Lawlez / Lawlez.github.io

MIT License

[DepShield] (CVSS 8.8) Vulnerability due to usage of xmlhttprequest-ssl:1.5.5 #348

Open sonatype-depshield[bot] opened 1 year ago

sonatype-depshield[bot] commented 1 year ago

Depshield will be deprecated soon

Please install our new product, Sonatype Lift with advanced features


Vulnerabilities

DepShield reports that this application's usage of xmlhttprequest-ssl:1.5.5 results in the following vulnerability(s):


Occurrences

xmlhttprequest-ssl:1.5.5 is a transitive dependency introduced by the following direct dependency(s):

browser-sync:2.26.13
  └─ socket.io:2.1.1
      └─ socket.io-client:2.1.1
          └─ engine.io-client:3.2.1
              └─ xmlhttprequest-ssl:1.5.5

webpack-dashboard:3.2.1
  └─ socket.io-client:2.2.0
      └─ engine.io-client:3.3.2
          └─ xmlhttprequest-ssl:1.5.5

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

secure-code-warrior-for-github[bot] commented 1 year ago

Micro-Learning Topic: Improper Control of Generation of Code ('Code Injection') (CWE 94)

Matched on "CWE-94"


The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.


Helpful references
  • OWASP Testing for Code Injection - This article is focused on providing testing techniques for identifying code injection flaws in your applications.
  • OWASP Command Injection - OWASP community page with comprehensive information about Code Injection, and links to various OWASP resources to help detect or prevent it.

Micro-Learning Topic: Improper Certificate Validation (CWE 295)

Matched on "CWE-295"


The software does not validate, or incorrectly validates, a certificate.


Micro-Learning Topic: Code injection (Detected by phrase)

Matched on "Code Injection"


Code injection happens when an application insecurely accepts input that is subsequently used in a dynamic code evaluation call. If insufficient validation or sanitisation is performed on the input, specially crafted inputs may be able to alter the syntax of the evaluated code and thus alter execution. In a worst case scenario, an attacker could run arbitrary code in the server context and thus perform almost any action on the application server.


Micro-Learning Topic: Improper control of generation of code (Detected by phrase)

Matched on "Improper Control of Generation of Code"


Treating externally controlled strings as code can allow an attacker to execute malicious code.
