 High | Code Injection |
CWE-94
|
contributions.js:33
| 1 | 2024-03-05 02:41am |
 Vulnerable Code
|
this.handleContributionsUpdate = (req, res, next) => { |
|
|
|
/*jslint evil: true */ |
|
// Insecure use of eval() to parse inputs |
|
const preTax = eval(req.body.preTax); |
|
const afterTax = eval(req.body.afterTax); |
1 Data Flow/s detected
|
app.post("/contributions", isLoggedIn, contributionsHandler.handleContributionsUpdate); |
|
this.handleContributionsUpdate = (req, res, next) => { |
|
const afterTax = eval(req.body.afterTax); |
|
| |
| High | Code Injection |
CWE-94
|
contributions.js:32
| 1 | 2024-03-05 02:41am |
Vulnerable Code
|
|
|
this.handleContributionsUpdate = (req, res, next) => { |
|
|
|
/*jslint evil: true */ |
|
// Insecure use of eval() to parse inputs |
|
const preTax = eval(req.body.preTax); |
1 Data Flow/s detected
|
app.post("/contributions", isLoggedIn, contributionsHandler.handleContributionsUpdate); |
|
this.handleContributionsUpdate = (req, res, next) => { |
|
const preTax = eval(req.body.preTax); |
|
| |
| High | Code Injection |
CWE-94
|
error.js:10
| 1 | 2024-03-05 02:41am |
Vulnerable Code
|
"use strict"; |
|
|
|
console.error(err.message); |
|
console.error(err.stack); |
|
res.status(500); |
|
res.render("error-template", { |
1 Data Flow/s detected
|
const errorHandler = (err, req, res,next) => { |
|
res.render("error-template", { |
|
| |
| High | Code Injection |
CWE-94
|
profile.js:65
| 7 | 2024-03-05 02:41am |
Vulnerable Code
|
// Allow only numbers with a suffix of the letter #, for example: 'XXXXXX#' |
|
const testComplyWithRequirements = regexPattern.test(bankRouting); |
|
// if the regex test fails we do not allow saving |
|
if (testComplyWithRequirements !== true) { |
|
const firstNameSafeString = firstName |
|
return res.render("profile", { |
7 Data Flow/s detected
View Data Flow 1
|
app.post("/profile", isLoggedIn, profileHandler.handleProfileUpdate); |
|
this.handleProfileUpdate = (req, res, next) => { |
|
return res.render("profile", { |
View Data Flow 2
|
app.post("/profile", isLoggedIn, profileHandler.handleProfileUpdate); |
|
this.handleProfileUpdate = (req, res, next) => { |
|
return res.render("profile", { |
View Data Flow 3
|
app.post("/profile", isLoggedIn, profileHandler.handleProfileUpdate); |
|
this.handleProfileUpdate = (req, res, next) => { |
|
return res.render("profile", { |
View more Data Flows
|
| |
| High | Code Injection |
CWE-94
|
contributions.js:34
| 1 | 2024-03-05 02:41am |
Vulnerable Code
|
|
|
/*jslint evil: true */ |
|
// Insecure use of eval() to parse inputs |
|
const preTax = eval(req.body.preTax); |
|
const afterTax = eval(req.body.afterTax); |
|
const roth = eval(req.body.roth); |
1 Data Flow/s detected
|
app.post("/contributions", isLoggedIn, contributionsHandler.handleContributionsUpdate); |
|
this.handleContributionsUpdate = (req, res, next) => { |
|
const roth = eval(req.body.roth); |
|
| |
| High | Path/Directory Traversal |
CWE-22
|
index.js:88
| 1 | 2024-03-05 02:41am |
Vulnerable Code
|
|
|
app.get("/tutorial/:page", (req, res) => { |
|
const { |
|
page |
|
} = req.params |
|
return res.render(`tutorial/${page}`, { |
1 Data Flow/s detected
|
app.get("/tutorial/:page", (req, res) => { |
|
return res.render(`tutorial/${page}`, { |
|
| |
| High | NoSQL Injection |
CWE-943
|
user-dao.js:91
| 1 | 2024-03-05 02:41am |
Vulnerable Code
|
noSuchUserError.noSuchUser = true; |
|
callback(noSuchUserError, null); |
|
} |
|
} |
|
|
|
usersCol.findOne({ |
1 Data Flow/s detected
|
app.post("/login", sessionHandler.handleLoginRequest); |
|
this.handleLoginRequest = (req, res, next) => { |
|
userDAO.validateLogin(userName, password, (err, user) => { |
|
this.validateLogin = (userName, password, callback) => { |
|
| |
| High | NoSQL Injection |
CWE-943
|
memos-dao.js:23
| 1 | 2024-03-05 02:41am |
Vulnerable Code
|
const memos = { |
|
memo, |
|
timestamp: new Date() |
|
}; |
|
|
|
memosCol.insert(memos, (err, result) => !err ? callback(null, result) : callback(err, null)); |
1 Data Flow/s detected
|
app.post("/memos", isLoggedIn, memosHandler.addMemos); |
|
this.addMemos = (req, res, next) => { |
|
memosDAO.insert(req.body.memo, (err, docs) => { |
|
this.insert = (memo, callback) => { |
|
memosCol.insert(memos, (err, result) => !err ? callback(null, result) : callback(err, null)); |
|
| |
| High | Server Side Request Forgery |
CWE-918
|
research.js:16
| 1 | 2024-03-05 02:41am |
Vulnerable Code
|
|
|
this.displayResearch = (req, res) => { |
|
|
|
if (req.query.symbol) { |
|
const url = req.query.url + req.query.symbol; |
|
return needle.get(url, (error, newResponse, body) => { |
1 Data Flow/s detected
|
app.get("/research", isLoggedIn, researchHandler.displayResearch); |
|
this.displayResearch = (req, res) => { |
|
const url = req.query.url + req.query.symbol; |
|
return needle.get(url, (error, newResponse, body) => { |
|
| |
| High | NoSQL Injection |
CWE-943
|
user-dao.js:104
| 1 | 2024-03-05 02:41am |
Vulnerable Code
|
_id: parseInt(userId) |
|
}, callback); |
|
}; |
|
|
|
this.getUserByUserName = (userName, callback) => { |
|
usersCol.findOne({ |
1 Data Flow/s detected
|
app.post("/signup", sessionHandler.handleSignup); |
|
this.handleSignup = (req, res, next) => { |
|
if (validateSignup(userName, firstName, lastName, password, verify, email, errors)) { |
|
const validateSignup = (userName, firstName, lastName, password, verify, email, errors) => { |
|
if (validateSignup(userName, firstName, lastName, password, verify, email, errors)) { |
|
userDAO.getUserByUserName(userName, (err, user) => { |
|
this.getUserByUserName = (userName, callback) => { |
|
High
Medium
Low