Security Issue
Opened this issue · 0 comments
Rules
javascript.express.security.audit.possible-user-input-redirect.unknown-value-in-redirect (severity: undefined)
It looks like '$UNK' is read from user input and is used as a redirect target. Ensure '$UNK' is not externally controlled; otherwise this is an open redirect.

javascript.sax.security.audit.sax-xxe.sax-xxe (severity: undefined)
Use of 'ondoctype' in the 'sax' library detected. By default, 'sax' does nothing with custom DTD entity definitions. If you are implementing custom DTD entity handling, be sure not to introduce XML External Entity (XXE) vulnerabilities, or be absolutely sure that external entities are only received from a trusted source while processing XML.

terraform.lang.security.eks-public-endpoint-enabled.eks-public-endpoint-enabled (severity: undefined)
The vpc_config block inside the EKS cluster has not explicitly disabled public endpoint access.

terraform.lang.security.s3-public-rw-bucket.s3-public-rw-bucket (severity: undefined)
S3 bucket with public read-write access detected.

typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html (severity: undefined)
Overwriting `transformLinkUri` or `transformImageUri` with something insecure, or turning `allowDangerousHtml` on, opens the code up to XSS vectors.

javascript.lang.security.detect-no-csrf-before-method-override.detect-no-csrf-before-method-override (severity: undefined)
Detected use of express.csrf() middleware before express.methodOverride(). This can allow GET requests (which are not checked by csrf) to be turned into POST requests later.

javascript.lang.security.spawn-git-clone.spawn-git-clone (severity: undefined)
Git allows shell commands to be specified in ext:: URLs for remote repositories. For example, git clone 'ext::sh -c whoami% >&2' will execute the whoami command while trying to connect to a remote repository. Make sure the URL is not controlled by external input.

javascript.jose.security.jwt-none-alg.jwt-none-alg (severity: undefined)
Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified, which would allow a malicious actor to forge a JWT token that is accepted as verified. Do not explicitly use the 'none' algorithm; use an algorithm such as 'HS256' instead.

javascript.xml2json.security.audit.xml2json-xxe.xml2json-xxe (severity: undefined)
If unverified user data can reach the XML parser, it can result in XML External or Internal Entity (XXE) processing vulnerabilities.

javascript.lang.security.detect-pseudorandombytes.detect-pseudoRandomBytes (severity: undefined)
Detected usage of crypto.pseudoRandomBytes, which does not produce secure random numbers.

python.django.security.audit.xss.template-translate-no-escape.template-translate-no-escape (severity: undefined)
Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape translated text.

javascript.lang.security.detect-non-literal-require.detect-non-literal-require (severity: undefined)
Detected the use of require(variable). Calling require with a non-literal argument might allow an attacker to load and run arbitrary code, or access arbitrary files.

terraform.lang.security.ebs-unencrypted-volume.unencrypted-ebs-volume (severity: undefined)
An EBS volume is configured without encryption enabled.

typescript.react.security.audit.react-http-leak.react-http-leak (severity: undefined)
This HTML element '$EL' and attribute '$ATTR' together may load an external resource. If dynamic content can enter this attribute, an attacker may be able to make the browser send HTTP requests to unintended locations, which may leak data about your users. If this element is reaching out to a known host, consider hardcoding the host (or loading it from configuration) and appending the dynamic path. See https://github.com/cure53/HTTPLeaks for more information.

generic.dockerfile.security.last-user-is-root.last-user-is-root (severity: undefined)
The last user in the container is 'root'. This is a security hazard: if an attacker gains control of the container, they will have root access. Switch back to another user after running commands as 'root'.

javascript.jsonwebtoken.security.jwt-exposed-credentials.jwt-exposed-credentials (severity: undefined)
Password is exposed through the JWT token payload. The payload is not encrypted, so the password could be compromised. Do not store passwords in JWT tokens.

javascript.lang.security.detect-disable-mustache-escape.detect-disable-mustache-escape (severity: undefined)
Markup escaping disabled. With some template engines this turns off escaping of HTML entities, which can lead to XSS attacks.

