app.js
rule:javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp: RegExp() called with a variable, this might allow an attacker to DOS your application with a long-running regular expression.
Details: https://sg.run/gr65
64: app.conf.log_header_whitelist = new RegExp( `^(?:${app.conf.log_header_whitelist.map( ( item ) => {
65:     return item.trim();
66: } ).join( '|' )})$`, 'i' );
--------------------------------------------------------------------------------
rule:javascript.lang.security.detect-non-literal-require.detect-non-literal-require: Detected the use of require(variable). Calling require with a non-literal argument might allow an attacker to load an run arbitrary code, or access arbitrary files.
Details: https://sg.run/zvNn
151: const route = require( `${dir}/${fname}` );

executors/javascript/executor.js
rule:javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression: Detected eval(variable), which could allow a malicious actor to run arbitrary code.
Details: https://sg.run/6nwK
102: eval( functionTemplate ); // eslint-disable-line no-eval

executors/javascript/serialization.js
rule:javascript.lang.security.audit.detect-bracket-object-injection.detect-bracket-object-injection: Detected user input used in bracket notation accessor. This could lead to object injection through key, which could grant access to every property available in the object and therefore sensitive information. Instead, avoid the use of user input in property name fields or create a whitelist of allowed input.
Details: https://sg.run/XBkj
52: const value = theObject[ key ];
--------------------------------------------------------------------------------
rule:javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop: Possibility of prototype polluting function detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object.
Details: https://sg.run/w1DB
172: tail = tail[ tailKey ];

lib/util.js
rule:javascript.lang.security.audit.detect-bracket-object-injection.detect-bracket-object-injection: Detected user input used in bracket notation accessor. This could lead to object injection through hdr, which could grant access to every property available in the object and therefore sensitive information. Instead, avoid the use of user input in property name fields or create a whitelist of allowed input.
Details: https://sg.run/XBkj
61: ret.headers[ hdr ] = req.headers[ hdr ];
--------------------------------------------------------------------------------
rule:javascript.lang.security.audit.detect-bracket-object-injection.detect-bracket-object-injection: Detected user input used in bracket notation accessor. This could lead to object injection through key, which could grant access to every property available in the object and therefore sensitive information. Instead, avoid the use of user input in property name fields or create a whitelist of allowed input.
Details: https://sg.run/XBkj
152: o[ key ] = err.body[ key ];

src/subprocess.js
rule:javascript.lang.security.detect-child-process.detect-child-process: Detected non-literal calls to $EXEC(). This could lead to a command injection vulnerability.
Details: https://sg.run/l2lo
12: const process = spawn( binary, args, options );

ran 52 rules on 127 files: 8 findings