h3kz-security/code_scanning_demo

Security Issue

Opened this issue · 0 comments

Rules

javascript.jose.security.jwt-hardcode.hardcoded-jwt-secret (severity: undefined)

Hardcoded JWT secret or private key is used.
This is an Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html
Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables: process.env.SECRET).

javascript.lang.security.detect-buffer-noassert.detect-buffer-noassert (severity: undefined)

Detected usage of noassert in the Buffer API, which allows the offset to be beyond the
end of the buffer. This could result in writing or reading beyond the end of the buffer.

javascript.lang.security.detect-disable-mustache-escape.detect-disable-mustache-escape (severity: undefined)

Markup escaping disabled. With some template engines this disables escaping of
HTML entities, which can lead to XSS attacks.

javascript.lang.security.detect-pseudorandombytes.detect-pseudoRandomBytes (severity: undefined)

Detected usage of crypto.pseudoRandomBytes, which does not produce secure random numbers.

python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape (severity: undefined)

Translated strings will not be escaped when rendered in a template.
This leads to a vulnerability where translators could include malicious script tags in their translations.
Consider using force_escape to explicitly escape a translated text.

javascript.lang.security.detect-no-csrf-before-method-override.detect-no-csrf-before-method-override (severity: undefined)

Detected use of express.csrf() middleware before express.methodOverride(). This can
allow GET requests (which are not checked by csrf) to turn into POST requests later.

javascript.lang.security.detect-child-process.detect-child-process (severity: undefined)

Detected non-literal calls to $EXEC(). This could lead to a command
injection vulnerability.

javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression (severity: undefined)

Detected eval(variable), which could allow a malicious actor to run arbitrary code.

javascript.sax.security.audit.sax-xxe.sax-xxe (severity: undefined)

Use of 'ondoctype' in 'sax' library detected. By default, 'sax'
won't do anything with custom DTD entity definitions. If you're
implementing a custom DTD entity definition, be sure not to introduce
XML External Entity (XXE) vulnerabilities, or be absolutely sure that
external entities are received from a trusted source while processing XML.

javascript.jose.security.jwt-exposed-credentials.jwt-exposed-credentials (severity: undefined)

Password is exposed through JWT token payload. This is not encrypted and
the password could be compromised. Do not store passwords in JWT tokens.

typescript.react.security.react-controlled-component-password.react-controlled-component-password (severity: undefined)

Password can be leaked if CSS injection exists on the page.

terraform.lang.security.ebs-unencrypted-volume.unencrypted-ebs-volume (severity: undefined)

An EBS volume is configured without encryption enabled.

javascript.lang.security.audit.unknown-value-with-script-tag.unknown-value-with-script-tag (severity: undefined)

Cannot determine what '$UNK' is and it is used with a '<script>' tag. This
could be susceptible to cross-site scripting (XSS). Ensure '$UNK' is not
externally controlled, or sanitize this data.

javascript.express.security.audit.possible-user-input-redirect.unknown-value-in-redirect (severity: undefined)

It looks like '$UNK' is read from user input and it is used as a redirect. Ensure
'$UNK' is not externally controlled, otherwise this is an open redirect.

javascript.jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret (severity: undefined)

Hardcoded JWT secret or private key is used.
This is an Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html
Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables: process.env.SECRET).

terraform.lang.security.s3-cors-all-origins.all-origins-allowed (severity: undefined)

CORS rule on bucket permits any origin.

json.aws.security.public-s3-policy-statement.public-s3-policy-statement (severity: undefined)

Detected public s3 bucket policy. This policy allows anyone to access
certain properties of or items in the bucket. Do not do this unless you
will never have sensitive data inside the bucket.

javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg (severity: undefined)

Detected use of the 'none' algorithm in a JWT token.
The 'none' algorithm assumes the integrity of the token has already
been verified. This would allow a malicious actor to forge a JWT token
that will automatically be verified. Do not explicitly use the 'none'
algorithm. Instead, use an algorithm such as 'HS256'.

typescript.react.security.audit.react-http-leak.react-http-leak (severity: undefined)

This HTML element '$EL' and attribute '$ATTR' together may load an external resource.
This means that if dynamic content can enter this attribute it may be possible for an
attacker to send HTTP requests to unintended locations which may leak data about your
users. If this element is reaching out to a known host, consider hardcoding the host
(or loading from a configuration) and appending the dynamic path.
See https://github.com/cure53/HTTPLeaks for more information.

terraform.lang.security.s3-public-rw-bucket.s3-public-rw-bucket (severity: undefined)

S3 bucket with public read-write access detected.

javascript.lang.security.detect-non-literal-require.detect-non-literal-require (severity: undefined)

Detected the use of require(variable). Calling require with a non-literal argument might
allow an attacker to load and run arbitrary code, or access arbitrary files.

javascript.jsonwebtoken.security.jwt-exposed-credentials.jwt-exposed-credentials (severity: undefined)

