components/bin/build javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve- traversal Detected possible user input going into a `path.join` or `path.resolve` function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first. Details: https://sg.run/OPqk 92┆ const file = path.join(dir, item); ⋮┆---------------------------------------- 92┆ const file = path.join(dir, item); ⋮┆---------------------------------------- 94┆ const stat = fs.statSync(path.resolve(base, file)); ⋮┆---------------------------------------- 94┆ const stat = fs.statSync(path.resolve(base, file)); ⋮┆---------------------------------------- 113┆ const root = path.resolve(base, dir); ⋮┆---------------------------------------- 113┆ const root = path.resolve(base, dir); ⋮┆---------------------------------------- 129┆ const file = fs.readFileSync(path.resolve(base, name)).toString(); ⋮┆---------------------------------------- 129┆ const file = fs.readFileSync(path.resolve(base, name)).toString(); ⋮┆---------------------------------------- 210┆ const fulldir = path.resolve(LIB, dir); ⋮┆---------------------------------------- 226┆ fs.writeFileSync(path.resolve(LIB, dir, name.replace(/\.ts$/, '.js')), lines.join('\n') + '\n'); ⋮┆---------------------------------------- 328┆ const file = path.join(dir, name); ⋮┆---------------------------------------- 328┆ const file = path.join(dir, name); components/bin/copy javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve- traversal Detected possible user input going into a `path.join` or `path.resolve` function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first. Details: https://sg.run/OPqk 57┆ const copy = path.resolve(from, name); ⋮┆---------------------------------------- 57┆ const copy = path.resolve(from, name); ⋮┆---------------------------------------- 58┆ const dest = path.resolve(to, name); ⋮┆---------------------------------------- 58┆ const dest = path.resolve(to, name); components/bin/makeAll javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve- traversal Detected possible user input going into a `path.join` or `path.resolve` function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first. Details: https://sg.run/OPqk 72┆ const fulldir = path.resolve(dir); ⋮┆---------------------------------------- 100┆ const file = path.join(dir, name); ⋮┆---------------------------------------- 100┆ const file = path.join(dir, name); ⋮┆---------------------------------------- 113┆ const file = path.join(dir, 'build.json'); ⋮┆---------------------------------------- 133┆ const file = path.join(dir, 'webpack.config.js'); ⋮┆---------------------------------------- 153┆ const file = path.join(dir, 'copy.json'); components/bin/pack javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp RegExp() called with a `name` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS. Details: https://sg.run/gr65 37┆ return new RegExp(name.replace(/([\\.{}[\]()?*^$])/g, '\\$1'), 'g'); ⋮┆---------------------------------------- javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve- traversal Detected possible user input going into a `path.join` or `path.resolve` function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first. Details: https://sg.run/OPqk 81┆ const dirRE = fileRegExp(path.resolve(dir)); ⋮┆---------------------------------------- 86┆ const jsdir = require(path.resolve(dir, 'webpack.config.js')).plugins[0].definitions.__JSDIR__; ⋮┆---------------------------------------- 88┆ const libRE = fileRegExp(path.resolve(jsdir, '..', 'components')); components/webpack.common.js javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve- traversal Detected possible user input going into a `path.join` or `path.resolve` function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first. Details: https://sg.run/OPqk 48┆ const jsdir = path.resolve(dir, js); ⋮┆---------------------------------------- 48┆ const jsdir = path.resolve(dir, js); ⋮┆---------------------------------------- 68┆ const jsdir = path.resolve(dir, js); ⋮┆---------------------------------------- 68┆ const jsdir = path.resolve(dir, js); ⋮┆---------------------------------------- javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp RegExp() called with a `dir` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS. Details: https://sg.run/gr65 69┆ const mjRE = new RegExp('^(?:' + quoteRE(jsdir) + '|' + quoteRE(mjdir) + ')' + quoteRE(path.sep)); ⋮┆---------------------------------------- javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp RegExp() called with a `js` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS. Details: https://sg.run/gr65 69┆ const mjRE = new RegExp('^(?:' + quoteRE(jsdir) + '|' + quoteRE(mjdir) + ')' + quoteRE(path.sep)); ⋮┆---------------------------------------- javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve- traversal Detected