Security Issue
Opened this issue · 0 comments
Rules
javascript.lang.security.audit.unknown-value-with-script-tag.unknown-value-with-script-tag (severity: undefined)
Cannot determine what '$UNK' is and it is used with a '<script>' tag. This could be susceptible to cross-site scripting (XSS). Ensure '$UNK' is not externally controlled, or sanitize this data.,javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection (severity: undefined)
Found an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine.,javascript.jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret (severity: undefined)
Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables: process.env.SECRET),javascript.lang.security.detect-disable-mustache-escape.detect-disable-mustache-escape (severity: undefined)
Markup escaping disabled. This can be used with some template engines to escape disabling of HTML entities, which can lead to XSS attacks.,javascript.lang.security.detect-pseudorandombytes.detect-pseudoRandomBytes (severity: undefined)
Detected usage of crypto.pseudoRandomBytes, which does not produce secure random numbers.,javascript.jose.security.jwt-none-alg.jwt-none-alg (severity: undefined)
Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.,typescript.react.security.audit.react-dangerouslysetinnerhtml.react-dangerouslysetinnerhtml (severity: undefined)
Setting HTML from code is risky because it’s easy to inadvertently expose your users to a cross-site scripting (XSS) attack.,typescript.react.security.react-insecure-request.react-insecure-request (severity: undefined)
Unencrypted request over HTTP detected.,javascript.lang.security.detect-no-csrf-before-method-override.detect-no-csrf-before-method-override (severity: undefined)
Detected use of express.csrf() middleware before express.methodOverride(). This can allow GET requests (which are not checked by csrf) to turn into POST requests later.,typescript.react.security.audit.react-http-leak.react-http-leak (severity: undefined)
This HTML element '$EL' and attribute '$ATTR' together may load an external resource. This means that if dynamic content can enter this attribute it may be possible for an attacker to send HTTP requests to unintended locations which may leak data about your users. If this element is reaching out to a known host, consider hardcoding the host (or loading from a configuration) and appending the dynamic path. See https://github.com/cure53/HTTPLeaks for more information.,typescript.react.security.react-controlled-component-password.react-controlled-component-password (severity: undefined)
Password can be leaked if CSS injection exists on the page.,typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html (severity: undefined)
Overwriting
transformLinkUri
ortransformImageUri
to something insecure or turningallowDangerousHtml
on, will open code up to XSS vectors.,json.aws.security.public-s3-policy-statement.public-s3-policy-statement (severity: undefined)
Detected public s3 bucket policy. This policy allows anyone to access certain properties of or items in the bucket. Do not do this unless you will never have sensitive data inside the bucket.,python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape (severity: undefined)
Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using
force_escape
to explicitly escape a translated text.,python.django.security.audit.xss.template-translate-as-no-escape.template-translate-as-no-escape (severity: undefined)
Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using
force_escape
to explicitly escape a translated text.,javascript.lang.security.detect-buffer-noassert.detect-buffer-noassert (severity: undefined)
Detected usage of noassert in Buffer API, which allows the offset the be beyond the end of the buffer. This could result in writing or reading beyond the end of the buffer.,javascript.lang.security.spawn-git-clone.spawn-git-clone (severity: undefined)
Git allows shell commands to be specified in ext URLs for remote repositories. For example, git clone 'ext::sh -c whoami% >&2' will execute the whoami command to try to connect to a remote repository. Make sure that the URL is not controlled by external input.,generic.dockerfile.security.last-user-is-root.last-user-is-root (severity: undefined)
