app.js

  rule:gitlab.eslint.detect-non-literal-fs-filename
  A variable is present in the filename argument of fs calls; this might allow an attacker to access anything on your system.
  Details: https://sg.run/L09Y
     77: app.conf.spec = yaml.safeLoad( fs.readFileSync( app.conf.spec ) );
  --------------------------------------------------------------------------------
    146: const isDirectory = fs.statSync( resolvedPath ).isDirectory();

  rule:gitlab.eslint.detect-non-literal-regexp
  RegExp() called with a variable; this might allow an attacker to DoS your application with a long-running regular expression.
  Details: https://sg.run/70yQ
     64: app.conf.log_header_whitelist = new RegExp( `^(?:${app.conf.log_header_whitelist.map( ( item ) => {
     65:     return item.trim();
     66: } ).join( '|' )})$`, 'i' );

  rule:gitlab.eslint.detect-non-literal-require
  Detected the use of require(variable). Calling require with a non-literal argument might allow an attacker to load and run arbitrary code, or access arbitrary files.
  Details: https://sg.run/5JJ6
    151: const route = require( `${dir}/${fname}` );

  rule:gitlab.eslint.detect-object-injection
  Bracket object notation with user input is present; this might allow an attacker to access all properties of the object and even its prototype, leading to possible code execution.
  Details: https://sg.run/8nbQ
    167: if ( route.path[ route.path.length - 1 ] !== '/' ) {

executors/javascript/executor.js

  rule:gitlab.eslint.detect-eval-with-expression
  Detected eval(variable), which could allow a malicious actor to run arbitrary code.
  Details: https://sg.run/ZeD4
    102: eval( functionTemplate ); // eslint-disable-line no-eval

  rule:gitlab.eslint.detect-object-injection
  Bracket object notation with user input is present; this might allow an attacker to access all properties of the object and even its prototype, leading to possible code execution.
  Details: https://sg.run/8nbQ
     67: boundValues.set( key, Z7[ key ] );

executors/javascript/serialization.js

  rule:gitlab.eslint.detect-object-injection
  Bracket object notation with user input is present; this might allow an attacker to access all properties of the object and even its prototype, leading to possible code execution.
  Details: https://sg.run/8nbQ
     52: const value = theObject[ key ];
  --------------------------------------------------------------------------------
    207: result[ entry[ 0 ] ] = entry[ 1 ];
  --------------------------------------------------------------------------------
    229: kwargs.set( key, serialize( theObject[ key ], subType ) );

executors/javascript/utils.js

  rule:gitlab.eslint.detect-object-injection
  Bracket object notation with user input is present; this might allow an attacker to access all properties of the object and even its prototype, leading to possible code execution.
  Details: https://sg.run/8nbQ
     17: this[ entry[ 0 ] ] = entry[ 1 ];

lib/util.js

  rule:gitlab.eslint.detect-object-injection
  Bracket object notation with user input is present; this might allow an attacker to access all properties of the object and even its prototype, leading to possible code execution.
  Details: https://sg.run/8nbQ
     61: ret.headers[ hdr ] = req.headers[ hdr ];
  --------------------------------------------------------------------------------
     61: ret.headers[ hdr ] = req.headers[ hdr ];
  --------------------------------------------------------------------------------
    152: o[ key ] = err.body[ key ];
  --------------------------------------------------------------------------------
    152: o[ key ] = err.body[ key ];

ran 13 rules on 13 files: 15 findings

Triage notes. Lines 61 and 152 each appear twice because both sides of the assignment contain a bracket access with a variable key, and each match is counted as a separate finding (hence 15, not 13). The detect-object-injection rule fires on any computed property access and does not track whether the key is attacker-controlled or a number: line 167 indexes a string with `route.path.length - 1`, which is a character lookup and cannot reach a prototype. The remaining findings need a source review to decide whether `key`, `hdr`, `entry[ 0 ]`, `app.conf.spec`, `dir`/`fname` and `functionTemplate` can be influenced by a caller; the scan output alone does not establish that.