation calls for different settings, explicitly disable the setting. If you want to send the cookie over http, set secure=False. If you want to let client-side JavaScript read the cookie, set httponly=False. 
If you want to attach cookies to requests for external sites, set samesite=None.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "no-csrf-exempt", - "display_name": "NoCsrfExempt", - "severity": "warning", - "category": "security", - "rule_title": "no csrf exempt", - "description": "Detected usage of @csrf_exempt, which indicates that there is no CSRF token set for this route. This could lead to an attacker manipulating the user's account and exfiltration of private data. Instead, create a function without this decorator.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "avoid-query-set-extra", - "display_name": "AvoidQuerySetExtra", - "severity": "warning", - "category": "security", - "rule_title": "avoid query set extra", - "description": "QuerySet.extra' does not provide safeguards against SQL injection and requires very careful use. SQL injection can lead to critical data being stolen by attackers. Instead of using '.extra', use the Django ORM and parameterized queries such as `People.objects.get(name='Bob')`.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "avoid-raw-sql", - "display_name": "AvoidRawSql", - "severity": "error", - "category": "security", - "rule_title": "avoid raw sql", - "description": "Detected the use of 'RawSQL' or 'raw' indicating the execution of a non-parameterized SQL query. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use Django ORM and parameterized queries before raw SQL. 
An example of using the Django ORM is: `People.objects.get(name='Bob')`\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "unvalidated-password", - "display_name": "UnvalidatedPassword", - "severity": "warning", - "category": "security", - "rule_title": "unvalidated password", - "description": "The password on '$MODEL' is being set without validating the password. Call django.contrib.auth.password_validation.validate_password() with validation functions before setting the password. See https://docs.djangoproject.com/en/3.0/topics/auth/passwords/ for more information.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "avoid-insecure-deserialization", - "display_name": "AvoidInsecureDeserialization", - "severity": "error", - "category": "security", - "rule_title": "avoid insecure deserialization", - "description": "Avoid using insecure deserialization library, backed by `pickle`, `_pickle`, `cpickle`, `dill`, `shelve`, or `yaml`, which are known to lead to remote code execution vulnerabilities.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "direct-use-of-httpresponse", - "display_name": "DirectUseOfHttpresponse", - "severity": "warning", - "category": "security", - "rule_title": "direct use of httpresponse", - "description": "Detected data rendered directly to the end user via 'HttpResponse' or a similar object. This bypasses Django's built-in cross-site scripting (XSS) defenses and could result in an XSS vulnerability. 
Use Django's template engine to safely render HTML.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "template-translate-as-no-escape", - "display_name": "TemplateTranslateAsNoEscape", - "severity": "info", - "category": "security", - "rule_title": "template translate as no escape", - "description": "Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape a translated text.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "formathtml-fstring-parameter", - "display_name": "FormathtmlFstringParameter", - "severity": "warning", - "category": "security", - "rule_title": "formathtml fstring parameter", - "description": "Passing a formatted string as first parameter to `format_html` disables the proper encoding of variables. Any HTML in the first parameter is not encoded. Using a formatted string as first parameter obscures which parameters are encoded. Correct use of `format_html` is passing a static format string as first parameter, and the variables to substitute as subsequent parameters.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "template-var-unescaped-with-safeseq", - "display_name": "TemplateVarUnescapedWithSafeseq", - "severity": "warning", - "category": "security", - "rule_title": "template var unescaped with safeseq", - "description": "Detected a template variable where autoescaping is explicitly disabled with '| safeseq' filter. This allows rendering of raw HTML in this segment. Ensure no user data is rendered here, otherwise this is a cross-site scripting (XSS) vulnerability. 
If you must do this, use `mark_safe` in your Python code.\n{\"include\": [\"*.html\"]}", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "html-safe", - "display_name": "HtmlSafe", - "severity": "warning", - "category": "security", - "rule_title": "html safe", - "description": "`html_safe()` add the `__html__` magic method to the provided class. The `__html__` method indicates to the Django template engine that the value is 'safe' for rendering. This means that normal HTML escaping will not be applied to the return value. This exposes your application to cross-site scripting (XSS) vulnerabilities. If you need to render raw HTML, consider instead using `mark_safe()` which more clearly marks the intent to render raw HTML than a class with a magic method.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "class-extends-safestring", - "display_name": "ClassExtendsSafestring", - "severity": "warning", - "category": "security", - "rule_title": "class extends safestring", - "description": "Found a class extending 'SafeString', 'SafeText' or 'SafeData'. These classes are for bypassing the escaping engine built in to Django and should not be used directly. Improper use of this class exposes your application to cross-site scripting (XSS) vulnerabilities. If you need this functionality, use 'mark_safe' instead and ensure no user data can reach it.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "context-autoescape-off", - "display_name": "ContextAutoescapeOff", - "severity": "warning", - "category": "security", - "rule_title": "context autoescape off", - "description": "Detected a Context with autoescape disabled. If you are rendering any web pages, this exposes your application to cross-site scripting (XSS) vulnerabilities. 
Remove 'autoescape: False' or set it to 'True'.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "html-magic-method", - "display_name": "HtmlMagicMethod", - "severity": "warning", - "category": "security", - "rule_title": "html magic method", - "description": "The `__html__` method indicates to the Django template engine that the value is 'safe' for rendering. This means that normal HTML escaping will not be applied to the return value. This exposes your application to cross-site scripting (XSS) vulnerabilities. If you need to render raw HTML, consider instead using `mark_safe()` which more clearly marks the intent to render raw HTML than a class with a magic method.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "template-translate-no-escape", - "display_name": "TemplateTranslateNoEscape", - "severity": "info", - "category": "security", - "rule_title": "template translate no escape", - "description": "Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape a translated text.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "template-blocktranslate-no-escape", - "display_name": "TemplateBlocktranslateNoEscape", - "severity": "info", - "category": "security", - "rule_title": "template blocktranslate no escape", - "description": "Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. 
Consider using `force_escape` to explicitly escape a translated text.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "global-autoescape-off", - "display_name": "GlobalAutoescapeOff", - "severity": "warning", - "category": "security", - "rule_title": "global autoescape off", - "description": "Autoescape is globally disbaled for this Django application. If you are rendering any web pages, this exposes your application to cross-site scripting (XSS) vulnerabilities. Remove 'autoescape: False' or set it to 'True'.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "filter-with-is-safe", - "display_name": "FilterWithIsSafe", - "severity": "warning", - "category": "security", - "rule_title": "filter with is safe", - "description": "Detected Django filters flagged with 'is_safe'. 'is_safe' tells Django not to apply escaping on the value returned by this filter (although the input is escaped). Used improperly, 'is_safe' could expose your application to cross-site scripting (XSS) vulnerabilities. Ensure this filter does not 1) add HTML characters, 2) remove characters, or 3) use external data in any way. Consider instead removing 'is_safe' and explicitly marking safe content with 'mark_safe()'.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "missing-throttle-config", - "display_name": "MissingThrottleConfig", - "severity": "warning", - "category": "security", - "rule_title": "missing throttle config", - "description": "Django REST framework configuration is missing default rate- limiting options. This could inadvertently allow resource starvation or Denial of Service (DoS) attacks. 
Add 'DEFAULT_THROTTLE_CLASSES' and 'DEFAULT_THROTTLE_RATES' to add rate-limiting to your application.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "debug-template-tag", - "display_name": "DebugTemplateTag", - "severity": "warning", - "category": "security", - "rule_title": "debug template tag", - "description": "Detected a debug template tag in a Django template. This dumps debugging information to the page when debug mode is enabled. Showing debug information to users is dangerous because it may reveal information about your environment that malicious actors can use to gain access to the system. Remove the debug tag.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "missing-ratelimit", - "display_name": "MissingRatelimit", - "severity": "warning", - "category": "security", - "rule_title": "missing ratelimit", - "description": "Function '$FUNC' is missing a rate-limiting decorator. High volume traffic to this function could starve application resources. Consider adding rate limiting from a library such as 'django-ratelimit'.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "reflected-data-httpresponse", - "display_name": "ReflectedDataHttpresponse", - "severity": "warning", - "category": "security", - "rule_title": "reflected data httpresponse", - "description": "Found user-controlled request data passed into HttpResponse. This could be vulnerable to XSS, leading to attackers gaining access to user cookies and protected information. 
Ensure that the request data is properly escaped or sanitzed.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "mass-assignment", - "display_name": "MassAssignment", - "severity": "warning", - "category": "security", - "rule_title": "mass assignment", - "description": "Mass assignment detected. This can result in assignment to model fields that are unintended and can be exploited by an attacker. Instead of using '**request.$W', assign each field you want to edit individually to prevent mass assignment. You can read more about mass assignment at https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "reflected-data-httpresponsebadrequest", - "display_name": "ReflectedDataHttpresponsebadrequest", - "severity": "warning", - "category": "security", - "rule_title": "reflected data httpresponsebadrequest", - "description": "Found user-controlled request data passed into a HttpResponseBadRequest. This could be vulnerable to XSS, leading to attackers gaining access to user cookies and protected information. Ensure that the request data is properly escaped or sanitzed.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "request-data-fileresponse", - "display_name": "RequestDataFileresponse", - "severity": "warning", - "category": "security", - "rule_title": "request data fileresponse", - "description": "Found user-controlled request data being passed into a file open, which is them passed as an argument into the FileResponse. This is dangerous because an attacker could specify an arbitrary file to read, which could result in leaking important data. 
Be sure to validate or sanitize the user-inputted filename in the request data before using it in FileResponse.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "request-data-write", - "display_name": "RequestDataWrite", - "severity": "warning", - "category": "security", - "rule_title": "request data write", - "description": "Found user-controlled request data passed into '.write(...)'. This could be dangerous if a malicious actor is able to control data into sensitive files. For example, a malicious actor could force rolling of critical log files, or cause a denial-of-service by using up available disk space. Instead, ensure that request data is properly escaped or sanitized.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "ssrf-injection-requests", - "display_name": "SsrfInjectionRequests", - "severity": "error", - "category": "security", - "rule_title": "ssrf injection requests", - "description": "Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF). To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request. See https://owasp.org/www-community/attacks/Server_Side_Request_Forgery to learn more about SSRF vulnerabilities.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "ssrf-injection-urllib", - "display_name": "SsrfInjectionUrllib", - "severity": "error", - "category": "security", - "rule_title": "ssrf injection urllib", - "description": "Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF), which could result in attackers gaining access to private organization data. 
To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "globals-misuse-code-execution", - "display_name": "GlobalsMisuseCodeExecution", - "severity": "warning", - "category": "security", - "rule_title": "globals misuse code execution", - "description": "Found request data as an index to 'globals()'. This is extremely dangerous because it allows an attacker to execute arbitrary code on the system. Refactor your code not to use 'globals()'.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "user-eval", - "display_name": "UserEval", - "severity": "warning", - "category": "security", - "rule_title": "user eval", - "description": "Found user data in a call to 'eval'. This is extremely dangerous because it can enable an attacker to execute arbitrary remote code on the system. Instead, refactor your code to not use 'eval' and instead use a safe library for the specific functionality you need.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "user-exec-format-string", - "display_name": "UserExecFormatString", - "severity": "warning", - "category": "security", - "rule_title": "user exec format string", - "description": "Found user data in a call to 'exec'. This is extremely dangerous because it can enable an attacker to execute arbitrary remote code on the system. 
Instead, refactor your code to not use 'eval' and instead use a safe library for the specific functionality you need.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "user-exec", - "display_name": "UserExec", - "severity": "warning", - "category": "security", - "rule_title": "user exec", - "description": "Found user data in a call to 'exec'. This is extremely dangerous because it can enable an attacker to execute arbitrary remote code on the system. Instead, refactor your code to not use 'eval' and instead use a safe library for the specific functionality you need.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "user-eval-format-string", - "display_name": "UserEvalFormatString", - "severity": "warning", - "category": "security", - "rule_title": "user eval format string", - "description": "Found user data in a call to 'eval'. This is extremely dangerous because it can enable an attacker to execute remote code. See https://owasp.org/www-community/attacks/Code_Injection for more information.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "path-traversal-file-name", - "display_name": "PathTraversalFileName", - "severity": "warning", - "category": "security", - "rule_title": "path traversal file name", - "description": "Data from request is passed to a file name `$FILE`. This is a path traversal vulnerability, which can lead to sensitive data being leaked. 
To mitigate, consider using os.path.abspath or os.path.realpath or the pathlib library.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "path-traversal-join", - "display_name": "PathTraversalJoin", - "severity": "warning", - "category": "security", - "rule_title": "path traversal join", - "description": "Data from request is passed to os.path.join() and to open(). This is a path traversal vulnerability, which can lead to sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or Path library.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "command-injection-os-system", - "display_name": "CommandInjectionOsSystem", - "severity": "error", - "category": "security", - "rule_title": "command injection os system", - "description": "Request data detected in os.system. This could be vulnerable to a command injection and should be avoided. If this must be done, use the 'subprocess' module instead and pass the arguments as a list. See https://owasp.org/www-community/attacks/Command_Injection for more information.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "xss-send-mail-html-message", - "display_name": "XssSendMailHtmlMessage", - "severity": "warning", - "category": "security", - "rule_title": "xss send mail html message", - "description": "Found request data in 'send_mail(...)' that uses 'html_message'. This is dangerous because HTML emails are susceptible to XSS. 
An attacker could inject data into this HTML email, causing XSS.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "xss-html-email-body", - "display_name": "XssHtmlEmailBody", - "severity": "warning", - "category": "security", - "rule_title": "xss html email body", - "description": "Found request data in an EmailMessage that is set to use HTML. This is dangerous because HTML emails are susceptible to XSS. An attacker could inject data into this HTML email, causing XSS.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "sql-injection-using-extra-where", - "display_name": "SqlInjectionUsingExtraWhere", - "severity": "warning", - "category": "security", - "rule_title": "sql injection using extra where", - "description": "User-controlled data from a request is passed to 'extra()'. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use parameterized queries or escape the user-controlled data by using `params` and not using quote placeholders in the SQL string.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "sql-injection-using-rawsql", - "display_name": "SqlInjectionUsingRawsql", - "severity": "warning", - "category": "security", - "rule_title": "sql injection using rawsql", - "description": "User-controlled data from request is passed to 'RawSQL()'. This could lead to a SQL injection and therefore protected information could be leaked. 
Instead, use parameterized queries or escape the user-controlled data by using `params` and not using quote placeholders in the SQL string.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "sql-injection-db-cursor-execute", - "display_name": "SqlInjectionDbCursorExecute", - "severity": "warning", - "category": "security", - "rule_title": "sql injection db cursor execute", - "description": "User-controlled data from a request is passed to 'execute()'. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use django's QuerySets, which are built with query parameterization and therefore not vulnerable to sql injection. For example, you could use `Entry.objects.filter(date=2006)`.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "sql-injection-using-raw", - "display_name": "SqlInjectionUsingRaw", - "severity": "warning", - "category": "security", - "rule_title": "sql injection using raw", - "description": "Data that is possible user-controlled from a python request is passed to `raw()`. This could lead to SQL injection and attackers gaining access to protected information. Instead, use django's QuerySets, which are built with query parameterization and therefore not vulnerable to sql injection. 
For example, you could use `Entry.objects.filter(date=2006)`.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "duplicate-path-assignment", - "display_name": "DuplicatePathAssignment", - "severity": "warning", - "category": "correctness", - "rule_title": "duplicate path assignment", - "description": "path for `$URL` is uselessly assigned twice\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "conflicting-path-assignment", - "display_name": "ConflictingPathAssignment", - "severity": "error", - "category": "correctness", - "rule_title": "conflicting path assignment", - "description": "The path for `$URL` is assigned once to view `$VIEW` and once to `$DIFFERENT_VIEW`, which can lead to unexpected behavior. Verify what the intended target view is and delete the other route.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "duplicate-path-assignment-different-names", - "display_name": "DuplicatePathAssignmentDifferentNames", - "severity": "warning", - "category": "correctness", - "rule_title": "duplicate path assignment different names", - "description": "path for `$URL` is assigned twice with different names\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "duplicate-name-assignment", - "display_name": "DuplicateNameAssignment", - "severity": "error", - "category": "correctness", - "rule_title": "duplicate name assignment", - "description": "The name `$NAME` is used for both `$URL` and `$OTHER_URL`, which can lead to unexpected behavior when using URL reversing. 
Pick a unique name for each path.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "no-null-string-field", - "display_name": "NoNullStringField", - "severity": "warning", - "category": "correctness", - "rule_title": "no null string field", - "description": "Avoid using null on string-based fields such as CharField and TextField. If a string-based field has null=True, that means it has two possible values for \"no data\": NULL, and the empty string. In most cases, it's redundant to have two possible values for \"no data;\" the Django convention is to use the empty string, not NULL.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "string-field-must-set-null-true", - "display_name": "StringFieldMustSetNullTrue", - "severity": "error", - "category": "correctness", - "rule_title": "string field must set null true", - "description": "If a text field declares unique=True and blank=True, null=True must also be set to avoid unique constraint violations when saving multiple objects with blank values.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "use-decimalfield-for-money", - "display_name": "UseDecimalfieldForMoney", - "severity": "error", - "category": "correctness", - "rule_title": "use decimalfield for money", - "description": "Found a FloatField used for variable $F. 
Use DecimalField for currency fields to avoid float-rounding errors.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "django-db-model-save-super", - "display_name": "DjangoDbModelSaveSuper", - "severity": "warning", - "category": "correctness", - "rule_title": "django db model save super", - "description": "Detected a django model `$MODEL` is not calling super().save() inside of the save method.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "nontext-field-must-set-null-true", - "display_name": "NontextFieldMustSetNullTrue", - "severity": "error", - "category": "correctness", - "rule_title": "nontext field must set null true", - "description": "null=True should be set if blank=True is set on non-text fields.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "access-foreign-keys", - "display_name": "AccessForeignKeys", - "severity": "warning", - "category": "performance", - "rule_title": "access foreign keys", - "description": "You should use ITEM.user_id rather than ITEM.user.id to prevent running an extra query.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "use-earliest-or-latest", - "display_name": "UseEarliestOrLatest", - "severity": "error", - "category": "performance", - "rule_title": "use earliest or latest", - "description": "Looks like you are only accessing first element of an ordered QuerySet. Use `latest()` or `earliest()` instead. 
See https://docs.djangoproject.com/en/3.0/ref/models/querysets/#django.db.models.query.QuerySet.latest\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "use-count-method", - "display_name": "UseCountMethod", - "severity": "error", - "category": "performance", - "rule_title": "use count method", - "description": "Looks like you need to determine the number of records. Django provides the count() method which is more efficient than .len(). See https://docs.djangoproject.com/en/3.0/ref/models/querysets/\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "use-onetoonefield", - "display_name": "UseOnetoonefield", - "severity": "warning", - "category": "correctness", - "rule_title": "use onetoonefield", - "description": "Use 'django.db.models.OneToOneField' instead of 'ForeignKey' with unique=True. 'OneToOneField' is used to create one-to-one relationships.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "use-django-environ", - "display_name": "UseDjangoEnviron", - "severity": "error", - "category": "correctness", - "rule_title": "use django environ", - "description": "You are using environment variables inside django app. 
