Vulnerabilities Dashboard - Code

[flatfile-nullify]

Severity Threshold: 🔵 MEDIUM

29 Potential vulnerability sources found within this repo

🔴 CRITICAL	🟡 HIGH	🔵 MEDIUM	⚪ LOW
0	7	22	0

ID: 01J7P1X7TZE89D7QCEV1EMDF7M Language: TypeScript Severity: 🟡 HIGH CWE-798

Node secret

A hardcoded secret is identified. Store it properly in an environment variable.

flatfile-core-libraries/packages/cli/src/index.ts

Lines 112 to 120 in 1ab100d

	program
	.command('init')
	.description('Initialize a project')
	.option('-e, --environment <env>', 'the Environment to publish to')
	.option('-k, --key <key>', 'the API Key to use')
	// TODO: clean up clientId vs. key across v3 vs x implementations
	.option('-c, --clientId <clientId>', 'the clientId to use')
	.option('-n, --name <name>', 'the name of the your project')
	.option('-s, --secret <secret>', 'the API Secret to use')

ID: 01J7P1X7TZE89D7QCF0KEPH032 Language: TypeScript Severity: 🟡 HIGH CWE-918

Rules lgpl javascript ssrf rule node ssrf

This application allows user-controlled URLs to be passed directly to HTTP client libraries.
This can result in Server-Side Request Forgery (SSRF).
SSRF refers to an attack where the attacker can abuse functionality on
the server to force it to make requests to other internal systems within your
infrastructure that are not directly exposed to the internet.
This allows the attacker to access internal resources they do not have direct access to.

Some risks of SSRF are:

• Access and manipulation of internal databases, APIs, or administrative panels
• Ability to scan internal network architecture and services
• Can be used to pivot attacks into the internal network
• Circumvent network segregation and firewall rules

To avoid this, try using hardcoded HTTP request calls or a whitelisting object to
check whether the user input is trying to access allowed resources or not.

Here is an example:

var whitelist = [
  "https://example.com", 
  "https://example.com/sample"
]

app.get('/ssrf/node-ssrf/axios/safe/3', function (req, res) {
  if(whitelist.includes(req.query.url)){
      axios.get(url, {})
          .then(function (response) {
              console.log(response);
          })
          .catch(function (response) {
              console.log(response);  
          })
  }
});

For more information on SSRF see OWASP:
https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html

flatfile-core-libraries/packages/listener/src/events/authenticated.client.ts

Line 39 in 1ab100d

const response = await fetch(fetchUrl, fetchOptions)

ID: 01J7P1X7TZE89D7QCEV6JG659B Language: TypeScript Severity: 🟡 HIGH CWE-798

Node api key

A hardcoded API Key is identified. Store it properly in an environment variable.

flatfile-core-libraries/packages/cli/src/legacy/utilities/access.token.ts

Lines 5 to 6 in 1ab100d

	const API_KEY_DOCS_URL =
	'https://support.flatfile.com/en/articles/7873661-how-do-i-configure-new-api-keys-in-the-flatfile-data-exchange-platform'

ID: 01JCRPQ87C2BGT6A3M56JZPHDH Language: JavaScript Severity: 🟡 HIGH CWE-918

Server-Side Request Forgery (SSRF)

User controlled URL in http client libraries can result in Server Side Request Forgery (SSRF).

Read more:
https://cwe.mitre.org/data/definitions/918.html

flatfile-core-libraries/packages/cli/src/x/files/agent.js

Lines 311 to 323 in 1ab100d

	return axios.put(
	`v1/workbooks/${workbookId}/sheets/${sheetId}/records`,
	records.map((record) => {
	record.values = Object.entries(record.values).reduce(
	(acc, [key, value]) => {
	acc[key] = value
	return acc
	},
	{}
	)
	return record
	})
	)

ID: 01JCRPQ87C2BGT6A3M54J579F1 Language: JavaScript Severity: 🟡 HIGH CWE-918

Server-Side Request Forgery (SSRF)

User controlled URL in http client libraries can result in Server Side Request Forgery (SSRF).

