Node.Security

Security Audit of Keystone

ISGroup SRL performed an automated code review (not a true static analysis; closer to grep on steroids) of this NodeJS project in order to identify potential security vulnerabilities. We do not guarantee that all the findings are valid: there are certainly plenty of false positives and false negatives (undetected issues), but it is free and your project could benefit from this security analysis. The following data is also available in JSON format!

Possible Security Issues
Issue | Description | Line | File
--- | --- | --- | ---
Remote OS Command Execution | User controlled data in 'child_process.exec()' can result in Remote OS Command Execution. | 4 | test/helpers/getKeystoneApp.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 233 | test/unit/track.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 318 | test/unit/track.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 403 | test/unit/track.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 480 | test/unit/track.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 580 | test/unit/track.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 675 | test/unit/track.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 44 | admin/client/App/screens/Item/components/EditForm.js
Key Hardcoded | A hardcoded key in plain text was identified. | 252 | admin/client/App/screens/Item/components/EditForm.js
Key Hardcoded | A hardcoded key in plain text was identified. | 329 | admin/client/App/screens/Item/components/EditForm.js
Key Hardcoded | A hardcoded key in plain text was identified. | 342 | admin/client/App/screens/Item/components/EditForm.js
Key Hardcoded | A hardcoded key in plain text was identified. | 354 | admin/client/App/screens/Item/components/EditForm.js
Key Hardcoded | A hardcoded key in plain text was identified. | 367 | admin/client/App/screens/Item/components/EditForm.js
Key Hardcoded | A hardcoded key in plain text was identified. | 106 | admin/client/App/screens/Item/components/EditFormHeader.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 62 | admin/client/App/screens/Home/actions.js
Key Hardcoded | A hardcoded key in plain text was identified. | 108 | admin/client/App/screens/List/components/UpdateForm.js
Key Hardcoded | A hardcoded key in plain text was identified. | 28 | admin/client/App/screens/List/components/ItemsTable/ItemsTable.js
Key Hardcoded | A hardcoded key in plain text was identified. | 35 | admin/client/App/screens/List/components/ItemsTable/ItemsTable.js
Key Hardcoded | A hardcoded key in plain text was identified. | 48 | admin/client/App/screens/List/components/ItemsTable/ItemsTableRow.js
Key Hardcoded | A hardcoded key in plain text was identified. | 54 | admin/client/App/screens/List/components/ItemsTable/ItemsTableRow.js
Key Hardcoded | A hardcoded key in plain text was identified. | 56 | admin/client/App/screens/List/components/ItemsTable/ItemsTableRow.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 78 | admin/client/App/screens/List/components/ItemsTable/ItemsTableDragDropZoneTarget.js
Key Hardcoded | A hardcoded key in plain text was identified. | 28 | admin/client/App/screens/List/components/Filtering/ListFilters.js
Key Hardcoded | A hardcoded key in plain text was identified. | 92 | admin/client/App/screens/List/components/Filtering/ListFiltersAdd.js
Key Hardcoded | A hardcoded key in plain text was identified. | 104 | admin/client/App/screens/List/components/Filtering/ListFiltersAdd.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 105 | admin/client/App/screens/List/actions/items.js
Key Hardcoded | A hardcoded key in plain text was identified. | 12 | admin/client/App/test/App.test.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 79 | admin/client/Signin/Signin.js
Key Hardcoded | A hardcoded key in plain text was identified. | 11 | admin/client/Signin/components/Alert.js
Key Hardcoded | A hardcoded key in plain text was identified. | 13 | admin/client/Signin/components/Alert.js
Password Hardcoded | A hardcoded password in plain text was identified. Store it properly in a config file. | 65 | admin/client/Signin/components/test/LoginForm.test.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 106 | admin/public/js/packages.js
Server Side Injection (SSI) - setInterval() | User controlled data in 'setInterval()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 106 | admin/public/js/packages.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 838 | admin/public/js/packages.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 841 | admin/public/js/packages.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 843 | admin/public/js/packages.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 860 | admin/public/js/packages.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 863 | admin/public/js/packages.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 865 | admin/public/js/packages.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 1057 | admin/public/js/packages.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 1692 | admin/public/js/packages.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 2638 | admin/public/js/packages.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 3325 | admin/public/js/packages.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 3837 | admin/public/js/packages.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 4005 | admin/public/js/packages.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 4049 | admin/public/js/packages.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 4055 | admin/public/js/packages.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 4770 | admin/public/js/packages.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 5397 | admin/public/js/packages.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 1 | admin/public/js/lib/codemirror/codemirror-compressed.js