Password is exposed through JWT token payload. This is not encrypted and
the password could be compromised. Do not store passwords in JWT tokens.

generic.dockerfile.security.last-user-is-root.last-user-is-root (severity: undefined)

The last user in the container is 'root'. This is a security hazard because if an attacker
gains control of the container they will have root access. Switch back to another user
after running commands as 'root'.

javascript.node-expat.security.audit.expat-xxe.expat-xxe (severity: undefined)

If unverified user data can reach the XML Parser it can result in XML External or
Internal Entity (XXE) Processing vulnerabilities.

javascript.jose.security.jwt-none-alg.jwt-none-alg (severity: undefined)

Detected use of the 'none' algorithm in a JWT token.
The 'none' algorithm assumes the integrity of the token has already
been verified. This would allow a malicious actor to forge a JWT token
that will automatically be verified. Do not explicitly use the 'none'
algorithm. Instead, use an algorithm such as 'HS256'.

javascript.lang.security.spawn-git-clone.spawn-git-clone (severity: undefined)

Git allows shell commands to be specified in ext URLs for remote repositories.
For example, git clone 'ext::sh -c whoami% >&2' will execute the whoami command to try to connect to a remote repository.
Make sure that the URL is not controlled by external input.

javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection (severity: undefined)

Found an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker
could tamper with the gRPC message, which could compromise the machine.

typescript.react.security.audit.react-dangerouslysetinnerhtml.react-dangerouslysetinnerhtml (severity: undefined)

Setting HTML from code is risky because it’s easy to inadvertently expose your users to a cross-site scripting (XSS) attack.

javascript.xml2json.security.audit.xml2json-xxe.xml2json-xxe (severity: undefined)

If unverified user data can reach the XML Parser it can result in XML External or
Internal Entity (XXE) Processing vulnerabilities.

typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html (severity: undefined)

Overwriting transformLinkUri or transformImageUri to something insecure, or turning allowDangerousHtml on, will open code up to XSS vectors.

python.django.security.audit.xss.template-translate-as-no-escape.template-translate-as-no-escape (severity: undefined)

Translated strings will not be escaped when rendered in a template.
This leads to a vulnerability where translators could include malicious script tags in their translations.
Consider using force_escape to explicitly escape a translated text.

typescript.react.security.react-insecure-request.react-insecure-request (severity: undefined)

Unencrypted request over HTTP detected.

python.django.security.audit.xss.template-translate-no-escape.template-translate-no-escape (severity: undefined)

Translated strings will not be escaped when rendered in a template.
This leads to a vulnerability where translators could include malicious script tags in their translations.
Consider using force_escape to explicitly escape a translated text.

terraform.lang.security.eks-public-endpoint-enabled.eks-public-endpoint-enabled (severity: undefined)

The vpc_config resource inside the eks cluster has not explicitly disabled public endpoint access.