Read more:
https://cwe.mitre.org/data/definitions/918.html

flatfile-core-libraries/packages/cli/src/x/files/agent.js

Lines 294 to 297 in 1ab100d

	return axios
	.get(
	`v1/workbooks/${workbookId}/sheets/${sheetId}/records?versionId=${versionId}`
	)

ID: 01J7P1X7TZE89D7QCEV4QD20AK Language: TypeScript Severity: 🟡 HIGH CWE-798

Node secret

A hardcoded secret is identified. Store it properly in an environment variable.

flatfile-core-libraries/packages/cli/src/index.ts

Lines 132 to 137 in 1ab100d

	program
	.command('create:env')
	.description('Create an Environment')
	.option('-n, --name <name>', 'the name of the environment to create')
	.option('-k, --key <key>', 'the API Key to use')
	.option('-s, --secret <secret>', 'the API Secret to use')

ID: 01JC3VWCMTQ46DA9ZEWZTZ5DHB Language: TypeScript Severity: 🟡 HIGH CWE-918

Rules lgpl javascript ssrf rule node ssrf

This application allows user-controlled URLs to be passed directly to HTTP client libraries.
This can result in Server-Side Request Forgery (SSRF).
SSRF refers to an attack where the attacker can abuse functionality on
the server to force it to make requests to other internal systems within your
infrastructure that are not directly exposed to the internet.
This allows the attacker to access internal resources they do not have direct access to.

Some risks of SSRF are:

• Access and manipulation of internal databases, APIs, or administrative panels
• Ability to scan internal network architecture and services
• Can be used to pivot attacks into the internal network
• Circumvent network segregation and firewall rules

To avoid this, try using hardcoded HTTP request calls or a whitelisting object to
check whether the user input is trying to access allowed resources or not.

Here is an example:

var whitelist = [
  "https://example.com", 
  "https://example.com/sample"
]

app.get('/ssrf/node-ssrf/axios/safe/3', function (req, res) {
  if(whitelist.includes(req.query.url)){
      axios.get(url, {})
          .then(function (response) {
              console.log(response);
          })
          .catch(function (response) {
              console.log(response);  
          })
  }
});

For more information on SSRF see OWASP:
https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html

flatfile-core-libraries/packages/configure/src/utils/authenticated.client.ts

Line 42 in 1ab100d

return fetch(fetchUrl, {

ID: 01J7P1X7TZE89D7QCEWA63MMCS Language: TypeScript Severity: 🔵 MEDIUM CWE-22

Javascript pathtraversal rule non literal fs filename

The application dynamically constructs file or path information. If the path
information comes from user-supplied input, it could be abused to read sensitive files,
access other users' data, or aid in exploitation to gain further system access.

User input should never be used in constructing paths or files for interacting
with the filesystem. This includes filenames supplied by user uploads or downloads.
If possible, consider hashing user input or using unique values and
use path.normalize to resolve and validate the path information
prior to processing any file functionality.

Example using path.normalize and not allowing direct user input:

// User input, saved only as a reference
// id is a randomly generated UUID to be used as the filename
const userData = {userFilename: userSuppliedFilename, id: crypto.randomUUID()};
// Restrict all file processing to this directory only
const basePath = '/app/restricted/';

// Create the full path, but only use our random generated id as the filename
const joinedPath = path.join(basePath, userData.id);
// Normalize path, removing any '..'
const fullPath = path.normalize(joinedPath);
// Verify the fullPath is contained within our basePath
if (!fullPath.startsWith(basePath)) {
    console.log("Invalid path specified!");
}
// Process / work with file
// ...