javascript.lang.security.detect-child-process.detect-child-process (severity: undefined)
Detected non-literal calls to $EXEC(). This could lead to a command injection vulnerability.

javascript.lang.security.detect-buffer-noassert.detect-buffer-noassert (severity: undefined)
Detected usage of noassert in the Buffer API, which allows the offset to be beyond the end of the buffer. This could result in writing or reading beyond the end of the buffer.

typescript.react.security.audit.react-dangerouslysetinnerhtml.react-dangerouslysetinnerhtml (severity: undefined)
Setting HTML from code is risky because it is easy to inadvertently expose your users to a cross-site scripting (XSS) attack.

terraform.lang.security.s3-cors-all-origins.all-origins-allowed (severity: undefined)
CORS rule on bucket permits any origin.

javascript.jose.security.jwt-exposed-credentials.jwt-exposed-credentials (severity: undefined)
Password is exposed through the JWT token payload. The payload is not encrypted, so the password could be compromised. Do not store passwords in JWT tokens.

javascript.jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret (severity: undefined)
Hardcoded JWT secret or private key is used. This is an Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables: process.env.SECRET).

javascript.node-expat.security.audit.expat-xxe.expat-xxe (severity: undefined)
If unverified user data can reach the XML parser, it can result in XML External or Internal Entity (XXE) processing vulnerabilities.

python.django.security.audit.xss.template-translate-as-no-escape.template-translate-as-no-escape (severity: undefined)
Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape translated text.

json.aws.security.public-s3-policy-statement.public-s3-policy-statement (severity: undefined)
Detected public S3 bucket policy. This policy allows anyone to access certain properties of, or items in, the bucket. Do not do this unless you will never have sensitive data inside the bucket.

javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg (severity: undefined)
Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified, which would allow a malicious actor to forge a JWT token that is accepted as verified. Do not explicitly use the 'none' algorithm; use an algorithm such as 'HS256' instead.

typescript.react.security.react-controlled-component-password.react-controlled-component-password (severity: undefined)
Password can be leaked if CSS injection exists on the page.

python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape (severity: undefined)
Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape translated text.

javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression (severity: undefined)
Detected eval(variable), which could allow a malicious actor to run arbitrary code.

javascript.lang.security.audit.unknown-value-with-script-tag.unknown-value-with-script-tag (severity: undefined)
Cannot determine what '$UNK' is, and it is used with a '<script>' tag. This could be susceptible to cross-site scripting (XSS). Ensure '$UNK' is not externally controlled, or sanitize this data.

javascript.jose.security.jwt-hardcode.hardcoded-jwt-secret (severity: undefined)
Hardcoded JWT secret or private key is used. This is an Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables: process.env.SECRET).

typescript.react.security.react-insecure-request.react-insecure-request (severity: undefined)
Unencrypted request over HTTP detected.

javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection (severity: undefined)
Found an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC messages, which could compromise the machine.
Details
{ "driver": { "name": "semgrep", "rules": [ { "defaultConfiguration": { "level": "warning" }, "fullDescription": { "text": "It looks like '$UNK' is read from user input and it is used to as a redirect. Ensure '$UNK' is not externally controlled, otherwise this is an open redirect." }, "helpUri": "https://semgrep.dev/r/javascript.express.security.audit.possible-user-input-redirect.unknown-value-in-redirect", "id": "javascript.express.security.audit.possible-user-input-redirect.unknown-value-in-redirect", "name": "javascript.express.security.audit.possible-user-input-redirect.unknown-value-in-redirect", "properties": { "precision": "very-high", "tags": [ "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')", "OWASP-A1: Injection" ] }, "shortDescription": { "text": "It looks like '$UNK' is read from user input and it is used to as a redirect. Ensure '$UNK' is not externally controlled, otherwise this is an open redirect." } }, { "defaultConfiguration": { "level": "warning" }, "fullDescription": { "text": "Use of 'ondoctype' in 'sax' library detected. By default, 'sax' won't do anything with custom DTD entity definitions. If you're implementing a custom DTD entity definition, be sure not to introduce XML External Entity (XXE) vulnerabilities, or be absolutely sure that external entities received from a trusted source while processing XML." }, "helpUri": "https://semgrep.dev/r/javascript.sax.security.audit.sax-xxe.sax-xxe", "id": "javascript.sax.security.audit.sax-xxe.sax-xxe", "name": "javascript.sax.security.audit.sax-xxe.sax-xxe", "properties": { "precision": "very-high", "tags": [ "CWE-611: Improper Restriction of XML External Entity Reference", "OWASP-A4: XML External Entities (XXE)" ] }, "shortDescription": { "text": "Use of 'ondoctype' in 'sax' library detected. By default, 'sax' won't do anything with custom DTD entity definitions. 
If you're implementing a custom DTD entity definition, be sure not to introduce XML External Entity (XXE) vulnerabilities, or be absolutely sure that external entities received from a trusted source while processing XML." } }, { "defaultConfiguration": { "level": "warning" }, "fullDescription": { "text": "The vpc_config resource inside the eks cluster has not explicitly disabled public endpoint access" }, "helpUri": "https://semgrep.dev/r/terraform.lang.security.eks-public-endpoint-enabled.eks-public-endpoint-enabled", "id": "terraform.lang.security.eks-public-endpoint-enabled.eks-public-endpoint-enabled", "name": "terraform.lang.security.eks-public-endpoint-enabled.eks-public-endpoint-enabled", "properties": { "precision": "very-high", "tags": [ "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor" ] }, "shortDescription": { "text": "The vpc_config resource inside the eks cluster has not explicitly disabled public endpoint access" } }, { "defaultConfiguration": { "level": "error" }, "fullDescription": { "text": "S3 bucket with public read-write access detected." }, "helpUri": "https://semgrep.dev/r/terraform.lang.security.s3-public-rw-bucket.s3-public-rw-bucket", "id": "terraform.lang.security.s3-public-rw-bucket.s3-public-rw-bucket", "name": "terraform.lang.security.s3-public-rw-bucket.s3-public-rw-bucket", "properties": { "precision": "very-high", "tags": [ "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor" ] }, "shortDescription": { "text": "S3 bucket with public read-write access detected." } }, { "defaultConfiguration": { "level": "warning" }, "fullDescription": { "text": "Overwriting `transformLinkUri` or `transformImageUri` to something insecure or turning `allowDangerousHtml` on, will open code up to XSS vectors." 
}, "helpUri": "https://semgrep.dev/r/typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html", "id": "typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html", "name": "typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html", "properties": { "precision": "very-high", "tags": [ "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "OWASP-A7: Cross-Site Scripting (XSS)" ] }, "shortDescription": { "text": "Overwriting `transformLinkUri` or `transformImageUri` to something insecure or turning `allowDangerousHtml` on, will open code up to XSS vectors." } }, { "defaultConfiguration": { "level": "warning" }, "fullDescription": { "text": "Detected use of express.csrf() middleware before express.methodOverride(). This