The last user in the container is 'root'. This is a security hazard because if an attacker gains control of the container they will have root access. Switch back to another user after running commands as 'root'.,javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg (severity: undefined)
Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.,javascript.sax.security.audit.sax-xxe.sax-xxe (severity: undefined)
Use of 'ondoctype' in 'sax' library detected. By default, 'sax' won't do anything with custom DTD entity definitions. If you're implementing a custom DTD entity definition, be sure not to introduce XML External Entity (XXE) vulnerabilities, or be absolutely sure that external entities received from a trusted source while processing XML.,terraform.lang.security.eks-public-endpoint-enabled.eks-public-endpoint-enabled (severity: undefined)
The vpc_config resource inside the eks cluster has not explicitly disabled public endpoint access,javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression (severity: undefined)
Detected eval(variable), which could allow a malicious actor to run arbitrary code.,javascript.jose.security.jwt-exposed-credentials.jwt-exposed-credentials (severity: undefined)
Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens.,javascript.lang.security.detect-non-literal-require.detect-non-literal-require (severity: undefined)
Detected the use of require(variable). Calling require with a non-literal argument might allow an attacker to load an run arbitrary code, or access arbitrary files.,terraform.lang.security.ebs-unencrypted-volume.unencrypted-ebs-volume (severity: undefined)
An EBS volume is configured without encryption enabled.,javascript.lang.security.detect-child-process.detect-child-process (severity: undefined)
Detected non-literal calls to $EXEC(). This could lead to a command injection vulnerability.,terraform.lang.security.s3-public-rw-bucket.s3-public-rw-bucket (severity: undefined)
S3 bucket with public read-write access detected.,javascript.node-expat.security.audit.expat-xxe.expat-xxe (severity: undefined)
If unverified user data can reach the XML Parser it can result in XML External or Internal Entity (XXE) Processing vulnerabilities,javascript.jose.security.jwt-hardcode.hardcoded-jwt-secret (severity: undefined)
Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables: process.env.SECRET),python.django.security.audit.xss.template-translate-no-escape.template-translate-no-escape (severity: undefined)
Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using
force_escape
to explicitly escape a translated text.,javascript.xml2json.security.audit.xml2json-xxe.xml2json-xxe (severity: undefined)
If unverified user data can reach the XML Parser it can result in XML External or Internal Entity (XXE) Processing vulnerabilities,terraform.lang.security.s3-cors-all-origins.all-origins-allowed (severity: undefined)
CORS rule on bucket permits any origin,javascript.jsonwebtoken.security.jwt-exposed-credentials.jwt-exposed-credentials (severity: undefined)
Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens.,javascript.express.security.audit.possible-user-input-redirect.unknown-value-in-redirect (severity: undefined)
It looks like '$UNK' is read from user input and it is used to as a redirect. Ensure '$UNK' is not externally controlled, otherwise this is an open redirect.
Details
{ "driver": { "name": "semgrep", "rules": [ { "defaultConfiguration": { "level": "warning" }, "fullDescription": { "text": "Cannot determine what '$UNK' is and it is used with a '<script>' tag. This could be susceptible to cross-site scripting (XSS). Ensure '$UNK' is not externally controlled, or sanitize this data." }, "helpUri": "https://semgrep.dev/r/javascript.lang.security.audit.unknown-value-with-script-tag.unknown-value-with-script-tag", "id": "javascript.lang.security.audit.unknown-value-with-script-tag.unknown-value-with-script-tag", "name": "javascript.lang.security.audit.unknown-value-with-script-tag.unknown-value-with-script-tag", "properties": { "precision": "very-high", "tags": [ "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "OWASP-A7: Cross-Site Scripting (XSS)" ] }, "shortDescription": { "text": "Cannot determine what '$UNK' is and it is used with a '<script>' tag. This could be susceptible to cross-site scripting (XSS). Ensure '$UNK' is not externally controlled, or sanitize this