Last updated: 2018-12-21T02:50:53.021Z
Authentication is present in almost all web applications nowadays.
Everything's ok
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated.
Everything's ok
An HTTP cookie is a small piece of data sent from a website and stored on the user's computer by the browser while the user is browsing.
Everything's ok
Cryptography is a widely used security technique; there are several cryptographic functions, but not all of them are secure.
Everything's ok
The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose for which it was designed.
Everything's ok
An attacker may use special paths to access files that should not be accessible.
Everything's ok
Sensitive APIs of Firefox OS.
You need to enable the following patterns for this category to be verified
ESLint: This function is only available to higher privileged Firefox OS applications. It allows managing the Wifi features of the phone.
ESLint: XMLHttpRequests of type system may contact and read data from third-party origins.
ESLint: This function is only available to higher privileged Firefox OS applications. It allows controlling the phone's Voicemail features.
ESLint: This function is only available to higher privileged Firefox OS applications. MozBrowser frames have specific, elevated permissions.
ESLint: Writing user-specified HTML to the DOM may lead to Cross-Site Scripting.
ESLint: This API allows access to datastores that may be used to serve or retrieve data from third-party apps.
ESLint: This function is only available to higher privileged Firefox OS applications.
ESLint: This function is only available to higher privileged Firefox OS applications.
ESLint: This specifies a handler for WAP Push notifications. In general, mozSetMessageHandler allows handling WebActivities. The origin of the activity and its data might be untrusted.
ESLint: This function allows reading and modifying the phone's contacts. It is only available to higher privileged Firefox OS applications.
ESLint: This function is only available to higher privileged Firefox OS applications.
ESLint: This function is only available to higher privileged Firefox OS applications and allows setting and editing alarms. Frequent alarms might prevent power saving and drain the battery.
ESLint: This function is only available to higher privileged Firefox OS applications. It allows access to the phone's settings.
ESLint: This function is only available to higher privileged Firefox OS applications. It allows managing and revoking app permissions.
ESLint: This exercises the proximity API to check whether the phone is close to something (e.g. held to the ear).
ESLint: This function is only available to higher privileged Firefox OS applications. It allows managing the phone's apps.
ESLint: This function sets a handler for inter-app communication messages. In general, mozSetMessageHandler allows handling WebActivities. The origin of the activity and its data might be untrusted.
ESLint: This function allows reading and modifying camera settings and is only available to higher privileged Firefox OS applications.
ESLint: This function is only available to higher privileged Firefox OS applications.
ESLint: This function allows creating connections and communicating with remote servers.
ESLint: This function is only available to higher privileged Firefox OS applications. It allows access to power management features.
ESLint: Check that the message handler validates incoming messages to protect against malicious cross-origin messages.
ESLint: This function creates new Web Activities and can transfer data from one app to another.
HTTP headers are a common attack vector for malicious users.
Everything's ok
Unvalidated input may lead to SQL injection attacks, for instance.
You need to enable the following patterns for this category to be verified
It seems you are using a configuration file for Rubocop; please make sure you have the related patterns enabled in your configuration file.
ESLint: Calling setInterval with a string (or string concatenation) containing user input as its first argument may lead to XSS.
ESLint: Controlling the first argument to Function(...) results in direct script execution.
ESLint: Due to a bug in Firefox, this function may be used as an obfuscated way to execute scripts from strings (like eval). This may lead to Cross-Site Scripting.
ESLint: This function generates notifications from the app. It is only available to higher privileged Firefox OS applications.
ESLint: This function creates a DOM from strings. Depending on their source, it is likely important to sanitize them before they are inserted into the DOM.
ESLint: Controlling the first argument to Function(...) results in direct script execution.
ESLint: Using execScript with user input leads to Cross-Site Scripting (Internet Explorer only).
ESLint: Calling setImmediate with a string (or string concatenation) containing user input as its first argument may lead to XSS.
ESLint: Calling setTimeout with a string (or string concatenation) containing user input as its first argument may lead to XSS.
Rubocop: Avoid using `Marshal.load` or `Marshal.restore` due to potential security issues. See reference for more information.
Rubocop: The use of eval represents a serious security risk.
Rubocop: Prefer `YAML.safe_load` over `YAML.load` due to potential security issues. See reference for more information.
Rubocop: Prefer `JSON.parse` over `JSON.load` due to potential security issues. See reference for more information.
Storing sensitive data using these APIs is not safe.
You need to enable the following patterns for this category to be verified
Consider possible security implications associated with some modules.
Everything's ok
Mass assignment is a feature of Rails which allows an application to create a record from the values of a hash.
Everything's ok
Other language specific security issues.
Everything's ok
Regex can be used in a Denial of Service attack that exploits the fact that most regular expression implementations may reach heavy-computation situations that cause them to work very slowly (exponentially in the input size).
Everything's ok
Badly configured routes can give unintended access to an attacker.
Everything's ok
A SQL injection attack consists of the insertion or 'injection' of a SQL query via the input data sent from the client to the application.
Everything's ok
Simply using SSL isn't enough to ensure the data you are sending is secure. Man-in-the-middle attacks are well known and widely used.
Everything's ok
Assigning values to private APIs might lead to unexpected behaviour.
You need to enable the following patterns for this category to be verified
ESLint: Assignments to the document's location may lead to spoofing and unexpected redirects. They may also lead to script execution, depending on the affected HTML tag (e.g. object).
ESLint: Assignments to the document's location may lead to spoofing and unexpected redirects.
ESLint: Assignments to the document's location may lead to spoofing and unexpected redirects. Furthermore, they can cause Cross-Site Scripting when javascript: URIs are used.
ESLint: Unintended use of AssignmentExpression in If Statement.
ESLint: This function is only available to higher privileged Firefox OS applications.
ESLint: This function is only available to higher privileged Firefox OS applications.
ESLint: Assignments to the document's location may lead to spoofing and unexpected redirects.
ESLint: Assignments to the document's location may lead to spoofing and unexpected redirects.
ESLint: Check that the message handler validates incoming messages to protect against malicious cross-origin messages.
ESLint: Assignments to the document's location may lead to spoofing and unexpected redirects. Furthermore, they can cause Cross-Site Scripting when javascript: URIs are used.
ESLint: Assignments to the document's location may lead to spoofing and unexpected redirects.
XSS enables attackers to inject client-side scripts into web pages viewed by other users.
You need to enable the following patterns for this category to be verified
ESLint: Attention: popups fill the whole display. URLs pointing to javascript: and data: protocols can lead to XSS. Popups can also confuse and misdirect users.
ESLint: Writing user-specified HTML to the DOM may lead to Cross-Site Scripting.