Details
{
    "driver": {
        "name": "semgrep",
        "rules": [
            {
                "defaultConfiguration": {
                    "level": "error"
                },
                "fullDescription": {
                    "text": "Hardcoded JWT secret or private key is used.\nThis is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html\nConsider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables: process.env.SECRET)\n"
                },
                "helpUri": "https://semgrep.dev/r/javascript.jose.security.jwt-hardcode.hardcoded-jwt-secret",
                "id": "javascript.jose.security.jwt-hardcode.hardcoded-jwt-secret",
                "name": "javascript.jose.security.jwt-hardcode.hardcoded-jwt-secret",
                "properties": {
                    "precision": "very-high",
                    "tags": [
                        "CWE-522: Insufficiently Protected Credentials",
                        "OWASP-A2: Broken Authentication"
                    ]
                },
                "shortDescription": {
                    "text": "Hardcoded JWT secret or private key is used.\nThis is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html\nConsider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables: process.env.SECRET)\n"
                }
            },
            {
                "defaultConfiguration": {
                    "level": "warning"
                },
                "fullDescription": {
                    "text": "Detected usage of noassert in Buffer API, which allows the offset the be beyond the\nend of the buffer. This could result in writing or reading beyond the end of the buffer.\n"
                },
                "helpUri": "https://semgrep.dev/r/javascript.lang.security.detect-buffer-noassert.detect-buffer-noassert",
                "id": "javascript.lang.security.detect-buffer-noassert.detect-buffer-noassert",
                "name": "javascript.lang.security.detect-buffer-noassert.detect-buffer-noassert",
                "properties": {
                    "precision": "very-high",
                    "tags": [
                        "CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer"
                    ]
                },
                "shortDescription": {
                    "text": "Detected usage of noassert in Buffer API, which allows the offset the be beyond the\nend of the buffer. This could result in writing or reading beyond the end of the buffer.\n"
                }
            },
            {
                "defaultConfiguration": {
                    "level": "warning"
                },
                "fullDescription": {
                    "text": "Markup escaping disabled. This can be used with some template engines to escape\ndisabling of HTML entities, which can lead to XSS attacks.\n"
                },
                "helpUri": "https://semgrep.dev/r/javascript.lang.security.detect-disable-mustache-escape.detect-disable-mustache-escape",
                "id": "javascript.lang.security.detect-disable-mustache-escape.detect-disable-mustache-escape",
                "name": "javascript.lang.security.detect-disable-mustache-escape.detect-disable-mustache-escape",
                "properties": {
                    "precision": "very-high",
                    "tags": [
                        "CWE-116: Improper Encoding or Escaping of Output",
                        "OWASP-A7: Cross-Site Scripting (XSS)"
                    ]
                },
                "shortDescription": {
                    "text": "Markup escaping disabled. This can be used with some template engines to escape\ndisabling of HTML entities, which can lead to XSS attacks.\n"
                }
            },
            {
                "defaultConfiguration": {
                    "level": "warning"
                },
                "fullDescription": {
                    "text": "Detected usage of crypto.pseudoRandomBytes, which does not produce secure random numbers.\n"
                },
                "helpUri": "https://semgrep.dev/r/javascript.lang.security.detect-pseudorandombytes.detect-pseudoRandomBytes",
                "id": "javascript.lang.security.detect-pseudorandombytes.detect-pseudoRandomBytes",
                "name": "javascript.lang.security.detect-pseudorandombytes.detect-pseudoRandomBytes",
                "properties": {
                    "precision": "very-high",
                    "tags": [
                        "CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
                        "OWASP-A9: Using Components with Known Vulnerabilities"
                    ]
                },
                "shortDescription": {
                    "text": "Detected usage of crypto.pseudoRandomBytes, which does not produce secure random numbers.\n"
                }
            },
            {
                "defaultConfiguration": {
                    "level": "note"
                },
                "fullDescription": {
                    "text": "Translated strings will not be escaped when rendered in a template.\nThis leads to a vulnerability where translators could include malicious script tags in their translations.\nConsider using `force_escape` to explicitly escape a translated text.\n"
                },
                "helpUri": "https://semgrep.dev/r/python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape",
                "id": "python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape",
                "name": "python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape",
                "properties": {
                    "precision": "very-high",
                    "tags": [
                        "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                        "OWASP-A7: Cross-Site Scripting (XSS)"
                    ]
                },
                "shortDescription": {
                    "text": "Translated strings will not be escaped when rendered in a template.\nThis leads to a vulnerability where translators could include malicious script tags in their translations.\nConsider using `force_escape` to explicitly escape a translated text.\n"
                }
            },
            {
                "defaultConfiguration": {
                    "level": "warning"
                },
                "fullDescription": {
                    "text": "Detected use of express.csrf() middleware before express.methodOverride(). This can\nallow GET requests (which are not checked by csrf) to turn into POST requests later.\n"
                },
                "helpUri": "https://semgrep.dev/r/javascript.lang.security.detect-no-csrf-before-method-override.detect-no-csrf-before-method-override",
                "id": "javascript.lang.security.detect-no-csrf-before-method-override.detect-no-csrf-before-method-override",
                "name": "javascript.lang.security.detect-no-csrf-before-method-override.detect-no-csrf-before-method-override",
