JavaScript and TypeScript rules

Each rule includes the following information.

  • Rule Name: The Snyk name of the rule.

  • CWE(s): The CWE numbers that are covered by this rule.

  • Security Categories: The OWASP Top 10 (2021 edition) category to which the rule belongs, if any, and whether it is included in the SANS Top 25.

  • Autofixable: Security rules that are autofixable by DeepCode AI Fix. This information is included only for the supported programming languages.

| Rule Name | CWE(s) | Security Categories | Autofixable |
|---|---|---|---|
| Disabling Strict Contextual escaping (SCE) could provide additional attack surface for Cross-site Scripting (XSS) | CWE-79 | Sans Top 25, OWASP:A03 | Yes |
| Use of a Broken or Risky Cryptographic Algorithm | CWE-327 | OWASP:A02 | No |
| Clear Text Sensitive Storage | CWE-200, CWE-312 | OWASP:A01, OWASP:A04 | No |
| Code Injection | CWE-94 | Sans Top 25, OWASP:A03 | Yes |
| Command Injection | CWE-78 | Sans Top 25, OWASP:A03 | Yes |
| Cross-site Scripting (XSS) | CWE-79 | Sans Top 25, OWASP:A03 | Yes |
| Deserialization of Untrusted Data | CWE-502 | Sans Top 25, OWASP:A08 | No |
| Information Exposure | CWE-200 | OWASP:A01 | Yes |
| Electron Disable Security Warnings | CWE-16 | OWASP:A05 | No |
| Electron Insecure Web Preferences | CWE-16 | OWASP:A05 | Yes |
| Electron Load Insecure Content | CWE-16 | OWASP:A05 | Yes |
| Use of Externally-Controlled Format String | CWE-134 | None | Yes |
| GraphQL Injection | CWE-89 | Sans Top 25, OWASP:A03 | No |
| Improper Type Validation | CWE-1287 | None | Yes |
| Hardcoded Secret | CWE-547 | OWASP:A05 | Yes |
| Cleartext Transmission of Sensitive Information | CWE-319 | OWASP:A02 | Yes |
| Improper Code Sanitization | CWE-94, CWE-79, CWE-116 | Sans Top 25, OWASP:A03 | No |
| Use of Password Hash With Insufficient Computational Effort | CWE-916 | OWASP:A02 | Yes |
| Use of Insufficiently Random Values | CWE-330 | OWASP:A02 | No |
| Insecure TLS Configuration | CWE-327 | OWASP:A02 | Yes |
| Insufficient postMessage Validation | CWE-20 | Sans Top 25, OWASP:A03 | Yes |
| Introspection Enabled | CWE-200 | OWASP:A01 | No |
| Insecure JWT Verification Method | CWE-347 | OWASP:A02 | No |
| JWT Signature Verification Method Disabled | CWE-347 | OWASP:A02 | No |
| JWT 'none' Algorithm Supported | CWE-347 | OWASP:A02 | No |
| Denial of Service (DoS) through Nested GraphQL Queries | CWE-400 | None | Yes |
| Unchecked Input for Loop Condition | CWE-400, CWE-606 | None | No |
| Observable Timing Discrepancy (Timing Attack) | CWE-208 | None | No |
| Use of Hardcoded Credentials | CWE-798 | Sans Top 25, OWASP:A07 | Yes |
| Use of Hardcoded Passwords | CWE-798, CWE-259 | Sans Top 25, OWASP:A07 | Yes |
| Allocation of Resources Without Limits or Throttling | CWE-770 | None | Yes |
| NoSQL Injection | CWE-943 | None | No |
| Buffer Over-read | CWE-126 | None | No |
| Open Redirect | CWE-601 | OWASP:A01 | Yes |
| Path Traversal | CWE-23 | OWASP:A01 | Yes |
| Prototype Pollution | CWE-1321 | None | No |
| Use dangerouslySetInnerHTML to Explicitly Handle XSS Risks | CWE-79 | Sans Top 25, OWASP:A03 | Yes |
| Weak Password Recovery Mechanism for Forgotten Password | CWE-640 | OWASP:A07 | No |
| SQL Injection | CWE-89 | Sans Top 25, OWASP:A03 | Yes |
| Server-Side Request Forgery (SSRF) | CWE-918 | Sans Top 25, OWASP:A10 | No |
| Improper Neutralization of Directives in Statically Saved Code | CWE-96 | OWASP:A03 | No |
| Origin Validation Error | CWE-942, CWE-346 | OWASP:A05, OWASP:A07 | Yes |
| Permissive Cross-domain Policy | CWE-942 | OWASP:A05 | Yes |
| Improper Restriction of Rendered UI Layers or Frames | CWE-1021 | OWASP:A04 | No |
| Cryptographic Issues | CWE-310 | OWASP:A02 | Yes |
| Unsafe JQuery Plugin | CWE-79, CWE-116 | Sans Top 25, OWASP:A03 | No |
| Cross-Site Request Forgery (CSRF) | CWE-352 | Sans Top 25, OWASP:A01 | Yes |
| Sensitive Cookie Without 'HttpOnly' Flag | CWE-1004 | OWASP:A05 | Yes |
| Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | CWE-614 | OWASP:A05 | Yes |
| XML External Entity (XXE) Injection | CWE-611 | OWASP:A05 | No |
| XPath Injection | CWE-643 | OWASP:A03 | No |
| Arbitrary File Write via Archive Extraction (Zip Slip) | CWE-22 | Sans Top 25, OWASP:A01 | No |
| Regular Expression Denial of Service (ReDoS) | CWE-400 | None | Yes |

© 2024 Snyk Limited | All product and company names and logos are trademarks of their respective owners.