Use `django-environ` as it a better alternative for deployment.\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "use-json-response", - "display_name": "UseJsonResponse", - "severity": "error", - "category": "correctness", - "rule_title": "use json response", - "description": "Use JsonResponse instead\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "hardcoded-token", - "display_name": "HardcodedToken", - "severity": "warning", - "category": "security", - "rule_title": "hardcoded token", - "description": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "ruby-jwt-exposed-credentials", - "display_name": "RubyJwtExposedCredentials", - "severity": "error", - "category": "security", - "rule_title": "ruby jwt exposed credentials", - "description": "Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens.\n", - "rule_params": null, - "solution": null, - "languages": [ - "ruby" - ], - "labels": [] - }, - { - "real_name": "ruby-jwt-none-alg", - "display_name": "RubyJwtNoneAlg", - "severity": "error", - "category": "security", - "rule_title": "ruby jwt none alg", - "description": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. 
Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.\n", - "rule_params": null, - "solution": null, - "languages": [ - "ruby" - ], - "labels": [] - }, - { - "real_name": "ruby-jwt-hardcoded-secret", - "display_name": "RubyJwtHardcodedSecret", - "severity": "error", - "category": "security", - "rule_title": "ruby jwt hardcoded secret", - "description": "Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)\n", - "rule_params": null, - "solution": null, - "languages": [ - "ruby" - ], - "labels": [] - }, - { - "real_name": "ruby-jwt-decode-without-verify", - "display_name": "RubyJwtDecodeWithoutVerify", - "severity": "warning", - "category": "security", - "rule_title": "ruby jwt decode without verify", - "description": "Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims.\n", - "rule_params": null, - "solution": null, - "languages": [ - "ruby" - ], - "labels": [] - }, - { - "real_name": "ruby-jwt-exposed-data", - "display_name": "RubyJwtExposedData", - "severity": "warning", - "category": "security", - "rule_title": "ruby jwt exposed data", - "description": "The object is passed strictly to jsonwebtoken.sign(...) Make sure that sensitive information is not exposed through JWT token payload.\n", - "rule_params": null, - "solution": null, - "languages": [ - "ruby" - ], - "labels": [] - }, - { - "real_name": "mysql2-sqli", - "display_name": "Mysql2Sqli", - "severity": "warning", - "category": "security", - "rule_title": "mysql2 sqli", - "description": "Detected SQL statement that is tainted by `event` object. 
This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, used parameterized queries or prepared statements instead. You can use sanitize statements like so: `escaped = client.escape(user_input)`\n", - "rule_params": null, - "solution": null, - "languages": [ - "ruby" - ], - "labels": [] - }, - { - "real_name": "activerecord-sqli", - "display_name": "ActiverecordSqli", - "severity": "warning", - "category": "security", - "rule_title": "activerecord sqli", - "description": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, used parameterized queries or prepared statements instead. You can use parameterized statements like so: `Example.find_by_sql [\"SELECT title FROM posts WHERE author = ? AND created > ?\", author_id, start_date]`\n", - "rule_params": null, - "solution": null, - "languages": [ - "ruby" - ], - "labels": [] - }, - { - "real_name": "tainted-deserialization", - "display_name": "TaintedDeserialization", - "severity": "warning", - "category": "security", - "rule_title": "tainted deserialization", - "description": "Deserialization of a string tainted by `event` object found. Objects in Ruby can be serialized into strings, then later loaded from strings. However, uses of `load` can cause remote code execution. Loading user input with MARSHAL, YAML or CSV can potentially be dangerous. 
If you need to deserialize untrusted data, you should use JSON as it is only capable of returning 'primitive' types such as strings, arrays, hashes, numbers and nil.\n", - "rule_params": null, - "solution": null, - "languages": [ - "ruby" - ], - "labels": [] - }, - { - "real_name": "sequel-sqli", - "display_name": "SequelSqli", - "severity": "warning", - "category": "security", - "rule_title": "sequel sqli", - "description": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, used parameterized queries or prepared statements instead. You can use parameterized statements like so: `DB['select * from items where name = ?', name]`\n", - "rule_params": null, - "solution": null, - "languages": [ - "ruby" - ], - "labels": [] - }, - { - "real_name": "nested-attributes", - "display_name": "NestedAttributes", - "severity": "warning", - "category": "security", - "rule_title": "nested attributes", - "description": "Checks for models that enable nested attributes. A vulnerability in nested_attributes_for results in an attacker begin able to change parameters apart from the ones intended by the developer. Affected Rails versions: 3.0.0, 2.3.9. Fix: don't use accepts_nested_attributes_for or upgrade Rails version.\n", - "rule_params": null, - "solution": null, - "languages": [ - "ruby" - ], - "labels": [] - }, - { - "real_name": "ssl-mode-no-verify", - "display_name": "SslModeNoVerify", - "severity": "warning", - "category": "security", - "rule_title": "ssl mode no verify", - "description": "Detected SSL that will accept an unverified connection. This makes the connections susceptible to man-in-the-middle attacks. 
Use 'OpenSSL::SSL::VERIFY_PEER' instead.\n", - "rule_params": null, - "solution": null, - "languages": [ - "ruby" - ], - "labels": [] - }, - { - "real_name": "dangerous-open3-pipeline", - "display_name": "DangerousOpen3Pipeline", - "severity": "warning", - "category": "security", - "rule_title": "dangerous open3 pipeline", - "description": "Detected non-static command inside $PIPE. Audit the input to '$PIPE'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n", - "rule_params": null, - "solution": null, - "languages": [ - "ruby" - ], - "labels": [] - }, - { - "real_name": "model-attributes-attr-accessible", - "display_name": "ModelAttributesAttrAccessible", - "severity": "error", - "category": "security", - "rule_title": "model attributes attr accessible", - "description": "Checks for models that do not use attr_accessible. This means there is no limiting of which variables can be manipulated through mass assignment. For newer Rails applications, parameters should be allowlisted using strong parameters. For older Rails versions, they should be allowlisted using strong_attributes.\n", - "rule_params": null, - "solution": null, - "languages": [ - "ruby" - ], - "labels": [] - }, - { - "real_name": "dangerous-exec", - "display_name": "DangerousExec", - "severity": "warning", - "category": "security", - "rule_title": "dangerous exec", - "description": "Detected non-static command inside $EXEC. Audit the input to '$EXEC'. If unverified user data can reach this call site, this is a code injection vulnerability. 
A malicious actor can inject a malicious script to execute arbitrary code.\n", - "rule_params": null, - "solution": null, - "languages": [ - "ruby" - ], - "labels": [] - }, - { - "real_name": "dangerous-open", - "display_name": "DangerousOpen", - "severity": "warning", - "category": "security", - "rule_title": "dangerous open", - "description": "Detected non-static command inside 'open'. Audit the input to 'open'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n", - "rule_params": null, - "solution": null, - "languages": [ - "ruby" - ], - "labels": [] - }, - { - "real_name": "hardcoded-http-auth-in-controller", - "display_name": "HardcodedHttpAuthInController", - "severity": "warning", - "category": "security", - "rule_title": "hardcoded http auth in controller", - "description": "Detected hardcoded password used in basic authentication in a controller class. Including this password in version control could expose this credential. Consider refactoring to use environment variables or configuration files.\n", - "rule_params": null, - "solution": null, - "languages": [ - "ruby" - ], - "labels": [] - }, - { - "real_name": "cookie-serialization", - "display_name": "CookieSerialization", - "severity": "error", - "category": "security", - "rule_title": "cookie serialization", - "description": "Checks if code allows cookies to be deserialized using Marshal. If the attacker can craft a valid cookie, this could lead to remote code execution. 
The hybrid check is just to warn users to migrate to :json for best practice.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "timing-attack",
- "display_name": "TimingAttack",
- "severity": "error",
- "category": "security",
- "rule_title": "timing attack",
- "description": "Checks for unsafe use of method http_basic_authenticate_with, which is vulnerable to timing attacks as it does not use constant-time checking when comparing passwords. Affected Rails versions include: 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1. Avoid this function if possible.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "ruby-eval",
- "display_name": "RubyEval",
- "severity": "warning",
- "category": "security",
- "rule_title": "ruby eval",
- "description": "Use of eval detected. This can lead to attackers running arbitrary code. Ensure external data does not reach here, otherwise this is a security vulnerability. Consider other ways to do this without eval.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "create-with",
- "display_name": "CreateWith",
- "severity": "error",
- "category": "security",
- "rule_title": "create with",
- "description": "Checks for strong parameter bypass through usage of create_with. Create_with bypasses strong parameter protection, which could allow attackers to set arbitrary attributes on models. To fix this vulnerability, either remove all create_with calls or use the permit function to specify tags that are allowed to be set.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "filter-skipping",
- "display_name": "FilterSkipping",
- "severity": "error",
- "category": "security",
- "rule_title": "filter skipping",
- "description": "Checks for use of action in Ruby routes. 
This can cause Rails to render an arbitrary view if an attacker creates an URL accurately. Affects 3.0 applications. Can avoid the vulnerability by providing additional constraints.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "bad-deserialization-yaml",
- "display_name": "BadDeserializationYaml",
- "severity": "error",
- "category": "security",
- "rule_title": "bad deserialization yaml",
- "description": "Unsafe deserialization from YAML. Objects in Ruby can be serialized into strings, then later loaded from strings. However, uses of load and object_load can cause remote code execution. Loading user input with YAML can potentially be dangerous. Use JSON in a secure fashion instead. However, loading YAML from a static file is not dangerous and should not be flagged.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "missing-csrf-protection",
- "display_name": "MissingCsrfProtection",
- "severity": "error",
- "category": "security",
- "rule_title": "missing csrf protection",
- "description": "Detected controller which does not enable cross-site request forgery protections using 'protect_from_forgery'. Add 'protect_from_forgery :with => :exception' to your controller class.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "dangerous-syscall",
- "display_name": "DangerousSyscall",
- "severity": "warning",
- "category": "security",
- "rule_title": "dangerous syscall",
- "description": "'syscall' is essentially unsafe and unportable. 
The DL (https://apidock.com/ruby/Fiddle) library is preferred for safer and a bit more portable programming.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "bad-deserialization",
- "display_name": "BadDeserialization",
- "severity": "error",
- "category": "security",
- "rule_title": "bad deserialization",
- "description": "Checks for unsafe deserialization. Objects in Ruby can be serialized into strings, then later loaded from strings. However, uses of load and object_load can cause remote code execution. Loading user input with MARSHAL or CSV can potentially be dangerous. Use JSON in a secure fashion instead.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "model-attr-accessible",
- "display_name": "ModelAttrAccessible",
- "severity": "error",
- "category": "security",
- "rule_title": "model attr accessible",
- "description": "Checks for dangerous permitted attributes that can lead to mass assignment vulnerabilities. Query parameters allowed using permit and attr_accessible are checked for allowance of dangerous attributes admin, banned, role, and account_id. Also checks for usages of params.permit!, which allows everything. Fix: don't allow admin, banned, role, and account_id using permit or attr_accessible.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "json-encoding",
- "display_name": "JsonEncoding",
- "severity": "warning",
- "category": "security",
- "rule_title": "json encoding",
- "description": "When a 'Hash' with user-supplied input is encoded in JSON, Rails doesn't provide adequate escaping. If the JSON string is supplied into HTML, the page will be vulnerable to XXS attacks. The affected Rails versions are 3.0.x, 3.1.x, 3.2.x, 4.1.x, 4.2.x. 
To fix, either upgrade or add an initializer.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "force-ssl-false",
- "display_name": "ForceSslFalse",
- "severity": "warning",
- "category": "security",
- "rule_title": "force ssl false",
- "description": "Checks for configuration setting of force_ssl to false. Force_ssl forces usage of HTTPS, which could lead to network interception of unencrypted application traffic. To fix, set config.force_ssl = true.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "mass-assignment-protection-disabled",
- "display_name": "MassAssignmentProtectionDisabled",
- "severity": "warning",
- "category": "security",
- "rule_title": "mass assignment protection disabled",
- "description": "Mass assignment protection disabled for '$MODEL'. This could permit assignment to sensitive model fields without intention. Instead, use 'attr_accessible' for the model or disable mass assigment using 'config.active_record.whitelist_attributes = true'. ':without_protection => true' must be removed for this to take effect.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "weak-hashes-md5",
- "display_name": "WeakHashesMd5",
- "severity": "warning",
- "category": "security",
- "rule_title": "weak hashes md5",
- "description": "Should not use md5 to generate hashes. md5 is proven to be vulnerable through the use of brute-force attacks. Could also result in collisions,leading to potential collision attacks. 
Use SHA256 or other hashing functions instead.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "weak-hashes-sha1",
- "display_name": "WeakHashesSha1",
- "severity": "warning",
- "category": "security",
- "rule_title": "weak hashes sha1",
- "description": "Should not use SHA1 to generate hashes. There is a proven SHA1 hash collision by Google, which could lead to vulnerabilities. Use SHA256, SHA3 or other hashing functions instead.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "model-attributes-attr-protected",
- "display_name": "ModelAttributesAttrProtected",
- "severity": "warning",
- "category": "security",
- "rule_title": "model attributes attr protected",
- "description": "Checks for models that use attr_protected, as use of allowlist instead of denylist is better practice. Attr_protected was also found to be vulnerable to bypass. The fixed versions of Rails are: 3.2.12, 3.1.11, 2.3.17. To prevent bypass, use attr_accessible instead.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "bad-send",
- "display_name": "BadSend",
- "severity": "error",
- "category": "security",
- "rule_title": "bad send",
- "description": "Checks for unsafe use of Object#send, try, __send__, and public_send. These only account for unsafe use of a method, not target. This can lead to arbitrary calling of exit, along with arbitrary code execution. 
Please be sure to sanitize input in order to avoid this.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "file-disclosure",
- "display_name": "FileDisclosure",
- "severity": "error",
- "category": "security",
- "rule_title": "file disclosure",
- "description": "Special requests can determine whether a file exists on a filesystem that's outside the Rails app's root directory. To fix this, set config.serve_static_assets = false.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "dangerous-subshell",
- "display_name": "DangerousSubshell",
- "severity": "warning",
- "category": "security",
- "rule_title": "dangerous subshell",
- "description": "Detected non-static command inside `...`. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "jruby-xml",
- "display_name": "JrubyXml",
- "severity": "warning",
- "category": "security",
- "rule_title": "jruby xml",
- "description": "The JDOM backend for XmlMini has a vulnerability that lets an attacker perform a denial of service attack or gain access to files on the application server. This affects versions 3.0, but is fixed in versions 3.1.12 and 3.2.13. To fix, either upgrade or use XmlMini.backend=\"REXML\".\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "yaml-parsing",
- "display_name": "YamlParsing",
- "severity": "warning",
- "category": "security",
- "rule_title": "yaml parsing",
- "description": "Detected enabled YAML parsing. This is vulnerable to remote code execution in Rails 2.x versions up to 2.3.14. 
To fix, delete this line.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "json-entity-escape",
- "display_name": "JsonEntityEscape",
- "severity": "warning",
- "category": "security",
- "rule_title": "json entity escape",
- "description": "Checks if HTML escaping is globally disabled for JSON output. This could lead to XSS.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "nested-attributes-bypass",
- "display_name": "NestedAttributesBypass",
- "severity": "warning",
- "category": "security",
- "rule_title": "nested attributes bypass",
- "description": "Checks for nested attributes vulnerability (CVE-2015-7577). Setting allow_destroy: false in accepts_nested_attributes_for can lead to attackers setting attributes to invalid values and clearing all attributes. This affects versions 3.1.0 and newer, with fixed versions 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1. To fix, upgrade to a newer version or use the initializer specified in the google groups.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "mass-assignment-vuln",
- "display_name": "MassAssignmentVuln",
- "severity": "warning",
- "category": "security",
- "rule_title": "mass assignment vuln",
- "description": "Checks for calls to without_protection during mass assignment (which allows record creation from hash values). This can lead to users bypassing permissions protections. For Rails 4 and higher, mass protection is on by default. Fix: Don't use :without_protection => true. 
Instead, configure attr_accessible to control attribute access.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "divide-by-zero",
- "display_name": "DivideByZero",
- "severity": "warning",
- "category": "security",
- "rule_title": "divide by zero",
- "description": "Detected a possible ZeroDivisionError.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "hardcoded-secret-rsa-passphrase",
- "display_name": "HardcodedSecretRsaPassphrase",
- "severity": "warning",
- "category": "security",
- "rule_title": "hardcoded secret rsa passphrase",
- "description": "Found the use of an hardcoded passphrase for RSA. The passphrase can be easily discovered, and therefore should not be stored in source-code. It is recommended to remove the passphrase from source-code, and use system environment variables or a restricted configuration file.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "check-sql",
- "display_name": "CheckSql",
- "severity": "error",
- "category": "security",
- "rule_title": "check sql",
- "description": "Found potential SQL injection due to unsafe SQL query construction via $X. Where possible, prefer parameterized queries.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "check-validation-regex",
- "display_name": "CheckValidationRegex",
- "severity": "error",
- "category": "security",
- "rule_title": "check validation regex",
- "description": "$V Found an incorrectly-bounded regex passed to `validates_format_of` or `validate ... format => ...`. 
Ruby regex behavior is multiline by default and lines should be terminated by `\\A` for beginning of line and `\\Z` for end of line, respectively.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "check-reverse-tabnabbing",
- "display_name": "CheckReverseTabnabbing",
- "severity": "warning",
- "category": "security",
- "rule_title": "check reverse tabnabbing",
- "description": "Setting an anchor target of `_blank` without the `noopener` or `noreferrer` attribute allows reverse tabnabbing on Internet Explorer, Opera, and Android Webview.\n{\"include\": [\"*.erb\"]}",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "check-dynamic-render-local-file-include",
- "display_name": "CheckDynamicRenderLocalFileInclude",
- "severity": "warning",
- "category": "security",
- "rule_title": "check dynamic render local file include",
- "description": "Found request parameters in a call to `render` in a dynamic context. 
This can allow end users to request arbitrary local files which may result in leaking sensitive information persisted on disk.\n{\"include\": [\"*.erb\"]}",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "check-permit-attributes-medium",
- "display_name": "CheckPermitAttributesMedium",
- "severity": "warning",
- "category": "security",
- "rule_title": "check permit attributes medium",
- "description": "Calling `permit` on security-critical properties like `$ATTRIBUTE` may leave your application vulnerable to mass assignment.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "check-secrets",
- "display_name": "CheckSecrets",
- "severity": "warning",
- "category": "security",
- "rule_title": "check secrets",
- "description": "Found a Brakeman-style secret - a variable with the name password/secret/api_key/rest_auth_site_key and a non-empty string literal value.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "check-rails-secret-yaml",
- "display_name": "CheckRailsSecretYaml",
- "severity": "warning",
- "category": "security",
- "rule_title": "check rails secret yaml",
- "description": "$VALUE Found a string literal assignment to a production Rails session secret in `secrets.yaml`. Do not commit secret values to source control! Any user in possession of this value may falsify arbitrary session data in your application. 
