ISGroup SRL performed an automated Code Review (not a real Static Analysis, more a grep-on-steroid) of this NodeJS project in order to identify potential security vulnerabilities. We do not guarantee that all the findings are valid, and for sure there are plenty of false-positives and false-negatives (undetected issues) but it's free and your project could benefit from this security analisys. The following data is also available in JSON format!
| Issue | Description | Line | File |
|---|---|---|---|
| Remote OS Command Execution | User controlled data in 'child_process.exec()' can result in Remote OS Command Execution. | 2 | internals/scripts/npmcheckversion.js |
| Remote OS Command Execution | User controlled data in 'child_process.exec()' can result in Remote OS Command Execution. | 4 | internals/scripts/setup.js |
| Server Side Injection(SSI) - setTimeout() | User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 21 | internals/scripts/setup.js |
| Server Side Injection(SSI) - setInterval() | User controlled data in 'setInterval()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 15 | internals/scripts/helpers/progress.js |
| Remote OS Command Execution | User controlled data in 'child_process.exec()' can result in Remote OS Command Execution. | 4 | internals/generators/language/index.js |
| Username Hardcoded | A hardcoded username in plain text was identified. Store it properly in a config file. | 27 | app/containers/App/tests/selectors.test.js |
| Username Hardcoded | A hardcoded username in plain text was identified. Store it properly in a config file. | 29 | app/containers/App/tests/actions.test.js |
| Username Hardcoded | A hardcoded username in plain text was identified. Store it properly in a config file. | 41 | app/containers/App/tests/reducer.test.js |
| Username Hardcoded | A hardcoded username in plain text was identified. Store it properly in a config file. | 12 | app/containers/HomePage/constants.js |
| Username Hardcoded | A hardcoded username in plain text was identified. Store it properly in a config file. | 25 | app/containers/HomePage/tests/selectors.test.js |
| Username Hardcoded | A hardcoded username in plain text was identified. Store it properly in a config file. | 17 | app/containers/HomePage/tests/sagas.test.js |
| Issue | Description |
|---|---|
| Missing Security Header - X-Frame-Options (XFO) | X-Frame-Options (XFO) header provides protection against Clickjacking attacks. |
| Missing Security Header - Content-Security-Policy (CSP) | Content Security Policy (CSP), a mechanism web applications can use to mitigate a broad class of content injection vulnerabilities, such as cross-site scripting (XSS). CSP Header was not found. |
| Use Strict | Strict Mode allows you to place a program, or a function, in a "strict" operating context. This strict context prevents certain actions from being taken and throws more exceptions. |
| Missing Security Header - Strict-Transport-Security (HSTS) | Strict-Transport-Security (HSTS) header enforces secure (HTTP over SSL/TLS) connections to the server. |
| Missing 'httpOnly' in Cookie | JavaScript can access Cookies if they are not marked httpOnly. |
| Infromation Disclosure - X-Powered-By | Remove the X-Powered-By header to prevent information gathering. |
| Missing Security Header - X-Content-Type-Options | X-Content-Type-Options header prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type. |
| Missing Security Header - X-Download-Options: noopen | X-Download-Options header set to noopen prevents IE users from directly opening and executing downloads in your site's context. |
| Missing Security Header - X-XSS-Protection:1 | X-XSS-Protection header set to 1 enables the Cross-site scripting (XSS) filter built into most recent web browsers. |
| Missing Security Header - Public-Key-Pins (HPKP) | Public-Key-Pins (HPKP) ensures that certificate is Pinned. |
| File | Library | Reference |
|---|