can allow GET requests (which are not checked by csrf) to turn into POST requests later." }, "helpUri": "https://semgrep.dev/r/javascript.lang.security.detect-no-csrf-before-method-override.detect-no-csrf-before-method-override", "id": "javascript.lang.security.detect-no-csrf-before-method-override.detect-no-csrf-before-method-override", "name": "javascript.lang.security.detect-no-csrf-before-method-override.detect-no-csrf-before-method-override", "properties": { "precision": "very-high", "tags": [ "CWE-352: Cross-Site Request Forgery (CSRF)" ] }, "shortDescription": { "text": "Detected use of express.csrf() middleware before express.methodOverride(). This can allow GET requests (which are not checked by csrf) to turn into POST requests later." } }, { "defaultConfiguration": { "level": "error" }, "fullDescription": { "text": "Git allows shell commands to be specified in ext URLs for remote repositories. For example, git clone 'ext::sh -c whoami% >&2' will execute the whoami command to try to connect to a remote repository. Make sure that the URL is not controlled by external input." 
}, "helpUri": "https://semgrep.dev/r/javascript.lang.security.spawn-git-clone.spawn-git-clone", "id": "javascript.lang.security.spawn-git-clone.spawn-git-clone", "name": "javascript.lang.security.spawn-git-clone.spawn-git-clone", "properties": { "precision": "very-high", "tags": [ "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "OWASP-A1: Injection" ] }, "shortDescription": { "text": "Git allows shell commands to be specified in ext URLs for remote repositories. For example, git clone 'ext::sh -c whoami% >&2' will execute the whoami command to try to connect to a remote repository. Make sure that the URL is not controlled by external input." } }, { "defaultConfiguration": { "level": "error" }, "fullDescription": { "text": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'." }, "helpUri": "https://semgrep.dev/r/javascript.jose.security.jwt-none-alg.jwt-none-alg", "id": "javascript.jose.security.jwt-none-alg.jwt-none-alg", "name": "javascript.jose.security.jwt-none-alg.jwt-none-alg", "properties": { "precision": "very-high", "tags": [ "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", "OWASP-A2: Broken Authentication" ] }, "shortDescription": { "text": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'." 
} }, { "defaultConfiguration": { "level": "warning" }, "fullDescription": { "text": "If unverified user data can reach the XML Parser it can result in XML External or Internal Entity (XXE) Processing vulnerabilities" }, "helpUri": "https://semgrep.dev/r/javascript.xml2json.security.audit.xml2json-xxe.xml2json-xxe", "id": "javascript.xml2json.security.audit.xml2json-xxe.xml2json-xxe", "name": "javascript.xml2json.security.audit.xml2json-xxe.xml2json-xxe", "properties": { "precision": "very-high", "tags": [ "CWE-611: Improper Restriction of XML External Entity Reference", "OWASP-A4: XML External Entities (XXE)" ] }, "shortDescription": { "text": "If unverified user data can reach the XML Parser it can result in XML External or Internal Entity (XXE) Processing vulnerabilities" } }, { "defaultConfiguration": { "level": "warning" }, "fullDescription": { "text": "Detected usage of crypto.pseudoRandomBytes, which does not produce secure random numbers." }, "helpUri": "https://semgrep.dev/r/javascript.lang.security.detect-pseudorandombytes.detect-pseudoRandomBytes", "id": "javascript.lang.security.detect-pseudorandombytes.detect-pseudoRandomBytes", "name": "javascript.lang.security.detect-pseudorandombytes.detect-pseudoRandomBytes", "properties": { "precision": "very-high", "tags": [ "CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)", "OWASP-A9: Using Components with Known Vulnerabilities" ] }, "shortDescription": { "text": "Detected usage of crypto.pseudoRandomBytes, which does not produce secure random numbers." } }, { "defaultConfiguration": { "level": "note" }, "fullDescription": { "text": "Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape a translated text." 
