Last updated: 2016-03-04T08:43:02.883Z
Authentication is present in almost all web applications nowadays.
You need to enable the following patterns for this category to be verified:
Suggest named credentials for authentication. [PMD (Legacy)]
Prohibit using hard-coded passwords; consider placing them in config files or keystores instead. [Codacy ScalaMeta Pro]

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated.
You need to enable the following patterns for this category to be verified:
Avoid making DML operations in an Apex class constructor/init method. [PMD (Legacy)]
Prohibits express.csrf() middleware before express.methodOverride(). [ESLint]

An HTTP cookie is a small piece of data sent from a website and stored on the user's computer by the browser while the user is browsing.
You need to enable the following patterns for this category to be verified:
Check for usage of the sessionId cookie in spray. [Codacy ScalaMeta Pro]
A cookie without the Secure flag could be sent in clear text if an HTTP URL is visited. [Codacy ScalaMeta Pro]
A cookie that is not marked HttpOnly could be read by a malicious script in the browser. [Codacy ScalaMeta Pro]

Cryptography is a widely used security technique, and there are several cryptographic functions, but not all of them are secure.
You need to enable the following patterns for this category to be verified:
Prohibits potential hot-spot string comparisons of passwords, secrets and hashes. [ESLint]
Prohibits crypto.pseudoRandomBytes since it is not cryptographically strong. [ESLint]
Prohibit using hard-coded keys; consider placing them in config files or keystores instead. [Codacy ScalaMeta Pro]
Communication channels should use encrypted connections. [Codacy ScalaMeta Pro]
The NullCipher is rarely used intentionally in production applications. [Codacy ScalaMeta Pro]
Do not use your own custom message digest algorithm. [Codacy ScalaMeta Pro]
RSA Laboratories currently recommends key sizes of 1024 bits. [Codacy ScalaMeta Pro]
At least 128 bits of entropy should be used when using Blowfish. [Codacy ScalaMeta Pro]
Do not use java.util.Random; its pseudo-random generator can be predictable. [Codacy ScalaMeta Pro]

The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed for.
You need to enable the following patterns for this category to be verified:
Regular expressions are frequently subject to Denial of Service attacks. [Codacy ScalaMeta Pro]
Prohibits buffer read/write calls that use noAssert set to true. [ESLint]

An attacker may use special paths to access files that should not be accessible.
You need to enable the following patterns for this category to be verified:
Prevents possible filename injection by unfiltered input. [Codacy ScalaMeta Pro]
Prohibits calls to fs functions that take a non-literal value as the filename parameter. [ESLint]

Sensitive APIs of Firefox OS.
You need to enable the following patterns for this category to be verified:
This function is only available to higher privileged Firefox OS applications. It allows access to power management features. [ESLint]
Check to make sure the message handler performs validation to protect against malicious cross-origin messages. [ESLint]
This function is only available to higher privileged Firefox OS applications. It allows managing the Wi-Fi features of the phone. [ESLint]
This function is only available to higher privileged Firefox OS applications. It allows managing and revoking app permissions. [ESLint]
XMLHttpRequests of type system may contact and read data from third-party origins. [ESLint]
This function is only available to higher privileged Firefox OS applications. [ESLint]
This function is only available to higher privileged Firefox OS applications. It allows access to the phone's settings. [ESLint]
This function sets a handler for inter-app communication messages. In general, mozSetMessageHandler allows handling WebActivities. The origin of the activity and its data might be untrusted. [ESLint]
This function is only available to higher privileged Firefox OS applications. It allows managing the phone's apps. [ESLint]
This function is only available to higher privileged Firefox OS applications. MozBrowser frames have specific, elevated permissions. [ESLint]
This specifies a handler for WAP Push notifications. In general, mozSetMessageHandler allows handling WebActivities. The origin of the activity and its data might be untrusted. [ESLint]
This function is only available to higher privileged Firefox OS applications. [ESLint]
This function allows reading and modifying the phone's contacts. It is only available to higher privileged Firefox OS applications. [ESLint]
This function allows reading and modifying camera settings and is only available to higher privileged Firefox OS applications. [ESLint]
Writing user-specified HTML to the DOM may lead to Cross-Site Scripting. [ESLint]
This API allows access to datastores that may be used to serve or retrieve data from third-party apps. [ESLint]
This function is only available to higher privileged Firefox OS applications and allows setting and editing alarms. Frequent alarms might prevent power saving and drain the battery. [ESLint]
This function creates new Web Activities and can transfer data from one app to another. [ESLint]
This exercises the proximity API to check whether the phone is close to something (e.g. held to the ear). [ESLint]
This function is only available to higher privileged Firefox OS applications. [ESLint]
This function allows creating connections and communicating with remote servers. [ESLint]
This function is only available to higher privileged Firefox OS applications. It allows controlling the phone's Voicemail features. [ESLint]
This function is only available to higher privileged Firefox OS applications. [ESLint]

