
vue3-2021-semgrep-p-nodejsscant.txt

Authored By
sbassett
Dec 3 2021, 9:53 PM

vue3-2021-semgrep-p-nodejsscant.txt

packages/compiler-core/src/parse.ts
rule:ajinabraham.njsscan.regex_dos.regex_dos: Ensure that the regex used to compare with user supplied input is safe from regular expression denial of service. Details: https://sg.run/eLgR
418: __TEST__ && assert(/^<[a-z]/i.test(context.source))
--------------------------------------------------------------------------------
520: __TEST__ && assert(/^<\/?[a-z]/i.test(context.source))
--------------------------------------------------------------------------------
650: /^[A-Z]/.test(tag) ||
--------------------------------------------------------------------------------
735: if (/^[^\t\r\n\f />]/.test(context.source)) {
--------------------------------------------------------------------------------
747: __TEST__ && assert(/^[^\t\r\n\f />]/.test(context.source))
--------------------------------------------------------------------------------
779: if (/^[\t\r\n\f ]*=/.test(context.source)) {
packages/compiler-core/src/transforms/vOn.ts
rule:ajinabraham.njsscan.regex_dos.regex_dos: Ensure that the regex used to compare with user supplied input is safe from regular expression denial of service. Details: https://sg.run/eLgR
68: let exp: ExpressionNode | undefined = dir.exp as
69: | SimpleExpressionNode
70: | undefined
71: if (exp && !exp.content.trim()) {
72: exp = undefined
73: }
74: let shouldCache: boolean = context.cacheHandlers && !exp && !context.inVOnce
75: if (exp) {
76: const isMemberExp = isMemberExpression(exp.content, context)
77: const isInlineStatement = !(isMemberExp || fnExpRE.test(exp.content))
-------- [hid 69 additional lines, adjust with --max-lines-per-finding] --------
packages/compiler-core/src/validateExpression.ts
rule:ajinabraham.njsscan.eval_node.eval_nodejs: User controlled data in eval() or similar functions may result in Server Side Injection or Remote Code Injection. Details: https://sg.run/3x6D
35: const exp = node.content
36:
37: // empty expressions are validated per-directive since some directives
38: // do allow empty expressions.
39: if (!exp.trim()) {
40: return
41: }
42:
43: try {
44: new Function(
-------- [hid 21 additional lines, adjust with --max-lines-per-finding] --------
packages/compiler-dom/src/transforms/stringifyStatic.ts
rule:ajinabraham.njsscan.regex_dos.regex_dos: Ensure that the regex used to compare with user supplied input is safe from regular expression denial of service. Details: https://sg.run/eLgR
149: : false) || dataAriaRE.test(name)
packages/compiler-sfc/__tests__/parse.spec.ts
rule:ajinabraham.njsscan.crypto_node.node_insecure_random_generator: crypto.pseudoRandomBytes()/Math.random() is a cryptographically weak random number generator. Details: https://sg.run/1Zlk
9: const padding = Math.round(Math.random() * 10)
--------------------------------------------------------------------------------
24: const padding = Math.round(Math.random() * 10)
--------------------------------------------------------------------------------
38: const padding = Math.round(Math.random() * 10)
packages/compiler-sfc/src/compileScript.ts
rule:ajinabraham.njsscan.regex_dos.regex_dos: Ensure that the regex used to compare with user supplied input is safe from regular expression denial of service. Details: https://sg.run/eLgR
615: const argumentStr = source.slice(
616: argumentStart + startOffset,
617: node.argument.end! + startOffset
618: )
619:
620: const containsNestedAwait = /\bawait\b/.test(argumentStr)
packages/compiler-sfc/src/parse.ts
rule:ajinabraham.njsscan.regex_dos.regex_dos: Ensure that the regex used to compare with user supplied input is safe from regular expression denial of service. Details: https://sg.run/eLgR
355: if (!emptyRE.test(line)) {
packages/runtime-core/__tests__/rendererChildren.spec.ts
rule:ajinabraham.njsscan.crypto_node.node_insecure_random_generator: crypto.pseudoRandomBytes()/Math.random() is a cryptographically weak random number generator. Details: https://sg.run/1Zlk
29: randomIndex = Math.floor(Math.random() * currentIndex)
--------------------------------------------------------------------------------
337: opacities[i] = Math.random().toFixed(5).toString()
rollup.config.js
rule:ajinabraham.njsscan.regex_dos.regex_dos: Ensure that the regex used to compare with user supplied input is safe from regular expression denial of service. Details: https://sg.run/eLgR
85: const isBundlerESMBuild = /esm-bundler/.test(format)
--------------------------------------------------------------------------------
86: const isBrowserESMBuild = /esm-browser/.test(format)
--------------------------------------------------------------------------------
88: const isGlobalBuild = /global/.test(format)
--------------------------------------------------------------------------------
121: let entryFile = /runtime$/.test(format) ? `src/runtime.ts` : `src/index.ts`
--------------------------------------------------------------------------------
127: entryFile = /runtime$/.test(format)
--------------------------------------------------------------------------------
209: if (!/Circular/.test(msg)) {
