CodeGuru
Detector Library
JavaScript detectors (78/78)
Improper access controlSensitive data stored unencrypted due to partial encryptionPseudorandom number generatorsOS command injectionURL redirection to untrusted siteInteger overflowProtection mechanism failureNon-literal regular expressionTainted input for Docker APIUsage of an API that is not recommendedXML external entityServer-side request forgeryNew function detectedStack trace exposureTiming attackSNS don't bind subscribe and publishInvoke super appropriatelyNoSQL injectionHardcoded credentialsInsecure cookieCross-site scriptingHardcoded IP addressAWS credentials loggedXPath injectionData loss in a batch requestPath traversalLeast privilege violationDNS prefetchingResource leakInsufficiently protected credentialsFile extension validationInsecure connection using unencrypted protocolCross-site request forgeryTypeof expressionSet SNS Return Subscription ARNFile and directory information exposureMissing Amazon S3 bucket owner conditionInsecure hashingNumeric truncation errorClient-side KMS reencryptionAWS client not reused in a Lambda functionLDAP injectionBatch request with unchecked failuresCryptographic key generatorUnauthenticated Amazon SNS unsubscribe requests might succeedUnverified hostnameOrigins-verified cross-origin communicationsLoose file permissionsUnsanitized input is run as codeMissing paginationUntrusted Amazon Machine ImagesImproper certificate validationInsecure CORS policyDeserialization of untrusted objectSensitive information leakCheck failed records when using kinesisWeak obfuscation of web requestsCatch and swallow exceptionLogging of sensitive informationLimit request lengthString passed to `setInterval` or `setTimeout`Log injectionOverride of reserved variable names in a Lambda functionImproper restriction of rendered UI layers or framesInsecure cryptographyInsecure object attribute modificationSession fixationAvoid nan in comparisonImproper input validationDisabled HTML autoescapeUse of a deprecated methodUnvalidated expansion of archive filesFile injectionSendfile injectionSQL injectionHeader injectionInsecure temporary file or directoryInefficient polling of AWS resource
Least privilege violation Medium
The elevated privilege level required to perform operations should be dropped immediately after the operation is performed.
Detector ID
javascript/least-privilege-violation@v1.0
Category
Common Weakness Enumeration (CWE) 
Tags
-
Noncompliant example
1var { BrowserWindow } = require("electron")
2
3function leastPrivilegeViolationNoncompliant() {
4 var win = new BrowserWindow({
5 width: 800,
6 height: 600,
7 webPreferences: {
8 // Noncompliant: 'nodeIntegration' and 'allowRunningInsecureContent' properties are enabled.
9 nodeIntegration: true,
10 allowRunningInsecureContent: true
11 }
12 })
13}
Compliant example
1var { BrowserWindow } = require("electron")
2
3function leastPrivilegeViolationCompliant() {
4 var win = new BrowserWindow({
5 width: 800,
6 height: 600,
7 webPreferences: {
8 // Compliant: 'nodeIntegration' and 'allowRunningInsecureContent' properties are disabled.
9 nodeIntegration: false,
10 allowRunningInsecureContent: false,
11 }
12 })
13}