For more information on path traversal issues see OWASP:
https://owasp.org/www-community/attacks/Path_Traversal

flatfile-core-libraries/packages/cli/src/x/actions/develop.action.ts

Line 25 in 1ab100d

if (!fs.existsSync(outDir)) {

ID: 01J6DH83ZZ97W0Y727MT5NP4E2 Language: TypeScript Severity: 🔵 MEDIUM CWE-22

Javascript pathtraversal rule non literal fs filename

The vulnerability is a potential path traversal issue in the file 'packages/cli/src/x/actions/publish.pubsub.ts'. On line 141, the code uses path.join(outDir, 'build.js') to create a file path. If 'outDir' is user-controlled or externally provided without proper sanitization, it could potentially be manipulated to access files outside the intended directory.

flatfile-core-libraries/packages/cli/src/x/actions/publish.pubsub.ts

Line 141 in 1ab100d

const buffer = fs.readFileSync(buildFile)

ID: 01J6DH83ZZ97W0Y727SQ3BM945 Language: TypeScript Severity: 🔵 MEDIUM CWE-185

Javascript dos rule non literal regexp

The testRegex function in util.ts uses a RegExp constructor with non-literal values (regexString and flags). This practice can lead to Regular Expression Denial of Service (ReDoS) attacks if an attacker can control the input for these parameters. ReDoS occurs when a maliciously crafted regular expression takes an excessive amount of time to process, potentially causing the application to become unresponsive.

flatfile-core-libraries/packages/v2-shims/src/logic/util.ts

Line 54 in 1ab100d

const regex = new RegExp(regexString, flags)

ID: 01J7P1X7TZE89D7QCF08QKMF13 Language: TypeScript Severity: 🔵 MEDIUM CWE-185

Javascript dos rule non literal regexp

The RegExp constructor was called with a non-literal value. If an adversary were able to
supply a malicious regex, they could cause a Regular Expression Denial of Service (ReDoS)
against the application. In Node applications, this could cause the entire application to no
longer be responsive to other users' requests.

To remediate this issue, never allow user-supplied regular expressions. Instead, the regular
expression should be hardcoded. If this is not possible, consider using an alternative regular
expression engine such as node-re2. RE2 is a safe alternative
that does not support backtracking, which is what leads to ReDoS.

Example using re2 which does not support backtracking (Note: it is still recommended to
never use user-supplied input):

// Import the re2 module
const RE2 = require('re2');

function match(userSuppliedRegex, userInput) {
    // Create a RE2 object with the user supplied regex, this is relatively safe
    // due to RE2 not supporting backtracking which can be abused to cause long running
    // queries
    var re = new RE2(userSuppliedRegex);
    // Execute the regular expression against some userInput
    var result = re.exec(userInput);
    // Work with the result
}

For more information on Regular Expression DoS see:

• https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS

flatfile-core-libraries/packages/javascript/src/i18n.ts

Lines 54 to 57 in 1ab100d

	const filenameRegex = new RegExp(
	`^[^\\\\/?%*:|"<>]+\\.(${extensionsPattern})$`,
	'i'
	)

ID: 01J7P1X7TZE89D7QCEWATXA2B2 Language: TypeScript Severity: 🔵 MEDIUM CWE-22

Javascript pathtraversal rule non literal fs filename

The application dynamically constructs file or path information. If the path
information comes from user-supplied input, it could be abused to read sensitive files,
access other users' data, or aid in exploitation to gain further system access.

User input should never be used in constructing paths or files for interacting
with the filesystem. This includes filenames supplied by user uploads or downloads.
If possible, consider hashing user input or using unique values and
use path.normalize to resolve and validate the path information
prior to processing any file functionality.

Example using path.normalize and not allowing direct user input:

// User input, saved only as a reference
// id is a randomly generated UUID to be used as the filename
const userData = {userFilename: userSuppliedFilename, id: crypto.randomUUID()};
// Restrict all file processing to this directory only
const basePath = '/app/restricted/';

// Create the full path, but only use our random generated id as the filename
const joinedPath = path.join(basePath, userData.id);
// Normalize path, removing any '..'
const fullPath = path.normalize(joinedPath);
// Verify the fullPath is contained within our basePath
if (!fullPath.startsWith(basePath)) {
    console.log("Invalid path specified!");
}
// Process / work with file
// ...