Server Side Injection (SSI) - setInterval() | User controlled data in 'setInterval()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 1 | admin/public/js/lib/codemirror/codemirror-compressed.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 2 | admin/public/js/lib/codemirror/codemirror-compressed.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 3 | admin/public/js/lib/codemirror/codemirror-compressed.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 4 | admin/public/js/lib/codemirror/codemirror-compressed.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 8 | admin/public/js/lib/codemirror/codemirror-compressed.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 9 | admin/public/js/lib/codemirror/codemirror-compressed.js
Server Side Injection (SSI) - setInterval() | User controlled data in 'setInterval()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 9 | admin/public/js/lib/codemirror/codemirror-compressed.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 50820 | admin/public/js/lib/codemirror/codemirror-compressed.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 52141 | admin/public/js/lib/codemirror/codemirror-compressed.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 52171 | admin/public/js/lib/codemirror/codemirror-compressed.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 52191 | admin/public/js/lib/codemirror/codemirror-compressed.js
Server Side Injection (SSI) - new Function() | User controlled data in 'new Function()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 52677 | admin/public/js/lib/codemirror/codemirror-compressed.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 421 | admin/public/js/lib/jquery/jquery-1.10.2.js
Server Side Injection (SSI) - new Function() | User controlled data in 'new Function()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 569 | admin/public/js/lib/jquery/jquery-1.10.2.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 927 | admin/public/js/lib/jquery/jquery-1.10.2.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 962 | admin/public/js/lib/jquery/jquery-1.10.2.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 4007 | admin/public/js/lib/jquery/jquery-1.10.2.js
Server Side Injection (SSI) - eval() | User controlled data in 'eval()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 4282 | admin/public/js/lib/jquery/jquery-1.10.2.js
Server Side Injection (SSI) - eval() | User controlled data in 'eval()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 4484 | admin/public/js/lib/jquery/jquery-1.10.2.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 8129 | admin/public/js/lib/jquery/jquery-1.10.2.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 8788 | admin/public/js/lib/jquery/jquery-1.10.2.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 8872 | admin/public/js/lib/jquery/jquery-1.10.2.js
Server Side Injection (SSI) - setInterval() | User controlled data in 'setInterval()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 9520 | admin/public/js/lib/jquery/jquery-1.10.2.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 4 | admin/public/js/lib/jquery/jquery-1.10.2.min.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 5 | admin/public/js/lib/jquery/jquery-1.10.2.min.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 6 | admin/public/js/lib/jquery/jquery-1.10.2.min.js
Server Side Injection (SSI) - setInterval() | User controlled data in 'setInterval()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 6 | admin/public/js/lib/jquery/jquery-1.10.2.min.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 103 | admin/public/js/lib/jqueryfileupload/jquery.iframe-transport.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 437 | admin/public/js/lib/jqueryfileupload/vendor/jquery.ui.widget.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 2 | admin/public/js/lib/tinymce/tinymce.min.js
Server Side Injection (SSI) - setInterval() | User controlled data in 'setInterval()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 2 | admin/public/js/lib/tinymce/tinymce.min.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 3 | admin/public/js/lib/tinymce/tinymce.min.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 9 | admin/public/js/lib/tinymce/tinymce.min.js
Server Side Injection (SSI) - setInterval() | User controlled data in 'setInterval()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 9 | admin/public/js/lib/tinymce/tinymce.min.js
Server Side Injection (SSI) - setInterval() | User controlled data in 'setInterval()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 10 | admin/public/js/lib/tinymce/tinymce.min.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 11 | admin/public/js/lib/tinymce/tinymce.min.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 12 | admin/public/js/lib/tinymce/tinymce.min.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 13 | admin/public/js/lib/tinymce/tinymce.min.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 1027 | admin/public/js/lib/tinymce/classes/Editor.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 174 | admin/public/js/lib/tinymce/classes/FocusManager.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 104 | admin/public/js/lib/tinymce/classes/NodeChange.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 174 | admin/public/js/lib/tinymce/classes/dom/EventUtils.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 555 | admin/public/js/lib/tinymce/classes/dom/ControlSelection.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 78 | admin/public/js/lib/tinymce/classes/dom/StyleSheetLoader.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 46 | admin/public/js/lib/tinymce/classes/ui/Throbber.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 27 | admin/public/js/lib/tinymce/classes/ui/ReflowQueue.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 238 | admin/public/js/lib/tinymce/classes/ui/FloatPanel.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 70 | admin/public/js/lib/tinymce/classes/ui/Iframe.js
Server Side Injection (SSI) - setInterval() | User controlled data in 'setInterval()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 70 | admin/public/js/lib/tinymce/classes/ui/Window.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 334 | admin/public/js/lib/tinymce/classes/ui/Window.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 380 | admin/public/js/lib/tinymce/classes/ui/Window.js