Read this value from an environment variable, KMS, or file on disk outside of source control.\n{\"include\": [\"*secrets.*.yml\", \"*secrets.*.yaml\"]}",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "check-send-file",
- "display_name": "CheckSendFile",
- "severity": "error",
- "category": "security",
- "rule_title": "check send file",
- "description": "Allowing user input to `send_file` allows a malicious user to potentially read arbitrary files from the server. Avoid accepting user input in `send_file` or normalize with `File.basename(...)`\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "check-rails-session-secret-handling",
- "display_name": "CheckRailsSessionSecretHandling",
- "severity": "warning",
- "category": "security",
- "rule_title": "check rails session secret handling",
- "description": "Found a string literal assignment to a Rails session secret `$KEY`. Do not commit secret values to source control! Any user in possession of this value may falsify arbitrary session data in your application. Read this value from an environment variable, KMS, or file on disk outside of source control.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "check-http-verb-confusion",
- "display_name": "CheckHttpVerbConfusion",
- "severity": "error",
- "category": "security",
- "rule_title": "check http verb confusion",
- "description": "Found an improperly constructed control flow block with `request.get?`. 
Rails will route HEAD requests as GET requests but they will fail the `request.get?` check, potentially causing unexpected behavior unless an `elif` condition is used.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "check-unscoped-find",
- "display_name": "CheckUnscopedFind",
- "severity": "warning",
- "category": "security",
- "rule_title": "check unscoped find",
- "description": "Found an unscoped `find(...)` with user-controllable input. If the ActiveRecord model being searched against is sensitive, this may lead to Insecure Direct Object Reference (IDOR) behavior and allow users to read arbitrary records.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "check-unsafe-reflection-methods",
- "display_name": "CheckUnsafeReflectionMethods",
- "severity": "error",
- "category": "security",
- "rule_title": "check unsafe reflection methods",
- "description": "Found user-controllable input to a reflection method. This may allow a user to alter program behavior and potentially execute arbitrary instructions in the context of the process. Do not provide arbitrary user input to `tap`, `method`, or `to_proc`\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "check-cookie-store-session-security-attributes",
- "display_name": "CheckCookieStoreSessionSecurityAttributes",
- "severity": "warning",
- "category": "security",
- "rule_title": "check cookie store session security attributes",
- "description": "Found a Rails `cookie_store` session configuration setting the `$KEY` attribute to `false`. 
If using a cookie-based session store, the HttpOnly and Secure flags should be set.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "check-before-filter",
- "display_name": "CheckBeforeFilter",
- "severity": "error",
- "category": "security",
- "rule_title": "check before filter",
- "description": "Disabled-by-default Rails controller checks make it much easier to introduce access control mistakes. Prefer an allowlist approach with `:only => [...]` rather than `except: => [...]`\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "check-redirect-to",
- "display_name": "CheckRedirectTo",
- "severity": "warning",
- "category": "security",
- "rule_title": "check redirect to",
- "description": "Found potentially unsafe handling of redirect behavior $X. Do not pass `params` to `redirect_to` without the `:only_path => true` hash value.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "check-regex-dos",
- "display_name": "CheckRegexDos",
- "severity": "error",
- "category": "security",
- "rule_title": "check regex dos",
- "description": "Found a potentially user-controllable argument in the construction of a regular expressions. This may result in excessive resource consumption when applied to certain inputs, or when the user is allowed to control the match target. Avoid allowing users to specify regular expressions processed by the server. 
If you must support user-controllable input in a regular expression, use an allow-list to restrict the expressions users may supply to limit catastrophic backtracking.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "check-unsafe-reflection",
- "display_name": "CheckUnsafeReflection",
- "severity": "error",
- "category": "security",
- "rule_title": "check unsafe reflection",
- "description": "Found user-controllable input to Ruby reflection functionality. This allows a remote user to influence runtime behavior, up to and including arbitrary remote code execution. Do not provide user-controllable input to reflection functionality. Do not call symbol conversion on user-controllable input.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "check-render-local-file-include",
- "display_name": "CheckRenderLocalFileInclude",
- "severity": "warning",
- "category": "security",
- "rule_title": "check render local file include",
- "description": "Found request parameters in a call to `render`. This can allow end users to request arbitrary local files which may result in leaking sensitive information persisted on disk. Where possible, avoid letting users specify template paths for `render`. 
If you must allow user input, use an allow-list of known templates or normalize the user-supplied value with `File.basename(...)`.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "check-permit-attributes-high",
- "display_name": "CheckPermitAttributesHigh",
- "severity": "error",
- "category": "security",
- "rule_title": "check permit attributes high",
- "description": "Calling `permit` on security-critical properties like `$ATTRIBUTE` may leave your application vulnerable to mass assignment.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "rails-check-render-dos",
- "display_name": "RailsCheckRenderDos",
- "severity": "warning",
- "category": "security",
- "rule_title": "rails check render dos",
- "description": "The render method in Rails versions 3.0.0 - 3.0.20, 3.1.0 - 3.1.12, and 3.2.0 - 3.2.16 are vulnerable to a denial of service attack (CVE-2014-0082), which could lead to service downtime. Upgrade to 3.2.17 or higher instead.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "mail-to",
- "display_name": "MailTo",
- "severity": "warning",
- "category": "security",
- "rule_title": "mail to",
- "description": "Detected use of mail_to helper used with the `:encode => :javascript option`. The attacker could specify a malicious name or email value that could lead to a XSS attack. Instead, use `:encode => :hex` or patch to Rails 3.0.4 or 2.3.11.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "avoid-tainted-http-request",
- "display_name": "AvoidTaintedHttpRequest",
- "severity": "warning",
- "category": "security",
- "rule_title": "avoid tainted http request",
- "description": "Using user input when accessing files is potentially dangerous. 
A malicious actor could use this to modify or access files they have no right to.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "mime-type-dos",
- "display_name": "MimeTypeDos",
- "severity": "warning",
- "category": "security",
- "rule_title": "mime type dos",
- "description": "Detected usage of `Mime.const_set`. This could lead to a Denial of Service attack, as an attacker could send lots of different mime types to the server, causing the cache to grow large and use all available RAM. Make sure you are using 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1 or higher. If this is not possible, use the workaround with \"Mime.const_set :LOOKUP, Hash.new { |h,k| Mime::Type.new(k) unless k.blank? }\"\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "avoid-session-manipulation",
- "display_name": "AvoidSessionManipulation",
- "severity": "warning",
- "category": "security",
- "rule_title": "avoid session manipulation",
- "description": "This gets data from session using user inputs. A malicious user may be able to retrieve information from your session that you didn't intend them to. Do not use user input as a session key.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "rails-check-page-caching-gem",
- "display_name": "RailsCheckPageCachingGem",
- "severity": "warning",
- "category": "security",
- "rule_title": "rails check page caching gem",
- "description": "All versions below 1.2.1 of the 'actionpack_page-caching' gem are vulnerable to arbitrary file write and remote code execution (CVE-2020-8159). 
Update to version 1.2.1 or greater or remove calls to 'caches_page'.\n{\"include\": [\"*Gemfile\", \"gems.rb\"]}",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "number-to-currency",
- "display_name": "NumberToCurrency",
- "severity": "warning",
- "category": "security",
- "rule_title": "number to currency",
- "description": "Detected user input flowing into number_to_currency helper. One of the parameters to the helper (unit) is not escaped correctly and could lead to XSS, which in turn could lead to sensitive data being exfiltrated. Instead, sanitize data before passing it into `number_to_currency` with the html_escape (h) function or upgrade to Rails 4.0.2 or 3.2.16.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "mail-to-erb",
- "display_name": "MailToErb",
- "severity": "warning",
- "category": "security",
- "rule_title": "mail to erb",
- "description": "Detected use of mail_to helper used with the `:encode => :javascript option`. The attacker could specify a malicious name or email value that could lead to a XSS attack. Instead, use `:encode => :hex` or patch to Rails 3.0.4 or 2.3.11.\n{\"include\": [\"*.erb\"]}",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "rails-check-response-splitting",
- "display_name": "RailsCheckResponseSplitting",
- "severity": "warning",
- "category": "security",
- "rule_title": "rails check response splitting",
- "description": "Rails versions 2.3.14 are vulnerable to response splitting, allowing header injection (CVE-2011-3186). 
Upgrade to 2.3.14 or greater.\n{\"include\": [\"*Gemfile\", \"gems.rb\"]}",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "rails-check-page-caching-cve",
- "display_name": "RailsCheckPageCachingCve",
- "severity": "warning",
- "category": "security",
- "rule_title": "rails check page caching cve",
- "description": "All versions below 1.2.1 of the 'actionpack_page-caching' gem are vulnerable to arbitrary file write and remote code execution (CVE-2020-8159) when using caching methods. Update to version 1.2.1 or greater or remove calls to 'caches_page'.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "quote-table-name",
- "display_name": "QuoteTableName",
- "severity": "warning",
- "category": "security",
- "rule_title": "quote table name",
- "description": "Detected usage of `quote_table_name`, which has a vulnerability allowing malicious users to inject arbitrary SQL into a query. This is fixed in Rails versions 3.0.10, 2.3.13, and 3.1.0.rc5 and above. If updating your Rails version is not possible, sanitize input thoroughly before passing it to a `quote_table_name` call.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "dynamic-finders",
- "display_name": "DynamicFinders",
- "severity": "warning",
- "category": "security",
- "rule_title": "dynamic finders",
- "description": "Discovered an application that uses MySQL and find_by_* dynamic finders on potentially sensitive fields. There is a vulnerability in MySQL integer conversion, which could case \"0\" to match any string, and could therefore lead to sensitive data being exposed. 
Instead, upgrade to Rails version 4.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "detailed-exceptions",
- "display_name": "DetailedExceptions",
- "severity": "warning",
- "category": "security",
- "rule_title": "detailed exceptions",
- "description": "Found that the setting for providing detailed exception reports in Rails is set to true. This can lead to information exposure, where sensitive system or internal information is displayed to the end user. Instead, turn this setting off.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "number-to-currency-erb",
- "display_name": "NumberToCurrencyErb",
- "severity": "warning",
- "category": "security",
- "rule_title": "number to currency erb",
- "description": "Detected user input flowing into number_to_currency helper. One of the parameters to the helper (unit) is not escaped correctly and could lead to XSS, which in turn could lead to sensitive data being exfiltrated. Instead, sanitize data with the 'html_escape' or 'h' function before passing it into `number_to_currency` or upgrade to Rails 4.0.2 or 3.2.16.\n{\"include\": [\"*.erb\"]}",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "avoid-tainted-ftp-call",
- "display_name": "AvoidTaintedFtpCall",
- "severity": "warning",
- "category": "security",
- "rule_title": "avoid tainted ftp call",
- "description": "Using user input when accessing files is potentially dangerous. 
A malicious actor could use this to modify or access files they have no right to.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "avoid-tainted-shell-call",
- "display_name": "AvoidTaintedShellCall",
- "severity": "error",
- "category": "security",
- "rule_title": "avoid tainted shell call",
- "description": "Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "avoid-tainted-file-access",
- "display_name": "AvoidTaintedFileAccess",
- "severity": "warning",
- "category": "security",
- "rule_title": "avoid tainted file access",
- "description": "Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "rails-skip-forgery-protection",
- "display_name": "RailsSkipForgeryProtection",
- "severity": "warning",
- "category": "security",
- "rule_title": "rails skip forgery protection",
- "description": "This call turns off CSRF protection allowing CSRF attacks against the application\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "rails-check-header-dos",
- "display_name": "RailsCheckHeaderDos",
- "severity": "warning",
- "category": "security",
- "rule_title": "rails check header dos",
- "description": "Rails versions 3.0.0 - 3.2.15 and 4.0.0 and 4.0.1 are vulnerable to a DoS attack (CVE-2013-6414). This can cause your service to be taken down for substantial amount of time. 
Instead, upgrade to 4.0.2 or 3.2.16 or higher.\n{\"include\": [\"*Gemfile\", \"gems.rb\"]}",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "ruby-pg-sqli",
- "display_name": "RubyPgSqli",
- "severity": "warning",
- "category": "security",
- "rule_title": "ruby pg sqli",
- "description": "Detected string concatenation with a non-literal variable in a pg Ruby SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, used parameterized queries or prepared statements instead. You can use parameterized queries like so: `conn.exec_params('SELECT $1 AS a, $2 AS b, $3 AS c', [1, 2, nil])` And you can use prepared statements with `exec_prepared`.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "avoid-render-dynamic-path",
- "display_name": "AvoidRenderDynamicPath",
- "severity": "warning",
- "category": "security",
- "rule_title": "avoid render dynamic path",
- "description": "Avoid rendering user input. It may be possible for a malicious user to input a path that lets them access a template they shouldn't. To prevent this, check dynamic template paths against a predefined allowlist to make sure it's an allowed template.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "avoid-render-text",
- "display_name": "AvoidRenderText",
- "severity": "warning",
- "category": "security",
- "rule_title": "avoid render text",
- "description": "'render text: ...' actually sets the content-type to 'text/html'. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Instead, use 'render plain: ...' 
to render non-HTML text.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "avoid-render-inline",
- "display_name": "AvoidRenderInline",
- "severity": "warning",
- "category": "security",
- "rule_title": "avoid render inline",
- "description": "'render inline: ...' renders an entire ERB template inline and is dangerous. If external data can reach here, this exposes your application to server-side template injection (SSTI) or cross-site scripting (XSS) attacks. Instead, consider using a partial or another safe rendering method.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "avoid-raw",
- "display_name": "AvoidRaw",
- "severity": "warning",
- "category": "security",
- "rule_title": "avoid raw",
- "description": "'raw()' bypasses HTML escaping. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. If you must do this, construct individual strings and mark them as safe for HTML rendering with `html_safe()`.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "avoid-html-safe",
- "display_name": "AvoidHtmlSafe",
- "severity": "warning",
- "category": "security",
- "rule_title": "avoid html safe",
- "description": "'html_safe()' does not make the supplied string safe. 'html_safe()' bypasses HTML escaping. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Ensure no external data reaches here.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "avoid-default-routes",
- "display_name": "AvoidDefaultRoutes",
- "severity": "warning",
- "category": "security",
- "rule_title": "avoid default routes",
- "description": "Default routes are enabled in this routes file. 
This means any public method on a controller can be called as an action. It is very easy to accidentally expose a method you didn't mean to. Instead, remove this line and explicitly include all routes you intend external users to follow.\n{\"include\": [\"*routes.rb\"]}",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "manual-template-creation",
- "display_name": "ManualTemplateCreation",
- "severity": "warning",
- "category": "security",
- "rule_title": "manual template creation",
- "description": "Detected manual creation of an ERB template. Manual creation of templates may expose your application to server-side template injection (SSTI) or cross-site scripting (XSS) attacks if user input is used to create the template. Instead, create a '.erb' template file and use 'render'.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "avoid-redirect",
- "display_name": "AvoidRedirect",
- "severity": "warning",
- "category": "security",
- "rule_title": "avoid redirect",
- "description": "When a redirect uses user input, a malicious user can spoof a website under a trusted URL or access restricted parts of a site. When using user-supplied values, sanitize the value before using it for the redirect.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "avoid-link-to",
- "display_name": "AvoidLinkTo",
- "severity": "warning",
- "category": "security",
- "rule_title": "avoid link to",
- "description": "This code includes user input in `link_to`. In Rails 2.x, the body of `link_to` is not escaped. This means that user input which reaches the body will be executed when the HTML is rendered. Even in other versions, values starting with `javascript:` or `data:` are not escaped. 
It is better to create and use a safer function which checks the body argument.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "avoid-content-tag",
- "display_name": "AvoidContentTag",
- "severity": "warning",
- "category": "security",
- "rule_title": "avoid content tag",
- "description": "'content_tag()' bypasses HTML escaping for some portion of the content. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Ensure no external data reaches here. If you must do this, create your HTML manually and use 'html_safe'. Ensure no external data enters the HTML-safe string!\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "unquoted-attribute",
- "display_name": "UnquotedAttribute",
- "severity": "warning",
- "category": "security",
- "rule_title": "unquoted attribute",
- "description": "Detected a unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: \"<%= expr %>\".\n{\"include\": [\"*.erb\"]}",
- "rule_params": null,
- "solution": null,
- "languages": [
- "ruby"
- ],
- "labels": []
- },
- {
- "real_name": "dangerous-link-to",
- "display_name": "DangerousLinkTo",
- "severity": "warning",
- "category": "security",
- "rule_title": "dangerous link to",
- "description": "Detected a template variable used in 'link_to'. This will generate dynamic data in the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross- site scripting (XSS) attacks. If using a relative URL, start with a literal forward slash and concatenate the URL, like this: 'link_to \"Here\", \"/\"+@link'. 
You may also consider setting the Content Security Policy (CSP) header.\n{\"include\": [\"*.erb\"]}", - "rule_params": null, - "solution": null, - "languages": [ - "ruby" - ], - "labels": [] - }, - { - "real_name": "alias-for-html-safe", - "display_name": "AliasForHtmlSafe", - "severity": "warning", - "category": "security", - "rule_title": "alias for html safe", - "description": "The syntax `<%== ... %>` is an alias for `html_safe`. This means the content inside these tags will be rendered as raw HTML. This may expose your application to cross-site scripting. If you need raw HTML, prefer using the more explicit `html_safe` and be sure to correctly sanitize variables using a library such as DOMPurify.\n{\"include\": [\"*.erb\"]}", - "rule_params": null, - "solution": null, - "languages": [ - "ruby" - ], - "labels": [] - }, - { - "real_name": "rails-check-json-parsing-rce", - "display_name": "RailsCheckJsonParsingRce", - "severity": "warning", - "category": "security", - "rule_title": "rails check json parsing rce", - "description": "Rails versions 0.0.0 - 2.3.14 and 3.0.0 - 3.0.19 are vulnerable to a Remote Code Execution attack via JSON parsing (CVE-2013-0333). Either use the 'yajl' gem or update to Rails 2.3.16 or greater if using Rails 0.0.0 - 2.3.14 and Rails 3.0.20 or greater if using Rails 3.0.0 - 3.0.19\n{\"include\": [\"*Gemfile\", \"gems.rb\"]}", - "rule_params": null, - "solution": null, - "languages": [ - "ruby" - ], - "labels": [] - }, - { - "real_name": "rails-no-render-after-save", - "display_name": "RailsNoRenderAfterSave", - "severity": "warning", - "category": "correctness", - "rule_title": "rails no render after save", - "description": "Found a call to `render $T` after calling `$T.save`. Do not call `render` after calling `save` on an ActiveRecord object. Reloading the page will cause the state-changing operation to be repeated which may cause undesirable side effects. 
Use `redirect_to` instead.\n", - "rule_params": null, - "solution": null, - "languages": [ - "ruby" - ], - "labels": [] - }, - { - "real_name": "missing-noopener-or-noreferrer", - "display_name": "MissingNoopenerOrNoreferrer", - "severity": "warning", - "category": "security", - "rule_title": "missing noopener or noreferrer", - "description": "This anchor tag with 'target=\"_blank\"' is missing 'noopener' or 'noreferrer'. A page opened with 'target=\"_blank\"' can access the window object of the origin page. This means it can manipulate the 'window.opener' property, which could redirect the origin page to a malicious URL. This is called reverse tabnabbing. To prevent this, include 'rel=noopener' or 'rel=noreferrer' on this tag.\n{\"include\": [\"*.html\"]}", - "rule_params": null, - "solution": null, - "languages": [ - "html" - ], - "labels": [] - }, - { - "real_name": "missing-integrity", - "display_name": "MissingIntegrity", - "severity": "warning", - "category": "security", - "rule_title": "missing integrity", - "description": "This tag is missing an 'integrity' subresource integrity attribute. The 'integrity' attribute allows for the browser to verify that externally hosted files (for example from a CDN) are delivered without unexpected manipulation. Without this attribute, if an attacker can modify the externally hosted resource, this could lead to XSS and other types of attacks. To prevent this, include the base64-encoded cryptographic hash of the resource (file) you’re telling the browser to fetch in the 'integrity' attribute for all externally hosted files.\n{\"include\": [\"*.html\"]}", - "rule_params": null, - "solution": null, - "languages": [ - "html" - ], - "labels": [] - }, - { - "real_name": "robots-denied", - "display_name": "RobotsDenied", - "severity": "info", - "category": "correctness", - "rule_title": "robots denied", - "description": "This page denies crawlers from indexing the page. 