For more information on path traversal issues see OWASP:
https://owasp.org/www-community/attacks/Path_Traversal

flatfile-core-libraries/packages/cli/src/x/actions/develop.action.ts

Line 26 in 1ab100d

fs.mkdirSync(outDir, { recursive: true })

ID: 01J6E93M4Q6Y9PTH07ES48T3NX Language: TypeScript Severity: 🔵 MEDIUM CWE-209

Generic error disclosure

The vulnerability is a generic error disclosure in the PubNub listener's message handling function. When an error occurs during message processing, the entire error object is logged using console.error(e). This can potentially expose sensitive information about the application's internal structure, dependencies, and possibly even sensitive data if it's included in the error object. The vulnerability is triggered by any error in the message handling process, which doesn't require special privileges or user interaction to exploit.

flatfile-core-libraries/packages/listener-driver-pubsub/src/index.ts

Lines 70 to 84 in 1ab100d

	try {
	const e =
	typeof event.message === 'string'
	? JSON.parse(event.message)
	: event.message
	// todo: determine if prepTargetForEvent is available here
	if (this.events.get(e.id)) {
	return
	}
	this.events.set(e.id, true)
	const listeners = this._handler?.getListeners(e, true)
	if (listeners?.length) {
	Debugger.logEvent(e)
	listeners.forEach(({ query, filter }) => {
	Debugger.logEventSubscriber(query, filter)

ID: 01J6E93M4Q6Y9PTH07ASDH1MSY Language: TypeScript Severity: 🔵 MEDIUM CWE-95

Javascript require rule non literal require

The application was found to dynamically import a module by calling require using a
non-literal string. An adversary might be able to read the first line of
arbitrary files. If they had write access to the file system, they may also be able to
execute arbitrary code.

To remediate this issue, use a hardcoded string literal when calling require. Never call it
it with dynamically created variables or user-supplied data.

flatfile-core-libraries/packages/cli/src/x/actions/develop.action.ts

Line 99 in 1ab100d

const listener = require(listenerPath)

ID: 01J6DH83ZZ97W0Y727K24R83ED Language: TypeScript Severity: 🔵 MEDIUM CWE-95

Javascript require rule non literal require

The vulnerability exists in the sendSchemasToServer function where a non-literal require is used: const config = require(buildFile).default. This allows dynamic loading of modules based on the buildFile parameter, which could be manipulated by an attacker to read arbitrary files or potentially execute malicious code.

flatfile-core-libraries/packages/cli/src/legacy/utilities/send.schemas.to.server.ts

Line 17 in 1ab100d

const config = require(buildFile).default

ID: 01J7P1X7TZE89D7QCEVH26DFV8 Language: TypeScript Severity: 🔵 MEDIUM CWE-22

Javascript pathtraversal rule non literal fs filename

The application dynamically constructs file or path information. If the path
information comes from user-supplied input, it could be abused to read sensitive files,
access other users' data, or aid in exploitation to gain further system access.

User input should never be used in constructing paths or files for interacting
with the filesystem. This includes filenames supplied by user uploads or downloads.
If possible, consider hashing user input or using unique values and
use path.normalize to resolve and validate the path information
prior to processing any file functionality.

Example using path.normalize and not allowing direct user input:

// User input, saved only as a reference
// id is a randomly generated UUID to be used as the filename
const userData = {userFilename: userSuppliedFilename, id: crypto.randomUUID()};
// Restrict all file processing to this directory only
const basePath = '/app/restricted/';

// Create the full path, but only use our random generated id as the filename
const joinedPath = path.join(basePath, userData.id);
// Normalize path, removing any '..'
const fullPath = path.normalize(joinedPath);
// Verify the fullPath is contained within our basePath
if (!fullPath.startsWith(basePath)) {
    console.log("Invalid path specified!");
}
// Process / work with file
// ...