possible user input going into a `path.join` or `path.resolve` function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first. Details: https://sg.run/OPqk 75┆ libs = libs.map(lib => path.join(lib.charAt(0) === '.' ? dir : root, lib) + path.sep); ⋮┆---------------------------------------- 75┆ libs = libs.map(lib => path.join(lib.charAt(0) === '.' ? dir : root, lib) + path.sep); ⋮┆---------------------------------------- 86┆ resource.request.charAt(0) === '.' ? path.resolve(resource.path, resource.request) : resource.request : ⋮┆---------------------------------------- 86┆ resource.request.charAt(0) === '.' ? path.resolve(resource.path, resource.request) : resource.request : ⋮┆---------------------------------------- javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp RegExp() called with a `dir` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS. Details: https://sg.run/gr65 135┆ test: new RegExp(dirRE + quoteRE(path.sep) + '.*\\.js$'), ⋮┆---------------------------------------- javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve- traversal Detected possible user input going into a `path.join` or `path.resolve` function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first. Details: https://sg.run/OPqk 158┆ const distDir = dist ? path.resolve(dir, dist) : ⋮┆---------------------------------------- 158┆ const distDir = dist ? path.resolve(dir, dist) : ⋮┆---------------------------------------- 159┆ path.resolve(path.dirname(js), 'es5', path.dirname(name)); ⋮┆---------------------------------------- 159┆ path.resolve(path.dirname(js), 'es5', path.dirname(name)); ⋮┆---------------------------------------- 163┆ entry: path.join(dir, name + '.js'), ⋮┆---------------------------------------- 163┆ entry: path.join(dir, name + '.js'), ts/a11y/explorer/Region.ts javascript.browser.security.insecure-document-method.insecure-document-method User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern that can lead to XSS vulnerabilities Details: https://sg.run/LwA9 127┆ node.innerHTML = this.CLASS.style.cssText; ts/a11y/explorer.ts javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp RegExp() called with a `locale` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS. Details: https://sg.run/gr65 589┆ 'values': props[prop].map(x => x.replace(RegExp('^' + prop + '_'), '')), ts/input/asciimath/FindAsciiMath.ts javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp RegExp() called with a `delims` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS. Details: https://sg.run/gr65 100┆ this.end[open] = [close, display, new RegExp(quotePattern(close), 'g')]; ts/input/asciimath/mathjax2/legacy/MathJax.js javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution- loop Possibility of prototype polluting function detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object. Details: https://sg.run/w1DB 685┆ {if (file.hasOwnProperty(i)) {type = i.toUpperCase(); file = file[i]}} ⋮┆---------------------------------------- 706┆ {if (file.hasOwnProperty(i)) {type = i.toUpperCase(); file = file[i]}} ⋮┆---------------------------------------- 726┆ {for (var i in file) {if (file.hasOwnProperty(i)) {file = file[i]}}} ⋮┆---------------------------------------- 1639┆ parent = config; config = config[id]; ts/input/tex/FindTeX.ts javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp RegExp() called with a `end` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS. Details: https://sg.run/gr65 158┆ return new RegExp((endp || quotePattern(end)) + '|\\\\(?:[a-zA-Z]|.)|[{}]', 'g'); ⋮┆---------------------------------------- javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp RegExp() called with a `endp` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS. Details: https://sg.run/gr65 158┆ return new RegExp((endp || quotePattern(end)) + '|\\\\(?:[a-zA-Z]|.)|[{}]', 'g'); ts/input/tex/base/BaseMethods.ts javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp RegExp() called with a `parser` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS. Details: https://sg.run/gr65 1162┆ const end = (env ? new RegExp(`^\\\\end\\s*\\{${env.replace(/\*/, '\\*')}\\}`) : null); ts/ui/menu/Menu.ts javascript.lang.security.insecure-object-assign.insecure-object-assign Depending on the context, user control data in `Object.assign` can cause web response to include data that it should not have or can lead to a mass assignment vulnerability. Details: https://sg.run/2R0D 622┆ Object.assign(this.settings, JSON.parse(settings)); ts/util/asyncLoad/node.ts javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve- traversal Detected possible user input going into a `path.join` or `path.resolve` function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first. Details: https://sg.run/OPqk 34┆ return require(name.charAt(0) === '.' ? path.resolve(root, name) : name);