Node.Security

Security Audit of Graphite-web

ISGroup SRL performed an automated code review (not a real static analysis, more a grep-on-steroids) of this NodeJS project in order to identify potential security vulnerabilities. We do not guarantee that all the findings are valid, and for sure there are plenty of false positives and false negatives (undetected issues), but it's free and your project could benefit from this security analysis. The following data is also available in JSON format.

Possible Security Issues

Every finding in this section is of the same class, Server Side Injection (SSI): user controlled data reaching eval(), new Function(), setTimeout() or setInterval() can result in Server Side Injection (SSI) or Remote Code Execution (RCE). Note that every flagged file sits under webapp/content/js/, i.e. static JavaScript served to the browser (the ExtJS and Ace bundles among them), so the "server side" label reflects the scanner's rule name rather than a confirmed server-side execution path; each hit still deserves a manual look at what reaches the sink.

Issue | Line | File
SSI - setTimeout() | 1217 | webapp/content/js/composer_widgets.js
SSI - eval() | 649 | webapp/content/js/ext/ext-all-debug.js
SSI - eval() | 717 | webapp/content/js/ext/ext-all-debug.js
SSI - eval() | 1138 | webapp/content/js/ext/ext-all-debug.js
SSI - setInterval() | 1563 | webapp/content/js/ext/ext-all-debug.js
SSI - setInterval() | 2455 | webapp/content/js/ext/ext-all-debug.js
SSI - setTimeout() | 3972 | webapp/content/js/ext/ext-all-debug.js
SSI - setTimeout() | 4756 | webapp/content/js/ext/ext-all-debug.js
SSI - eval() | 4815 | webapp/content/js/ext/ext-all-debug.js
SSI - setTimeout() | 5054 | webapp/content/js/ext/ext-all-debug.js
SSI - setTimeout() | 5065 | webapp/content/js/ext/ext-all-debug.js
SSI - eval() | 6422 | webapp/content/js/ext/ext-all-debug.js
SSI - setTimeout() | 6566 | webapp/content/js/ext/ext-all-debug.js
SSI - setInterval() | 6926 | webapp/content/js/ext/ext-all-debug.js
SSI - eval() | 7290 | webapp/content/js/ext/ext-all-debug.js
SSI - setTimeout() | 7903 | webapp/content/js/ext/ext-all-debug.js
SSI - setInterval() | 8578 | webapp/content/js/ext/ext-all-debug.js
SSI - new Function() | 8917 | webapp/content/js/ext/ext-all-debug.js
SSI - new Function() | 9020 | webapp/content/js/ext/ext-all-debug.js
SSI - eval() | 10054 | webapp/content/js/ext/ext-all-debug.js
SSI - eval() | 10056 | webapp/content/js/ext/ext-all-debug.js
SSI - new Function() | 10124 | webapp/content/js/ext/ext-all-debug.js
SSI - new Function() | 10258 | webapp/content/js/ext/ext-all-debug.js
SSI - new Function() | 10264 | webapp/content/js/ext/ext-all-debug.js
SSI - new Function() | 10269 | webapp/content/js/ext/ext-all-debug.js
SSI - new Function() | 10270 | webapp/content/js/ext/ext-all-debug.js
SSI - new Function() | 10271 | webapp/content/js/ext/ext-all-debug.js
SSI - eval() | 10373 | webapp/content/js/ext/ext-all-debug.js
SSI - setTimeout() | 21340 | webapp/content/js/ext/ext-all-debug.js
SSI - setTimeout() | 21881 | webapp/content/js/ext/ext-all-debug.js
SSI - setTimeout() | 22126 | webapp/content/js/ext/ext-all-debug.js
SSI - setInterval() | 22545 | webapp/content/js/ext/ext-all-debug.js
SSI - new Function() | 26123 | webapp/content/js/ext/ext-all-debug.js
SSI - setTimeout() | 27632 | webapp/content/js/ext/ext-all-debug.js
SSI - setTimeout() | 30265 | webapp/content/js/ext/ext-all-debug.js
SSI - setTimeout() | 30533 | webapp/content/js/ext/ext-all-debug.js
SSI - setTimeout() | 32841 | webapp/content/js/ext/ext-all-debug.js
SSI - setInterval() | 32851 | webapp/content/js/ext/ext-all-debug.js
SSI - setInterval() | 32885 | webapp/content/js/ext/ext-all-debug.js
SSI - setInterval() | 35689 | webapp/content/js/ext/ext-all-debug.js
SSI - setTimeout() | 36033 | webapp/content/js/ext/ext-all-debug.js
SSI - eval() | 36532 | webapp/content/js/ext/ext-all-debug.js
SSI - setTimeout() | 37308 | webapp/content/js/ext/ext-all-debug.js
SSI - setTimeout() | 37319 | webapp/content/js/ext/ext-all-debug.js
SSI - setTimeout() | 37403 | webapp/content/js/ext/ext-all-debug.js
SSI - setTimeout() | 37541 | webapp/content/js/ext/ext-all-debug.js
SSI - setTimeout() | 37563 | webapp/content/js/ext/ext-all-debug.js
SSI - setTimeout() | 37670 | webapp/content/js/ext/ext-all-debug.js
SSI - setTimeout() | 48859 | webapp/content/js/ext/ext-all-debug.js
SSI - setTimeout() | 49439 | webapp/content/js/ext/ext-all-debug.js
SSI - eval() | 7 | webapp/content/js/ext/ext-all.js
SSI - setTimeout() | 7 | webapp/content/js/ext/ext-all.js
SSI - setInterval() | 7 | webapp/content/js/ext/ext-all.js
SSI - new Function() | 7 | webapp/content/js/ext/ext-all.js
SSI - setTimeout() | 11 | webapp/content/js/ext/ext-all.js
SSI - setTimeout() | 1003 | webapp/content/js/ext/adapter/ext/ext-base-debug.js
SSI - setInterval() | 1123 | webapp/content/js/ext/adapter/ext/ext-base-debug.js
SSI - setInterval() | 1542 | webapp/content/js/ext/adapter/ext/ext-base-debug.js
SSI - setTimeout() | 1954 | webapp/content/js/ext/adapter/ext/ext-base-debug.js
SSI - setInterval() | 1956 | webapp/content/js/ext/adapter/ext/ext-base-debug.js
SSI - setInterval() | 2376 | webapp/content/js/ext/adapter/ext/ext-base-debug.js
SSI - setTimeout() | 7 | webapp/content/js/ext/adapter/ext/ext-base.js
SSI - setInterval() | 7 | webapp/content/js/ext/adapter/ext/ext-base.js
SSI - eval() | 1 | webapp/content/js/ace/worker-javascript.js
SSI - setTimeout() | 1 | webapp/content/js/ace/worker-javascript.js
SSI - eval() | 1 | webapp/content/js/ace/ace.js
SSI - setTimeout() | 1 | webapp/content/js/ace/ace.js
SSI - setInterval() | 1 | webapp/content/js/ace/ace.js
Missing Security Features

