Status: Open. Opened by sonatype-depshield[bot] 2 years ago.
The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Code injection happens when an application accepts untrusted input and later passes it, or code built from it, to a dynamic code evaluation call. If the input is not sufficiently validated or sanitised, a specially crafted value can change the syntax of the evaluated code and thus change what executes. In the worst case an attacker runs arbitrary code in the server's context and can perform almost any action on the application server.
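The mechanism described above, as an added example that is not part of this issue and not handlebars code: a hypothetical "rule" feature lets users filter records with an expression such as record.age > 18. The unsafe variant splices that text into JavaScript source and hands it to the Function constructor, a dynamic code evaluation call, so a crafted rule closes the intended expression and runs attacker code. The hardened variant parses a fixed, allowlisted grammar and never evaluates user text as code. Names (evaluateRuleUnsafe, evaluateRuleSafe, the field allowlist) and the crafted input are assumptions made for the example.

```javascript
// Added example, not from the DepShield issue or from handlebars itself.
// Hypothetical feature: users supply a rule that selects records.

// --- Vulnerable: externally-influenced input becomes part of a code segment.
function evaluateRuleUnsafe(expression, record) {
  // The user's text is concatenated straight into a function body.
  const fn = new Function('record', 'return (' + expression + ');');
  return fn(record);
}

// --- Hardened: a small allowlisted grammar of the form `field op literal`.
const ALLOWED_FIELDS = new Set(['age', 'country']);
const OPERATORS = {
  '>': (a, b) => a > b,
  '<': (a, b) => a < b,
  '==': (a, b) => a === b,
};
// field, operator, then either an integer or a double-quoted word.
const RULE_RE = /^([a-z_]+)\s*(>|<|==)\s*(\d+|"[A-Za-z]*")$/;

function evaluateRuleSafe(expression, record) {
  const m = RULE_RE.exec(expression);
  if (m === null) throw new Error('rule rejected: ' + expression);
  const field = m[1];
  const op = m[2];
  const rawLiteral = m[3];
  if (!ALLOWED_FIELDS.has(field)) throw new Error('unknown field: ' + field);
  const literal = rawLiteral.startsWith('"')
    ? rawLiteral.slice(1, -1)
    : Number(rawLiteral);
  // Only the allowlisted operator runs; the rule text is never evaluated.
  return OPERATORS[op](record[field], literal);
}

// Constructed attacker input: the comma operator runs arbitrary code (here a
// harmless global marker) and then yields the boolean the caller expects,
// keeping the parentheses balanced so the generated source still parses.
const CRAFTED = '0, (globalThis.injected = "yes"), record.age > 18';

// Drive both evaluators with the same benign and crafted inputs and return
// what happened, so the outcome can be checked rather than just printed.
function demo() {
  const record = { age: 30, country: 'SE' };
  const results = {};

  results.unsafeBenign = evaluateRuleUnsafe('record.age > 18', record);
  results.unsafeCrafted = evaluateRuleUnsafe(CRAFTED, record); // still true
  results.sideEffectHappened = globalThis.injected === 'yes';   // code ran
  delete globalThis.injected;

  results.safeBenign = evaluateRuleSafe('age > 18', record);
  let rejected = false;
  try {
    evaluateRuleSafe(CRAFTED, record);
  } catch (e) {
    rejected = true;
  }
  results.safeRejectedCrafted = rejected;
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The unsafe evaluator returns the "right" answer for the crafted rule, which is why this class of bug survives functional testing: the injected code runs as a side effect and the caller sees nothing wrong. The safe evaluator gets the same results for legitimate rules and throws on anything outside the grammar.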
Vulnerabilities
DepShield reports that this application's usage of handlebars:4.7.6 results in the following vulnerability(s):
Occurrences
handlebars:4.7.6 is a transitive dependency introduced by the following direct dependency(s):
• react-scripts:3.1.1
  └─ jest:24.8.0
     └─ jest-cli:24.9.0
        └─ @jest/core:24.9.0
           └─ @jest/reporters:24.9.0
              └─ istanbul-reports:2.2.6
                 └─ handlebars:4.7.6
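A way to confirm a chain like the one above against the tree actually installed, as an added example that is not part of this issue or of DepShield: walk a lockfile v1 "dependencies" map, resolving each "requires" entry the way npm does (nearest enclosing nested "dependencies" block first, then the root), and report every path from a direct dependency to the target package. The lockfile fragment (LOCK), the package.json fragment (PACKAGE_JSON) and the extra direct dependency report-tool with a non-hoisted handlebars copy are constructed for the example and are not real react-scripts or istanbul-reports metadata; the version ranges in "requires" are assumed.

```javascript
// Added example, not from the DepShield issue. Constructed lockfile v1
// fragment mirroring the chain reported above, plus a hypothetical second
// direct dependency (report-tool) that carries its own nested handlebars.
const LOCK = {
  lockfileVersion: 1,
  dependencies: {
    'react-scripts': { version: '3.1.1', requires: { jest: '24.8.0' } },
    jest: { version: '24.8.0', requires: { 'jest-cli': '^24.8.0' } },
    'jest-cli': { version: '24.9.0', requires: { '@jest/core': '^24.9.0' } },
    '@jest/core': { version: '24.9.0', requires: { '@jest/reporters': '^24.9.0' } },
    '@jest/reporters': { version: '24.9.0', requires: { 'istanbul-reports': '^2.2.6' } },
    'istanbul-reports': { version: '2.2.6', requires: { handlebars: '^4.1.2' } },
    handlebars: { version: '4.7.6' },
    'report-tool': {
      version: '1.0.0',
      requires: { handlebars: '^4.0.0' },
      // Non-hoisted copy: resolves before the root-level handlebars.
      dependencies: { handlebars: { version: '4.0.12' } },
    },
  },
};
// Constructed package.json fragment: only these are direct dependencies.
const PACKAGE_JSON = {
  dependencies: { 'react-scripts': '3.1.1', 'report-tool': '1.0.0' },
};

// Resolve `name` for a package whose enclosing "dependencies" maps are in
// `scope` (root first, innermost last): the nearest map wins.
function resolve(name, scope) {
  for (let i = scope.length - 1; i >= 0; i--) {
    if (Object.prototype.hasOwnProperty.call(scope[i], name)) {
      return { node: scope[i][name], scope: scope.slice(0, i + 1) };
    }
  }
  return null;
}

// Return every chain name:version -> ... -> target:version that starts at a
// direct dependency. `seen` guards against cycles in the requires graph.
function findPaths(lock, directDeps, target) {
  const root = lock.dependencies || {};
  const found = [];

  function walk(name, node, scope, path, seen) {
    const label = name + ':' + node.version;
    if (seen.has(label)) return;
    const nextPath = path.concat(label);
    if (name === target) {
      found.push(nextPath);
      return;
    }
    const nextScope = node.dependencies ? scope.concat(node.dependencies) : scope;
    const nextSeen = new Set(seen).add(label);
    for (const dep of Object.keys(node.requires || {})) {
      const r = resolve(dep, nextScope);
      if (r !== null) walk(dep, r.node, r.scope, nextPath, nextSeen);
    }
  }

  for (const name of directDeps) {
    const r = resolve(name, [root]);
    if (r !== null) walk(name, r.node, r.scope, [], new Set());
  }
  return found;
}

// Render a chain in the same style DepShield uses in its issues.
function formatPath(path) {
  return path.join(' └─ ');
}

function report(lock, pkgJson, target) {
  const direct = Object.keys(pkgJson.dependencies || {});
  return findPaths(lock, direct, target).map(formatPath);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const line of report(LOCK, PACKAGE_JSON, 'handlebars')) console.log(line);
}
```

Against a real checkout, `npm ls handlebars` answers the same question from the installed tree. Once the chain is confirmed, the fix is to move the direct dependency (here react-scripts) to a release that no longer pulls the flagged handlebars version, or, where that is not yet possible, to pin a patched handlebars for the whole tree with npm's package.json overrides field or yarn's resolutions field and re-run the check.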
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.