                "properties": {
                    "precision": "very-high",
                    "tags": [
                        "CWE-352: Cross-Site Request Forgery (CSRF)"
                    ]
                },
                "shortDescription": {
                    "text": "Detected use of express.csrf() middleware before express.methodOverride(). This can\nallow GET requests (which are not checked by csrf) to turn into POST requests later.\n"
                }
            },
            {
                "defaultConfiguration": {
                    "level": "warning"
                },
                "fullDescription": {
                    "text": "Detected non-literal calls to $EXEC(). This could lead to a command\ninjection vulnerability.\n"
                },
                "helpUri": "https://semgrep.dev/r/javascript.lang.security.detect-child-process.detect-child-process",
                "id": "javascript.lang.security.detect-child-process.detect-child-process",
                "name": "javascript.lang.security.detect-child-process.detect-child-process",
                "properties": {
                    "precision": "very-high",
                    "tags": [
                        "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
                        "OWASP-A1: Injection"
                    ]
                },
                "shortDescription": {
                    "text": "Detected non-literal calls to $EXEC(). This could lead to a command\ninjection vulnerability.\n"
                }
            },
            {
                "defaultConfiguration": {
                    "level": "warning"
                },
                "fullDescription": {
                    "text": "Detected eval(variable), which could allow a malicious actor to run arbitrary code.\n"
                },
                "helpUri": "https://semgrep.dev/r/javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression",
                "id": "javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression",
                "name": "javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression",
                "properties": {
                    "precision": "very-high",
                    "tags": [
                        "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')",
                        "OWASP-A1: Injection"
                    ]
                },
                "shortDescription": {
                    "text": "Detected eval(variable), which could allow a malicious actor to run arbitrary code.\n"
                }
            },
            {
                "defaultConfiguration": {
                    "level": "warning"
                },
                "fullDescription": {
                    "text": "Use of 'ondoctype' in 'sax' library detected. By default, 'sax'\nwon't do anything with custom DTD entity definitions. If you're\nimplementing a custom DTD entity definition, be sure not to introduce\nXML External Entity (XXE) vulnerabilities, or be absolutely sure that\nexternal entities received from a trusted source while processing XML.\n"
                },
                "helpUri": "https://semgrep.dev/r/javascript.sax.security.audit.sax-xxe.sax-xxe",
                "id": "javascript.sax.security.audit.sax-xxe.sax-xxe",
                "name": "javascript.sax.security.audit.sax-xxe.sax-xxe",
                "properties": {
                    "precision": "very-high",
                    "tags": [
                        "CWE-611: Improper Restriction of XML External Entity Reference",
                        "OWASP-A4: XML External Entities (XXE)"
                    ]
                },
                "shortDescription": {
                    "text": "Use of 'ondoctype' in 'sax' library detected. By default, 'sax'\nwon't do anything with custom DTD entity definitions. If you're\nimplementing a custom DTD entity definition, be sure not to introduce\nXML External Entity (XXE) vulnerabilities, or be absolutely sure that\nexternal entities received from a trusted source while processing XML.\n"
                }
            },
            {
                "defaultConfiguration": {
                    "level": "error"
                },
                "fullDescription": {
                    "text": "Password is exposed through JWT token payload. This is not encrypted and\nthe password could be compromised. Do not store passwords in JWT tokens.\n"
                },
                "helpUri": "https://semgrep.dev/r/javascript.jose.security.jwt-exposed-credentials.jwt-exposed-credentials",
                "id": "javascript.jose.security.jwt-exposed-credentials.jwt-exposed-credentials",
                "name": "javascript.jose.security.jwt-exposed-credentials.jwt-exposed-credentials",
                "properties": {
                    "precision": "very-high",
                    "tags": [
                        "CWE-522: Insufficiently Protected Credentials",
                        "OWASP-A2: Broken Authentication"
                    ]
                },
                "shortDescription": {
                    "text": "Password is exposed through JWT token payload. This is not encrypted and\nthe password could be compromised. Do not store passwords in JWT tokens.\n"
                }
            },
            {
                "defaultConfiguration": {
                    "level": "warning"
                },
                "fullDescription": {
                    "text": "Password can be leaked if CSS injection exists on the page.\n"
                },
                "helpUri": "https://semgrep.dev/r/typescript.react.security.react-controlled-component-password.react-controlled-component-password",
                "id": "typescript.react.security.react-controlled-component-password.react-controlled-component-password",
                "name": "typescript.react.security.react-controlled-component-password.react-controlled-component-password",
                "properties": {
                    "precision": "very-high",
                    "tags": []
                },
                "shortDescription": {
                    "text": "Password can be leaked if CSS injection exists on the page.\n"
                }
            },
            {
                "defaultConfiguration": {
                    "level": "warning"
                },
                "fullDescription": {
                    "text": "An EBS volume is configured without encryption enabled.\n"
                },
                "helpUri": "https://semgrep.dev/r/terraform.lang.security.ebs-unencrypted-volume.unencrypted-ebs-volume",
                "id": "terraform.lang.security.ebs-unencrypted-volume.unencrypted-ebs-volume",
                "name": "terraform.lang.security.ebs-unencrypted-volume.unencrypted-ebs-volume",
                "properties": {
                    "precision": "very-high",
                    "tags": []
                },