Remove the robots 'meta' tag.\n", - "rule_params": null, - "solution": null, - "languages": [ - "html" - ], - "labels": [] - }, - { - "real_name": "invalid-base-url", - "display_name": "InvalidBaseUrl", - "severity": "warning", - "category": "correctness", - "rule_title": "generic.hugo: invalid base url", - "description": "The 'baseURL' is invalid. This may cause links to not work if deployed. Include the scheme (e.g., http:// or https://).\n", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "localhost-base-url", - "display_name": "LocalhostBaseUrl", - "severity": "warning", - "category": "correctness", - "rule_title": "generic.hugo: localhost base url", - "description": "The 'baseURL' is set to localhost. This may cause links to not work if deployed.\n", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "unquoted-attribute-var", - "display_name": "UnquotedAttributeVar", - "severity": "warning", - "category": "security", - "rule_title": "generic.html-templates: unquoted attribute var", - "description": "Detected a unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: \"{{ expr }}\".\n{\"include\": [\"*.html\", \"*.mustache\", \"*.hbs\"]}", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "missing-zypper-no-confirm-switch", - "display_name": "MissingZypperNoConfirmSwitch", - "severity": "warning", - "category": "correctness", - "rule_title": "generic.dockerfile: missing zypper no confirm switch", - "description": "This 'zypper install' is missing the '-y' switch. This might stall builds because it requires human intervention. 
Add the '-y' switch.\n{\"include\": [\"*dockerfile*\", \"*Dockerfile*\"]}", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "alias-must-be-unique", - "display_name": "AliasMustBeUnique", - "severity": "error", - "category": "correctness", - "rule_title": "generic.dockerfile: alias must be unique", - "description": "Image aliases must have a unique name, and '$REF' is used twice. Use another name for '$REF'.\n{\"include\": [\"*dockerfile*\", \"*Dockerfile*\"]}", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "multiple-cmd-instructions", - "display_name": "MultipleCmdInstructions", - "severity": "error", - "category": "correctness", - "rule_title": "generic.dockerfile: multiple cmd instructions", - "description": "Multiple CMD instructions were found. Only the last one will take effect.\n", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "copy-from-own-alias", - "display_name": "CopyFromOwnAlias", - "severity": "error", - "category": "correctness", - "rule_title": "generic.dockerfile: copy from own alias", - "description": "COPY instructions cannot copy from its own alias. The '$REF' alias is used before switching to a new image. If you meant to switch to a new image, include a new 'FROM' statement. Otherwise, remove the '--from=$REF' from the COPY statement.\n{\"include\": [\"*dockerfile*\", \"*Dockerfile*\"]}", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "use-absolute-workdir", - "display_name": "UseAbsoluteWorkdir", - "severity": "warning", - "category": "correctness", - "rule_title": "generic.dockerfile: use absolute workdir", - "description": "Detected a relative WORKDIR. Use absolute paths. 
This prevents issues based on assumptions about the WORKDIR of previous containers.\n{\"include\": [\"*dockerfile*\", \"*Dockerfile*\"]}", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "missing-yum-clean-all", - "display_name": "MissingYumCleanAll", - "severity": "warning", - "category": "correctness", - "rule_title": "generic.dockerfile: missing yum clean all", - "description": "This yum command does not end with '&& yum clean all'. Running 'yum clean all' will remove cached data and reduce package size. (This must be performed in the same RUN step.)\n{\"include\": [\"*dockerfile*\", \"*Dockerfile*\"]}", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "use-frozen-lockfile-yarn", - "display_name": "UseFrozenLockfileYarn", - "severity": "info", - "category": "security", - "rule_title": "generic.ci: use frozen lockfile yarn", - "description": "To ensure reproducable and deterministic builds, when performing yarn install, make sure to use the lockfile. Without `--frozen-lockfile`, yarn will update the lockfile rather than using the pinned versions.\n", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "use-frozen-lockfile-npm", - "display_name": "UseFrozenLockfileNpm", - "severity": "info", - "category": "security", - "rule_title": "generic.ci: use frozen lockfile npm", - "description": "To ensure reproducable and deterministic builds, use `npm ci` rather than `npm install` in scripts. 
This will use the lockfile rather than updating it.\n", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "use-frozen-lockfile-pipenv", - "display_name": "UseFrozenLockfilePipenv", - "severity": "info", - "category": "security", - "rule_title": "generic.ci: use frozen lockfile pipenv", - "description": "To ensure reproducable and deterministic builds, use `pipenv install --ignore-pipfile` rather than `pipenv install` in scripts. This will use the lockfile rather than updating it.\n", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "bash_reverse_shell", - "display_name": "Bash_reverse_shell", - "severity": "error", - "category": "security", - "rule_title": "generic.ci: bash_reverse_shell", - "description": "Semgrep found a bash reverse shell\n", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "changed-semgrepignore", - "display_name": "ChangedSemgrepignore", - "severity": "warning", - "category": "correctness", - "rule_title": "generic.ci: changed semgrepignore", - "description": "`$1` has been added to the .semgrepignore list of ignored paths. 
Someone from app-sec may want to audit these changes.\n{\"include\": [\".semgrepignore\"]}", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "detected-sql-dump", - "display_name": "DetectedSqlDump", - "severity": "error", - "category": "security", - "rule_title": "generic.secrets: detected sql dump", - "description": "SQL dump detected\n", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "detected-codeclimate", - "display_name": "DetectedCodeclimate", - "severity": "error", - "category": "security", - "rule_title": "generic.secrets: detected codeclimate", - "description": "CodeClimate detected\n", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "detected-outlook-team", - "display_name": "DetectedOutlookTeam", - "severity": "error", - "category": "security", - "rule_title": "generic.secrets: detected outlook team", - "description": "Outlook Team detected\n", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "detected-sauce-token", - "display_name": "DetectedSauceToken", - "severity": "error", - "category": "security", - "rule_title": "generic.secrets: detected sauce token", - "description": "Sauce Token detected\n", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "detected-artifactory-token", - "display_name": "DetectedArtifactoryToken", - "severity": "error", - "category": "security", - "rule_title": "generic.secrets: detected artifactory token", - "description": "Artifactory token detected\n", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "detected-sonarqube-docs-api-key", - "display_name": "DetectedSonarqubeDocsApiKey", - "severity": "error", - "category": "security", - "rule_title": "generic.secrets: detected sonarqube docs api key", - "description": 
"SonarQube Docs API Key detected\n", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "detected-heroku-api-key", - "display_name": "DetectedHerokuApiKey", - "severity": "error", - "category": "security", - "rule_title": "generic.secrets: detected heroku api key", - "description": "Heroku API Key detected\n", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "detected-bcrypt-hash", - "display_name": "DetectedBcryptHash", - "severity": "error", - "category": "security", - "rule_title": "generic.secrets: detected bcrypt hash", - "description": "bcrypt hash detected\n", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "detected-hockeyapp", - "display_name": "DetectedHockeyapp", - "severity": "error", - "category": "security", - "rule_title": "generic.secrets: detected hockeyapp", - "description": "HockeyApp detected\n", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "detected-generic-secret", - "display_name": "DetectedGenericSecret", - "severity": "error", - "category": "security", - "rule_title": "generic.secrets: detected generic secret", - "description": "Generic Secret detected\n", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "detected-generic-api-key", - "display_name": "DetectedGenericApiKey", - "severity": "error", - "category": "security", - "rule_title": "generic.secrets: detected generic api key", - "description": "Generic API Key detected\n", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "detected-amazon-mws-auth-token", - "display_name": "DetectedAmazonMwsAuthToken", - "severity": "error", - "category": "security", - "rule_title": "generic.secrets: detected amazon mws auth token", - "description": "Amazon MWS Auth Token detected\n", - 
"rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "detected-mailchimp-api-key", - "display_name": "DetectedMailchimpApiKey", - "severity": "error", - "category": "security", - "rule_title": "generic.secrets: detected mailchimp api key", - "description": "MailChimp API Key detected\n", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "detected-snyk-api-key", - "display_name": "DetectedSnykApiKey", - "severity": "error", - "category": "security", - "rule_title": "generic.secrets: detected snyk api key", - "description": "Snyk API Key detected\n", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "detected-square-oauth-secret", - "display_name": "DetectedSquareOauthSecret", - "severity": "error", - "category": "security", - "rule_title": "generic.secrets: detected square oauth secret", - "description": "Square OAuth Secret detected\n", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "detected-npm-token", - "display_name": "DetectedNpmToken", - "severity": "error", - "category": "security", - "rule_title": "generic.secrets: detected npm token", - "description": "NPM token\n", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "detected-aws-secret-access-key", - "display_name": "DetectedAwsSecretAccessKey", - "severity": "error", - "category": "security", - "rule_title": "generic.secrets: detected aws secret access key", - "description": "AWS Secret Access Key detected\n", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "detected-etc-shadow", - "display_name": "DetectedEtcShadow", - "severity": "error", - "category": "security", - "rule_title": "generic.secrets: detected etc shadow", - "description": "linux shadow file detected\n", - "rule_params": null, - "solution": 
null, - "languages": [], - "labels": [] - }, - { - "real_name": "detected-paypal-braintree-access-token", - "display_name": "DetectedPaypalBraintreeAccessToken", - "severity": "error", - "category": "security", - "rule_title": "generic.secrets: detected paypal braintree access token", - "description": "PayPal Braintree Access Token detected\n", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "detected-pgp-private-key-block", - "display_name": "DetectedPgpPrivateKeyBlock", - "severity": "error", - "category": "security", - "rule_title": "generic.secrets: detected pgp private key block", - "description": "PGP private key block detected\n", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "detected-npm-registry-auth-token", - "display_name": "DetectedNpmRegistryAuthToken", - "severity": "error", - "category": "security", - "rule_title": "generic.secrets: detected npm registry auth token", - "description": "NPM registry authentication token detected\n{\"include\": [\"*npmrc*\"]}", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "detected-google-api-key", - "display_name": "DetectedGoogleApiKey", - "severity": "error", - "category": "security", - "rule_title": "generic.secrets: detected google api key", - "description": "Google API Key Detected\n", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "detected-twitter-access-token", - "display_name": "DetectedTwitterAccessToken", - "severity": "error", - "category": "security", - "rule_title": "generic.secrets: detected twitter access token", - "description": "Twitter Access Token detected\n", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "detected-softlayer-api-key", - "display_name": "DetectedSoftlayerApiKey", - "severity": "error", - "category": "security", - 
"rule_title": "generic.secrets: detected softlayer api key", - "description": "SoftLayer API Key detected\n", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "detected-ssh-password", - "display_name": "DetectedSshPassword", - "severity": "error", - "category": "security", - "rule_title": "generic.secrets: detected ssh password", - "description": "SSH Password detected\n", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "detected-slack-webhook", - "display_name": "DetectedSlackWebhook", - "severity": "error", - "category": "security", - "rule_title": "generic.secrets: detected slack webhook", - "description": "Slack Webhook detected\n", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "detected-google-gcm-service-account", - "display_name": "DetectedGoogleGcmServiceAccount", - "severity": "error", - "category": "security", - "rule_title": "generic.secrets: detected google gcm service account", - "description": "Google (GCM) Service account detected\n", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "detected-jwt-token", - "display_name": "DetectedJwtToken", - "severity": "error", - "category": "security", - "rule_title": "generic.secrets: detected jwt token", - "description": "JWT token detected\n", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "detected-artifactory-password", - "display_name": "DetectedArtifactoryPassword", - "severity": "error", - "category": "security", - "rule_title": "generic.secrets: detected artifactory password", - "description": "Artifactory token detected\n", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "detected-kolide-api-key", - "display_name": "DetectedKolideApiKey", - "severity": "error", - "category": "security", - 
"rule_title": "generic.secrets: detected kolide api key", - "description": "Kolide API Key detected\n", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "detected-aws-account-id", - "display_name": "DetectedAwsAccountId", - "severity": "error", - "category": "security", - "rule_title": "generic.secrets: detected aws account id", - "description": "AWS Account ID detected. This is a sensitive credential and should not be hardcoded here. Instead, read the value from an environment variable or keep the value in a separate, private file.\n", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "detected-facebook-oauth", - "display_name": "DetectedFacebookOauth", - "severity": "error", - "category": "security", - "rule_title": "generic.secrets: detected facebook oauth", - "description": "Facebook OAuth detected\n", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "detected-google-oauth-access-token", - "display_name": "DetectedGoogleOauthAccessToken", - "severity": "error", - "category": "security", - "rule_title": "generic.secrets: detected google oauth access token", - "description": "Google OAuth Access Token detected\n", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "detected-twitter-oauth", - "display_name": "DetectedTwitterOauth", - "severity": "error", - "category": "security", - "rule_title": "generic.secrets: detected twitter oauth", - "description": "Twitter OAuth detected\n", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "detected-facebook-access-token", - "display_name": "DetectedFacebookAccessToken", - "severity": "error", - "category": "security", - "rule_title": "generic.secrets: detected facebook access token", - "description": "Facebook Access Token detected\n", - "rule_params": null, - 
"solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "detected-github-token", - "display_name": "DetectedGithubToken", - "severity": "error", - "category": "security", - "rule_title": "generic.secrets: detected github token", - "description": "GitHub Token detected\n", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "detected-sendgrid-api-key", - "display_name": "DetectedSendgridApiKey", - "severity": "error", - "category": "security", - "rule_title": "generic.secrets: detected sendgrid api key", - "description": "SendGrid API Key detected\n", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "detected-aws-appsync-graphql-key", - "display_name": "DetectedAwsAppsyncGraphqlKey", - "severity": "error", - "category": "security", - "rule_title": "generic.secrets: detected aws appsync graphql key", - "description": "AWS AppSync GraphQL Key detected\n", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "detected-stripe-api-key", - "display_name": "DetectedStripeApiKey", - "severity": "error", - "category": "security", - "rule_title": "generic.secrets: detected stripe api key", - "description": "Stripe API Key detected\n", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "detected-google-cloud-api-key", - "display_name": "DetectedGoogleCloudApiKey", - "severity": "error", - "category": "security", - "rule_title": "generic.secrets: detected google cloud api key", - "description": "Google Cloud API Key detected\n", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "detected-username-and-password-in-uri", - "display_name": "DetectedUsernameAndPasswordInUri", - "severity": "error", - "category": "security", - "rule_title": "generic.secrets: detected username and password in uri", - "description": 
"Username and password in URI detected\n", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "detected-aws-session-token", - "display_name": "DetectedAwsSessionToken", - "severity": "error", - "category": "security", - "rule_title": "generic.secrets: detected aws session token", - "description": "AWS Session Token detected\n", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "detected-square-access-token", - "display_name": "DetectedSquareAccessToken", - "severity": "error", - "category": "security", - "rule_title": "generic.secrets: detected square access token", - "description": "Square Access Token detected\n", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "detected-private-key", - "display_name": "DetectedPrivateKey", - "severity": "error", - "category": "security", - "rule_title": "generic.secrets: detected private key", - "description": "Private Key detected. This is a sensitive credential and should not be hardcoded here. 
Instead, store this in a separate, private file.\n", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "detected-twilio-api-key", - "display_name": "DetectedTwilioApiKey", - "severity": "error", - "category": "security", - "rule_title": "generic.secrets: detected twilio api key", - "description": "Twilio API Key detected\n", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "detected-google-oauth-url", - "display_name": "DetectedGoogleOauthUrl", - "severity": "error", - "category": "security", - "rule_title": "generic.secrets: detected google oauth url", - "description": "Google OAuth url detected\n", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "detected-picatic-api-key", - "display_name": "DetectedPicaticApiKey", - "severity": "error", - "category": "security", - "rule_title": "generic.secrets: detected picatic api key", - "description": "Picatic API Key detected\n", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "detected-slack-token", - "display_name": "DetectedSlackToken", - "severity": "error", - "category": "security", - "rule_title": "generic.secrets: detected slack token", - "description": "Slack Token detected\n", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "detected-telegram-bot-api-key", - "display_name": "DetectedTelegramBotApiKey", - "severity": "error", - "category": "security", - "rule_title": "generic.secrets: detected telegram bot api key", - "description": "Telegram Bot API Key detected\n", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "detected-mailgun-api-key", - "display_name": "DetectedMailgunApiKey", - "severity": "error", - "category": "security", - "rule_title": "generic.secrets: detected mailgun api key", - 
"description": "Mailgun API Key detected\n", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "detected-stripe-restricted-api-key", - "display_name": "DetectedStripeRestrictedApiKey", - "severity": "error", - "category": "security", - "rule_title": "generic.secrets: detected stripe restricted api key", - "description": "Stripe Restricted API Key detected\n", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "detected-aws-access-key-id-value", - "display_name": "DetectedAwsAccessKeyIdValue", - "severity": "error", - "category": "security", - "rule_title": "generic.secrets: detected aws access key id value", - "description": "AWS Access Key ID Value detected. This is a sensitive credential and should not be hardcoded here. Instead, read this value from an environment variable or keep it in a separate, private file.\n", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "request-host-used", - "display_name": "RequestHostUsed", - "severity": "warning", - "category": "security", - "rule_title": "generic.nginx: request host used", - "description": "'$http_host' and '$host' variables may contain a malicious value from attacker controlled 'Host' request header. Use an explicitly configured host value or a allowlist for validation.\n{\"include\": [\"*conf*\", \"*nginx*\", \"*vhost*\", \"sites-available/*\", \"sites-enabled/*\"]}", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "header-redefinition", - "display_name": "HeaderRedefinition", - "severity": "warning", - "category": "security", - "rule_title": "generic.nginx: header redefinition", - "description": "The 'add_header' directive is called in a 'location' block after headers have been set at the server block. 
Calling 'add_header' in the location block will actually overwrite the headers defined in the server block, no matter which headers are set. To fix this, explicitly set all headers or set all headers in the server block.\n{\"include\": [\"*.conf\", \"*.vhost\", \"sites-available/*\", \"sites-enabled/*\"]}", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "missing-ssl-version", - "display_name": "MissingSslVersion", - "severity": "warning", - "category": "security", - "rule_title": "generic.nginx: missing ssl version", - "description": "This server configuration is missing the 'ssl_protocols' directive. By default, this server will use 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2', and versions older than TLSv1.2 are known to be broken. Explicitly specify 'ssl_protocols TLSv1.2 TLSv1.3' to use secure TLS versions.\n{\"include\": [\"*.conf\", \"*.vhost\", \"sites-available/*\", \"sites-enabled/*\"]}", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "header-injection", - "display_name": "HeaderInjection", - "severity": "error", - "category": "security", - "rule_title": "generic.nginx: header injection", - "description": "The $$VARIABLE path parameter is added as a header in the response. This could allow an attacker to inject a newline and add a new header into the response. This is called HTTP response splitting. To fix, do not allow whitespace in the path parameter: '[^\\s]+'.\n{\"include\": [\"*.conf\", \"*.vhost\", \"sites-available/*\", \"sites-enabled/*\"]}", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "dynamic-proxy-scheme", - "display_name": "DynamicProxyScheme", - "severity": "warning", - "category": "security", - "rule_title": "generic.nginx: dynamic proxy scheme", - "description": "The protocol scheme for this proxy is dynamically determined. 
