Code Security Report

Scan Metadata

Latest Scan: 2024-03-05 02:41am Total Findings: 16 | New Findings: 16 | Resolved Findings: 16 Tested Project Files: 50 Detected Programming Languages: 1 (JavaScript / TypeScript*)

[ ] Check this box to manually trigger a scan

Most Relevant Findings

The list below presents the 10 most relevant findings that need your attention. To view information on the remaining findings, navigate to the Mend Application.

Severity	Vulnerability Type	CWE	File	Data Flows	Date
High	Code Injection	[CWE-94](https://cwe.mitre.org/data/definitions/94.html)	[contributions.js:33](https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/contributions.js#L33)	1	2024-03-05 02:41am
Vulnerable Code https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/contributions.js#L28-L33 1 Data Flow/s detected https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/index.js#L54 https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/contributions.js#L28 https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/contributions.js#L33

High	Code Injection	[CWE-94](https://cwe.mitre.org/data/definitions/94.html)	[contributions.js:32](https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/contributions.js#L32)	1	2024-03-05 02:41am
Vulnerable Code https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/contributions.js#L27-L32 1 Data Flow/s detected https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/index.js#L54 https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/contributions.js#L28 https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/contributions.js#L32

High	Code Injection	[CWE-94](https://cwe.mitre.org/data/definitions/94.html)	[error.js:10](https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/error.js#L10)	1	2024-03-05 02:41am
Vulnerable Code https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/error.js#L5-L10 1 Data Flow/s detected https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/index.js#L97 https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/error.js#L3 https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/error.js#L11 https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/error.js#L10

High	Code Injection	[CWE-94](https://cwe.mitre.org/data/definitions/94.html)	[profile.js:65](https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/profile.js#L65)	7	2024-03-05 02:41am
Vulnerable Code https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/profile.js#L60-L65 7 Data Flow/s detected View Data Flow 1 https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/index.js#L50 https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/profile.js#L40 https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/profile.js#L45 https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/profile.js#L69 https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/profile.js#L65 View Data Flow 2 https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/index.js#L50 https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/profile.js#L40 https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/profile.js#L44 https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/profile.js#L68 https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/profile.js#L65 View Data Flow 3 https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/index.js#L50 https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/profile.js#L40 https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/profile.js#L46 https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/profile.js#L70 https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/profile.js#L65 [View more Data Flows](https://saas.mend.io/app/orgs/DimaPoCSandbox/scans/9742b22e-e77c-4a68-8ad5-6d27db820ef0/sast?project=da395bda-096d-4a72-aca9-5e3dd4d257ac&findingSnapshotId=42335953-dacb-4dc1-86db-d84a69225685&filtered=yes)

High	Code Injection	[CWE-94](https://cwe.mitre.org/data/definitions/94.html)	[contributions.js:34](https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/contributions.js#L34)	1	2024-03-05 02:41am
Vulnerable Code https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/contributions.js#L29-L34 1 Data Flow/s detected https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/index.js#L54 https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/contributions.js#L28 https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/contributions.js#L34

High	Path/Directory Traversal	[CWE-22](https://cwe.mitre.org/data/definitions/22.html)	[index.js:88](https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/index.js#L88)	1	2024-03-05 02:41am
Vulnerable Code https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/index.js#L83-L88 1 Data Flow/s detected https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/index.js#L84 https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/index.js#L86 https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/index.js#L88

High	NoSQL Injection	[CWE-943](https://cwe.mitre.org/data/definitions/943.html)	[user-dao.js:91](https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/data/user-dao.js#L91)	1	2024-03-05 02:41am
Vulnerable Code https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/data/user-dao.js#L86-L91 1 Data Flow/s detected https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/index.js#L36 https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/session.js#L51 https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/session.js#L53 https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/session.js#L56 https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/data/user-dao.js#L57 https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/data/user-dao.js#L92 https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/data/user-dao.js#L91

High	NoSQL Injection	[CWE-943](https://cwe.mitre.org/data/definitions/943.html)	[memos-dao.js:23](https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/data/memos-dao.js#L23)	1	2024-03-05 02:41am
Vulnerable Code https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/data/memos-dao.js#L18-L23 1 Data Flow/s detected https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/index.js#L69 https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/memos.js#L11 https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/memos.js#L13 https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/data/memos-dao.js#L15 https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/data/memos-dao.js#L19 https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/data/memos-dao.js#L23

High	Server Side Request Forgery	[CWE-918](https://cwe.mitre.org/data/definitions/918.html)	[research.js:16](https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/research.js#L16)	1	2024-03-05 02:41am
Vulnerable Code https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/research.js#L11-L16 1 Data Flow/s detected https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/index.js#L94 https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/research.js#L12 https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/research.js#L15 https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/research.js#L16

High	NoSQL Injection	[CWE-943](https://cwe.mitre.org/data/definitions/943.html)	[user-dao.js:104](https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/data/user-dao.js#L104)	1	2024-03-05 02:41am
Vulnerable Code https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/data/user-dao.js#L99-L104 1 Data Flow/s detected https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/index.js#L40 https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/session.js#L183 https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/session.js#L187 https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/session.js#L200 https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/session.js#L132 https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/session.js#L200 https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/routes/session.js#L202 https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/data/user-dao.js#L103 https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/data/user-dao.js#L105 https://github.com/DimaMend/NodeGoat/blob/b6cc31553629d120f2eb3b9d5e75b3ec3ebf7ece/app/data/user-dao.js#L104

Findings Overview

Severity	Vulnerability Type	CWE	Language	Count
High	Server Side Request Forgery	CWE-918	JavaScript / TypeScript*	1
High	NoSQL Injection	CWE-943	JavaScript / TypeScript*	4
High	Path/Directory Traversal	CWE-22	JavaScript / TypeScript*	1
High	Code Injection	CWE-94	JavaScript / TypeScript*	5
Medium	Regex Denial of Service (ReDoS)	CWE-1333	JavaScript / TypeScript*	1
Low	Log Forging	CWE-117	JavaScript / TypeScript*	2
Low	Sensitive Cookie Without Secure	CWE-614	JavaScript / TypeScript*	1
Low	Unvalidated/Open Redirect	CWE-601	JavaScript / TypeScript*	1

DimaMend / NodeGoat

Code Security Report: 11 high severity findings, 16 total findings #18

Code Security Report

Scan Metadata

Most Relevant Findings

Findings Overview