Client - Codacy - Security

Auth

Authentication is present in almost all web applications nowadays.

Everything's ok

CSRF

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated.

You need to enable the following patterns for this category to be verified

Seems like you are using a configuration file for ESLint, please make sure you have the related patterns enabled in your configuration file.

Prohibit CSRF middleware before methodOverride

Prohibits express.csrf() middleware before express.methodOverride().

ESLint

Cryptography

Cryptography is a security technique widely used and there are several cryptographic functions, but not all of them are secure.

You need to enable the following patterns for this category to be verified

Seems like you are using a configuration file for ESLint, please make sure you have the related patterns enabled in your configuration file.

Prohibit crypto.pseudoRandomBytes

Prohibits crypto.pseudoRandomBytes since it's not cryptographically strong.

ESLint

Prohibit potential hot spot string comparisons

Prohibits potential hot spot string comparisons of passwords, secrets and hashes.

ESLint

DoS

The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed.

You need to enable the following patterns for this category to be verified

Seems like you are using a configuration file for ESLint, please make sure you have the related patterns enabled in your configuration file.

Prohibit Buffer with noAssert

Prohibits buffer read / write calls that use noAssert set to true.

ESLint

File Access

An attacker may use special paths to access files that should not be accessible.

You need to enable the following patterns for this category to be verified

Seems like you are using a configuration file for ESLint, please make sure you have the related patterns enabled in your configuration file.

Prohibit calls to fs functions with expression

Prohibits calls to fs functions that take a non Literal value as the filename parameter.

ESLint

Firefox OS

Sensitive APIs of Firefox OS.

You need to enable the following patterns for this category to be verified

Seems like you are using a configuration file for ESLint, please make sure you have the related patterns enabled in your configuration file.

speaker-control permission

Usage of sensitive API

ESLint

Usage of mozNfc

Usage of sensitive API

ESLint

Usage of mozPhoneNumberService

Usage of sensitive API

ESLint

geolocation permission

This function gives access to information about the user's location.

ESLint

device-storage:music permission

Usage of sensitive API

ESLint

Receive InterAppCommunication

This function sets a handler for inter app communication messages. In general, mozSetMessageHandler allows handling WebActivities. The origin of the activity and its data might be untrusted.

ESLint

Webapps manage

This function is only available to higher privileged Firefox OS applications. It allows managing the phone's app.

ESLint

new MozActivity()

This function creates new Web Activities and can transfer data from one app to another

ESLint

embed-apps permission

Usage of sensitive API

ESLint

Usage of mozNetworkStats

Usage of sensitive API

ESLint

Message handler

Check to make sure message handler validates to protect against malicious cross-origin message.

ESLint

Browser permission

This function is only available to higher privileged Firefox OS applications. MozBrowser frames have specific, elevated permissions.

ESLint

Cellbroadcast permission

Usage of sensitive API

ESLint

Usage of mozContacts

This function allows reading and modifying the phone's contacts. It is only available to higher privileged Firefox OS applications.

ESLint

handle system message

This function allows registering message handlers for Web Activities.

ESLint

Usage of mozPower

This function is only available to higher privileged Firefox OS applications. It allows access to power management features.

ESLint

Time permission

This function is only available to higher privileged Firefox OS applications.

ESLint

Background sensors permission

This exercises the proximity API to check whether the phone is close to something (i.e. held to the ear).

ESLint

device-storage:videos permission

Usage of sensitive API

ESLint

Usage pf cell broadcasts

Usage of sensitive API

ESLint

device-storage:sdcard permission

Usage of sensitive API

ESLint

Usage of mozMobileConnection

Usage of sensitive API

ESLint

mobile network permission

Usage of sensitive API

ESLint

video-capture permission

This function allows prompting for audio and video recording.

ESLint

Usage of mozTelephony

Usage of sensitive API

ESLint

device-storage:pictures permission

Usage of sensitive API

ESLint

Usage of mozMobileConnections

Usage of sensitive API

ESLint

Access datastore

This API allows access to datastores that may be used to serve or retrieve data from third party apps

ESLint

camera permission

This function allows reading and modifying camera settings and is only available to higher privileged Firefox OS application.

ESLint

Call addEventListener

Certain events (like message) may cause untrusted third party data.

ESLint

Input manage permission

Usage of sensitive API

ESLint

wappush permission

This specifies a handler for WAP Push notifications. In general, mozSetMessageHandler allows handling WebActivities. The origin of the activity and its data might be untrusted.