}, "helpUri": "https://semgrep.dev/r/python.django.security.audit.xss.template-translate-no-escape.template-translate-no-escape", "id": "python.django.security.audit.xss.template-translate-no-escape.template-translate-no-escape", "name": "python.django.security.audit.xss.template-translate-no-escape.template-translate-no-escape", "properties": { "precision": "very-high", "tags": [ "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "OWASP-A7: Cross-Site Scripting (XSS)" ] }, "shortDescription": { "text": "Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape a translated text." } }, { "defaultConfiguration": { "level": "warning" }, "fullDescription": { "text": "Detected the use of require(variable). Calling require with a non-literal argument might allow an attacker to load an run arbitrary code, or access arbitrary files." }, "helpUri": "https://semgrep.dev/r/javascript.lang.security.detect-non-literal-require.detect-non-literal-require", "id": "javascript.lang.security.detect-non-literal-require.detect-non-literal-require", "name": "javascript.lang.security.detect-non-literal-require.detect-non-literal-require", "properties": { "precision": "very-high", "tags": [ "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", "OWASP-A1: Injection" ] }, "shortDescription": { "text": "Detected the use of require(variable). Calling require with a non-literal argument might allow an attacker to load an run arbitrary code, or access arbitrary files." } }, { "defaultConfiguration": { "level": "warning" }, "fullDescription": { "text": "An EBS volume is configured without encryption enabled." 
}, "helpUri": "https://semgrep.dev/r/terraform.lang.security.ebs-unencrypted-volume.unencrypted-ebs-volume", "id": "terraform.lang.security.ebs-unencrypted-volume.unencrypted-ebs-volume", "name": "terraform.lang.security.ebs-unencrypted-volume.unencrypted-ebs-volume", "properties": { "precision": "very-high", "tags": [ "CWE-311: Missing Encryption of Sensitive Data" ] }, "shortDescription": { "text": "An EBS volume is configured without encryption enabled." } }, { "defaultConfiguration": { "level": "warning" }, "fullDescription": { "text": "This HTML element '$EL' and attribute '$ATTR' together may load an external resource. This means that if dynamic content can enter this attribute it may be possible for an attacker to send HTTP requests to unintended locations which may leak data about your users. If this element is reaching out to a known host, consider hardcoding the host (or loading from a configuration) and appending the dynamic path. See https://github.com/cure53/HTTPLeaks for more information." }, "helpUri": "https://semgrep.dev/r/typescript.react.security.audit.react-http-leak.react-http-leak", "id": "typescript.react.security.audit.react-http-leak.react-http-leak", "name": "typescript.react.security.audit.react-http-leak.react-http-leak", "properties": { "precision": "very-high", "tags": [ "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "OWASP-A3: Sensitive Data Exposure" ] }, "shortDescription": { "text": "This HTML element '$EL' and attribute '$ATTR' together may load an external resource. This means that if dynamic content can enter this attribute it may be possible for an attacker to send HTTP requests to unintended locations which may leak data about your users. If this element is reaching out to a known host, consider hardcoding the host (or loading from a configuration) and appending the dynamic path. See https://github.com/cure53/HTTPLeaks for more information." 
} }, { "defaultConfiguration": { "level": "error" }, "fullDescription": { "text": "The last user in the container is 'root'. This is a security hazard because if an attacker gains control of the container they will have root access. Switch back to another user after running commands as 'root'." }, "helpUri": "https://semgrep.dev/r/generic.dockerfile.security.last-user-is-root.last-user-is-root", "id": "generic.dockerfile.security.last-user-is-root.last-user-is-root", "name": "generic.dockerfile.security.last-user-is-root.last-user-is-root", "properties": { "precision": "very-high", "tags": [] }, "shortDescription": { "text": "The last user in the container is 'root'. This is a security hazard because if an attacker gains control of the container they will have root access. Switch back to another user after running commands as 'root'." } }, { "defaultConfiguration": { "level": "error" }, "fullDescription": { "text": "Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens." }, "helpUri": "https://semgrep.dev/r/javascript.jsonwebtoken.security.jwt-exposed-credentials.jwt-exposed-credentials", "id": "javascript.jsonwebtoken.security.jwt-exposed-credentials.jwt-exposed-credentials", "name": "javascript.jsonwebtoken.security.jwt-exposed-credentials.jwt-exposed-credentials", "properties": { "precision": "very-high", "tags": [ "CWE-522: Insufficiently Protected Credentials", "OWASP-A2: Broken Authentication" ] }, "shortDescription": { "text": "Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens." } }, { "defaultConfiguration": { "level": "warning" }, "fullDescription": { "text": "Markup escaping disabled. This can be used with some template engines to escape disabling of HTML entities, which can lead to XSS attacks." 
