CodeGuru
Detector Library
JavaScript detectors (78/78)
Improper access controlSensitive data stored unencrypted due to partial encryptionPseudorandom number generatorsOS command injectionURL redirection to untrusted siteInteger overflowProtection mechanism failureNon-literal regular expressionTainted input for Docker APIUsage of an API that is not recommendedXML external entityServer-side request forgeryNew function detectedStack trace exposureTiming attackSNS don't bind subscribe and publishInvoke super appropriatelyNoSQL injectionHardcoded credentialsInsecure cookieCross-site scriptingHardcoded IP addressAWS credentials loggedXPath injectionData loss in a batch requestPath traversalLeast privilege violationDNS prefetchingResource leakInsufficiently protected credentialsFile extension validationInsecure connection using unencrypted protocolCross-site request forgeryTypeof expressionSet SNS Return Subscription ARNFile and directory information exposureMissing Amazon S3 bucket owner conditionInsecure hashingNumeric truncation errorClient-side KMS reencryptionAWS client not reused in a Lambda functionLDAP injectionBatch request with unchecked failuresCryptographic key generatorUnauthenticated Amazon SNS unsubscribe requests might succeedUnverified hostnameOrigins-verified cross-origin communicationsLoose file permissionsUnsanitized input is run as codeMissing paginationUntrusted Amazon Machine ImagesImproper certificate validationInsecure CORS policyDeserialization of untrusted objectSensitive information leakCheck failed records when using kinesisWeak obfuscation of web requestsCatch and swallow exceptionLogging of sensitive informationLimit request lengthString passed to `setInterval` or `setTimeout`Log injectionOverride of reserved variable names in a Lambda functionImproper restriction of rendered UI layers or framesInsecure cryptographyInsecure object attribute modificationSession fixationAvoid nan in comparisonImproper input validationDisabled HTML autoescapeUse of a deprecated methodUnvalidated expansion of archive filesFile injectionSendfile injectionSQL injectionHeader injectionInsecure temporary file or directoryInefficient polling of AWS resource
Medium
Showing all detectors for the JavaScript language with medium severity.
Improper access control
The software does not restrict or incorrectly restrict access to a resource from an unauthorized actor.
Sensitive data stored unencrypted due to partial encryption
Encryption that is dependent on conditional logic, such as an
if...then clause, might cause unencrypted sensitive data to be stored.Pseudorandom number generators
Using pseudorandom number generators (PRNGs) is security-sensitive.
Integer overflow
An integer overflow might cause security issues when it is used for resource management or execution control.
New function detected
Use of
new Function() can be dangerous if used to evaluate dynamic content.Stack trace exposure
Stack traces can be hard to use for debugging.
SNS don't bind subscribe and publish
Do not bind the SNS Publish operation with the SNS Subscribe or Create Topic operation.
Hardcoded IP address
Hardcoding an IP address can cause security problems.
Data loss in a batch request
A batch request that doesn't check for failed items can lead to loss of data.
Least privilege violation
The elevated privilege level should be dropped immediately after the operation is performed.
Resource leak
Allocated resources are not released properly.
Insufficiently protected credentials
An object attribute constructed from a user-provided input should not be passed directly to a method.
File extension validation
Checks if the extension of a file uploaded by a user is validated before the file is saved.
Set SNS Return Subscription ARN
To always return the subscription ARN, set the
ReturnSubscriptionArn argument to True.File and directory information exposure
Allowing hidden files while serving files from a given root directory can cause information leakage.
Insecure hashing
Obsolete, broken, or weak hashing algorithms can lead to security vulnerabilities.
AWS client not reused in a Lambda function
Recreating AWS clients in each Lambda function invocation is expensive.
Unauthenticated Amazon SNS unsubscribe requests might succeed
Failing to set the
AuthenticateOnUnsubscribe flag to True when confirming an SNS subscription can lead to unauthenticated cancellations.Missing pagination
Missing pagination on a paginated call can lead to inaccurate results.
Untrusted Amazon Machine Images
Improper filtering of Amazon Machine Images (AMIs) can result in loading an untrusted image, which is a potential security vulnerability.
Insecure CORS policy
Cross-origin resource sharing policies that are too permissive could lead to security vulnerabilities.
Check failed records when using kinesis
A batch request that doesn't check for failed records can lead to loss of data.
Catch and swallow exception
Swallowing exceptions, without rethrowing or logging them, can make it hard to understand why your application is failing.
Override of reserved variable names in a Lambda function
Overriding environment variables that are reserved by AWS Lambda might lead to unexpected behavior.
Insecure object attribute modification
Updating object attributes obtained from external sources is security sensitive.
Avoid nan in comparison
Checks if nan is used is comparison.
Improper input validation
Improper input validation can enable attacks and lead to unwanted behavior.
Insecure temporary file or directory
Insecure ways of creating temporary files and directories can lead to race conditions, privilege escalation, and other security vulnerabilities.