ESLint

alarms permission

This function is only available to higher privileged Firefox OS applications and allows setting and editing alarms. Frequent alarms might prevent power saving and drain the battery.

ESLint

Usage of mozVoicemail

This function is only available to higher privileged Firefox OS applications. It allows controlling the phone's Voicemail features.

ESLint

Usage of mozDownloadManager

Usage of sensitive API

ESLint

Usage of mozSettings

This function is only available to higher privileged Firefox OS applications. It allows access to the phone's settings

ESLint

network-events permission

Usage of sensitive API

ESLint

handle mozActivity

This function allows registering message handlers for Web Activities.

ESLint

bluetooth permission

This function is only available to higher privileged Firefox OS applications.

ESLint

Usage of mozKeyboard

Usage of sensitive API

ESLint

device-storage: apps permission

Usage of sensitive API

ESLint

Usage of mozWifiManager

This function is only available to higher privileged Firefox OS applications. It allows managing the Wifi features of the phone.

ESLint

device-storage:crashes permission

Usage of sensitive API

ESLint

Usage of mozFMRadio

This function is only available to higher privileged Firefox OS applications.

ESLint

Usage of mozTCPSocket

This function allows creating connections and communicating with remote servers.

ESLint

mozSystem object

XMLHttpRequests of type system may contact and read data from third party origins

ESLint

Usage of mozPermissionSettings

This function is only available to higher privileged Firefox OS applications. It allows managing and revoking apps permissions.

ESLint

Create contextual fragment

Writing user specified HTML to the DOM may lead to Cross-Site Scripting

ESLint

Make InterAppCommunication

ESLint

Idle permission

This function is only available to higher privileged Firefox OS applications.

ESLint

Usage of mozNotification

Usage of sensitive API

ESLint

mobile network permission

Usage of sensitive API

ESLint

Usage of mozMobileMessage

Usage of sensitive API

ESLint

Usage of getDeviceStorage

Usage of sensitive API

ESLint

network-events permission

Usage of sensitive API

ESLint

Usage of mozInputMethod

Usage of sensitive API

ESLint

Input validation

Input not validated may originate SQL Injection attacks for instance.

You need to enable the following patterns for this category to be verified

Seems like you are using a configuration file for ESLint, please make sure you have the related patterns enabled in your configuration file.

Call setInterval

Calling setInterval with a first argument as string (or string concatenation) with user input may lead to XSS

ESLint

new Function()

Controlling of the first argument to Function(...) results in direct script execution.

ESLint

Call function

Controlling of the first argument to Function(...) results in direct script execution.

ESLint

Call generateCRMFRequest

Due to a bug in Firefox, this function may be used as an obfuscated way to call execute scripts from strings (like eval). This may lead to Cross-Site-Scripting.

ESLint

Call setTimeout

Calling setTimeout with a first argument as string (or string concatenation) with user input may lead to XSS

ESLint

Prohibit Script URLs

Prohibits using return of a script as URL, you have to parse it first

ESLint

desktop-notification permission

This function generate notifications from the app. It is only available to higher privileged Firefox OS applications.

ESLint

Call eval

Controlling of the first argument to eval(...) results in direct script execution.

ESLint

Prohibit RegExp's with expression

Prohibits RegExp's created from non-literal strings.

ESLint

Prohibit calls to require with expression

Prohibits calls to require with non-literal argument.

ESLint

Prohibit no Markup escaping in Mustache

Prohibits having disabled Markup escaping in Mustache.

ESLint

ESLint_no-unsafe-innerhtml_no-unsafe-innerhtml

ESLint

Prohibit eval with expression

Prohibits eval statement with non Literal argument types.

ESLint

Prohibit eval()

Prohibits the usage of eval()

ESLint

Call execScript

Using execScript with user input leads to Cross Site Scripting (Internet Explorer only)

ESLint

Call setImmediate

Calling setImmediate with a first argument as string (or string concatenation) with user input may lead to XSS

ESLint

Usage parseFromString

This function creates a DOM from strings. Depending on their source it is likely important to sanitize it before an insertion into the DOM happens

ESLint

Insecure Storage

Storing sensitive data using this APIs is not safe.

You need to enable the following patterns for this category to be verified

Seems like you are using a configuration file for ESLint, please make sure you have the related patterns enabled in your configuration file.

Session Storage

Client-side data storage.

ESLint

IndexedDB

Client-side data storage.

ESLint

Session storage

Client-side data storage.

ESLint

Local Storage

Client-side data storage.