Key Hardcoded | A hardcoded key in plain text was identified. | 42 | admin/public/js/lib/tinymce/classes/util/LocalStorage.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 710 | admin/public/js/lib/tinymce/classes/util/Quirks.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 736 | admin/public/js/lib/tinymce/classes/util/Quirks.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 912 | admin/public/js/lib/tinymce/classes/util/Quirks.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 996 | admin/public/js/lib/tinymce/classes/util/Quirks.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 55 | admin/public/js/lib/tinymce/classes/util/XHR.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 100 | admin/public/js/lib/tinymce/classes/util/XHR.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 26 | admin/public/js/lib/tinymce/classes/util/Promise.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 172 | admin/public/js/lib/tinymce/plugins/compat3x/tiny_mce_popup.js
Server Side Injection (SSI) - eval() | User controlled data in 'eval()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 192 | admin/public/js/lib/tinymce/plugins/compat3x/tiny_mce_popup.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 324 | admin/public/js/lib/tinymce/plugins/compat3x/tiny_mce_popup.js
Server Side Injection (SSI) - setInterval() | User controlled data in 'setInterval()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 1 | admin/public/js/lib/tinymce/plugins/autosave/plugin.min.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 1 | admin/public/js/lib/tinymce/plugins/tabfocus/plugin.min.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 532 | admin/public/js/lib/tinymce/plugins/paste/classes/Clipboard.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 204 | admin/public/js/lib/tinymce/plugins/imagetools/classes/Plugin.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 1 | admin/public/js/lib/tinymce/plugins/table/plugin.min.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 171 | admin/public/js/lib/tinymce/plugins/table/classes/Quirks.js
Weak Hash used - MD5 | MD5 is a weak hash which is known to have collisions. Use a strong hashing function. | 112 | admin/server/middleware/browserify.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 75 | fields/types/number/NumberFilter.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 86 | fields/types/date/DateFilter.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 90 | fields/types/date/DateFilter.js
Key Hardcoded | A hardcoded key in plain text was identified. | 25 | fields/types/cloudinaryimages/CloudinaryImagesColumn.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 741 | fields/types/markdown/lib/bootstrap-markdown.js
Key Hardcoded | A hardcoded key in plain text was identified. | 30 | fields/types/embedly/EmbedlyField.js
Key Hardcoded | A hardcoded key in plain text was identified. | 38 | fields/types/embedly/EmbedlyField.js
Key Hardcoded | A hardcoded key in plain text was identified. | 73 | fields/types/embedly/EmbedlyField.js
Key Hardcoded | A hardcoded key in plain text was identified. | 206 | fields/types/s3file/S3FileType.js
Key Hardcoded | A hardcoded key in plain text was identified. | 207 | fields/types/s3file/S3FileType.js
Key Hardcoded | A hardcoded key in plain text was identified. | 34 | fields/types/localfiles/LocalFilesField.js
Key Hardcoded | A hardcoded key in plain text was identified. | 46 | fields/types/localfiles/LocalFilesField.js
Key Hardcoded | A hardcoded key in plain text was identified. | 48 | fields/types/localfiles/LocalFilesField.js
Key Hardcoded | A hardcoded key in plain text was identified. | 53 | fields/types/localfiles/LocalFilesField.js
Key Hardcoded | A hardcoded key in plain text was identified. | 54 | fields/types/localfiles/LocalFilesField.js
Key Hardcoded | A hardcoded key in plain text was identified. | 34 | fields/types/relationship/RelationshipColumn.js
Key Hardcoded | A hardcoded key in plain text was identified. | 193 | fields/types/relationship/RelationshipField.js
Key Hardcoded | A hardcoded key in plain text was identified. | 198 | fields/types/relationship/RelationshipField.js
Weak Hash used - MD5 | MD5 is a weak hash which is known to have collisions. Use a strong hashing function. | 36 | fields/types/email/EmailType.js
Server Side Injection (SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 83 | fields/types/datearray/DateArrayFilter.js
Key Hardcoded | A hardcoded key in plain text was identified. | 24 | lib/core/initExpressSession.js
Key Hardcoded | A hardcoded key in plain text was identified. | 11 | lib/security/csrf.js
Key Hardcoded | A hardcoded key in plain text was identified. | 12 | lib/security/csrf.js
Key Hardcoded | A hardcoded key in plain text was identified. | 16 | lib/security/csrf.js
Key Hardcoded | A hardcoded key in plain text was identified. | 17 | lib/security/csrf.js
Key Hardcoded | A hardcoded key in plain text was identified. | 18 | lib/security/csrf.js
Weak Hash used - SHA1 | SHA1 is a weak hash which is known to have collisions. Use a strong hashing function. | 21 | lib/security/csrf.js
Missing Security Features
Issue | Description
--- | ---
Missing Security Header - Strict-Transport-Security (HSTS) | The Strict-Transport-Security (HSTS) header enforces secure (HTTP over SSL/TLS) connections to the server.
Information Disclosure - X-Powered-By | Remove the X-Powered-By header to prevent information gathering.
Missing Security Header - X-Content-Type-Options | The X-Content-Type-Options header prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type.
Missing Security Header - X-Download-Options: noopen | The X-Download-Options header set to noopen prevents IE users from directly opening and executing downloads in your site's context.
Missing Security Header - X-XSS-Protection: 1 | The X-XSS-Protection header set to 1 enables the Cross-site scripting (XSS) filter built into most recent web browsers.
Missing Security Header - Public-Key-Pins (HPKP) | Public-Key-Pins (HPKP) ensures that the certificate is pinned.
Outdated Libraries
File | Library | Reference
--- | --- | ---