This can be dangerous if the scheme can be injected by an attacker because it may forcibly alter the connection scheme. Consider hardcoding a scheme for this proxy.\n{\"include\": [\"*.conf\", \"*.vhost\", \"sites-available/*\", \"sites-enabled/*\"]}", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "insecure-ssl-version", - "display_name": "InsecureSslVersion", - "severity": "warning", - "category": "security", - "rule_title": "generic.nginx: insecure ssl version", - "description": "Detected use of an insecure SSL version. Secure SSL versions are TLSv1.2 and TLS1.3; older versions are known to be broken and are susceptible to attacks. Prefer use of TLSv1.2 or later.\n{\"include\": [\"*.conf\", \"*.vhost\", \"sites-available/*\", \"sites-enabled/*\"]}", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "insecure-redirect", - "display_name": "InsecureRedirect", - "severity": "warning", - "category": "security", - "rule_title": "generic.nginx: insecure redirect", - "description": "Detected an insecure redirect in this nginx configuration. If no scheme is specified, nginx will forward the request with the incoming scheme. This could result in unencrypted communications. To fix this, include the 'https' scheme.\n{\"include\": [\"*.conf\", \"*.vhost\", \"sites-available/*\", \"sites-enabled/*\"]}", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "possible-nginx-h2c-smuggling", - "display_name": "PossibleNginxH2cSmuggling", - "severity": "warning", - "category": "security", - "rule_title": "generic.nginx: possible nginx h2c smuggling", - "description": "Conditions for Nginx H2C smuggling identified. 
H2C smuggling allows upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections which can allow a bypass of reverse proxy access controls,and lead to long-lived, unrestricted HTTP traffic directly to back-end servers. To mitigate: WebSocket support required: Allow only the value websocket for HTTP/1.1 upgrade headers (e.g., Upgrade: websocket). WebSocket support not required: Do not forward Upgrade headers.\n{\"include\": [\"*.conf\", \"*.vhost\", \"sites-available/*\", \"sites-enabled/*\"]}", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "alias-path-traversal", - "display_name": "AliasPathTraversal", - "severity": "warning", - "category": "security", - "rule_title": "generic.nginx: alias path traversal", - "description": "The alias in this location block is subject to a path traversal because the location path does not end in a path separator (e.g., '/'). To fix, add a path separator to the end of the path.\n{\"include\": [\"*.conf\", \"*.vhost\", \"sites-available/*\", \"sites-enabled/*\"]}", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "dynamic-proxy-host", - "display_name": "DynamicProxyHost", - "severity": "warning", - "category": "security", - "rule_title": "generic.nginx: dynamic proxy host", - "description": "The host for this proxy URL is dynamically determined. This can be dangerous if the host can be injected by an attacker because it may forcibly alter destination of the proxy. 
Consider hardcoding acceptable destinations and retrieving them with 'map' or something similar.\n{\"include\": [\"*.conf\", \"*.vhost\", \"sites-available/*\", \"sites-enabled/*\"]}", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "missing-internal", - "display_name": "MissingInternal", - "severity": "warning", - "category": "security", - "rule_title": "generic.nginx: missing internal", - "description": "This location block contains a 'proxy_pass' directive but does not contain the 'internal' directive. The 'internal' directive restricts access to this location to internal requests. Without 'internal', an attacker could use your server for server-side request forgeries (SSRF). Include the 'internal' directive in this block to limit exposure.\n{\"include\": [\"*.conf\", \"*.vhost\", \"sites-available/*\", \"sites-enabled/*\"]}", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - "real_name": "allow-privilege-escalation", - "display_name": "AllowPrivilegeEscalation", - "severity": "warning", - "category": "security", - "rule_title": "kubernetes: allow privilege escalation", - "rule_params": null, - "custom": true, - "languages": [], - "solution": null, - "owner": null, - "labels": [], - "description": "Container allows for privilege escalation via setuid or setgid binaries.\nAdd 'allowPrivilegeEscalation: false' in 'securityContext' to prevent this.", - "disable": false - }, - { - "real_name": "exposing-docker-socket-hostpath", - "display_name": "ExposingDockerSocketHostpath", - "severity": "warning", - "category": "security", - "rule_title": "kubernetes: exposing docker socket hostpath", - "rule_params": null, - "custom": true, - "languages": [], - "solution": null, - "owner": null, - "labels": [], - "description": "Exposing host's Docker socket to containers via a volume. The owner of this\nsocket is root. 
Giving someone access to it is equivalent to giving\nunrestricted root access to your host. Remove 'docker.sock' from hostpath to\nprevent this.", - "disable": false - }, - { - "real_name": "hostipc-pod", - "display_name": "HostipcPod", - "severity": "warning", - "category": "security", - "rule_title": "kubernetes: hostipc pod", - "rule_params": null, - "custom": true, - "languages": [], - "solution": null, - "owner": null, - "labels": [], - "description": "Pod is sharing the host IPC namespace. This allows container processes\nto communicate with processes on the host which reduces isolation and\nbypasses container protection models. Remove the 'hostIPC' key to disable\nthis functionality.", - "disable": false - }, - { - "real_name": "hostnetwork-pod", - "display_name": "HostnetworkPod", - "severity": "warning", - "category": "security", - "rule_title": "kubernetes: hostnetwork pod", - "rule_params": null, - "custom": true, - "languages": [], - "solution": null, - "owner": null, - "labels": [], - "description": "Pod may use the node network namespace. This gives the pod access to the\nloopback device, services listening on localhost, and could be used to\nsnoop on network activity of other pods on the same node. Remove the\n'hostNetwork' key to disable this functionality.", - "disable": false - }, - { - "real_name": "hostpid-pod", - "display_name": "HostpidPod", - "severity": "warning", - "category": "security", - "rule_title": "kubernetes: hostpid pod", - "rule_params": null, - "custom": true, - "languages": [], - "solution": null, - "owner": null, - "labels": [], - "description": "Pod is sharing the host process ID namespace. When paired with ptrace\nthis can be used to escalate privileges outside of the container. 
Remove\nthe 'hostPID' key to disable this functionality.", - "disable": false - }, - { - "real_name": "no-fractional-cpu-limits", - "display_name": "NoFractionalCpuLimits", - "severity": "warning", - "category": "correctness", - "rule_title": "kubernetes: no fractional cpu limits", - "rule_params": null, - "custom": true, - "languages": [], - "solution": null, - "owner": null, - "labels": [], - "description": "When you set a fractional CPU limit on a container,\nthe CPU cycles available will be throttled,\neven though most nodes can handle processes\nalternating between using 100% of the CPU.", - "disable": false - }, - { - "real_name": "privileged-container", - "display_name": "PrivilegedContainer", - "severity": "warning", - "category": "security", - "rule_title": "kubernetes: privileged container", - "rule_params": null, - "custom": true, - "languages": [], - "solution": null, - "owner": null, - "labels": [], - "description": "Container or pod is running in privileged mode. This grants the\ncontainer the equivalent of root capabilities on the host machine. This\ncan lead to container escapes, privilege escalation, and other security\nconcerns. Remove the 'privileged' key to disable this capability.", - "disable": false - }, - { - "real_name": "run-as-non-root", - "display_name": "RunAsNonRoot", - "severity": "warning", - "category": "security", - "rule_title": "kubernetes: run as non root", - "rule_params": null, - "custom": true, - "languages": [], - "solution": null, - "owner": null, - "labels": [], - "description": "Container allows for running applications as root. This can result in\nprivilege escalation attacks. 
Add 'runAsNonRoot: true' in 'securityContext'\nto prevent this.", - "disable": false - }, - { - "real_name": "seccomp-confinement-disabled", - "display_name": "SeccompConfinementDisabled", - "severity": "warning", - "category": "security", - "rule_title": "kubernetes: seccomp confinement disabled", - "rule_params": null, - "custom": true, - "languages": [], - "solution": null, - "owner": null, - "labels": [], - "description": "Container is explicitly disabling seccomp confinement. This runs the\nservice in an unrestricted state. Remove 'seccompProfile: unconfined' to\nprevent this.", - "disable": false - }, - { - "real_name": "skip-tls-verify-cluster", - "display_name": "SkipTlsVerifyCluster", - "severity": "warning", - "category": "security", - "rule_title": "kubernetes: skip tls verify cluster", - "rule_params": null, - "custom": true, - "languages": [], - "solution": null, - "owner": null, - "labels": [], - "description": "Cluster is disabling TLS certificate verification when communicating with\nthe server. This makes your HTTPS connections insecure. Remove the\n'insecure-skip-tls-verify: true' key to secure communication.", - "disable": false - }, - { - "real_name": "skip-tls-verify-service", - "display_name": "SkipTlsVerifyService", - "severity": "warning", - "category": "security", - "rule_title": "kubernetes: skip tls verify service", - "rule_params": null, - "custom": true, - "languages": [], - "solution": null, - "owner": null, - "labels": [], - "description": "Service is disabling TLS certificate verification when communicating with\nthe server. This makes your HTTPS connections insecure. 
Remove the\n'insecureSkipTLSVerify: true' key to secure communication.", - "disable": false - }, - { - "real_name": "writable-filesystem-container", - "display_name": "WritableFilesystemContainer", - "severity": "warning", - "category": "security", - "rule_title": "kubernetes: writable filesystem container", - "rule_params": null, - "custom": true, - "languages": [], - "solution": null, - "owner": null, - "labels": [], - "description": "Container is running with a writable root filesystem. This may\nallow malicious applications to download and run additional payloads, or\nmodify container files. If an application inside a container has to save\nsomething temporarily consider using a tmpfs. Add 'readOnlyRootFilesystem: true'\nto this container to prevent this.", - "disable": false - }, - { - "real_name": "admzip_path_overwrite", - "display_name": "AdmzipPathOverwrite", - "severity": "error", - "category": "security", - "rule_title": "njsscan: admzip path overwrite", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Insecure ZIP archive extraction using adm-zip can result in arbitrary path over write and can result in code injection.", - "disable": false - }, - { - "real_name": "anti_csrf_control", - "display_name": "AntiCsrfControl", - "severity": "info", - "category": "security", - "rule_title": "njsscan: anti csrf control", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "This application has anti CSRF protection which prevents cross site request forgery attacks.", - "disable": false - }, - { - "real_name": "buffer_noassert", - "display_name": "BufferNoassert", - "severity": "warning", - "category": "security", - "rule_title": "njsscan: buffer noassert", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - 
"description": "Detected usage of noassert in Buffer API, which allows the offset the be beyond the end of the buffer. This could result in writing or reading beyond the end of the buffer.", - "disable": false - }, - { - "real_name": "cookie_session_default", - "display_name": "CookieSessionDefault", - "severity": "info", - "category": "security", - "rule_title": "njsscan: cookie session default", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Consider changing the default session cookie name. An attacker can use it to fingerprint the server and target attacks accordingly.", - "disable": false - }, - { - "real_name": "cookie_session_no_domain", - "display_name": "CookieSessionNoDomain", - "severity": "info", - "category": "security", - "rule_title": "njsscan: cookie session no domain", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Default session middleware settings: `domain` not set. It indicates the domain of the cookie; use it to compare against the domain of the server in which the URL is being requested. If they match, then check the path attribute next.", - "disable": false - }, - { - "real_name": "cookie_session_no_httponly", - "display_name": "CookieSessionNoHttponly", - "severity": "warning", - "category": "security", - "rule_title": "njsscan: cookie session no httponly", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Session middleware settings: `httpOnly` is explicitly set to false. 
It ensures that sensitive cookies cannot be accessed by client side JavaScript and helps to protect against cross-site scripting attacks.", - "disable": false - }, - { - "real_name": "cookie_session_no_maxage", - "display_name": "CookieSessionNoMaxage", - "severity": "info", - "category": "security", - "rule_title": "njsscan: cookie session no maxage", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Session middleware settings: `maxAge` not set. Use it to set expiration date for cookies.", - "disable": false - }, - { - "real_name": "cookie_session_no_path", - "display_name": "CookieSessionNoPath", - "severity": "info", - "category": "security", - "rule_title": "njsscan: cookie session no path", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Default session middleware settings: `path` not set. It indicates the path of the cookie; use it to compare against the request path. If this and domain match, then send the cookie in the request.", - "disable": false - }, - { - "real_name": "cookie_session_no_samesite", - "display_name": "CookieSessionNoSamesite", - "severity": "warning", - "category": "security", - "rule_title": "njsscan: cookie session no samesite", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Default session middleware settings: `sameSite` attribute is not configured to strict or lax. 
These configurations provides protection against Cross Site Request Forgery attacks.", - "disable": false - }, - { - "real_name": "cookie_session_no_secure", - "display_name": "CookieSessionNoSecure", - "severity": "warning", - "category": "security", - "rule_title": "njsscan: cookie session no secure", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Default session middleware settings: `secure` not set. It ensures the browser only sends the cookie over HTTPS.", - "disable": false - }, - { - "real_name": "electron_allow_http", - "display_name": "ElectronAllowHttp", - "severity": "error", - "category": "security", - "rule_title": "njsscan: electron allow http", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Application can load content over HTTP and that makes the app vulnerable to Man in the middle attacks.", - "disable": false - }, - { - "real_name": "electron_blink_integration", - "display_name": "ElectronBlinkIntegration", - "severity": "warning", - "category": "security", - "rule_title": "njsscan: electron blink integration", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Blink's expirimental features are enabled in this application. 
Some of the features may affect the security of the application.", - "disable": false - }, - { - "real_name": "electron_context_isolation", - "display_name": "ElectronContextIsolation", - "severity": "warning", - "category": "security", - "rule_title": "njsscan: electron context isolation", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Disabling context isolation can introduce Prototype Pollution vulnerabilities.", - "disable": false - }, - { - "real_name": "electron_disable_websecurity", - "display_name": "ElectronDisableWebsecurity", - "severity": "error", - "category": "security", - "rule_title": "njsscan: electron disable websecurity", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Disabling webSecurity will disable the same-origin policy and allows the execution of insecure code from any domain.", - "disable": false - }, - { - "real_name": "electron_experimental_features", - "display_name": "ElectronExperimentalFeatures", - "severity": "warning", - "category": "security", - "rule_title": "njsscan: electron experimental features", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Experimental features are not expected to be in production ready applications.", - "disable": false - }, - { - "real_name": "electron_nodejs_integration", - "display_name": "ElectronNodejsIntegration", - "severity": "warning", - "category": "security", - "rule_title": "njsscan: electron nodejs integration", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Node integration exposes node.js APIs to the electron app and this can introduce remote code execution vulnerabilities to the application if the app is vulnerable to 
Cross Site Scripting (XSS).", - "disable": false - }, - { - "real_name": "eval_nodejs", - "display_name": "EvalNodejs", - "severity": "error", - "category": "security", - "rule_title": "njsscan: eval nodejs", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "User controlled data in eval() or similar functions may result in Server Side Injection or Remote Code Injection", - "disable": false - }, - { - "real_name": "eval_require", - "display_name": "EvalRequire", - "severity": "error", - "category": "security", - "rule_title": "njsscan: eval require", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Untrusted user input in `require()` function allows an attacker to load arbitrary code.", - "disable": false - }, - { - "real_name": "express_bodyparser", - "display_name": "ExpressBodyparser", - "severity": "error", - "category": "security", - "rule_title": "njsscan: express bodyparser", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "POST Request to Express Body Parser 'bodyParser()' can create Temporary files and consume space.", - "disable": false - }, - { - "real_name": "express_cors", - "display_name": "ExpressCors", - "severity": "warning", - "category": "security", - "rule_title": "njsscan: express cors", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Access-Control-Allow-Origin response header is set to \"*\". 
This will disable CORS Same Origin Policy restrictions.", - "disable": false - }, - { - "real_name": "express_lfr", - "display_name": "ExpressLfr", - "severity": "error", - "category": "security", - "rule_title": "njsscan: express lfr", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Untrusted user input in express render() function can result in arbitrary file read when hbs templating is used.", - "disable": false - }, - { - "real_name": "express_lfr_warning", - "display_name": "ExpressLfrWarning", - "severity": "warning", - "category": "security", - "rule_title": "njsscan: express lfr warning", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Untrusted user input in express render() function can result in arbitrary file read if hbs templating is used.", - "disable": false - }, - { - "real_name": "express_open_redirect", - "display_name": "ExpressOpenRedirect", - "severity": "error", - "category": "security", - "rule_title": "njsscan: express open redirect", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Untrusted user input in redirect() can result in Open Redirect vulnerability.", - "disable": false - }, - { - "real_name": "express_open_redirect2", - "display_name": "ExpressOpenRedirect2", - "severity": "error", - "category": "security", - "rule_title": "njsscan: express open redirect2", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Untrusted user input in response header('Location') can result in Open Redirect vulnerability.", - "disable": false - }, - { - "real_name": "express_xss", - "display_name": "ExpressXss", - "severity": "error", - "category": "security", - "rule_title": "njsscan: 
express xss", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Untrusted User Input in Response will result in Reflected Cross Site Scripting Vulnerability.", - "disable": false - }, - { - "real_name": "generic_cors", - "display_name": "GenericCors", - "severity": "warning", - "category": "security", - "rule_title": "njsscan: generic cors", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions.", - "disable": false - }, - { - "real_name": "generic_error_disclosure", - "display_name": "GenericErrorDisclosure", - "severity": "warning", - "category": "security", - "rule_title": "njsscan: generic error disclosure", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Error messages with stack traces may expose sensitive information about the application.", - "disable": false - }, - { - "real_name": "generic_header_injection", - "display_name": "GenericHeaderInjection", - "severity": "error", - "category": "security", - "rule_title": "njsscan: generic header injection", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Untrusted user input in response header will result in HTTP Header Injection or Response Splitting Attacks.", - "disable": false - }, - { - "real_name": "generic_os_command_exec", - "display_name": "GenericOsCommandExec", - "severity": "error", - "category": "security", - "rule_title": "njsscan: generic os command exec", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "User controlled data in 
'child_process.exec()' can result in Remote OS Command Execution.", - "disable": false - }, - { - "real_name": "generic_path_traversal", - "display_name": "GenericPathTraversal", - "severity": "error", - "category": "security", - "rule_title": "njsscan: generic path traversal", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Untrusted user input in readFile()/readFileSync() can endup in Directory Traversal Attacks.", - "disable": false - }, - { - "real_name": "grpc_insecure_connection", - "display_name": "GrpcInsecureConnection", - "severity": "error", - "category": "security", - "rule_title": "njsscan: grpc insecure connection", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Found an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine.", - "disable": false - }, - { - "real_name": "handlebars_noescape", - "display_name": "HandlebarsNoescape", - "severity": "error", - "category": "security", - "rule_title": "njsscan: handlebars noescape", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Disabling Escaping in Handlebars is not a secure behaviour. This can introduce XSS vulnerabilties.", - "disable": false - }, - { - "real_name": "handlebars_safestring", - "display_name": "HandlebarsSafestring", - "severity": "error", - "category": "security", - "rule_title": "njsscan: handlebars safestring", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Handlebars SafeString will not escape the data passed through it. 
