Amazon CodeGuruDetector Library Sign in to CodeGuru

CodeGuru

Detector Library

JavaScript detectors (78/78)

Improper access control Sensitive data stored unencrypted due to partial encryption Pseudorandom number generators OS command injection URL redirection to untrusted site Untrusted Amazon Machine Images Integer overflow Improper certificate validation Protection mechanism failure Non-literal regular expression Tainted input for Docker API Usage of an API that is not recommended XML external entity Insecure CORS policy Server-side request forgery New function detected Stack trace exposure Deserialization of untrusted object Timing attack SNS don't bind subscribe and publish Sensitive information leak Invoke super appropriately NoSQL injection Check failed records when using kinesis Hardcoded credentials Insecure cookie Weak obfuscation of web requests Catch and swallow exception Cross-site scripting Logging of sensitive information Limit request length String passed to `setInterval` or `setTimeout`Hardcoded IP address Log injection Override of reserved variable names in a Lambda function AWS credentials logged XPath injection Improper restriction of rendered UI layers or frames Insecure cryptography Data loss in a batch request Path traversal Least privilege violation DNS prefetching Insecure object attribute modification Resource leak Insufficiently protected credentials File extension validation Insecure connection using unencrypted protocol Cross-site request forgery Session fixation Typeof expression Set SNS Return Subscription ARN File and directory information exposure Missing Amazon S3 bucket owner condition Insecure hashing Numeric truncation error Avoid nan in comparison Client-side KMS reencryption AWS client not reused in a Lambda function Improper input validation LDAP injection Batch request with unchecked failures Disabled HTML autoescape Use of a deprecated method Cryptographic key generator Unvalidated expansion of archive files Unauthenticated Amazon SNS unsubscribe requests might succeed File injection Unverified hostname Sendfile injection SQL injection Header injection Origins-verified cross-origin communications Insecure temporary file or directory Loose file permissions Unsanitized input is run as code Missing pagination Inefficient polling of AWS resource

Deserialization of untrusted object High

Deserialization of untrusted or potentially malformed data can be exploited for denial of service or to induce running untrusted code.

Detector ID

javascript/untrusted-deserialization@v1.0

Category

Common Weakness Enumeration (CWE)

CWE-502 CWE-1321

Tags

# deserialization # injection # owasp-top10 # top25-cwes

Noncompliant example

1function untrustedDeserializationNoncompliant() {
2    var script = document.createElement("script")
3    script.src = "https://example.com/script.js"
4    // Noncompliant: integrity is not checked.
5    document.head.appendChild(script)
6}

Compliant example

1function untrustedDeserializationCompliant() {
2    var script = document.createElement("script")
3    script.src = "https://example.com/script.js"
4    // Compliant: integrity is checked.
5    script.integrity = "sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
6    document.head.appendChild(script)
7}