Patched results for branch: master #1
base: master
Conversation
```js
/*jslint evil: true */
// Insecure use of eval() to parse inputs
const preTax = eval(req.body.preTax);
```
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Detected the use of eval(). eval() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.
```js
/*jslint evil: true */
// Insecure use of eval() to parse inputs
const preTax = eval(req.body.preTax);
const afterTax = eval(req.body.afterTax);
```
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Detected the use of eval(). eval() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.
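The two eval() findings above share one fix: the handler only ever needs a number, so the client string should be parsed as a decimal literal and rejected otherwise, never evaluated. The following is an added example, not code from the PR or the application; the request bodies are constructed, and `parseAmount` and `demo` are illustrative names. It keeps the flagged pattern beside the replacement so the difference in behaviour is observable.

```javascript
// Added example (not from the PR): parsing numeric form fields without eval().
// The request bodies below are constructed stand-ins for Express's req.body.

// Vulnerable pattern from the flagged lines: a client-controlled string reaches eval().
function parseWithEval(field) {
  return eval(field); // executes arbitrary JavaScript supplied by the client
}

// Hardened replacement: accept only a decimal number literal (optional sign,
// up to 15 integer digits, up to 2 fractional digits) and return a Number.
// Anything else is rejected outright rather than "cleaned up".
const DECIMAL = /^\s*-?\d{1,15}(\.\d{1,2})?\s*$/;

function parseAmount(field) {
  if (typeof field !== "string" || !DECIMAL.test(field)) {
    return null;
  }
  const n = Number(field);
  return Number.isFinite(n) ? n : null;
}

// Runs both parsers over a benign and a hostile body and reports what happened.
function demo() {
  const benign = { preTax: "1500.50", afterTax: "1100" };
  // Constructed payload: harmless here, but it is attacker code running server-side.
  const hostile = {
    preTax: "(() => { globalThis.pwned = true; return 0; })()",
    afterTax: "1",
  };

  // eval() executes the payload: a side effect appears on the global object.
  parseWithEval(hostile.preTax);
  const evalRanAttackerCode = globalThis.pwned === true;
  delete globalThis.pwned;

  return {
    evalRanAttackerCode,                               // true
    preTax: parseAmount(benign.preTax),                // 1500.5
    afterTax: parseAmount(benign.afterTax),            // 1100
    hostileRejected: parseAmount(hostile.preTax) === null,
    objectRejected: parseAmount({ toString: () => "1" }) === null,
  };
}
```

If the fields must accept a wider grammar (thousands separators, currency symbols), widen the regular expression rather than fall back to eval(); the principle is that the accepted language is fixed by the server, not by whatever JavaScript the client sends.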
```js
// Handle redirect for learning resources link
app.get("/learn", isLoggedIn, (req, res) => {
  // Insecure way to handle redirects by taking redirect url from query string
  return res.redirect(req.query.url);
```
CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
The application redirects to a URL specified by user-supplied input req that is not validated. This could redirect users to malicious locations. Consider using an allow-list approach to validate URLs, or warn users they are being redirected to a third-party website.
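The allow-list approach the finding recommends, as an added example that is not part of the PR or the application. The application origin and the set of permitted external hosts are assumptions; `safeRedirectTarget` and `learnHandler` are illustrative names. The point of parsing with the WHATWG `URL` class before checking the host is that scheme-relative (`//host`), backslash, credential (`user@host`) and `javascript:` forms are all normalised first, so a naive prefix or substring check is never needed.

```javascript
// Added example (not from the PR): allow-list validation for the /learn redirect.
const APP_ORIGIN = "https://app.example.com";  // assumed origin of this application
const ALLOWED_EXTERNAL_HOSTS = new Set([        // assumed allow-list of external hosts
  "www.owasp.org",
  "cheatsheetseries.owasp.org",
]);

// Returns a URL string that is safe to pass to res.redirect(), or null when the
// target is not on the allow-list. Resolving relative to APP_ORIGIN means a plain
// path stays on our origin, while "//evil.example", "\\evil.example" and
// "user@evil.example" all resolve to an external hostname that is then checked.
function safeRedirectTarget(rawUrl) {
  if (typeof rawUrl !== "string" || rawUrl.length === 0 || rawUrl.length > 2048) {
    return null;
  }
  let target;
  try {
    target = new URL(rawUrl, APP_ORIGIN);
  } catch {
    return null; // unparseable input is not a redirect target
  }
  if (target.protocol !== "https:" && target.protocol !== "http:") {
    return null; // rejects javascript:, data:, file:, etc.
  }
  const sameOrigin = target.origin === new URL(APP_ORIGIN).origin;
  if (!sameOrigin) {
    if (!ALLOWED_EXTERNAL_HOSTS.has(target.hostname)) return null;
    if (target.protocol !== "https:") return null; // external targets only over TLS
  }
  return target.href;
}

// Drop-in shape for the flagged handler; `res` only needs status(), send() and
// redirect(), so an Express response object works unchanged.
function learnHandler(req, res) {
  const target = safeRedirectTarget(req.query && req.query.url);
  if (target === null) {
    return res.status(400).send("Invalid redirect target");
  }
  return res.redirect(target);
}
```

Comparing `target.hostname` against a set of exact names is deliberate: a suffix check such as `endsWith("owasp.org")` would accept `www.owasp.org.evil.example`, and a substring check would accept it in a path or query.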
```js
const {
  page
} = req.params
return res.render(`tutorial/${page}`, {
```
CWE-706: Use of Incorrectly-Resolved Name or Reference
User-controllable data (req) enters res.render(...); this can lead to the loading of other HTML/templating pages that they may not be authorized to render. An attacker may attempt to use directory traversal techniques, e.g. ../folder/index, to access other HTML pages on the file system. Where possible, do not allow users to define what should be loaded in res.render, or use an allow list for the existing application.
```html
<input type="number" min="0" max="99" class="form-control" placeholder="Stocks Threshold" name="threshold" />
<p class="help-block">Using above threshold value, it will return all assets allocation above the specified stocks percentage number.</p>
</div>
```
CWE-352: Cross-Site Request Forgery (CSRF)
Manually-created forms in Django templates should specify a csrf_token to prevent CSRF attacks
```html
</span>
</div>
<!-- /input-group -->
</form>
```
CWE-352: Cross-Site Request Forgery (CSRF)
Manually-created forms in Django templates should specify a csrf_token to prevent CSRF attacks
```html
<button type="submit" class="btn btn-danger">Submit</button>
</div>
</div>
</form>
```
CWE-352: Cross-Site Request Forgery (CSRF)
Manually-created forms in Django templates should specify a csrf_token to prevent CSRF attacks
```html
{% csrf_token %}
<div class="form-group">
<textarea class="form-control" name="memo"></textarea>
<p class="help-block">You may use Markdown syntax to format your memo</p>
```
CWE-352: Cross-Site Request Forgery (CSRF)
Manually-created forms in Django templates should specify a csrf_token to prevent CSRF attacks
```html
<!-- @FIXME use a properly escaped variable that matches the URL context, for example
refer to a firstNameSafeURLString field on the doc object set by the controller for this template -->
<a href="{{firstNameSafeString}}">Google search this profile by name</a>
```
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Detected a template variable used in an anchor tag with the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross-site scripting (XSS) attacks. If using a relative URL, start with a literal forward slash and concatenate the URL, like this: href='/{{link}}'. You may also consider setting the Content Security Policy (CSP) header.
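What the @FIXME in the template asks for, as an added example that is not code from the PR or the application: the controller encodes the first name for the URL context (so it can only ever be a query-string value), and the template escapes the result for the attribute context. The search URL template and the helper names are assumptions. It also shows a stricter form of the relative-link suggestion, since a leading slash on its own does not neutralise a value that itself begins with `//`.

```javascript
// Added example (not from the PR): encoding a variable for the URL context and
// escaping it for the href attribute context.
const SEARCH_BASE = "https://www.google.com/search?q=";   // assumed destination

// Escape for a double-quoted HTML attribute value.
function attrEscape(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Controller side: the value to expose to the template as firstNameSafeURLString.
// encodeURIComponent percent-encodes ':' '/' '?' '#' and whitespace, so the name
// cannot introduce a scheme, host or extra parameter; it remains one query value.
function firstNameSafeURLString(firstName) {
  const name = firstName == null ? "" : String(firstName);
  return SEARCH_BASE + encodeURIComponent(name);
}

// Template side: the anchor the flagged line should render.
function profileSearchAnchor(firstName) {
  const href = attrEscape(firstNameSafeURLString(firstName));
  return `<a href="${href}">Google search this profile by name</a>`;
}

// For a user-chosen *relative* link: prefixing "/" is not enough on its own
// ("//evil.example" would still be scheme-relative), so only accept path
// segments made of safe characters and build the leading slash ourselves.
function relativeHref(link) {
  const SEGMENTS = /^[A-Za-z0-9_-]+(\/[A-Za-z0-9_-]+)*$/;
  if (typeof link !== "string" || !SEGMENTS.test(link)) return null;
  return "/" + link;
}
```

The two encodings are layered on purpose: URL encoding decides what the browser will request, attribute escaping decides where the HTML parser ends the attribute. Dropping either one reopens an injection, and a `Content-Security-Policy` header is a backstop rather than a replacement for both.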
```html
</div>
<button type="submit" class="btn btn-primary">Submit</button>
</form>
```
CWE-352: Cross-Site Request Forgery (CSRF)
Manually-created forms in Django templates should specify a csrf_token to prevent CSRF attacks
This is an automated pull request generated by patched.