}, "helpUri": "https://semgrep.dev/r/javascript.lang.security.detect-disable-mustache-escape.detect-disable-mustache-escape", "id": "javascript.lang.security.detect-disable-mustache-escape.detect-disable-mustache-escape", "name": "javascript.lang.security.detect-disable-mustache-escape.detect-disable-mustache-escape", "properties": { "precision": "very-high", "tags": [ "CWE-116: Improper Encoding or Escaping of Output", "OWASP-A7: Cross-Site Scripting (XSS)" ] }, "shortDescription": { "text": "Markup escaping disabled. This can be used with some template engines to escape disabling of HTML entities, which can lead to XSS attacks." } }, { "defaultConfiguration": { "level": "warning" }, "fullDescription": { "text": "Detected non-literal calls to $EXEC(). This could lead to a command injection vulnerability." }, "helpUri": "https://semgrep.dev/r/javascript.lang.security.detect-child-process.detect-child-process", "id": "javascript.lang.security.detect-child-process.detect-child-process", "name": "javascript.lang.security.detect-child-process.detect-child-process", "properties": { "precision": "very-high", "tags": [ "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "OWASP-A1: Injection" ] }, "shortDescription": { "text": "Detected non-literal calls to $EXEC(). This could lead to a command injection vulnerability." } }, { "defaultConfiguration": { "level": "warning" }, "fullDescription": { "text": "Detected usage of noassert in Buffer API, which allows the offset the be beyond the end of the buffer. This could result in writing or reading beyond the end of the buffer." 
}, "helpUri": "https://semgrep.dev/r/javascript.lang.security.detect-buffer-noassert.detect-buffer-noassert", "id": "javascript.lang.security.detect-buffer-noassert.detect-buffer-noassert", "name": "javascript.lang.security.detect-buffer-noassert.detect-buffer-noassert", "properties": { "precision": "very-high", "tags": [ "CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer" ] }, "shortDescription": { "text": "Detected usage of noassert in Buffer API, which allows the offset the be beyond the end of the buffer. This could result in writing or reading beyond the end of the buffer." } }, { "defaultConfiguration": { "level": "warning" }, "fullDescription": { "text": "Setting HTML from code is risky because it’s easy to inadvertently expose your users to a cross-site scripting (XSS) attack." }, "helpUri": "https://semgrep.dev/r/typescript.react.security.audit.react-dangerouslysetinnerhtml.react-dangerouslysetinnerhtml", "id": "typescript.react.security.audit.react-dangerouslysetinnerhtml.react-dangerouslysetinnerhtml", "name": "typescript.react.security.audit.react-dangerouslysetinnerhtml.react-dangerouslysetinnerhtml", "properties": { "precision": "very-high", "tags": [ "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "OWASP-A7: Cross-Site Scripting (XSS)" ] }, "shortDescription": { "text": "Setting HTML from code is risky because it’s easy to inadvertently expose your users to a cross-site scripting (XSS) attack." 
} }, { "defaultConfiguration": { "level": "warning" }, "fullDescription": { "text": "CORS rule on bucket permits any origin" }, "helpUri": "https://semgrep.dev/r/terraform.lang.security.s3-cors-all-origins.all-origins-allowed", "id": "terraform.lang.security.s3-cors-all-origins.all-origins-allowed", "name": "terraform.lang.security.s3-cors-all-origins.all-origins-allowed", "properties": { "precision": "very-high", "tags": [ "CWE-942: Permissive Cross-domain Policy with Untrusted Domains" ] }, "shortDescription": { "text": "CORS rule on bucket permits any origin" } }, { "defaultConfiguration": { "level": "error" }, "fullDescription": { "text": "Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens." }, "helpUri": "https://semgrep.dev/r/javascript.jose.security.jwt-exposed-credentials.jwt-exposed-credentials", "id": "javascript.jose.security.jwt-exposed-credentials.jwt-exposed-credentials", "name": "javascript.jose.security.jwt-exposed-credentials.jwt-exposed-credentials", "properties": { "precision": "very-high", "tags": [ "CWE-522: Insufficiently Protected Credentials", "OWASP-A2: Broken Authentication" ] }, "shortDescription": { "text": "Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens." } }, { "defaultConfiguration": { "level": "error" }, "fullDescription": { "text": "Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. 