                "shortDescription": {
                    "text": "An EBS volume is configured without encryption enabled.\n"
                }
            },
            {
                "defaultConfiguration": {
                    "level": "warning"
                },
                "fullDescription": {
                    "text": "Cannot determine what '$UNK' is and it is used with a '<script>' tag. This\ncould be susceptible to cross-site scripting (XSS). Ensure '$UNK' is not\nexternally controlled, or sanitize this data.\n"
                },
                "helpUri": "https://semgrep.dev/r/javascript.lang.security.audit.unknown-value-with-script-tag.unknown-value-with-script-tag",
                "id": "javascript.lang.security.audit.unknown-value-with-script-tag.unknown-value-with-script-tag",
                "name": "javascript.lang.security.audit.unknown-value-with-script-tag.unknown-value-with-script-tag",
                "properties": {
                    "precision": "very-high",
                    "tags": [
                        "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                        "OWASP-A7: Cross-Site Scripting (XSS)"
                    ]
                },
                "shortDescription": {
                    "text": "Cannot determine what '$UNK' is and it is used with a '<script>' tag. This\ncould be susceptible to cross-site scripting (XSS). Ensure '$UNK' is not\nexternally controlled, or sanitize this data.\n"
                }
            },
            {
                "defaultConfiguration": {
                    "level": "warning"
                },
                "fullDescription": {
                    "text": "It looks like '$UNK' is read from user input and it is used to as a redirect. Ensure\n'$UNK' is not externally controlled, otherwise this is an open redirect.\n"
                },
                "helpUri": "https://semgrep.dev/r/javascript.express.security.audit.possible-user-input-redirect.unknown-value-in-redirect",
                "id": "javascript.express.security.audit.possible-user-input-redirect.unknown-value-in-redirect",
                "name": "javascript.express.security.audit.possible-user-input-redirect.unknown-value-in-redirect",
                "properties": {
                    "precision": "very-high",
                    "tags": [
                        "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')",
                        "OWASP-A1: Injection"
                    ]
                },
                "shortDescription": {
                    "text": "It looks like '$UNK' is read from user input and it is used to as a redirect. Ensure\n'$UNK' is not externally controlled, otherwise this is an open redirect.\n"
                }
            },
            {
                "defaultConfiguration": {
                    "level": "error"
                },
                "fullDescription": {
                    "text": "Hardcoded JWT secret or private key is used.\nThis is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html\nConsider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables: process.env.SECRET)\n"
                },
                "helpUri": "https://semgrep.dev/r/javascript.jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret",
                "id": "javascript.jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret",
                "name": "javascript.jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret",
                "properties": {
                    "precision": "very-high",
                    "tags": [
                        "CWE-522: Insufficiently Protected Credentials",
                        "OWASP-A2: Broken Authentication"
                    ]
                },
                "shortDescription": {
                    "text": "Hardcoded JWT secret or private key is used.\nThis is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html\nConsider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables: process.env.SECRET)\n"
                }
            },
            {
                "defaultConfiguration": {
                    "level": "warning"
                },
                "fullDescription": {
                    "text": "CORS rule on bucket permits any origin"
                },
                "helpUri": "https://semgrep.dev/r/terraform.lang.security.s3-cors-all-origins.all-origins-allowed",
                "id": "terraform.lang.security.s3-cors-all-origins.all-origins-allowed",
                "name": "terraform.lang.security.s3-cors-all-origins.all-origins-allowed",
                "properties": {
                    "precision": "very-high",
                    "tags": []
                },
                "shortDescription": {
                    "text": "CORS rule on bucket permits any origin"
                }
            },
            {
                "defaultConfiguration": {
                    "level": "warning"
                },
                "fullDescription": {
                    "text": "Detected public s3 bucket policy. This policy allows anyone to access\ncertain properties of or items in the bucket. Do not do this unless you\nwill never have sensitive data inside the bucket.\n"
                },
                "helpUri": "https://semgrep.dev/r/json.aws.security.public-s3-policy-statement.public-s3-policy-statement",
                "id": "json.aws.security.public-s3-policy-statement.public-s3-policy-statement",
                "name": "json.aws.security.public-s3-policy-statement.public-s3-policy-statement",
                "properties": {
                    "precision": "very-high",
                    "tags": [
                        "CWE-264: Permissions, Privileges, and Access Controls",
                        "OWASP-A6: Security Misconfiguration"
                    ]
                },
                "shortDescription": {
                    "text": "Detected public s3 bucket policy. This policy allows anyone to access\ncertain properties of or items in the bucket. Do not do this unless you\nwill never have sensitive data inside the bucket.\n"
                }
            },
            {
                "defaultConfiguration": {
                    "level": "error"
                },
                "fullDescription": {
                    "text": "Detected use of the 'none' algorithm in a JWT token.\nThe 'none' algorithm assumes the integrity of the token has already\nbeen verified. This would allow a malicious actor to forge a JWT token\nthat will automatically be verified. Do not explicitly use the 'none'\nalgorithm. Instead, use an algorithm such as 'HS256'.\n"
                },
                "helpUri": "https://semgrep.dev/r/javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg",
                "id": "javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg",
                "name": "javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg",
                "properties": {
                    "precision": "very-high",