Untrusted user input passing through SafeString can cause XSS.", - "disable": false - }, - { - "real_name": "hardcoded_jwt_secret", - "display_name": "HardcodedJwtSecret", - "severity": "error", - "category": "security", - "rule_title": "njsscan: hardcoded jwt secret", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Hardcoded JWT secret was found. Store it properly in an environment variable.", - "disable": false - }, - { - "real_name": "hardcoded_passport_secret", - "display_name": "HardcodedPassportSecret", - "severity": "error", - "category": "security", - "rule_title": "njsscan: hardcoded passport secret", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Hardcoded plain text secret used for Passport Strategy. Store it properly in an environment variable.", - "disable": false - }, - { - "real_name": "header_xss_generic", - "display_name": "HeaderXssGeneric", - "severity": "error", - "category": "security", - "rule_title": "njsscan: header xss generic", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "X-XSS-Protection header is set to 0. This will disable the browser's XSS Filter.", - "disable": false - }, - { - "real_name": "header_xss_lusca", - "display_name": "HeaderXssLusca", - "severity": "error", - "category": "security", - "rule_title": "njsscan: header xss lusca", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "X-XSS-Protection header is set to 0. 
This will disable the browser's XSS Filter.", - "disable": false - }, - { - "real_name": "helmet_feature_disabled", - "display_name": "HelmetFeatureDisabled", - "severity": "warning", - "category": "security", - "rule_title": "njsscan: helmet feature disabled", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "One or more Security Response header is explicitly disabled in Helmet.", - "disable": false - }, - { - "real_name": "helmet_header_check_crossdomain", - "display_name": "HelmetHeaderCheckCrossdomain", - "severity": "info", - "category": "security", - "rule_title": "njsscan: helmet header check crossdomain", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "X-Permitted-Cross-Domain-Policies header set to off. More information: https://helmetjs.github.io/docs/crossdomain/", - "disable": false - }, - { - "real_name": "helmet_header_check_csp", - "display_name": "HelmetHeaderCheckCsp", - "severity": "info", - "category": "security", - "rule_title": "njsscan: helmet header check csp", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Content Security Policy header is present. More Information: https://helmetjs.github.io/docs/csp/", - "disable": false - }, - { - "real_name": "helmet_header_check_expect_ct", - "display_name": "HelmetHeaderCheckExpectCt", - "severity": "info", - "category": "security", - "rule_title": "njsscan: helmet header check expect ct", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Expect-CT header is present. 
More information: https://helmetjs.github.io/docs/expect-ct/", - "disable": false - }, - { - "real_name": "helmet_header_dns_prefetch", - "display_name": "HelmetHeaderDnsPrefetch", - "severity": "info", - "category": "security", - "rule_title": "njsscan: helmet header dns prefetch", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "X-DNS-Prefetch-Control header is present and DNS Prefetch Control is enabled. More information: https://helmetjs.github.io/docs/dns-prefetch-control/", - "disable": false - }, - { - "real_name": "helmet_header_feature_policy", - "display_name": "HelmetHeaderFeaturePolicy", - "severity": "info", - "category": "security", - "rule_title": "njsscan: helmet header feature policy", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Feature-Policy header is present. More information: https://helmetjs.github.io/docs/feature-policy/", - "disable": false - }, - { - "real_name": "helmet_header_frame_guard", - "display_name": "HelmetHeaderFrameGuard", - "severity": "info", - "category": "security", - "rule_title": "njsscan: helmet header frame guard", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "X-Frame-Options header is present. More information: https://helmetjs.github.io/docs/frameguard/", - "disable": false - }, - { - "real_name": "helmet_header_hsts", - "display_name": "HelmetHeaderHsts", - "severity": "info", - "category": "security", - "rule_title": "njsscan: helmet header hsts", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "HSTS header is present. 
More information: https://helmetjs.github.io/docs/hsts/", - "disable": false - }, - { - "real_name": "helmet_header_ienoopen", - "display_name": "HelmetHeaderIenoopen", - "severity": "info", - "category": "security", - "rule_title": "njsscan: helmet header ienoopen", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "X-Download-Options header is present. More information: https://helmetjs.github.io/docs/ienoopen/", - "disable": false - }, - { - "real_name": "helmet_header_nosniff", - "display_name": "HelmetHeaderNosniff", - "severity": "info", - "category": "security", - "rule_title": "njsscan: helmet header nosniff", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Content-Type-Options header is present. More information: https://helmetjs.github.io/docs/dont-sniff-mimetype/", - "disable": false - }, - { - "real_name": "helmet_header_referrer_policy", - "display_name": "HelmetHeaderReferrerPolicy", - "severity": "info", - "category": "security", - "rule_title": "njsscan: helmet header referrer policy", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Referrer-Policy header is present. More information: https://helmetjs.github.io/docs/referrer-policy/", - "disable": false - }, - { - "real_name": "helmet_header_xss_filter", - "display_name": "HelmetHeaderXssFilter", - "severity": "info", - "category": "security", - "rule_title": "njsscan: helmet header xss filter", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "X-XSS-Protection header is present. 
More information: https://helmetjs.github.io/docs/xss-filter/", - "disable": false - }, - { - "real_name": "helmet_header_x_powered_by", - "display_name": "HelmetHeaderXPoweredBy", - "severity": "info", - "category": "security", - "rule_title": "njsscan: helmet header x powered by", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Default X-Powered-By is removed or modified. More information: https://helmetjs.github.io/docs/hide-powered-by/", - "disable": false - }, - { - "real_name": "host_header_injection", - "display_name": "HostHeaderInjection", - "severity": "error", - "category": "security", - "rule_title": "njsscan: host header injection", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Using untrusted Host header for generating dynamic URLs can result in web cache and or password reset poisoning.", - "disable": false - }, - { - "real_name": "join_resolve_path_traversal", - "display_name": "JoinResolvePathTraversal", - "severity": "warning", - "category": "security", - "rule_title": "njsscan: join resolve path traversal", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Path constructed with user input can result in Path Traversal. Ensure that user input does not reach `join()` or `resolve()`.", - "disable": false - }, - { - "real_name": "jwt_exposed_credentials", - "display_name": "JwtExposedCredentials", - "severity": "error", - "category": "security", - "rule_title": "njsscan: jwt exposed credentials", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. 
Do not store passwords in JWT tokens.", - "disable": false - }, - { - "real_name": "jwt_exposed_data", - "display_name": "JwtExposedData", - "severity": "warning", - "category": "security", - "rule_title": "njsscan: jwt exposed data", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "The object is passed strictly to jose.JWT.sign(...). Make sure that sensitive information is not exposed through JWT token payload.", - "disable": false - }, - { - "real_name": "jwt_express_hardcoded", - "display_name": "JwtExpressHardcoded", - "severity": "error", - "category": "security", - "rule_title": "njsscan: jwt express hardcoded", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Hardcoded JWT secret or private key was found. Store it properly in an environment variable.", - "disable": false - }, - { - "real_name": "jwt_not_revoked", - "display_name": "JwtNotRevoked", - "severity": "warning", - "category": "security", - "rule_title": "njsscan: jwt not revoked", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "No token revoking configured for `express-jwt`. A leaked token could still be used and unable to be revoked. Consider using function as the `isRevoked` option.", - "disable": false - }, - { - "real_name": "layer7_object_dos", - "display_name": "Layer7ObjectDos", - "severity": "error", - "category": "security", - "rule_title": "njsscan: layer7 object dos", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Layer7 Denial of Service. 
Looping over user controlled objects can result in DoS.", - "disable": false - }, - { - "real_name": "node_aes_ecb", - "display_name": "NodeAesEcb", - "severity": "error", - "category": "security", - "rule_title": "njsscan: node aes ecb", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "AES with ECB mode is deterministic in nature and not suitable for encrypting large amount of repetitive data.", - "disable": false - }, - { - "real_name": "node_aes_noiv", - "display_name": "NodeAesNoiv", - "severity": "warning", - "category": "security", - "rule_title": "njsscan: node aes noiv", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "AES algorithms requires an initialization vector (IV). Providing no or null IV in some implementation results to a 0 IV. Use of a deterministic IV makes dictionary attacks easier.", - "disable": false - }, - { - "real_name": "node_api_key", - "display_name": "NodeApiKey", - "severity": "error", - "category": "security", - "rule_title": "njsscan: node api key", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "A hardcoded API Key is identified. 
Store it properly in an environment variable.", - "disable": false - }, - { - "real_name": "node_curl_ssl_verify_disable", - "display_name": "NodeCurlSslVerifyDisable", - "severity": "error", - "category": "security", - "rule_title": "njsscan: node curl ssl verify disable", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "SSL Certificate verification for node-curl is disabled.", - "disable": false - }, - { - "real_name": "node_deserialize", - "display_name": "NodeDeserialize", - "severity": "error", - "category": "security", - "rule_title": "njsscan: node deserialize", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "User controlled data in 'unserialize()' or 'deserialize()' function can result in Object Injection or Remote Code Injection.", - "disable": false - }, - { - "real_name": "node_entity_expansion", - "display_name": "NodeEntityExpansion", - "severity": "error", - "category": "security", - "rule_title": "njsscan: node entity expansion", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "User controlled data in XML Parsers can result in XML Internal Entity Processing vulnerabilities like in DoS.", - "disable": false - }, - { - "real_name": "node_error_disclosure", - "display_name": "NodeErrorDisclosure", - "severity": "error", - "category": "security", - "rule_title": "njsscan: node error disclosure", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Error messages with stack traces can expose sensitive information about the application.", - "disable": false - }, - { - "real_name": "node_insecure_random_generator", - "display_name": "NodeInsecureRandomGenerator", - "severity": "warning", - 
"category": "security", - "rule_title": "njsscan: node insecure random generator", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "crypto.pseudoRandomBytes()/Math.random() is a cryptographically weak random number generator.", - "disable": false - }, - { - "real_name": "node_jwt_none_algorithm", - "display_name": "NodeJwtNoneAlgorithm", - "severity": "error", - "category": "security", - "rule_title": "njsscan: node jwt none algorithm", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Algorithm is set to none for JWT token. This can nullify the integrity of JWT signature.", - "disable": false - }, - { - "real_name": "node_knex_sqli_injection", - "display_name": "NodeKnexSqliInjection", - "severity": "error", - "category": "security", - "rule_title": "njsscan: node knex sqli injection", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Untrusted input concatinated with raw SQL query using knex raw() or whereRaw() functions can result in SQL Injection.", - "disable": false - }, - { - "real_name": "node_logic_bypass", - "display_name": "NodeLogicBypass", - "severity": "error", - "category": "security", - "rule_title": "njsscan: node logic bypass", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "User controlled data is used for application business logic decision making. 
This expose protected data or functionality.", - "disable": false - }, - { - "real_name": "node_md5", - "display_name": "NodeMd5", - "severity": "warning", - "category": "security", - "rule_title": "njsscan: node md5", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "MD5 is a a weak hash which is known to have collision. Use a strong hashing function.", - "disable": false - }, - { - "real_name": "node_nosqli_injection", - "display_name": "NodeNosqliInjection", - "severity": "error", - "category": "security", - "rule_title": "njsscan: node nosqli injection", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Untrusted user input in findOne() function can result in NoSQL Injection.", - "disable": false - }, - { - "real_name": "node_nosqli_js_injection", - "display_name": "NodeNosqliJsInjection", - "severity": "error", - "category": "security", - "rule_title": "njsscan: node nosqli js injection", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Untrusted user input in MongoDB $where operator can result in NoSQL JavaScript Injection.", - "disable": false - }, - { - "real_name": "node_password", - "display_name": "NodePassword", - "severity": "error", - "category": "security", - "rule_title": "njsscan: node password", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "A hardcoded password in plain text is identified. 
Store it properly in an environment variable.", - "disable": false - }, - { - "real_name": "node_secret", - "display_name": "NodeSecret", - "severity": "error", - "category": "security", - "rule_title": "njsscan: node secret", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "A hardcoded secret is identified. Store it properly in an environment variable.", - "disable": false - }, - { - "real_name": "node_sha1", - "display_name": "NodeSha1", - "severity": "warning", - "category": "security", - "rule_title": "njsscan: node sha1", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "SHA1 is a a weak hash which is known to have collision. Use a strong hashing function.", - "disable": false - }, - { - "real_name": "node_sqli_injection", - "display_name": "NodeSqliInjection", - "severity": "error", - "category": "security", - "rule_title": "njsscan: node sqli injection", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Untrusted input concatinated with raw SQL query can result in SQL Injection.", - "disable": false - }, - { - "real_name": "node_ssrf", - "display_name": "NodeSsrf", - "severity": "error", - "category": "security", - "rule_title": "njsscan: node ssrf", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "User controlled URL in http client libraries can result in Server Side Request Forgery (SSRF).", - "disable": false - }, - { - "real_name": "node_timing_attack", - "display_name": "NodeTimingAttack", - "severity": "warning", - "category": "security", - "rule_title": "njsscan: node timing attack", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - 
"labels": [], - "description": "String comparisons using '===', '!==', '!=' and '==' is vulnerable to timing attacks. More info: https://snyk.io/blog/node-js-timing-attack-ccc-ctf/", - "disable": false - }, - { - "real_name": "node_tls_reject", - "display_name": "NodeTlsReject", - "severity": "error", - "category": "security", - "rule_title": "njsscan: node tls reject", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Setting 'NODE_TLS_REJECT_UNAUTHORIZED' to 0 will allow node server to accept self signed certificates and is not a secure behaviour.", - "disable": false - }, - { - "real_name": "node_username", - "display_name": "NodeUsername", - "severity": "error", - "category": "security", - "rule_title": "njsscan: node username", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "A hardcoded username in plain text is identified. Store it properly in an environment variable.", - "disable": false - }, - { - "real_name": "node_weak_crypto", - "display_name": "NodeWeakCrypto", - "severity": "error", - "category": "security", - "rule_title": "njsscan: node weak crypto", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "A weak or broken cryptographic algorithm was identified. 
Using these functions will introduce vulnerabilities or downgrade the security of your application.", - "disable": false - }, - { - "real_name": "node_xpath_injection", - "display_name": "NodeXpathInjection", - "severity": "error", - "category": "security", - "rule_title": "njsscan: node xpath injection", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "User controlled data in xpath.parse() can result in XPATH injection vulnerability.", - "disable": false - }, - { - "real_name": "node_xxe", - "display_name": "NodeXxe", - "severity": "error", - "category": "security", - "rule_title": "njsscan: node xxe", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "User controlled data in XML parsers can result in XML External or Internal Entity (XXE) Processing vulnerabilities", - "disable": false - }, - { - "real_name": "phantom_ssrf", - "display_name": "PhantomSsrf", - "severity": "error", - "category": "security", - "rule_title": "njsscan: phantom ssrf", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "If unverified user data can reach the `phantom` methods it can result in Server-Side Request Forgery vulnerabilities.", - "disable": false - }, - { - "real_name": "playwright_ssrf", - "display_name": "PlaywrightSsrf", - "severity": "error", - "category": "security", - "rule_title": "njsscan: playwright ssrf", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "If unverified user data can reach the `puppeteer` methods it can result in Server-Side Request Forgery vulnerabilities.", - "disable": false - }, - { - "real_name": "puppeteer_ssrf", - "display_name": "PuppeteerSsrf", - "severity": "error", - "category": 
"security", - "rule_title": "njsscan: puppeteer ssrf", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "If unverified user data can reach the `puppeteer` methods it can result in Server-Side Request Forgery vulnerabilities.", - "disable": false - }, - { - "real_name": "rate_limit_control", - "display_name": "RateLimitControl", - "severity": "info", - "category": "security", - "rule_title": "njsscan: rate limit control", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "This application has API rate limiting controls.", - "disable": false - }, - { - "real_name": "regex_dos", - "display_name": "RegexDos", - "severity": "warning", - "category": "security", - "rule_title": "njsscan: regex dos", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Ensure that the regex used to compare with user supplied input is safe from regular expression denial of service.", - "disable": false - }, - { - "real_name": "regex_injection_dos", - "display_name": "RegexInjectionDos", - "severity": "error", - "category": "security", - "rule_title": "njsscan: regex injection dos", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "User controlled data in RegExp() can make the application vulnerable to layer 7 DoS.", - "disable": false - }, - { - "real_name": "sandbox_code_injection", - "display_name": "SandboxCodeInjection", - "severity": "error", - "category": "security", - "rule_title": "njsscan: sandbox code injection", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Unrusted data in `sandbox` can result in code injection.", - "disable": false 
- }, - { - "real_name": "sequelize_tls", - "display_name": "SequelizeTls", - "severity": "warning", - "category": "security", - "rule_title": "njsscan: sequelize tls", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "The Sequelize connection string indicates that database server does not use TLS. Non TLS connections are susceptible to man in the middle (MITM) attacks.", - "disable": false - }, - { - "real_name": "sequelize_tls_cert_validation", - "display_name": "SequelizeTlsCertValidation", - "severity": "error", - "category": "security", - "rule_title": "njsscan: sequelize tls cert validation", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "The Sequelize connection string indicates that TLS certificate vailidation of database server is disabled. This is equivalent to not having TLS. An attacker can present any invalid certificate and Sequelize will make database connection ignoring certificate errors. This setting make the connection susceptible to man in the middle (MITM) attacks. Not applicable to SQLite database.", - "disable": false - }, - { - "real_name": "sequelize_weak_tls", - "display_name": "SequelizeWeakTls", - "severity": "error", - "category": "security", - "rule_title": "njsscan: sequelize weak tls", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "The Sequelize connection string indicates that an older version of TLS is in use. TLS1.0 and TLS1.1 are deprecated and should be used. By default, Sequelize use TLSv1.2 but it's recommended to use TLS1.3. 
Not applicable to SQLite database.", - "disable": false - }, - { - "real_name": "serializetojs_deserialize", - "display_name": "SerializetojsDeserialize", - "severity": "error", - "category": "security", - "rule_title": "njsscan: serializetojs deserialize", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "User controlled data in 'unserialize()' or 'deserialize()' function can result in Object Injection or Remote Code Injection.", - "disable": false - }, - { - "real_name": "server_side_template_injection", - "display_name": "ServerSideTemplateInjection", - "severity": "error", - "category": "security", - "rule_title": "njsscan: server side template injection", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Untrusted user input in templating engine's compile() function can result in Remote Code Execution via server side template injection.", - "disable": false - }, - { - "real_name": "shelljs_os_command_exec", - "display_name": "ShelljsOsCommandExec", - "severity": "error", - "category": "security", - "rule_title": "njsscan: shelljs os command exec", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "User controlled data in 'shelljs.exec()' can result in Remote OS Command Execution.", - "disable": false - }, - { - "real_name": "squirrelly_autoescape", - "display_name": "SquirrellyAutoescape", - "severity": "error", - "category": "security", - "rule_title": "njsscan: squirrelly autoescape", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Handlebars SafeString will not escape the data passed through it. 