keeping secrets in environment variables: process.env.SECRET)" }, "helpUri": "https://semgrep.dev/r/javascript.jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret", "id": "javascript.jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret", "name": "javascript.jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret", "properties": { "precision": "very-high", "tags": [ "CWE-522: Insufficiently Protected Credentials", "OWASP-A2: Broken Authentication" ] }, "shortDescription": { "text": "Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables: process.env.SECRET)" } }, { "defaultConfiguration": { "level": "warning" }, "fullDescription": { "text": "If unverified user data can reach the XML Parser it can result in XML External or Internal Entity (XXE) Processing vulnerabilities" }, "helpUri": "https://semgrep.dev/r/javascript.node-expat.security.audit.expat-xxe.expat-xxe", "id": "javascript.node-expat.security.audit.expat-xxe.expat-xxe", "name": "javascript.node-expat.security.audit.expat-xxe.expat-xxe", "properties": { "precision": "very-high", "tags": [ "CWE-611: Improper Restriction of XML External Entity Reference", "OWASP-A4: XML External Entities (XXE)" ] }, "shortDescription": { "text": "If unverified user data can reach the XML Parser it can result in XML External or Internal Entity (XXE) Processing vulnerabilities" } }, { "defaultConfiguration": { "level": "note" }, "fullDescription": { "text": "Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape a translated text." 
}, "helpUri": "https://semgrep.dev/r/python.django.security.audit.xss.template-translate-as-no-escape.template-translate-as-no-escape", "id": "python.django.security.audit.xss.template-translate-as-no-escape.template-translate-as-no-escape", "name": "python.django.security.audit.xss.template-translate-as-no-escape.template-translate-as-no-escape", "properties": { "precision": "very-high", "tags": [ "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "OWASP-A7: Cross-Site Scripting (XSS)" ] }, "shortDescription": { "text": "Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape a translated text." } }, { "defaultConfiguration": { "level": "warning" }, "fullDescription": { "text": "Detected public s3 bucket policy. This policy allows anyone to access certain properties of or items in the bucket. Do not do this unless you will never have sensitive data inside the bucket." }, "helpUri": "https://semgrep.dev/r/json.aws.security.public-s3-policy-statement.public-s3-policy-statement", "id": "json.aws.security.public-s3-policy-statement.public-s3-policy-statement", "name": "json.aws.security.public-s3-policy-statement.public-s3-policy-statement", "properties": { "precision": "very-high", "tags": [ "CWE-264: Permissions, Privileges, and Access Controls", "OWASP-A6: Security Misconfiguration" ] }, "shortDescription": { "text": "Detected public s3 bucket policy. This policy allows anyone to access certain properties of or items in the bucket. Do not do this unless you will never have sensitive data inside the bucket." } }, { "defaultConfiguration": { "level": "error" }, "fullDescription": { "text": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. 
This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'." }, "helpUri": "https://semgrep.dev/r/javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg", "id": "javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg", "name": "javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg", "properties": { "precision": "very-high", "tags": [ "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", "OWASP-A2: Broken Authentication" ] }, "shortDescription": { "text": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'." } }, { "defaultConfiguration": { "level": "warning" }, "fullDescription": { "text": "Password can be leaked if CSS injection exists on the page." }, "helpUri": "https://semgrep.dev/r/typescript.react.security.react-controlled-component-password.react-controlled-component-password", "id": "typescript.react.security.react-controlled-component-password.react-controlled-component-password", "name": "typescript.react.security.react-controlled-component-password.react-controlled-component-password", "properties": { "precision": "very-high", "tags": [] }, "shortDescription": { "text": "Password can be leaked if CSS injection exists on the page." } }, { "defaultConfiguration": { "level": "note" }, "fullDescription": { "text": "Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape a translated text." 