                    "tags": [
                        "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                        "OWASP-A2: Broken Authentication"
                    ]
                },
                "shortDescription": {
                    "text": "Detected use of the 'none' algorithm in a JWT token.\nThe 'none' algorithm assumes the integrity of the token has already\nbeen verified. This would allow a malicious actor to forge a JWT token\nthat will automatically be verified. Do not explicitly use the 'none'\nalgorithm. Instead, use an algorithm such as 'HS256'.\n"
                }
            },
            {
                "defaultConfiguration": {
                    "level": "warning"
                },
                "fullDescription": {
                    "text": "This HTML element '$EL' and attribute '$ATTR' together may load an external resource. This means that if dynamic content can enter this attribute it may be possible for an attacker to send HTTP requests to unintended locations which may leak data about your users. If this element is reaching out to a known host, consider hardcoding the host (or loading from a configuration) and appending the dynamic path. See https://github.com/cure53/HTTPLeaks for more information."
                },
                "helpUri": "https://semgrep.dev/r/typescript.react.security.audit.react-http-leak.react-http-leak",
                "id": "typescript.react.security.audit.react-http-leak.react-http-leak",
                "name": "typescript.react.security.audit.react-http-leak.react-http-leak",
                "properties": {
                    "precision": "very-high",
                    "tags": [
                        "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                        "OWASP-A3: Sensitive Data Exposure"
                    ]
                },
                "shortDescription": {
                    "text": "This HTML element '$EL' and attribute '$ATTR' together may load an external resource. This means that if dynamic content can enter this attribute it may be possible for an attacker to send HTTP requests to unintended locations which may leak data about your users. If this element is reaching out to a known host, consider hardcoding the host (or loading from a configuration) and appending the dynamic path. See https://github.com/cure53/HTTPLeaks for more information."
                }
            },
            {
                "defaultConfiguration": {
                    "level": "error"
                },
                "fullDescription": {
                    "text": "S3 bucket with public read-write access detected."
                },
                "helpUri": "https://semgrep.dev/r/terraform.lang.security.s3-public-rw-bucket.s3-public-rw-bucket",
                "id": "terraform.lang.security.s3-public-rw-bucket.s3-public-rw-bucket",
                "name": "terraform.lang.security.s3-public-rw-bucket.s3-public-rw-bucket",
                "properties": {
                    "precision": "very-high",
                    "tags": []
                },
                "shortDescription": {
                    "text": "S3 bucket with public read-write access detected."
                }
            },
            {
                "defaultConfiguration": {
                    "level": "warning"
                },
                "fullDescription": {
                    "text": "Detected the use of require(variable). Calling require with a non-literal argument might\nallow an attacker to load and run arbitrary code, or access arbitrary files.\n"
                },
                "helpUri": "https://semgrep.dev/r/javascript.lang.security.detect-non-literal-require.detect-non-literal-require",
                "id": "javascript.lang.security.detect-non-literal-require.detect-non-literal-require",
                "name": "javascript.lang.security.detect-non-literal-require.detect-non-literal-require",
                "properties": {
                    "precision": "very-high",
                    "tags": [
                        "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')",
                        "OWASP-A1: Injection"
                    ]
                },
                "shortDescription": {
                    "text": "Detected the use of require(variable). Calling require with a non-literal argument might\nallow an attacker to load and run arbitrary code, or access arbitrary files.\n"
                }
            },
            {
                "defaultConfiguration": {
                    "level": "error"
                },
                "fullDescription": {
                    "text": "Password is exposed through JWT token payload. This is not encrypted and\nthe password could be compromised. Do not store passwords in JWT tokens.\n"
                },
                "helpUri": "https://semgrep.dev/r/javascript.jsonwebtoken.security.jwt-exposed-credentials.jwt-exposed-credentials",
                "id": "javascript.jsonwebtoken.security.jwt-exposed-credentials.jwt-exposed-credentials",
                "name": "javascript.jsonwebtoken.security.jwt-exposed-credentials.jwt-exposed-credentials",
                "properties": {
                    "precision": "very-high",
                    "tags": [
                        "CWE-522: Insufficiently Protected Credentials",
                        "OWASP-A2: Broken Authentication"
                    ]
                },
                "shortDescription": {
                    "text": "Password is exposed through JWT token payload. This is not encrypted and\nthe password could be compromised. Do not store passwords in JWT tokens.\n"
                }
            },
            {
                "defaultConfiguration": {
                    "level": "error"
                },
                "fullDescription": {
                    "text": "The last user in the container is 'root'. This is a security hazard because if an attacker gains control of the container they will have root access. Switch back to another user after running commands as 'root'."
                },
                "helpUri": "https://semgrep.dev/r/generic.dockerfile.security.last-user-is-root.last-user-is-root",
                "id": "generic.dockerfile.security.last-user-is-root.last-user-is-root",
                "name": "generic.dockerfile.security.last-user-is-root.last-user-is-root",
                "properties": {
                    "precision": "very-high",
                    "tags": []
                },
                "shortDescription": {
                    "text": "The last user in the container is 'root'. This is a security hazard because if an attacker gains control of the container they will have root access. Switch back to another user after running commands as 'root'."
                }
            },
            {
                "defaultConfiguration": {
                    "level": "warning"
                },