Untrusted user input passing through SafeString can cause XSS.", - "disable": false - }, - { - "real_name": "tar_path_overwrite", - "display_name": "TarPathOverwrite", - "severity": "error", - "category": "security", - "rule_title": "njsscan: tar path overwrite", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Insecure TAR archive extraction can result in arbitrary path over write and can result in code injection.", - "disable": false - }, - { - "real_name": "vm2_code_injection", - "display_name": "Vm2CodeInjection", - "severity": "warning", - "category": "security", - "rule_title": "njsscan: vm2 code injection", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Untrusted user input reaching `vm2` can result in code injection.", - "disable": false - }, - { - "real_name": "vm2_context_injection", - "display_name": "Vm2ContextInjection", - "severity": "error", - "category": "security", - "rule_title": "njsscan: vm2 context injection", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Untrusted user input reaching `vm2` sandbox can result in context injection.", - "disable": false - }, - { - "real_name": "vm_code_injection", - "display_name": "VmCodeInjection", - "severity": "error", - "category": "security", - "rule_title": "njsscan: vm code injection", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Untrusted user input reaching `vm` can result in code injection.", - "disable": false - }, - { - "real_name": "vm_compilefunction_injection", - "display_name": "VmCompilefunctionInjection", - "severity": "error", - "category": "security", - "rule_title": "njsscan: vm compilefunction injection", - 
"rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Untrusted user input in `vm.compileFunction()` can result in code injection.", - "disable": false - }, - { - "real_name": "vm_runincontext_injection", - "display_name": "VmRunincontextInjection", - "severity": "error", - "category": "security", - "rule_title": "njsscan: vm runincontext injection", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Untrusted user input in `vm.runInContext()` can result in code injection.", - "disable": false - }, - { - "real_name": "vm_runinnewcontext_injection", - "display_name": "VmRuninnewcontextInjection", - "severity": "error", - "category": "security", - "rule_title": "njsscan: vm runinnewcontext injection", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Untrusted user input in `vm.runInNewContext()` can result in code injection.", - "disable": false - }, - { - "real_name": "wkhtmltoimage_ssrf", - "display_name": "WkhtmltoimageSsrf", - "severity": "error", - "category": "security", - "rule_title": "njsscan: wkhtmltoimage ssrf", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "User controlled URL reached to `wkhtmltoimage` can result in Server Side Request Forgery (SSRF).", - "disable": false - }, - { - "real_name": "wkhtmltopdf_ssrf", - "display_name": "WkhtmltopdfSsrf", - "severity": "error", - "category": "security", - "rule_title": "njsscan: wkhtmltopdf ssrf", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "User controlled URL reached to `wkhtmltopdf` can result in Server Side Request Forgery (SSRF).", - "disable": false - }, 
- { - "real_name": "xss_disable_mustache_escape", - "display_name": "XssDisableMustacheEscape", - "severity": "warning", - "category": "security", - "rule_title": "njsscan: xss disable mustache escape", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Markup escaping disabled. This can be used with some template engines to escape disabling of HTML entities, which can lead to XSS attacks.", - "disable": false - }, - { - "real_name": "xss_serialize_javascript", - "display_name": "XssSerializeJavascript", - "severity": "warning", - "category": "security", - "rule_title": "njsscan: xss serialize javascript", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Untrusted user input reaching `serialize-javascript` with `unsafe` attribute can cause Cross Site Scripting (XSS).", - "disable": false - }, - { - "real_name": "xxe_expat", - "display_name": "XxeExpat", - "severity": "error", - "category": "security", - "rule_title": "njsscan: xxe expat", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities.", - "disable": false - }, - { - "real_name": "xxe_sax", - "display_name": "XxeSax", - "severity": "warning", - "category": "security", - "rule_title": "njsscan: xxe sax", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Use of 'ondoctype' in 'sax' library detected. By default, 'sax' won't do anything with custom DTD entity definitions. 
If you're implementing a custom DTD entity definition, be sure not to introduce XML External Entity (XXE) vulnerabilities, or be absolutely sure that external entities received from a trusted source while processing XML.", - "disable": false - }, - { - "real_name": "xxe_xml2json", - "display_name": "XxeXml2json", - "severity": "error", - "category": "security", - "rule_title": "njsscan: xxe xml2json", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities.", - "disable": false - }, - { - "real_name": "yaml_deserialize", - "display_name": "YamlDeserialize", - "severity": "error", - "category": "security", - "rule_title": "njsscan: yaml deserialize", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "User controlled data in 'yaml.load()' function can result in Remote Code Injection.", - "disable": false - }, - { - "real_name": "zip_path_overwrite", - "display_name": "ZipPathOverwrite", - "severity": "error", - "category": "security", - "rule_title": "njsscan: zip path overwrite", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Insecure ZIP archive extraction can result in arbitrary path over write and can result in code injection.", - "disable": false - }, - { - "real_name": "zip_path_overwrite2", - "display_name": "ZipPathOverwrite2", - "severity": "error", - "category": "security", - "rule_title": "njsscan: zip path overwrite2", - "rule_params": null, - "custom": true, - "languages": [ - "js" - ], - "solution": null, - "owner": null, - "labels": [], - "description": "Insecure ZIP archive extraction can result in arbitrary path over write and can result 
in code injection.", - "disable": false - }, - { - "real_name": "owasp.java.ssrf.java.net.url", - "display_name": "Owasp.java.ssrf.java.net.url", - "severity": "error", - "category": "security", - "rule_title": "contrib.owasp: owasp.java.ssrf.java.net.url", - "description": "A parameter being passed directly into java.net.URL function most likely lead to SSRF.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "owasp.java.ssrf.org.apache.commons.httpclient", - "display_name": "Owasp.java.ssrf.org.apache.commons.httpclient", - "severity": "error", - "category": "security", - "rule_title": "contrib.owasp: owasp.java.ssrf.org.apache.commons.httpclient", - "description": "A parameter being passed directly into HttpClient functions most likely lead to SSRF.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "owasp.java.ssrf.org.apache.http.impl.client.CloseableHttpClient", - "display_name": "Owasp.java.ssrf.org.apache.http.impl.client.closeablehttpclient", - "severity": "error", - "category": "security", - "rule_title": "contrib.owasp: owasp.java.ssrf.org.apache.http.impl.client.CloseableHttpClient", - "description": "A parameter being passed directly into CloseableHttpClient functions most likely lead to SSRF.\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "owasp.java.ssrf.possible.import.statements", - "display_name": "Owasp.java.ssrf.possible.import.statements", - "severity": "info", - "category": "security", - "rule_title": "contrib.owasp: owasp.java.ssrf.possible.import.statements", - "description": "Non-exhaustive list of Libraries that provide functionality to accept URL as a parameter\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "owasp.java.xxe.org.apache.commons.digester3.Digester", - 
"display_name": "Owasp.java.xxe.org.apache.commons.digester3.digester", - "severity": "error", - "category": "security", - "rule_title": "contrib.owasp: owasp.java.xxe.org.apache.commons.digester3.Digester", - "description": "Digester being instantiated without calling the setFeature functions that are generally used for disabling entity processing\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "owasp.java.xxe.javax.xml.parsers.DocumentBuilderFactory", - "display_name": "Owasp.java.xxe.javax.xml.parsers.documentbuilderfactory", - "severity": "error", - "category": "security", - "rule_title": "contrib.owasp: owasp.java.xxe.javax.xml.parsers.DocumentBuilderFactory", - "description": "DocumentBuilderFactory being instantiated without calling the setFeature functions that are generally used for disabling entity processing\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "owasp.java.xxe.javax.xml.stream.XMLInputFactory", - "display_name": "Owasp.java.xxe.javax.xml.stream.xmlinputfactory", - "severity": "warning", - "category": "security", - "rule_title": "contrib.owasp: owasp.java.xxe.javax.xml.stream.XMLInputFactory", - "description": "XMLInputFactory being instantiated without calling the setProperty functions that are generally used for disabling entity processing\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "owasp.java.xxe.org.jdom2.input.SAXBuilder", - "display_name": "Owasp.java.xxe.org.jdom2.input.saxbuilder", - "severity": "error", - "category": "security", - "rule_title": "contrib.owasp: owasp.java.xxe.org.jdom2.input.SAXBuilder", - "description": "SAXBuilder being instantiated without calling the setFeature functions that are generally used for disabling entity processing\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - 
"labels": [] - }, - { - "real_name": "owasp.java.xxe.org.dom4j.io.SAXReader", - "display_name": "Owasp.java.xxe.org.dom4j.io.saxreader", - "severity": "error", - "category": "security", - "rule_title": "contrib.owasp: owasp.java.xxe.org.dom4j.io.SAXReader", - "description": "SAXReader being instantiated without calling the setFeature functions that are generally used for disabling entity processing\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "owasp.java.xxe.possible.import.statements", - "display_name": "Owasp.java.xxe.possible.import.statements", - "severity": "info", - "category": "security", - "rule_title": "contrib.owasp: owasp.java.xxe.possible.import.statements", - "description": "Non-exhaustive list of Libraries that provide functionality to accept XML as an input\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "owasp.java.xxe.javax.xml.parsers.SAXParserFactory", - "display_name": "Owasp.java.xxe.javax.xml.parsers.saxparserfactory", - "severity": "error", - "category": "security", - "rule_title": "contrib.owasp: owasp.java.xxe.javax.xml.parsers.SAXParserFactory", - "description": "SAXParserFactory being instantiated without calling the setFeature functions that are generally used for disabling entity processing\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "owasp.java.xxe.org.xml.sax.XMLReader", - "display_name": "Owasp.java.xxe.org.xml.sax.xmlreader", - "severity": "error", - "category": "security", - "rule_title": "contrib.owasp: owasp.java.xxe.org.xml.sax.XMLReader", - "description": "XMLReader being instantiated without calling the setFeature functions that are generally used for disabling entity processing\n", - "rule_params": null, - "solution": null, - "languages": [ - "java" - ], - "labels": [] - }, - { - "real_name": "insecure-pickle-use", 
- "display_name": "InsecurePickleUse", - "severity": "warning", - "category": "security", - "rule_title": "contrib.dlint: insecure pickle use", - "description": "The Python 'pickle' module is not secure against maliciously constructed input\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "insecure-eval-use", - "display_name": "InsecureEvalUse", - "severity": "warning", - "category": "security", - "rule_title": "contrib.dlint: insecure eval use", - "description": "The Python 'eval' function is not secure against maliciously constructed input\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "insecure-exec-use", - "display_name": "InsecureExecUse", - "severity": "warning", - "category": "security", - "rule_title": "contrib.dlint: insecure exec use", - "description": "The Python 'exec' function is not secure against maliciously constructed input\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "insecure-os-exec-use", - "display_name": "InsecureOsExecUse", - "severity": "warning", - "category": "security", - "rule_title": "contrib.dlint: insecure os exec use", - "description": "The Python 'os' execution functions are not secure against maliciously constructed input\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "insecure-os-temp-use", - "display_name": "InsecureOsTempUse", - "severity": "warning", - "category": "security", - "rule_title": "contrib.dlint: insecure os temp use", - "description": "The Python 'os' tempnam|tmpnam functions are vulnerable to symlink attacks\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "insecure-xml-use", - "display_name": "InsecureXmlUse", - "severity": "warning", - "category": "security", - 
"rule_title": "contrib.dlint: insecure xml use", - "description": "Insecure XML parsing functionality, prefer 'defusedxml'\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "insecure-yaml-use", - "display_name": "InsecureYamlUse", - "severity": "warning", - "category": "security", - "rule_title": "contrib.dlint: insecure yaml use", - "description": "The Python 'yaml' module's `load`, `load_all`, `dump`, and `dump_all` functions are not secure against maliciously constructed input\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "insecure-compile-use", - "display_name": "InsecureCompileUse", - "severity": "warning", - "category": "security", - "rule_title": "contrib.dlint: insecure compile use", - "description": "The Python 'compile' function is not secure against maliciously constructed input\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "insecure-zipfile-use", - "display_name": "InsecureZipfileUse", - "severity": "warning", - "category": "security", - "rule_title": "contrib.dlint: insecure zipfile use", - "description": "The Python 'zipfile' extract|extractall functions are vulnerable to arbitrary file overwrites\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "insecure-tarfile-use", - "display_name": "InsecureTarfileUse", - "severity": "warning", - "category": "security", - "rule_title": "contrib.dlint: insecure tarfile use", - "description": "The Python 'tarfile' extract|extractall functions are vulnerable to arbitrary file overwrites\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "insecure-subprocess-use", - "display_name": "InsecureSubprocessUse", - "severity": "warning", - "category": "security", - 
"rule_title": "contrib.dlint: insecure subprocess use", - "description": "The Python 'subprocess' module called with 'shell=True' may allow for shell injection\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "insecure-dl-use", - "display_name": "InsecureDlUse", - "severity": "warning", - "category": "security", - "rule_title": "contrib.dlint: insecure dl use", - "description": "The Python 'dl' module may cause segmentation faults or other incorrect behavior\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "insecure-gl-use", - "display_name": "InsecureGlUse", - "severity": "warning", - "category": "security", - "rule_title": "contrib.dlint: insecure gl use", - "description": "The Python 'gl' module may cause core dumps or other unsafe behavior\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "insecure-shelve-use", - "display_name": "InsecureShelveUse", - "severity": "warning", - "category": "security", - "rule_title": "contrib.dlint: insecure shelve use", - "description": "The Python 'shelve' module is not secure against maliciously constructed input\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "insecure-marshal-use", - "display_name": "InsecureMarshalUse", - "severity": "warning", - "category": "security", - "rule_title": "contrib.dlint: insecure marshal use", - "description": "The Python 'marshal' module is not secure against maliciously constructed input\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "insecure-tempfile-use", - "display_name": "InsecureTempfileUse", - "severity": "warning", - "category": "security", - "rule_title": "contrib.dlint: insecure tempfile use", - "description": "The Python 
'tempfile.mktemp' function allows for race conditions\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "insecure-ssl-use", - "display_name": "InsecureSslUse", - "severity": "warning", - "category": "security", - "rule_title": "contrib.dlint: insecure ssl use", - "description": "Weak or insecure 'ssl' module usage\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "insecure-requests-use", - "display_name": "InsecureRequestsUse", - "severity": "warning", - "category": "security", - "rule_title": "contrib.dlint: insecure requests use", - "description": "The Python third-party 'requests' module used with SSL verification disabled\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "insecure-simplexmlrpcserver-use", - "display_name": "InsecureSimplexmlrpcserverUse", - "severity": "warning", - "category": "security", - "rule_title": "contrib.dlint: insecure simplexmlrpcserver use", - "description": "The Python 'xmlrpc' module used with 'allow_dotted_names' is not secure against maliciously constructed input\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "insecure-commands-use", - "display_name": "InsecureCommandsUse", - "severity": "warning", - "category": "security", - "rule_title": "contrib.dlint: insecure commands use", - "description": "The Python 'commands' module is not secure against maliciously constructed input\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "insecure-popen2-use", - "display_name": "InsecurePopen2Use", - "severity": "warning", - "category": "security", - "rule_title": "contrib.dlint: insecure popen2 use", - "description": "The Python 'popen2' module is not secure against maliciously constructed input\n", 
- "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "insecure-duo-client-use", - "display_name": "InsecureDuoClientUse", - "severity": "warning", - "category": "security", - "rule_title": "contrib.dlint: insecure duo client use", - "description": "The Python third-party 'duo_client' module used with SSL verfication disabled\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "insecure-onelogin-attribute-use", - "display_name": "InsecureOneloginAttributeUse", - "severity": "warning", - "category": "security", - "rule_title": "contrib.dlint: insecure onelogin attribute use", - "description": "Weak or insecure 'onelogin' module attribute usage\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "insecure-hashlib-use", - "display_name": "InsecureHashlibUse", - "severity": "warning", - "category": "security", - "rule_title": "contrib.dlint: insecure hashlib use", - "description": "Weak or insecure 'hashlib' module usage\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "insecure-urllib3-warnings-use", - "display_name": "InsecureUrllib3WarningsUse", - "severity": "warning", - "category": "security", - "rule_title": "contrib.dlint: insecure urllib3 warnings use", - "description": "Warnings disabled on insecure network requests with Python 'urllib3' module\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "insecure-urllib3-connections-use", - "display_name": "InsecureUrllib3ConnectionsUse", - "severity": "warning", - "category": "security", - "rule_title": "contrib.dlint: insecure urllib3 connections use", - "description": "The Python 'urllib3' module used with SSL verfication disabled\n", - "rule_params": null, - "solution": null, - 
"languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "insecure-pycrypto-use", - "display_name": "InsecurePycryptoUse", - "severity": "warning", - "category": "security", - "rule_title": "contrib.dlint: insecure pycrypto use", - "description": "The Python third-party 'Crypto' module is unmaintained and has known vulnerabilities and exploits\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "insecure-cryptography-attribute-use", - "display_name": "InsecureCryptographyAttributeUse", - "severity": "warning", - "category": "security", - "rule_title": "contrib.dlint: insecure cryptography attribute use", - "description": "Weak or insecure 'cryptography' module attribute usage\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "insecure-xmlsec-attribute-use", - "display_name": "InsecureXmlsecAttributeUse", - "severity": "warning", - "category": "security", - "rule_title": "contrib.dlint: insecure xmlsec attribute use", - "description": "Weak or insecure 'xmlsec' module attribute usage\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "insecure-itsdangerous-use", - "display_name": "InsecureItsdangerousUse", - "severity": "warning", - "category": "security", - "rule_title": "contrib.dlint: insecure itsdangerous use", - "description": "The Python third-party 'itsdangerous' module used with 'none' signing algorithm\n", - "rule_params": null, - "solution": null, - "languages": [ - "python" - ], - "labels": [] - }, - { - "real_name": "viewstate-mac", - "display_name": "ViewstateMac", - "severity": "error", - "category": "correctness", - "rule_title": "contrib.csharp: viewstate mac", - "description": "The enableViewStateMac is disabled in configuration file.\n", - "rule_params": null, - "solution": null, - "languages": [], - "labels": [] - }, - { - 
"real_name": "viewstate-crypt",
- "display_name": "ViewstateCrypt",
- "severity": "warning",
- "category": "correctness",
- "rule_title": "contrib.csharp: viewstate crypt",
- "description": "Web Forms controls use hidden base64 encoded fields to store state information. If sensitive information is stored there it may be leaked to the client side.\n",
- "rule_params": null,
- "solution": null,
- "languages": [],
- "labels": []
- },
- {
- "real_name": "cookie_session_no_expires",
- "display_name": "Cookie_session_no_expires",
- "severity": "info",
- "category": "security",
- "rule_title": "contrib.nodejsscan: cookie_session_no_expires",
- "description": "Default session middleware settings: `expires` not set. Use it to set expiration date for persistent cookies.\n",
- "rule_params": null,
- "solution": null,
- "languages": [
- "js"
- ],
- "labels": []
- },
- {
- "real_name": "react_html_parser",
- "display_name": "React_html_parser",
+ "real_name": "connection-not-closed",
+ "display_name": "ConnectionNotClosed",
 "severity": "error",
 "category": "security",
- "rule_title": "contrib.react: react_html_parser",
- "description": "Untrusted user input in rendering reactHTMLParser can lead to an XSS\n",
+ "rule_title": "Connection opened without corresponding close",
+ "description": "Connection opened without corresponding close",
 "rule_params": null,
 "solution": null,
 "languages": [
- "js",
- "ts"
+ "java"
 ],
 "labels": []
 },
diff --git a/server/projects/main/apps/scan_conf/management/commands/open_source_package/log4j_vul.json b/server/projects/main/apps/scan_conf/management/commands/open_source_package/log4j_vul.json
index 65940f52cf..21a9025c06 100644
--- a/server/projects/main/apps/scan_conf/management/commands/open_source_package/log4j_vul.json
+++ b/server/projects/main/apps/scan_conf/management/commands/open_source_package/log4j_vul.json
@@ -18,13 +18,6 @@
 "rule_params": null,
 "state": "enabled"
 },
- {
- "checktool": "semgrep",
- "checkrule": "log4j-message-lookup-injection",
- "severity": "error",
- "rule_params": null,
- "state": "disabled"
- },
 {
 "checktool": "semgrep",
 "checkrule": "detected-log4j-core",
diff --git a/server/projects/main/apps/scan_conf/management/commands/open_source_package/safety_go.json b/server/projects/main/apps/scan_conf/management/commands/open_source_package/safety_go.json
deleted file mode 100644
index 4c3f25af04..0000000000
--- a/server/projects/main/apps/scan_conf/management/commands/open_source_package/safety_go.json
+++ /dev/null
@@ -1,361 +0,0 @@ -[ - { - "name": "【Go】基础安全", - "description": "go安全扫描规则包", - "revision": null, - "package_type": "official", - "languages": [ - "go" - ], - "labels": [ - "安全" - ], - "checkrule_set": [ - { - "checktool": "semgrep", - "checkrule": "avoid-bind-to-all-interfaces", - "severity": "warning", - "rule_params": null, - "state": "enabled" - }, - { - "checktool": "semgrep", - "checkrule": "avoid-ssh-insecure-ignore-host-key", - "severity": "warning", - "rule_params": null, - "state": "enabled" - }, - { - "checktool": "semgrep", - "checkrule": "bad-tmp-file-creation", - "severity": "warning", - "rule_params": null, - "state": "enabled" - }, - { - "checktool": "semgrep", - "checkrule": "cookie-missing-secure", - "severity": "warning", - "rule_params": null, - "state": "enabled" - }, - { - "checktool": "semgrep", - "checkrule": "dangerous-command-write", - "severity": "warning", - "rule_params": null, - "state": "enabled" - }, - { - "checktool": "semgrep", - "checkrule": "dangerous-exec-cmd", - "severity": "warning", - "rule_params": null, - "state": "enabled" - }, - { - "checktool": "semgrep", - "checkrule": "dangerous-exec-command", - "severity": "warning", - "rule_params": null, - "state": "enabled" - }, - { - "checktool": "semgrep", - "checkrule": "dangerous-execution", - "severity": "warning", - "rule_params": null, - "state": "enabled" - }, - { - "checktool": "semgrep", - "checkrule": "dangerous-syscall-exec", - "severity": "warning", - "rule_params": null, - "state": "enabled" - }, - { - "checktool": "semgrep", - "checkrule": "dynamic-httptrace-clienttrace", - "severity": "warning", - "rule_params": null, - "state": "enabled" - }, - { - "checktool": "semgrep", - "checkrule": "formatted-template-string", - "severity": "warning", - "rule_params": null, - "state": "enabled" - }, - { - "checktool": "semgrep", - "checkrule": "go-insecure-templates", - "severity": "warning", - "rule_params": null, - "state": "enabled" - }, - { - "checktool": "semgrep", - 
