JavaScript

By DeepSource

XML parsing may be vulnerable to XXE attacks (JS-D022)
Security
Autofix

XXE Injection is a type of attack against an application that parses XML input.

By default, many XML processors allow an external entity to be declared: a URI (Uniform Resource Identifier) that is dereferenced and evaluated during XML processing. When such a document is parsed, the parser can fetch the resource at that URI and include its content in the XML document.

It is recommended to disable fetching external entities whenever possible.

Avoid insecure HTTP strict transport security (JS-S1002)
Security
Autofix

When using Node.js and Express, policies for HTTPS can be configured through the helmet library. The insecureSubdomains policy determines whether the website redirects to the HTTPS version when the HTTP one is requested.

Misconfigured CORS in express (JS-D002)
Security

Cross-Origin Resource Sharing (CORS) is a mechanism that enables web browsers to perform cross-domain requests using the XMLHttpRequest API in a controlled manner. It defines the protocol used between a web browser and a server to determine whether a cross-origin request is allowed. Using *, null, or google.com as the allowed origin is not a reliable way to ensure the security of the application.

Found weak hashing functions (JS-D003)
Security
Autofix

Robust cipher algorithms are cryptographic systems resistant to cryptanalysis. They are not vulnerable to well-known attacks such as brute-force attacks.

A general recommendation is to use only cipher algorithms that have been intensively tested and are promoted by the cryptographic community.

More specifically, it's not recommended for a block cipher to use an algorithm with a block size below 128 bits.

Audit: Forwarding IP while setting proxies in the HTTP server (JS-D018)
Security
Autofix

The X-Forwarded-For (XFF) header is a de facto standard header for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or a load balancer.

When traffic passes through a proxy or load balancer between clients and servers, the server's access logs contain only the IP address of the proxy or load balancer. The X-Forwarded-For request header is used to recover the original IP address of the client.

If a server makes proxied connections, it is not a good idea to forward user IP addresses using HTTP headers such as X-Forwarded-For or Forwarded.