                "fullDescription": {
                    "text": "If unverified user data can reach the XML Parser it can result in XML External or\nInternal Entity (XXE) Processing vulnerabilities\n"
                },
                "helpUri": "https://semgrep.dev/r/javascript.node-expat.security.audit.expat-xxe.expat-xxe",
                "id": "javascript.node-expat.security.audit.expat-xxe.expat-xxe",
                "name": "javascript.node-expat.security.audit.expat-xxe.expat-xxe",
                "properties": {
                    "precision": "very-high",
                    "tags": [
                        "CWE-611: Improper Restriction of XML External Entity Reference",
                        "OWASP-A4: XML External Entities (XXE)"
                    ]
                },
                "shortDescription": {
                    "text": "If unverified user data can reach the XML Parser it can result in XML External or\nInternal Entity (XXE) Processing vulnerabilities\n"
                }
            },
            {
                "defaultConfiguration": {
                    "level": "error"
                },
                "fullDescription": {
                    "text": "Detected use of the 'none' algorithm in a JWT token.\nThe 'none' algorithm assumes the integrity of the token has already\nbeen verified. This would allow a malicious actor to forge a JWT token\nthat will automatically be verified. Do not explicitly use the 'none'\nalgorithm. Instead, use an algorithm such as 'HS256'.\n"
                },
                "helpUri": "https://semgrep.dev/r/javascript.jose.security.jwt-none-alg.jwt-none-alg",
                "id": "javascript.jose.security.jwt-none-alg.jwt-none-alg",
                "name": "javascript.jose.security.jwt-none-alg.jwt-none-alg",
                "properties": {
                    "precision": "very-high",
                    "tags": [
                        "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                        "OWASP-A2: Broken Authentication"
                    ]
                },
                "shortDescription": {
                    "text": "Detected use of the 'none' algorithm in a JWT token.\nThe 'none' algorithm assumes the integrity of the token has already\nbeen verified. This would allow a malicious actor to forge a JWT token\nthat will automatically be verified. Do not explicitly use the 'none'\nalgorithm. Instead, use an algorithm such as 'HS256'.\n"
                }
            },
            {
                "defaultConfiguration": {
                    "level": "error"
                },
                "fullDescription": {
                    "text": "Git allows shell commands to be specified in ext URLs for remote repositories.\nFor example, git clone 'ext::sh -c whoami% >&2' will execute the whoami command to try to connect to a remote repository.\nMake sure that the URL is not controlled by external input.\n"
                },
                "helpUri": "https://semgrep.dev/r/javascript.lang.security.spawn-git-clone.spawn-git-clone",
                "id": "javascript.lang.security.spawn-git-clone.spawn-git-clone",
                "name": "javascript.lang.security.spawn-git-clone.spawn-git-clone",
                "properties": {
                    "precision": "very-high",
                    "tags": [
                        "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
                        "OWASP-A1: Injection"
                    ]
                },
                "shortDescription": {
                    "text": "Git allows shell commands to be specified in ext URLs for remote repositories.\nFor example, git clone 'ext::sh -c whoami% >&2' will execute the whoami command to try to connect to a remote repository.\nMake sure that the URL is not controlled by external input.\n"
                }
            },
            {
                "defaultConfiguration": {
                    "level": "error"
                },
                "fullDescription": {
                    "text": "Found an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker\ncould tamper with the gRPC message, which could compromise the machine.\n"
                },
                "helpUri": "https://semgrep.dev/r/javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection",
                "id": "javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection",
                "name": "javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection",
                "properties": {
                    "precision": "very-high",
                    "tags": [
                        "CWE-502: Deserialization of Untrusted Data",
                        "OWASP-A8: Insecure Deserialization"
                    ]
                },
                "shortDescription": {
                    "text": "Found an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker\ncould tamper with the gRPC message, which could compromise the machine.\n"
                }
            },
            {
                "defaultConfiguration": {
                    "level": "warning"
                },
                "fullDescription": {
                    "text": "Setting HTML from code is risky because it’s easy to inadvertently expose your users to a cross-site scripting (XSS) attack.\n"
                },
                "helpUri": "https://semgrep.dev/r/typescript.react.security.audit.react-dangerouslysetinnerhtml.react-dangerouslysetinnerhtml",
                "id": "typescript.react.security.audit.react-dangerouslysetinnerhtml.react-dangerouslysetinnerhtml",
                "name": "typescript.react.security.audit.react-dangerouslysetinnerhtml.react-dangerouslysetinnerhtml",
                "properties": {
                    "precision": "very-high",
                    "tags": [
                        "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                        "OWASP-A7: Cross-Site Scripting (XSS)"
                    ]
                },
                "shortDescription": {
                    "text": "Setting HTML from code is risky because it’s easy to inadvertently expose your users to a cross-site scripting (XSS) attack.\n"
                }
            },
            {
                "defaultConfiguration": {
                    "level": "warning"
                },
                "fullDescription": {
                    "text": "If unverified user data can reach the XML Parser it can result in XML External or\nInternal Entity (XXE) Processing vulnerabilities\n"
                },
                "helpUri": "https://semgrep.dev/r/javascript.xml2json.security.audit.xml2json-xxe.xml2json-xxe",
                "id": "javascript.xml2json.security.audit.xml2json-xxe.xml2json-xxe",
                "name": "javascript.xml2json.security.audit.xml2json-xxe.xml2json-xxe",
                "properties": {
                    "precision": "very-high",
                    "tags": [