Issue | Description
Missing Security Header - X-Frame-Options (XFO) | The X-Frame-Options (XFO) header provides protection against clickjacking attacks.
Missing Security Header - Content-Security-Policy (CSP) | Content Security Policy (CSP) is a mechanism web applications can use to mitigate a broad class of content injection vulnerabilities, such as cross-site scripting (XSS). No CSP header was found.
Missing Security Header - Strict-Transport-Security (HSTS) | The Strict-Transport-Security (HSTS) header enforces secure (HTTP over SSL/TLS) connections to the server.
Missing 'httpOnly' in Cookie | JavaScript can access cookies if they are not marked httpOnly.
Information Disclosure - X-Powered-By | Remove the X-Powered-By header to prevent information gathering.
Missing Security Header - X-Content-Type-Options | The X-Content-Type-Options header prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content type.
Missing Security Header - X-Download-Options: noopen | The X-Download-Options header set to noopen prevents IE users from directly opening and executing downloads in your site's context.
Missing Security Header - X-XSS-Protection: 1 | The X-XSS-Protection header set to 1 enables the cross-site scripting (XSS) filter built into most recent web browsers.
Missing Security Header - Public-Key-Pins (HPKP) | Public-Key-Pins (HPKP) ensures that the certificate is pinned.
Outdated Libraries
File Library Reference