data." } }, { "defaultConfiguration": { "level": "error" }, "fullDescription": { "text": "Found an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine." }, "helpUri": "https://semgrep.dev/r/javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection", "id": "javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection", "name": "javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection", "properties": { "precision": "very-high", "tags": [ "CWE-502: Deserialization of Untrusted Data", "OWASP-A8: Insecure Deserialization" ] }, "shortDescription": { "text": "Found an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine." } }, { "defaultConfiguration": { "level": "error" }, "fullDescription": { "text": "Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables: process.env.SECRET)" }, "helpUri": "https://semgrep.dev/r/javascript.jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret", "id": "javascript.jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret", "name": "javascript.jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret", "properties": { "precision": "very-high", "tags": [ "CWE-522: Insufficiently Protected Credentials", "OWASP-A2: Broken Authentication" ] }, "shortDescription": { "text": "Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables: process.env.SECRET)" } }, { "defaultConfiguration": { "level": "warning" }, "fullDescription": { "text": "Markup escaping disabled. This can be used with some template engines to escape disabling of HTML entities, which can lead to XSS attacks." }, "helpUri": "https://semgrep.dev/r/javascript.lang.security.detect-disable-mustache-escape.detect-disable-mustache-escape", "id": "javascript.lang.security.detect-disable-mustache-escape.detect-disable-mustache-escape", "name": "javascript.lang.security.detect-disable-mustache-escape.detect-disable-mustache-escape", "properties": { "precision": "very-high", "tags": [ "CWE-116: Improper Encoding or Escaping of Output", "OWASP-A7: Cross-Site Scripting (XSS)" ] }, "shortDescription": { "text": "Markup escaping disabled. This can be used with some template engines to escape disabling of HTML entities, which can lead to XSS attacks." } }, { "defaultConfiguration": { "level": "warning" }, "fullDescription": { "text": "Detected usage of crypto.pseudoRandomBytes, which does not produce secure random numbers." }, "helpUri": "https://semgrep.dev/r/javascript.lang.security.detect-pseudorandombytes.detect-pseudoRandomBytes", "id": "javascript.lang.security.detect-pseudorandombytes.detect-pseudoRandomBytes", "name": "javascript.lang.security.detect-pseudorandombytes.detect-pseudoRandomBytes", "properties": { "precision": "very-high", "tags": [ "CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)", "OWASP-A9: Using Components with Known Vulnerabilities" ] }, "shortDescription": { "text": "Detected usage of crypto.pseudoRandomBytes, which does not produce secure random numbers." } }, { "defaultConfiguration": { "level": "error" }, "fullDescription": { "text": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'." }, "helpUri": "https://semgrep.dev/r/javascript.jose.security.jwt-none-alg.jwt-none-alg", "id": "javascript.jose.security.jwt-none-alg.jwt-none-alg", "name": "javascript.jose.security.jwt-none-alg.jwt-none-alg", "properties": { "precision": "very-high", "tags": [ "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", "OWASP-A2: Broken Authentication" ] }, "shortDescription": { "text": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'." } }, { "defaultConfiguration": { "level": "warning" }, "fullDescription": { "text": "Setting HTML from code is risky because it’s easy to inadvertently expose your users to a cross-site scripting (XSS) attack." }, "helpUri": "https://semgrep.dev/r/typescript.react.security.audit.react-dangerouslysetinnerhtml.react-dangerouslysetinnerhtml", "id": "typescript.react.security.audit.react-dangerouslysetinnerhtml.react-dangerouslysetinnerhtml", "name": "typescript.react.security.audit.react-dangerouslysetinnerhtml.react-dangerouslysetinnerhtml", "properties": { "precision": "very-high", "tags": [ "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "OWASP-A7: Cross-Site Scripting (XSS)" ] }, "shortDescription": { "text": "Setting HTML from code is risky because it’s easy to inadvertently expose your users to a cross-site scripting (XSS) attack." } }, { "defaultConfiguration": { "level": "error" }, "fullDescription": { "text": "Unencrypted request over HTTP detected." }, "helpUri": "https://semgrep.dev/r/typescript.react.security.react-insecure-request.react-insecure-request", "id": "typescript.react.security.react-insecure-request.react-insecure-request", "name": "typescript.react.security.react-insecure-request.react-insecure-request", "properties": { "precision": "very-high", "tags": [ "CWE-319: Cleartext Transmission of Sensitive Information", "OWASP-A3: Sensitive Data Exposure" ] }, "shortDescription": { "text": "Unencrypted request over HTTP detected." } }, { "defaultConfiguration": { "level": "warning" }, "fullDescription": { "text": "Detected use of express.csrf() middleware before express.methodOverride(). This can allow GET requests (which are not checked by csrf) to turn into POST requests later." }, "helpUri": "https://semgrep.dev/r/javascript.lang.security.detect-no-csrf-before-method-override.detect-no-csrf-before-method-override", "id": "javascript.lang.security.detect-no-csrf-before-method-override.detect-no-csrf-before-method-override", "name": "javascript.lang.security.detect-no-csrf-before-method-override.detect-no-csrf-before-method-override", "properties": { "precision": "very-high", "tags": [ "CWE-352: Cross-Site Request Forgery (CSRF)" ] }, "shortDescription": { "text": "Detected use of express.csrf() middleware before express.methodOverride(). This can allow GET requests (which are not checked by csrf) to turn into POST requests later." } }, { "defaultConfiguration": { "level": "warning" }, "fullDescription": { "text": "This HTML element '$EL' and attribute '$ATTR' together may load an external resource. This means that if dynamic content can enter this attribute it may be possible for an attacker to send HTTP requests to unintended locations which may leak data about your users. If this element is reaching out to a known host, consider hardcoding the host (or loading from a configuration) and appending the dynamic path. See https://github.com/cure53/HTTPLeaks for more information." }, "helpUri": "https://semgrep.dev/r/typescript.react.security.audit.react-http-leak.react-http-leak", "id": "typescript.react.security.audit.react-http-leak.react-http-leak", "name": "typescript.react.security.audit.react-http-leak.react-http-leak", "properties": { "precision": "very-high", "tags": [ "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "OWASP-A3: Sensitive Data Exposure" ] }, "shortDescription": { "text": "This HTML element '$EL' and attribute '$ATTR' together may load an external resource. This means that if dynamic content can enter this attribute it may be possible for an attacker to send HTTP requests to unintended locations which may leak data about your users. If this element is reaching out to a known host, consider hardcoding the host (or loading from a configuration) and appending the dynamic path. See https://github.com/cure53/HTTPLeaks for more information." } }, { "defaultConfiguration": { "level": "warning" }, "fullDescription": { "text": "Password can be leaked if CSS injection exists on the page." }, "helpUri": "https://semgrep.dev/r/typescript.react.security.react-controlled-component-password.react-controlled-component-password", "id": "typescript.react.security.react-controlled-component-password.react-controlled-component-password", "name": "typescript.react.security.react-controlled-component-password.react-controlled-component-password", "properties": { "precision": "very-high", "tags": [] }, "shortDescription": { "text": "Password can be leaked if CSS injection exists on the page." } }, { "defaultConfiguration": { "level": "warning" }, "fullDescription": { "text": "Overwriting `transformLinkUri` or `transformImageUri` to something insecure or turning `allowDangerousHtml` on, will open code up to XSS vectors." }, "helpUri": "https://semgrep.dev/r/typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html", "id": "typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html", "name": "typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html", "properties": { "precision": "very-high", "tags": [ "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "OWASP-A7: Cross-Site Scripting (XSS)" ] }, "shortDescription": { "text": "Overwriting `transformLinkUri` or `transformImageUri` to something insecure or turning `allowDangerousHtml` on, will open code up to XSS vectors." } }, { "defaultConfiguration": { "level": "warning" }, "fullDescription": { "text": "Detected public s3 bucket policy. This policy allows anyone to access certain properties of or items in the bucket. Do not do this unless you will never have sensitive data inside the bucket." }, "helpUri": "https://semgrep.dev/r/json.aws.security.public-s3-policy-statement.public-s3-policy-statement", "id": "json.aws.security.public-s3-policy-statement.public-s3-policy-statement", "name": "json.aws.security.public-s3-policy-statement.public-s3-policy-statement", "properties": { "precision": "very-high", "tags": [ "CWE-264: Permissions, Privileges, and Access Controls", "OWASP-A6: Security Misconfiguration" ] }, "shortDescription": { "text": "Detected public s3 bucket policy. This policy allows anyone to access certain properties of or items in the bucket. Do not do this unless you will never have sensitive data inside the bucket." } }, { "defaultConfiguration": { "level": "note" }, "fullDescription": { "text": "Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape a translated text." }, "helpUri": "https://semgrep.dev/r/python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape", "id": "python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape", "name": "python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape", "properties": { "precision": "very-high", "tags": [ "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "OWASP-A7: Cross-Site Scripting (XSS)" ] }, "shortDescription": { "text": "Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape a translated text." } }, { "defaultConfiguration": { "level": "note" }, "fullDescription": { "text": "Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape a translated text." }, "helpUri": "https://semgrep.dev/r/python.django.security.audit.xss.template-translate-as-no-escape.template-translate-as-no-escape", "id": "python.django.security.audit.xss.template-translate-as-no-escape.template-translate-as-no-escape", "name": "python.django.security.audit.xss.template-translate-as-no-escape.template-translate-as-no-escape", "properties": { "precision": "very-high", "tags": [ "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "OWASP-A7: Cross-Site Scripting (XSS)" ] }, "shortDescription": { "text": "Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape a translated text." } }, { "defaultConfiguration": { "level": "warning" }, "fullDescription": { "text": "Detected usage of noassert in Buffer API, which allows the offset the be beyond the end of the buffer. This could result in writing or reading beyond the end of the buffer." }, "helpUri": "https://semgrep.dev/r/javascript.lang.security.detect-buffer-noassert.detect-buffer-noassert", "id": "javascript.lang.security.detect-buffer-noassert.detect-buffer-noassert", "name": "javascript.lang.security.detect-buffer-noassert.detect-buffer-noassert", "properties": { "precision": "very-high", "tags": [ "CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer" ] }, "shortDescription": { "text": "Detected usage of noassert in Buffer API, which allows the offset the be beyond the end of the buffer. This could result in writing or reading beyond the end of the buffer." } }, { "defaultConfiguration": { "level": "error" }, "fullDescription": { "text": "Git allows shell commands to be specified in ext URLs for remote repositories. For example, git clone 'ext::sh -c whoami% >&2' will execute the whoami command to try to connect to a remote repository. Make sure that the URL is not controlled by external input." }, "helpUri": "https://semgrep.dev/r/javascript.lang.security.spawn-git-clone.spawn-git-clone", "id": "javascript.lang.security.spawn-git-clone.spawn-git-clone", "name": "javascript.lang.security.spawn-git-clone.spawn-git-clone", "properties": { "precision": "very-high", "tags": [ "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "OWASP-A1: Injection" ] }, "shortDescription": { "text": "Git allows shell commands to be specified in ext URLs for remote repositories. For example, git clone 'ext::sh -c whoami% >&2' will execute the whoami command to try to connect to a remote repository. Make sure that the URL is not controlled by external