                        "CWE-611: Improper Restriction of XML External Entity Reference",
                        "OWASP-A4: XML External Entities (XXE)"
                    ]
                },
                "shortDescription": {
                    "text": "If unverified user data can reach the XML Parser it can result in XML External or\nInternal Entity (XXE) Processing vulnerabilities\n"
                }
            },
            {
                "defaultConfiguration": {
                    "level": "warning"
                },
                "fullDescription": {
                    "text": "Overwriting `transformLinkUri` or `transformImageUri` to something insecure or turning `allowDangerousHtml` on, will open code up to XSS vectors.\n"
                },
                "helpUri": "https://semgrep.dev/r/typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html",
                "id": "typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html",
                "name": "typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html",
                "properties": {
                    "precision": "very-high",
                    "tags": [
                        "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                        "OWASP-A7: Cross-Site Scripting (XSS)"
                    ]
                },
                "shortDescription": {
                    "text": "Overwriting `transformLinkUri` or `transformImageUri` to something insecure or turning `allowDangerousHtml` on, will open code up to XSS vectors.\n"
                }
            },
            {
                "defaultConfiguration": {
                    "level": "note"
                },
                "fullDescription": {
                    "text": "Translated strings will not be escaped when rendered in a template.\nThis leads to a vulnerability where translators could include malicious script tags in their translations.\nConsider using `force_escape` to explicitly escape a translated text.\n"
                },
                "helpUri": "https://semgrep.dev/r/python.django.security.audit.xss.template-translate-as-no-escape.template-translate-as-no-escape",
                "id": "python.django.security.audit.xss.template-translate-as-no-escape.template-translate-as-no-escape",
                "name": "python.django.security.audit.xss.template-translate-as-no-escape.template-translate-as-no-escape",
                "properties": {
                    "precision": "very-high",
                    "tags": [
                        "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                        "OWASP-A7: Cross-Site Scripting (XSS)"
                    ]
                },
                "shortDescription": {
                    "text": "Translated strings will not be escaped when rendered in a template.\nThis leads to a vulnerability where translators could include malicious script tags in their translations.\nConsider using `force_escape` to explicitly escape a translated text.\n"
                }
            },
            {
                "defaultConfiguration": {
                    "level": "error"
                },
                "fullDescription": {
                    "text": "Unencrypted request over HTTP detected.\n"
                },
                "helpUri": "https://semgrep.dev/r/typescript.react.security.react-insecure-request.react-insecure-request",
                "id": "typescript.react.security.react-insecure-request.react-insecure-request",
                "name": "typescript.react.security.react-insecure-request.react-insecure-request",
                "properties": {
                    "precision": "very-high",
                    "tags": [
                        "CWE-319: Cleartext Transmission of Sensitive Information",
                        "OWASP-A3: Sensitive Data Exposure"
                    ]
                },
                "shortDescription": {
                    "text": "Unencrypted request over HTTP detected.\n"
                }
            },
            {
                "defaultConfiguration": {
                    "level": "note"
                },
                "fullDescription": {
                    "text": "Translated strings will not be escaped when rendered in a template.\nThis leads to a vulnerability where translators could include malicious script tags in their translations.\nConsider using `force_escape` to explicitly escape a translated text.\n"
                },
                "helpUri": "https://semgrep.dev/r/python.django.security.audit.xss.template-translate-no-escape.template-translate-no-escape",
                "id": "python.django.security.audit.xss.template-translate-no-escape.template-translate-no-escape",
                "name": "python.django.security.audit.xss.template-translate-no-escape.template-translate-no-escape",
                "properties": {
                    "precision": "very-high",
                    "tags": [
                        "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                        "OWASP-A7: Cross-Site Scripting (XSS)"
                    ]
                },
                "shortDescription": {
                    "text": "Translated strings will not be escaped when rendered in a template.\nThis leads to a vulnerability where translators could include malicious script tags in their translations.\nConsider using `force_escape` to explicitly escape a translated text.\n"
                }
            },
            {
                "defaultConfiguration": {
                    "level": "warning"
                },
                "fullDescription": {
                    "text": "The vpc_config resource inside the eks cluster has not explicitly disabled public endpoint access\n"
                },
                "helpUri": "https://semgrep.dev/r/terraform.lang.security.eks-public-endpoint-enabled.eks-public-endpoint-enabled",
                "id": "terraform.lang.security.eks-public-endpoint-enabled.eks-public-endpoint-enabled",
                "name": "terraform.lang.security.eks-public-endpoint-enabled.eks-public-endpoint-enabled",
                "properties": {
                    "precision": "very-high",
                    "tags": []
                },
                "shortDescription": {
                    "text": "The vpc_config resource inside the eks cluster has not explicitly disabled public endpoint access\n"
                }
            }
        ],
        "semanticVersion": "0.64.0"
    }
}

Results

  • javascript.lang.security.detect-child-process.detect-child-process: Detected non-literal calls to $EXEC(). This could lead to a command
    injection vulnerability.

https://github.com/h3kz-security/code_scanning_demo/blob/main/app/core/appHandler.js#L39-44

  • terraform.lang.security.ebs-unencrypted-volume.unencrypted-ebs-volume: An EBS volume is configured without encryption enabled.

https://github.com/h3kz-security/code_scanning_demo/blob/main/terraform/aws/ec2.tf#L34-34