JavaScript

Made by DeepSource
Avoid using dangerous JSX properties JS-0440
Security
Major

Dangerous properties in React are those whose behavior is known to be a common source of application vulnerabilities. The property names clearly indicate that they are dangerous, and they should be avoided unless great care is taken.

Avoid target='_blank' attribute without rel='noopener noreferrer' JS-0422
Security
Major

When creating a JSX element with an <a> tag, it is often desirable to have the link open in a new tab using the target='_blank' attribute. Using this attribute without an accompanying rel='noreferrer', however, is a severe security vulnerability.

Insecure web security preferences found in Electron JS-S1015
Security
Critical
Autofix

Setting the webSecurity property to false, or allowRunningInsecureContent to true, in the web preferences of an Electron renderer such as a BrowserWindow or BrowserView disables crucial security features. By default, the webSecurity property is always true and the allowRunningInsecureContent property is always false.

Certificate validation is disabled in TLS connection JS-S1017
Security
Critical
Autofix

Certificate validation is an important aspect of Transport Layer Security (TLS) connections, as it helps to ensure the authenticity and integrity of the data being transmitted. Disabling certificate validation can lead to several security risks, including man-in-the-middle attacks: without certificate validation, an attacker can intercept the communication and present a fake certificate to the client.

Insecure express middleware path JS-S1018
Security
Critical
Autofix

In Express, paths specified using string literals are case-insensitive, whereas those specified using regular expressions are case-sensitive. When a case-sensitive regex is used as a middleware route, attackers can bypass the middleware by altering the casing of the endpoint they choose to hit: the string-literal route still matches the differently cased path, but the regex middleware in front of it does not.

Insecure node integration preferences found in Electron JS-S1019
Security
Critical

The nodeIntegration option in Electron controls whether the renderer process has access to the Node.js APIs. By default, nodeIntegration is set to false, which means that the renderer process cannot access the Node.js APIs. Similarly, the nodeIntegrationInWorker option is also set to false by default, so that Electron Web Workers do not have access to the Node.js APIs.

Found hardcoded credentials in source code JS-S1021
Security
Critical

Hardcoded credentials in your source code, such as passwords, tokens, and API keys, can lead to security vulnerabilities even if the source repository is private and/or self-hosted.

Strict Contextual Escaping (SCE) is disabled in AngularJS JS-S1022
Security
Critical

Strict Contextual Escaping (SCE) is a security feature in AngularJS that helps protect against cross-site scripting (XSS) attacks. It is designed to prevent the injection of potentially dangerous content into web applications by escaping or sanitizing user-generated content.

Audit: Regex range is too permissive JS-A1002
Security
Critical

In regular expressions, the - operator can be used inside a character class to match a range of characters. For example, /[a-z]/ will match any character whose character code lies between those of 'a' and 'z'. Large ranges, like A-z, are often the result of typos or incorrect refactors. The range [A-z] will match any character with an ASCII code between 65 and 122, which includes the non-alphabetic characters that sit between 'Z' and 'a' in the ASCII table ([, \, ], ^, _ and `).

Such behaviour is not obvious from the regex, and it might open your application up to vulnerabilities where incoming data isn't properly validated.

Audit: insecure assignment to innerHTML property JS-S1012
Security
Critical

The innerHTML property is capable of directly changing the DOM structure, thereby opening up possibilities for XSS attacks. If you only want to change the text inside an HTML element, consider using the innerText or textContent property instead. Avoid assigning values fetched from third-party sources to HTMLElement#innerHTML without proper sanitization. If you must do so, validate and sanitize the data before assignment.

NOTE: If this issue was raised on a code snippet that you're sure was sanitized, consider adding a skipcq comment explaining the reason for the snippet's safety. Alternatively, you could disable this issue for your project in settings.

Usage of an insecure TLS protocol version JS-S1009
Security
Critical

It is not recommended to use TLS protocol versions earlier than 1.2. Using outdated TLS protocol versions leads to the use of outdated, vulnerable cipher suites.

Found error handling middleware in production JS-S1024
Security
Major

The errorhandler middleware should only be enabled in development mode. Enabling it in production can reveal sensitive information about your application to a client, including file paths, error messages, directory structure, and debug instructions.

Detected Unsafe referrer policy JS-S1011
Security
Critical

The Referrer-Policy HTTP header controls the amount of referrer information included in requests. Incorrectly configuring this header can lead to exposure of private data from the referring page.

Audit: Avoid exposing server-side errors to client JS-A1006
Security
Critical

An error thrown by code running on the server should never be exposed to a client. Error objects contain information such as the state of the call stack, bugs in the server code, and the dependencies used by the server application. An attacker can intentionally send requests that yield an error and thereby get an idea of the server's code layout and possible vulnerabilities.

Misconfigured CORS in express JS-D002
Security
Major

Cross-Origin Resource Sharing (CORS) is a mechanism that enables web browsers to perform cross-domain requests using the XMLHttpRequest API in a controlled manner. It defines the protocol used between a web browser and a server to determine whether a cross-origin request is allowed. Using *, null, or google.com as the allowed origin is not a reliable way to ensure the security of the application.

Audit: Forwarding IP while setting proxies in the HTTP server JS-D018
Security
Major
Autofix

The X-Forwarded-For (XFF) header is a de facto standard header for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or a load balancer.

When traffic passes through a proxy or load balancer between clients and servers, server access logs contain only the IP address of the proxy or load balancer. The X-Forwarded-For request header is used to recover the original IP address of the client.

If a server makes proxied connections, it is not a good idea to forward user IP addresses using HTTP headers such as X-Forwarded-For or Forwarded.

Context isolation is disabled in Electron JS-S1020
Security
Critical

Context isolation is an Electron feature that runs preload scripts and Electron's internal APIs in a JavaScript context separate from the website's own. This is important for security, as it helps prevent the website from accessing Electron internals or the powerful APIs that your preload script has access to.