input." } }, { "defaultConfiguration": { "level": "error" }, "fullDescription": { "text": "The last user in the container is 'root'. This is a security hazard because if an attacker gains control of the container they will have root access. Switch back to another user after running commands as 'root'." }, "helpUri": "https://semgrep.dev/r/generic.dockerfile.security.last-user-is-root.last-user-is-root", "id": "generic.dockerfile.security.last-user-is-root.last-user-is-root", "name": "generic.dockerfile.security.last-user-is-root.last-user-is-root", "properties": { "precision": "very-high", "tags": [] }, "shortDescription": { "text": "The last user in the container is 'root'. This is a security hazard because if an attacker gains control of the container they will have root access. Switch back to another user after running commands as 'root'." } }, { "defaultConfiguration": { "level": "error" }, "fullDescription": { "text": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'." }, "helpUri": "https://semgrep.dev/r/javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg", "id": "javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg", "name": "javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg", "properties": { "precision": "very-high", "tags": [ "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", "OWASP-A2: Broken Authentication" ] }, "shortDescription": { "text": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'." } }, { "defaultConfiguration": { "level": "warning" }, "fullDescription": { "text": "Use of 'ondoctype' in 'sax' library detected. By default, 'sax' won't do anything with custom DTD entity definitions. If you're implementing a custom DTD entity definition, be sure not to introduce XML External Entity (XXE) vulnerabilities, or be absolutely sure that external entities received from a trusted source while processing XML." }, "helpUri": "https://semgrep.dev/r/javascript.sax.security.audit.sax-xxe.sax-xxe", "id": "javascript.sax.security.audit.sax-xxe.sax-xxe", "name": "javascript.sax.security.audit.sax-xxe.sax-xxe", "properties": { "precision": "very-high", "tags": [ "CWE-611: Improper Restriction of XML External Entity Reference", "OWASP-A4: XML External Entities (XXE)" ] }, "shortDescription": { "text": "Use of 'ondoctype' in 'sax' library detected. By default, 'sax' won't do anything with custom DTD entity definitions. If you're implementing a custom DTD entity definition, be sure not to introduce XML External Entity (XXE) vulnerabilities, or be absolutely sure that external entities received from a trusted source while processing XML." } }, { "defaultConfiguration": { "level": "warning" }, "fullDescription": { "text": "The vpc_config resource inside the eks cluster has not explicitly disabled public endpoint access" }, "helpUri": "https://semgrep.dev/r/terraform.lang.security.eks-public-endpoint-enabled.eks-public-endpoint-enabled", "id": "terraform.lang.security.eks-public-endpoint-enabled.eks-public-endpoint-enabled", "name": "terraform.lang.security.eks-public-endpoint-enabled.eks-public-endpoint-enabled", "properties": { "precision": "very-high", "tags": [ "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor" ] }, "shortDescription": { "text": "The vpc_config resource inside the eks cluster has not explicitly disabled public endpoint access" } }, { "defaultConfiguration": { "level": "warning" }, "fullDescription": { "text": "Detected eval(variable), which could allow a malicious actor to run arbitrary code." }, "helpUri": "https://semgrep.dev/r/javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression", "id": "javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression", "name": "javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression", "properties": { "precision": "very-high", "tags": [ "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", "OWASP-A1: Injection" ] }, "shortDescription": { "text": "Detected eval(variable), which could allow a malicious actor to run arbitrary code." } }, { "defaultConfiguration": { "level": "error" }, "fullDescription": { "text": "Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens." }, "helpUri": "https://semgrep.dev/r/javascript.jose.security.jwt-exposed-credentials.jwt-exposed-credentials", "id": "javascript.jose.security.jwt-exposed-credentials.jwt-exposed-credentials", "name": "javascript.jose.security.jwt-exposed-credentials.jwt-exposed-credentials", "properties": { "precision": "very-high", "tags": [ "CWE-522: Insufficiently Protected Credentials", "OWASP-A2: Broken Authentication" ] }, "shortDescription": { "text": "Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens." } }, { "defaultConfiguration": { "level": "warning" }, "fullDescription": { "text": "Detected the use of require(variable). Calling require with a non-literal argument might allow an attacker to load an run arbitrary code, or access arbitrary files." }, "helpUri": "https://semgrep.dev/r/javascript.lang.security.detect-non-literal-require.detect-non-literal-require", "id": "javascript.lang.security.detect-non-literal-require.detect-non-literal-require", "name": "javascript.lang.security.detect-non-literal-require.detect-non-literal-require", "properties": { "precision": "very-high", "tags": [ "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", "OWASP-A1: Injection" ] }, "shortDescription": { "text": "Detected the use of require(variable). Calling require with a non-literal argument might allow an attacker to load an run arbitrary code, or access arbitrary files." } }, { "defaultConfiguration": { "level": "warning" }, "fullDescription": { "text": "An EBS volume is configured without encryption enabled." }, "helpUri": "https://semgrep.dev/r/terraform.lang.security.ebs-unencrypted-volume.unencrypted-ebs-volume", "id": "terraform.lang.security.ebs-unencrypted-volume.unencrypted-ebs-volume", "name": "terraform.lang.security.ebs-unencrypted-volume.unencrypted-ebs-volume", "properties": { "precision": "very-high", "tags": [ "CWE-311: Missing Encryption of Sensitive Data" ] }, "shortDescription": { "text": "An EBS volume is configured without encryption enabled." } }, { "defaultConfiguration": { "level": "warning" }, "fullDescription": { "text": "Detected non-literal calls to $EXEC(). This could lead to a command injection vulnerability." }, "helpUri": "https://semgrep.dev/r/javascript.lang.security.detect-child-process.detect-child-process", "id": "javascript.lang.security.detect-child-process.detect-child-process", "name": "javascript.lang.security.detect-child-process.detect-child-process", "properties": { "precision": "very-high", "tags": [ "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "OWASP-A1: Injection" ] }, "shortDescription": { "text": "Detected non-literal calls to $EXEC(). This could lead to a command injection vulnerability." } }, { "defaultConfiguration": { "level": "error" }, "fullDescription": { "text": "S3 bucket with public read-write access detected." }, "helpUri": "https://semgrep.dev/r/terraform.lang.security.s3-public-rw-bucket.s3-public-rw-bucket", "id": "terraform.lang.security.s3-public-rw-bucket.s3-public-rw-bucket", "name": "terraform.lang.security.s3-public-rw-bucket.s3-public-rw-bucket", "properties": { "precision": "very-high", "tags": [ "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor" ] }, "shortDescription": { "text": "S3 bucket with public read-write access detected." } }, { "defaultConfiguration": { "level": "warning" }, "fullDescription": { "text": "If unverified user data can reach the XML Parser it can result in XML External or Internal Entity (XXE) Processing vulnerabilities" }, "helpUri": "https://semgrep.dev/r/javascript.node-expat.security.audit.expat-xxe.expat-xxe", "id": "javascript.node-expat.security.audit.expat-xxe.expat-xxe", "name": "javascript.node-expat.security.audit.expat-xxe.expat-xxe", "properties": { "precision": "very-high", "tags": [ "CWE-611: Improper Restriction of XML External Entity Reference", "OWASP-A4: XML External Entities (XXE)" ] }, "shortDescription": { "text": "If unverified user data can reach the XML Parser it can result in XML External or Internal Entity (XXE) Processing vulnerabilities" } }, { "defaultConfiguration": { "level": "error" }, "fullDescription": { "text": "Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables: process.env.SECRET)" }, "helpUri": "https://semgrep.dev/r/javascript.jose.security.jwt-hardcode.hardcoded-jwt-secret", "id": "javascript.jose.security.jwt-hardcode.hardcoded-jwt-secret", "name": "javascript.jose.security.jwt-hardcode.hardcoded-jwt-secret", "properties": { "precision": "very-high", "tags": [ "CWE-522: Insufficiently Protected Credentials", "OWASP-A2: Broken Authentication" ] }, "shortDescription": { "text": "Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables: process.env.SECRET)" } }, { "defaultConfiguration": { "level": "note" }, "fullDescription": { "text": "Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape a translated text." }, "helpUri": "https://semgrep.dev/r/python.django.security.audit.xss.template-translate-no-escape.template-translate-no-escape", "id": "python.django.security.audit.xss.template-translate-no-escape.template-translate-no-escape", "name": "python.django.security.audit.xss.template-translate-no-escape.template-translate-no-escape", "properties": { "precision": "very-high", "tags": [ "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "OWASP-A7: Cross-Site Scripting (XSS)" ] }, "shortDescription": { "text": "Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape a translated text." } }, { "defaultConfiguration": { "level": "warning" }, "fullDescription": { "text": "If unverified user data can reach the XML Parser it can result in XML External or Internal Entity (XXE) Processing vulnerabilities" }, "helpUri": "https://semgrep.dev/r/javascript.xml2json.security.audit.xml2json-xxe.xml2json-xxe", "id": "javascript.xml2json.security.audit.xml2json-xxe.xml2json-xxe", "name": "javascript.xml2json.security.audit.xml2json-xxe.xml2json-xxe", "properties": { "precision": "very-high", "tags": [ "CWE-611: Improper Restriction of XML External Entity Reference", "OWASP-A4: XML External Entities (XXE)" ] }, "shortDescription": { "text": "If unverified user data can reach the XML Parser it can result in XML External or Internal Entity (XXE) Processing vulnerabilities" } }, { "defaultConfiguration": { "level": "warning" }, "fullDescription": { "text": "CORS rule on bucket permits any origin" }, "helpUri": "https://semgrep.dev/r/terraform.lang.security.s3-cors-all-origins.all-origins-allowed", "id": "terraform.lang.security.s3-cors-all-origins.all-origins-allowed", "name": "terraform.lang.security.s3-cors-all-origins.all-origins-allowed", "properties": { "precision": "very-high", "tags": [ "CWE-942: Permissive Cross-domain Policy with Untrusted Domains" ] }, "shortDescription": { "text": "CORS rule on bucket permits any origin" } }, { "defaultConfiguration": { "level": "error" }, "fullDescription": { "text": "Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens." }, "helpUri": "https://semgrep.dev/r/javascript.jsonwebtoken.security.jwt-exposed-credentials.jwt-exposed-credentials", "id": "javascript.jsonwebtoken.security.jwt-exposed-credentials.jwt-exposed-credentials", "name": "javascript.jsonwebtoken.security.jwt-exposed-credentials.jwt-exposed-credentials", "properties": { "precision": "very-high", "tags": [ "CWE-522: Insufficiently Protected Credentials", "OWASP-A2: Broken Authentication" ] }, "shortDescription": { "text": "Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens." } }, { "defaultConfiguration": { "level": "warning" }, "fullDescription": { "text": "It looks like '$UNK' is read from user input and it is used to as a redirect. Ensure '$UNK' is not externally controlled, otherwise this is an open redirect." }, "helpUri": "https://semgrep.dev/r/javascript.express.security.audit.possible-user-input-redirect.unknown-value-in-redirect", "id": "javascript.express.security.audit.possible-user-input-redirect.unknown-value-in-redirect", "name": "javascript.express.security.audit.possible-user-input-redirect.unknown-value-in-redirect", "properties": { "precision": "very-high", "tags": [ "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')", "OWASP-A1: Injection" ] }, "shortDescription": { "text": "It looks like '$UNK' is read from user input and it is used to as a redirect. Ensure '$UNK' is not externally controlled, otherwise this is an open redirect." } } ], "semanticVersion": "0.75.0" } }
Results
- javascript.lang.security.detect-child-process.detect-child-process: Detected non-literal calls to $EXEC(). This could lead to a command injection vulnerability.
https://github.com/h3kz-security/code_scanning_demo/blob/main/app/core/appHandler.js#L39-44
- terraform.lang.security.ebs-unencrypted-volume.unencrypted-ebs-volume: An EBS volume is configured without encryption enabled.
https://github.com/h3kz-security/code_scanning_demo/blob/main/terraform/aws/ec2.tf#L34-34