ESLint

ESLint_scanjs-rules_property_indexedDB

ESLint

Local Storage

Client-side data storage.

ESLint

Insecure modules/libraries

Consider possible security implications associated with some modules.

Everything's ok

Other

Other language specific security issues.

You need to enable the following patterns for this category to be verified

Seems like you are using a configuration file for ESLint, please make sure you have the related patterns enabled in your configuration file.

Prohibit instances of var[var]

Prohibits instances of var[var].

ESLint

Prohibit instances of child_process

Prohibits instances of child_process.

ESLint

Regex

Regex can be used in a Denial of Service attack, that exploits the fact that most Regular Expression implementations may reach heavy computation situations that cause them to work very slowly (exponentially related to input size).

You need to enable the following patterns for this category to be verified

Seems like you are using a configuration file for ESLint, please make sure you have the related patterns enabled in your configuration file.

Prohibit Unsafe Regular Expression

Prohibits Unsafe Regular Expression (new RegExp).

ESLint

Routes

Badly configured routes can give unintended access to an attacker.

Everything's ok

SQL Injection

A SQL injection attack consists of insertion or 'injection' of a SQL query via the input data from the client to the application.

Everything's ok

Unexpected behaviour

Assigning values to private APIs might lead to unexpected behaviour.

You need to enable the following patterns for this category to be verified

Seems like you are using a configuration file for ESLint, please make sure you have the related patterns enabled in your configuration file.

Assign to hostname

Assignments to the document's location may lead to spoofing and unexpected redirects.

ESLint

Assign to search

Assignments to the document's location may lead to spoofing and unexpected redirects.

ESLint

Assign to src

Assignments to the document's location may lead to spoofing and unexpected redirects. It may also lead to script execution, depending on the affected HTML Tag (i.e. object)

ESLint

Checks for assignments in condition tests.

Unintended use of AssignmentExpression in If Statement.

ESLint

Assign to pathname

Assignments to the document's location may lead to spoofing and unexpected redirects.

ESLint

Assign to protocol

Assignments to the document's location may lead to spoofing and unexpected redirects.

ESLint

Assign to href

Assignments to the document's location may lead to spoofing and unexpected redirects. Furthermore, it can cause Cross-Site Scripting, when javascipt: URIs are used.

ESLint

Assign to onmessage

Check to make sure message handler validates to protect against malicious cross-origin message.

ESLint

Assign to mozAudioChannel

This function is only available to higher privileged Firefox OS applications.

ESLint

Assign to mozAudioChannelType

This function is only available to higher privileged Firefox OS applications.

ESLint

Assign to location

Assignments to the document's location may lead to spoofing and unexpected redirects. Furthermore, it can cause Cross-Site Scripting, when javascipt: URIs are used

ESLint

XSS

XSS enables attackers to inject client-side scripts into web pages viewed by other users.

You need to enable the following patterns for this category to be verified

Seems like you are using a configuration file for ESLint, please make sure you have the related patterns enabled in your configuration file.

ESLint_scanjs-rules_call_open_remote=true

ESLint

attention permission

Attention popups fill the whole display. URLs pointing to javascript: and data: protocols can lead to XSS. Popups can also confuse and misdirect users.

ESLint

Call document.writeln

Writing user specified HTML to the DOM may lead to Cross-Site Scripting

ESLint

Call document.write

Writing user specified HTML to the DOM may lead to Cross-Site Scripting

ESLint

Security monitor

Auth

Authentication is present in almost all web applications nowadays.

CSRF

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated.

Cryptography

Cryptography is a security technique widely used and there are several cryptographic functions, but not all of them are secure.

DoS

The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed.

File Access

An attacker may use special paths to access files that should not be accessible.

Firefox OS

Sensitive APIs of Firefox OS.

Input validation

Input not validated may originate SQL Injection attacks for instance.

Insecure Storage

Storing sensitive data using this APIs is not safe.

Insecure modules/libraries

Consider possible security implications associated with some modules.

Other

Other language specific security issues.

Regex

Regex can be used in a Denial of Service attack, that exploits the fact that most Regular Expression implementations may reach heavy computation situations that cause them to work very slowly (exponentially related to input size).

Routes

Badly configured routes can give unintended access to an attacker.

SQL Injection

A SQL injection attack consists of insertion or 'injection' of a SQL query via the input data from the client to the application.

Unexpected behaviour

Assigning values to private APIs might lead to unexpected behaviour.

XSS

XSS enables attackers to inject client-side scripts into web pages viewed by other users.