}, "helpUri": "https://semgrep.dev/r/python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape", "id": "python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape", "name": "python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape", "properties": { "precision": "very-high", "tags": [ "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "OWASP-A7: Cross-Site Scripting (XSS)" ] }, "shortDescription": { "text": "Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape a translated text." } }, { "defaultConfiguration": { "level": "warning" }, "fullDescription": { "text": "Detected eval(variable), which could allow a malicious actor to run arbitrary code." }, "helpUri": "https://semgrep.dev/r/javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression", "id": "javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression", "name": "javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression", "properties": { "precision": "very-high", "tags": [ "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", "OWASP-A1: Injection" ] }, "shortDescription": { "text": "Detected eval(variable), which could allow a malicious actor to run arbitrary code." } }, { "defaultConfiguration": { "level": "warning" }, "fullDescription": { "text": "Cannot determine what '$UNK' is and it is used with a '<script>' tag. This could be susceptible to cross-site scripting (XSS). Ensure '$UNK' is not externally controlled, or sanitize this data." 
}, "helpUri": "https://semgrep.dev/r/javascript.lang.security.audit.unknown-value-with-script-tag.unknown-value-with-script-tag", "id": "javascript.lang.security.audit.unknown-value-with-script-tag.unknown-value-with-script-tag", "name": "javascript.lang.security.audit.unknown-value-with-script-tag.unknown-value-with-script-tag", "properties": { "precision": "very-high", "tags": [ "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "OWASP-A7: Cross-Site Scripting (XSS)" ] }, "shortDescription": { "text": "Cannot determine what '$UNK' is and it is used with a '<script>' tag. This could be susceptible to cross-site scripting (XSS). Ensure '$UNK' is not externally controlled, or sanitize this data." } }, { "defaultConfiguration": { "level": "error" }, "fullDescription": { "text": "Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables: process.env.SECRET)" }, "helpUri": "https://semgrep.dev/r/javascript.jose.security.jwt-hardcode.hardcoded-jwt-secret", "id": "javascript.jose.security.jwt-hardcode.hardcoded-jwt-secret", "name": "javascript.jose.security.jwt-hardcode.hardcoded-jwt-secret", "properties": { "precision": "very-high", "tags": [ "CWE-522: Insufficiently Protected Credentials", "OWASP-A2: Broken Authentication" ] }, "shortDescription": { "text": "Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables: process.env.SECRET)" } }, { "defaultConfiguration": { "level": "error" }, "fullDescription": { "text": "Unencrypted request over HTTP detected." 
}, "helpUri": "https://semgrep.dev/r/typescript.react.security.react-insecure-request.react-insecure-request", "id": "typescript.react.security.react-insecure-request.react-insecure-request", "name": "typescript.react.security.react-insecure-request.react-insecure-request", "properties": { "precision": "very-high", "tags": [ "CWE-319: Cleartext Transmission of Sensitive Information", "OWASP-A3: Sensitive Data Exposure" ] }, "shortDescription": { "text": "Unencrypted request over HTTP detected." } }, { "defaultConfiguration": { "level": "error" }, "fullDescription": { "text": "Found an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine." }, "helpUri": "https://semgrep.dev/r/javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection", "id": "javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection", "name": "javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection", "properties": { "precision": "very-high", "tags": [ "CWE-502: Deserialization of Untrusted Data", "OWASP-A8: Insecure Deserialization" ] }, "shortDescription": { "text": "Found an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine." } } ], "semanticVersion": "0.70.0" } }
Results
- javascript.lang.security.detect-child-process.detect-child-process: Detected non-literal calls to $EXEC(). This could lead to a command injection vulnerability.
https://github.com/h3kz-security/code_scanning_demo/blob/main/app/core/appHandler.js#L39-44
- terraform.lang.security.ebs-unencrypted-volume.unencrypted-ebs-volume: An EBS volume is configured without encryption enabled.
https://github.com/h3kz-security/code_scanning_demo/blob/main/terraform/aws/ec2.tf#L34-34