HTTP headers are a common attack vector for malicious users.
You need to enable the following patterns for this category to be verified:
The User-Agent header can be controlled by the client. As such, its value should not be used in any security-critical decisions. [Codacy ScalaMeta Pro]
Check for usage of the values obtained from GET and POST parameters in spray. [Codacy ScalaMeta Pro]
Check for usage of the values obtained from HTTP request parameters in play-framework. [Codacy ScalaMeta Pro]
The User-Agent header can be controlled by the client. As such, its value should not be used in any security-critical decisions. [Codacy ScalaMeta Pro]
The hostname header can be controlled by the client. As such, its value should not be used in any security-critical decisions. [Codacy ScalaMeta Pro]
Request headers can easily be altered by the requesting user. [Codacy ScalaMeta Pro]
Check for usage of the 'Content-Type' header in spray. [Codacy ScalaMeta Pro]
Check for usage of the 'Content-Type' header in play. [Codacy ScalaMeta Pro]
Request headers can easily be altered by the requesting user. [Codacy ScalaMeta Pro]
The Referer header can be controlled by the client. As such, its value should not be used in any security-critical decisions. [Codacy ScalaMeta Pro]
The Referer header can be controlled by the client. As such, its value should not be used in any security-critical decisions. [Codacy ScalaMeta Pro]

Unvalidated input may give rise to attacks such as SQL injection.
You need to enable the following patterns for this category to be verified:
Validate CRUD permission before a SOQL/DML operation. [PMD (Legacy)]
Avoid unescaped user-controlled content in EL. [PMD (Legacy)]
Control of the first argument to Function(...) results in direct script execution. [ESLint]
Due to a bug in Firefox, this function may be used as an obfuscated way to execute scripts from strings (like eval). This may lead to Cross-Site Scripting. [ESLint]
Calling setInterval with a string (or string concatenation) containing user input as its first argument may lead to XSS. [ESLint]
Calling setTimeout with a string (or string concatenation) containing user input as its first argument may lead to XSS. [ESLint]
no-unsafe-innerhtml [ESLint]
Control of the first argument to Function(...) results in direct script execution. [ESLint]
Prohibits calls to require with a non-literal argument. [ESLint]
Calling setImmediate with a string (or string concatenation) containing user input as its first argument may lead to XSS. [ESLint]
Prohibits disabling markup escaping in Mustache. [ESLint]
This function generates notifications from the app. It is only available to higher privileged Firefox OS applications. [ESLint]
Using execScript with user input leads to Cross-Site Scripting (Internet Explorer only). [ESLint]
This function creates a DOM from strings. Depending on their source, they likely need to be sanitized before being inserted into the DOM. [ESLint]
Check whether a call to redirect comes directly from an input. [ESLint]
Check whether a call to redirect comes directly from an input. [Codacy ScalaMeta Pro]
Object deserialization of untrusted data can lead to remote code execution. [Codacy ScalaMeta Pro]

Storing sensitive data using these APIs is not safe.
You need to enable the following patterns for this category to be verified:

Consider possible security implications associated with some modules.
You need to enable the following patterns for this category to be verified:
Apex classes should declare a sharing model if DML or SOQL/SOSL is used. [PMD (Legacy)]

Other language-specific security issues.
You need to enable the following patterns for this category to be verified:

Regular expressions can be used in a Denial of Service attack that exploits the fact that most regular expression implementations can reach heavy-computation cases that make them work very slowly (exponentially in the input size).
You need to enable the following patterns for this category to be verified:

Badly configured routes can give unintended access to an attacker.
You need to enable the following patterns for this category to be verified:
Apex classes should safely redirect to a known location. [PMD (Legacy)]
Apex callouts should use encrypted communication channels. [PMD (Legacy)]

A SQL injection attack consists of insertion or 'injection' of a SQL query via the input data from the client to the application.
You need to enable the following patterns for this category to be verified:
Avoid untrusted/unescaped variables in a DML query. [PMD (Legacy)]

Assigning values to private APIs might lead to unexpected behaviour.
You need to enable the following patterns for this category to be verified:
Unintended use of an AssignmentExpression in an if statement. [ESLint]
Check to make sure the message handler performs validation to protect against malicious cross-origin messages. [ESLint]
Assignments to the document's location may lead to spoofing and unexpected redirects. Furthermore, it can cause Cross-Site Scripting when javascript: URIs are used. [ESLint]
Assignments to the document's location may lead to spoofing and unexpected redirects. Furthermore, it can cause Cross-Site Scripting when javascript: URIs are used. [ESLint]
Assignments to the document's location may lead to spoofing and unexpected redirects. [ESLint]
This function is only available to higher privileged Firefox OS applications. [ESLint]
Assignments to the document's location may lead to spoofing and unexpected redirects. [ESLint]
Assignments to the document's location may lead to spoofing and unexpected redirects. [ESLint]
This function is only available to higher privileged Firefox OS applications. [ESLint]
Assignments to the document's location may lead to spoofing and unexpected redirects. It may also lead to script execution, depending on the affected HTML tag (e.g. object). [ESLint]
Assignments to the document's location may lead to spoofing and unexpected redirects. [ESLint]

XSS enables attackers to inject client-side scripts into web pages viewed by other users.
You need to enable the following patterns for this category to be verified:
Apex classes should escape/sanitize Strings obtained from URL parameters. [PMD (Legacy)]
Apex classes should escape Strings in error messages. [PMD (Legacy)]
Attention popups fill the whole display. URLs pointing to javascript: and data: protocols can lead to XSS. Popups can also confuse and misdirect users. [ESLint]
Writing user-specified HTML to the DOM may lead to Cross-Site Scripting. [ESLint]