"checkrule": "gosql-sqli", - "severity": "warning", - "rule_params": null, - "state": "enabled" - }, - { - "checktool": "semgrep", - "checkrule": "grpc-client-insecure-connection", - "severity": "error", - "rule_params": null, - "state": "enabled" - }, - { - "checktool": "semgrep", - "checkrule": "grpc-server-insecure-connection", - "severity": "error", - "rule_params": null, - "state": "enabled" - }, - { - "checktool": "semgrep", - "checkrule": "hardcoded-jwt-key", - "severity": "warning", - "rule_params": null, - "state": "enabled" - }, - { - "checktool": "semgrep", - "checkrule": "import-text-template", - "severity": "warning", - "rule_params": null, - "state": "enabled" - }, - { - "checktool": "semgrep", - "checkrule": "insecure-module-used", - "severity": "warning", - "rule_params": null, - "state": "enabled" - }, - { - "checktool": "semgrep", - "checkrule": "jwt-go-none-algorithm", - "severity": "error", - "rule_params": null, - "state": "enabled" - }, - { - "checktool": "semgrep", - "checkrule": "jwt-go-parse-unverified", - "severity": "warning", - "rule_params": null, - "state": "enabled" - }, - { - "checktool": "semgrep", - "checkrule": "math-random-used", - "severity": "warning", - "rule_params": null, - "state": "enabled" - }, - { - "checktool": "semgrep", - "checkrule": "missing-ssl-minversion", - "severity": "error", - "rule_params": null, - "state": "enabled" - }, - { - "checktool": "semgrep", - "checkrule": "no-direct-write-to-responsewriter", - "severity": "warning", - "rule_params": null, - "state": "enabled" - }, - { - "checktool": "semgrep", - "checkrule": "no-fprintf-to-responsewriter", - "severity": "warning", - "rule_params": null, - "state": "enabled" - }, - { - "checktool": "semgrep", - "checkrule": "no-interpolation-in-tag", - "severity": "warning", - "rule_params": null, - "state": "enabled" - }, - { - "checktool": "semgrep", - "checkrule": "no-interpolation-js-template-string", - "severity": "warning", - "rule_params": null, - "state": 
"enabled" - }, - { - "checktool": "semgrep", - "checkrule": "no-io-writestring-to-responsewriter", - "severity": "warning", - "rule_params": null, - "state": "enabled" - }, - { - "checktool": "semgrep", - "checkrule": "no-printf-in-responsewriter", - "severity": "warning", - "rule_params": null, - "state": "enabled" - }, - { - "checktool": "semgrep", - "checkrule": "path-traversal-inside-zip-extraction", - "severity": "warning", - "rule_params": null, - "state": "enabled" - }, - { - "checktool": "semgrep", - "checkrule": "pg-orm-sqli", - "severity": "warning", - "rule_params": null, - "state": "enabled" - }, - { - "checktool": "semgrep", - "checkrule": "potential-dos-via-decompression-bomb", - "severity": "warning", - "rule_params": null, - "state": "enabled" - }, - { - "checktool": "semgrep", - "checkrule": "reflect-makefunc", - "severity": "warning", - "rule_params": null, - "state": "enabled" - }, - { - "checktool": "semgrep", - "checkrule": "session-cookie-missing-httponly", - "severity": "warning", - "rule_params": null, - "state": "enabled" - }, - { - "checktool": "semgrep", - "checkrule": "session-cookie-missing-secure", - "severity": "warning", - "rule_params": null, - "state": "enabled" - }, - { - "checktool": "semgrep", - "checkrule": "ssl-v3-is-insecure", - "severity": "error", - "rule_params": null, - "state": "enabled" - }, - { - "checktool": "semgrep", - "checkrule": "string-formatted-query", - "severity": "warning", - "rule_params": null, - "state": "enabled" - }, - { - "checktool": "semgrep", - "checkrule": "tls-with-insecure-cipher", - "severity": "warning", - "rule_params": null, - "state": "enabled" - }, - { - "checktool": "semgrep", - "checkrule": "unescaped-data-in-htmlattr", - "severity": "warning", - "rule_params": null, - "state": "enabled" - }, - { - "checktool": "semgrep", - "checkrule": "unescaped-data-in-js", - "severity": "warning", - "rule_params": null, - "state": "enabled" - }, - { - "checktool": "semgrep", - "checkrule": 
"unescaped-data-in-url",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "unsafe-reflect-by-name",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "unsafe-template-type",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "use-of-DES",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "use-of-unsafe-block",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "use-of-weak-rsa-key",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "use-tls",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "wip-xss-using-responsewriter-and-printf",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "use-of-md5",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "raw-html-format",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- }
- ],
- "open_saas": true,
- "envs": null
- }
-]
\ No newline at end of file
diff --git a/server/projects/main/apps/scan_conf/management/commands/open_source_package/safety_java.json b/server/projects/main/apps/scan_conf/management/commands/open_source_package/safety_java.json
index 7a1a0824f1..b29cc39289 100644
--- a/server/projects/main/apps/scan_conf/management/commands/open_source_package/safety_java.json
+++ b/server/projects/main/apps/scan_conf/management/commands/open_source_package/safety_java.json
@@ -11,377 +11,6 @@
 "安全"
 ],
 "checkrule_set": [
- {
- "checktool": "semgrep",
- "checkrule": "xssrequestwrapper-is-insecure",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "servletresponse-writer-xss",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "no-direct-response-writer",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "cookie-issecure-false",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "hibernate-sqli",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "jdbc-sqli",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "jdo-sqli",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "jpa-sqli",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "turbine-sqli",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "vertx-sqli",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "spring-csrf-disabled",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "unrestricted-request-mapping",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "cookie-missing-samesite",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "insecure-resteasy-deserialization",
- "severity": "warning",
-
"rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "default-resteasy-provider-abuse",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "insecure-jms-deserialization",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "object-deserialization",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "server-dangerous-class-deserialization",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "server-dangerous-object-deserialization",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "ldap-entry-poisoning",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "dangerous-groovy-shell",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "el-injection",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "ognl-injection",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "script-engine-injection",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "spel-injection",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "unvalidated-redirect",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "spring-unvalidated-redirect",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule":
"jax-rs-path-traversal",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "httpservlet-path-traversal",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "xmlinputfactory-external-entities-enabled",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "xmlinputfactory-possible-xxe",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "xml-decoder",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "jjwt-none-alg",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "formatted-sql-string",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "cookie-missing-secure-flag",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "tainted-session-from-http-request",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "cookie-missing-httponly",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "weak-random",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "use-of-md5",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "cve-2022-22965",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "tainted-sql-string",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
-
"checkrule": "tainted-file-path",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "tainted-html-string",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "owasp.java.ssrf.java.net.url",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "owasp.java.xxe.javax.xml.stream.XMLInputFactory",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "owasp.java.ssrf.org.apache.commons.httpclient",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "owasp.java.ssrf.org.apache.http.impl.client.CloseableHttpClient",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "owasp.java.xxe.org.apache.commons.digester3.Digester",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "owasp.java.xxe.javax.xml.parsers.DocumentBuilderFactory",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "owasp.java.xxe.org.jdom2.input.SAXBuilder",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "owasp.java.xxe.org.dom4j.io.SAXReader",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "owasp.java.xxe.org.xml.sax.XMLReader",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "owasp.java.xxe.javax.xml.parsers.SAXParserFactory",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
 {
 "checktool": "infer_java",
 "checkrule": "BUFFER_OVERRUN_L1",
diff --git a/server/projects/main/apps/scan_conf/management/commands/open_source_package/safety_javascript.json b/server/projects/main/apps/scan_conf/management/commands/open_source_package/safety_javascript.json
index caa63b805d..b11b71f7d3 100644
--- a/server/projects/main/apps/scan_conf/management/commands/open_source_package/safety_javascript.json
+++ b/server/projects/main/apps/scan_conf/management/commands/open_source_package/safety_javascript.json
@@ -11,377 +11,6 @@
 "安全"
 ],
 "checkrule_set": [
- {
- "checktool": "semgrep",
- "checkrule": "node-postgres-sqli",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "sequelize-raw-query",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "node_nosqli_injection",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "node_knex_sqli_injection",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "node_sqli_injection",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "dom-based-xss",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "insecure-document-method",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "insecure-innerhtml",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "raw-html-concat",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "direct-response-write",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "var-in-href",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "var-in-script-src",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "var-in-script-tag",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "escape-function-overwrite",
- "severity": "warning",
- "rule_params": null,
-
"state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "insecure-createnodesfrommarkup",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "jquery-insecure-method",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "jquery-insecure-selector",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "prohibit-jquery-html",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "express_xss",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "handlebars_safestring",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "squirrelly_autoescape",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "detect-no-csrf-before-method-override",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "express-phantom-injection",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "express-puppeteer-injection",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "express-wkhtmltoimage-injection",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "express-wkhtmltopdf-injection",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "phantom-injection",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "node_ssrf",
- "severity":
"error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "phantom_ssrf",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "playwright_ssrf",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "puppeteer_ssrf",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "wkhtmltoimage_ssrf",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "wkhtmltopdf_ssrf",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "grpc-nodejs-insecure-connection",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "serializetojs_deserialize",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "node_deserialize",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "yaml_deserialize",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "eval_nodejs",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "shelljs-exec-injection",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "server_side_template_injection",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "vm_code_injection",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "zip_path_overwrite",
- "severity": "error",
- "rule_params": null,
-
"state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "tar_path_overwrite",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "node_xpath_injection",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "generic_header_injection",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "js-open-redirect",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "express_open_redirect",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "regex_dos",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "regex_injection_dos",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "expat-xxe",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "node_xxe",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "xxe_sax",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "xxe_xml2json",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
 {
 "checktool": "kunlunM",
 "checkrule": "unserialize vulerablity",
diff --git a/server/projects/main/apps/scan_conf/management/commands/open_source_package/safety_php.json b/server/projects/main/apps/scan_conf/management/commands/open_source_package/safety_php.json
deleted file mode 100644
index 85c83be2e3..0000000000
--- a/server/projects/main/apps/scan_conf/management/commands/open_source_package/safety_php.json
+++ /dev/null
@@ -1,81 +0,0 @@
-[
- {
- "name": "【PHP】基础安全",
- "description": "PHP安全扫描规则包,包含内部工具灰度测试,需要在Mac或Linux环境使用。",
- "revision": null,
- "package_type": "official",
- "languages": [
- "php"
- ],
- "labels": [
- "安全"
- ],
- "checkrule_set": [
- {
- "checktool": "semgrep",
- "checkrule": "exec-use",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "unserialize-use",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "eval-use",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "weak-crypto",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "md5-loose-equality",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "file-inclusion",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "tainted-sql-string",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "tainted-object-instantiation",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "tainted-filename",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- }
- ],
- "open_saas": false,
- "envs": null
- }
-]
\ No newline at end of file
diff --git a/server/projects/main/apps/scan_conf/management/commands/open_source_package/safety_python.json b/server/projects/main/apps/scan_conf/management/commands/open_source_package/safety_python.json
deleted file mode 100644
index 4ddcb96c65..0000000000
--- a/server/projects/main/apps/scan_conf/management/commands/open_source_package/safety_python.json
+++ /dev/null
@@ -1,375 +0,0 @@
-[
- {
- "name": "【Python】基础安全",
- "description": "python安全扫描规则包",
- "revision": null,
- "package_type": "official",
- "languages": [
- "python"
- ],
- "labels": [
- "安全"
- ],
- "checkrule_set": [
- {
- "checktool": "semgrep",
- "checkrule": "avoid-cPickle",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "avoid-dill",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "avoid-insecure-deserialization",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "avoid-mark-safe",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "avoid-pyyaml-load",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "avoid-query-set-extra",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "avoid-raw-sql",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "avoid-unsafe-ruamel",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "avoid_send_file_without_path_sanitization",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "command-injection-os-system",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "context-autoescape-off",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "custom-expression-as-sql",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule":
"dangerous-subprocess-use",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "dangerous-system-call",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "dangerous-template-string",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "delete-where-no-execute",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "avoid_hardcoded_config_SECRET_KEY",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "disabled-cert-validation",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "eval-injection",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "exec-injection",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "flask-api-method-string-format",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "http-not-https-connection",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "insecure-deserialization",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "jwt-python-exposed-credentials",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "jwt-python-hardcoded-secret",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "jwt-python-none-alg",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
-
"checktool": "semgrep",
- "checkrule": "no-auth-over-http",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "open-redirect",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "os-system-injection",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "password-empty-string",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "path-traversal-open",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "request-session-http-in-with-context",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "request-session-with-http",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "request-with-http",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "sqlalchemy-execute-raw-query",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "ssrf-requests",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "subprocess-shell-true",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "unquoted-csv-writer",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "unverified-jwt-decode",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "unverified-ssl-context",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool":
"semgrep",
- "checkrule": "use-defused-xml",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "use-defused-xmlrpc",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "use-none-for-password-default",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "var-in-script-tag",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "template-href-var",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "render-template-string",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "raw-html-format",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "tainted-sql-string",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "formatted-sql-query",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "md5-used-as-password",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "insecure-requests-use",
- "severity": "warning",
- "rule_params": null,
- "state": "enabled"
- }
- ],
- "open_saas": true,
- "envs": null
- }
-]
\ No newline at end of file
diff --git a/server/projects/main/apps/scan_conf/management/commands/open_source_package/semgrep_sensitive.json b/server/projects/main/apps/scan_conf/management/commands/open_source_package/semgrep_sensitive.json
deleted file mode 100644
index f250eb2734..0000000000
--- a/server/projects/main/apps/scan_conf/management/commands/open_source_package/semgrep_sensitive.json
+++ /dev/null
@@ -1,353 +0,0 @@
-[
- {
- "name": "【全语种】semgrep敏感信息扫描",
- "description": "选取semgrep的secrets规则集,适用于各语言,扫描项目代码中的敏感信息。",
- "revision": null,
- "package_type": "official",
- "languages": [
- "cpp",
- "cs",
- "css",
- "Go",
- "html",
- "java",
- "js",
- "kotlin",
- "Lua",
- "oc",
- "php",
- "python",
- "ruby",
- "scala",
- "swift",
- "ts",
- "visualbasic",
- "abap",
- "apex",
- "cobol",
- "flex",
- "pli",
- "plsql",
- "rpg",
- "tsql",
- "xml",
- "dart",
- "shell"
- ],
- "labels": [
- "安全"
- ],
- "checkrule_set": [
- {
- "checktool": "semgrep",
- "checkrule": "detected-amazon-mws-auth-token",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "detected-artifactory-password",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "detected-artifactory-token",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "detected-aws-access-key-id-value",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "detected-aws-account-id",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "detected-aws-appsync-graphql-key",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "detected-aws-secret-access-key",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "detected-aws-session-token",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "detected-bcrypt-hash",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "detected-codeclimate",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "detected-etc-shadow",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "detected-facebook-access-token",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "detected-facebook-oauth",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "detected-generic-api-key",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "detected-generic-secret",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "detected-google-cloud-api-key",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "detected-google-gcm-service-account",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "detected-google-oauth-access-token",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "detected-google-oauth-url",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "detected-heroku-api-key",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "detected-hockeyapp",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "detected-mailchimp-api-key",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "detected-mailgun-api-key",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "detected-npm-registry-auth-token",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "detected-outlook-team",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "detected-paypal-braintree-access-token",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "detected-pgp-private-key-block",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "detected-picatic-api-key",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "detected-private-key",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "detected-sauce-token",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "detected-slack-token",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "detected-slack-webhook",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "detected-sonarqube-docs-api-key",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "detected-sql-dump",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "detected-square-access-token",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "detected-square-oauth-secret",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "detected-ssh-password",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "detected-stripe-api-key",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "detected-stripe-restricted-api-key",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "detected-telegram-bot-api-key",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "detected-twilio-api-key",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "detected-twitter-access-token",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "detected-twitter-oauth",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- },
- {
- "checktool": "semgrep",
- "checkrule": "detected-username-and-password-in-uri",
- "severity": "error",
- "rule_params": null,
- "state": "enabled"
- }
- ],
- "open_saas": false,
- "envs": null
- }
-]
\ No newline at end of file