For more information on path traversal issues see OWASP:
https://owasp.org/www-community/attacks/Path_Traversal

flatfile-core-libraries/packages/cli/src/shared/get-entry-file.ts

Line 16 in 1ab100d

if (file && !fs.existsSync(file)) {

ID: 01J6E93M4Q6Y9PTH079XESQY5R Language: TypeScript Severity: 🔵 MEDIUM CWE-22

Javascript pathtraversal rule non literal fs filename

This is a path traversal vulnerability in the CLI tool's 'send.schemas.to.server.ts' file. The vulnerable code uses fs.readFileSync(buildFile, 'utf8') without proper input validation on the 'buildFile' parameter. This could allow an attacker with local access to read arbitrary files on the system, potentially exposing sensitive information.

flatfile-core-libraries/packages/cli/src/legacy/utilities/send.schemas.to.server.ts

Line 58 in 1ab100d

const sourceCode = fs.readFileSync(buildFile, 'utf8')

ID: 01J7P1X7TZE89D7QCEVX77BG8P Language: TypeScript Severity: 🔵 MEDIUM CWE-22

Javascript pathtraversal rule non literal fs filename

The application dynamically constructs file or path information. If the path
information comes from user-supplied input, it could be abused to read sensitive files,
access other users' data, or aid in exploitation to gain further system access.

User input should never be used in constructing paths or files for interacting
with the filesystem. This includes filenames supplied by user uploads or downloads.
If possible, consider hashing user input or using unique values and
use path.normalize to resolve and validate the path information
prior to processing any file functionality.

Example using path.normalize and not allowing direct user input:

// User input, saved only as a reference
// id is a randomly generated UUID to be used as the filename
const userData = {userFilename: userSuppliedFilename, id: crypto.randomUUID()};
// Restrict all file processing to this directory only
const basePath = '/app/restricted/';

// Create the full path, but only use our random generated id as the filename
const joinedPath = path.join(basePath, userData.id);
// Normalize path, removing any '..'
const fullPath = path.normalize(joinedPath);
// Verify the fullPath is contained within our basePath
if (!fullPath.startsWith(basePath)) {
    console.log("Invalid path specified!");
}
// Process / work with file
// ...

For more information on path traversal issues see OWASP:
https://owasp.org/www-community/attacks/Path_Traversal

flatfile-core-libraries/packages/cli/src/x/actions/deploy.action.ts

Line 133 in 1ab100d

fs.mkdirSync(outDir, { recursive: true })

ID: 01J7P1X7TZE89D7QCEVC9NNR97 Language: TypeScript Severity: 🔵 MEDIUM CWE-22

Javascript pathtraversal rule non literal fs filename

The application dynamically constructs file or path information. If the path
information comes from user-supplied input, it could be abused to read sensitive files,
access other users' data, or aid in exploitation to gain further system access.

User input should never be used in constructing paths or files for interacting
with the filesystem. This includes filenames supplied by user uploads or downloads.
If possible, consider hashing user input or using unique values and
use path.normalize to resolve and validate the path information
prior to processing any file functionality.

Example using path.normalize and not allowing direct user input:

// User input, saved only as a reference
// id is a randomly generated UUID to be used as the filename
const userData = {userFilename: userSuppliedFilename, id: crypto.randomUUID()};
// Restrict all file processing to this directory only
const basePath = '/app/restricted/';

// Create the full path, but only use our random generated id as the filename
const joinedPath = path.join(basePath, userData.id);
// Normalize path, removing any '..'
const fullPath = path.normalize(joinedPath);
// Verify the fullPath is contained within our basePath
if (!fullPath.startsWith(basePath)) {
    console.log("Invalid path specified!");
}
// Process / work with file
// ...

For more information on path traversal issues see OWASP:
https://owasp.org/www-community/attacks/Path_Traversal

flatfile-core-libraries/packages/cli/src/legacy/utilities/send.schemas.to.server.ts

Line 30 in 1ab100d

localPackageJSON = JSON.parse(fs.readFileSync(npm_package_json, 'utf8'))

ID: 01J7P1X7TZE89D7QCEWR97149Y Language: TypeScript Severity: 🔵 MEDIUM CWE-95

Javascript require rule non literal require

The application was found to dynamically import a module by calling require using a
non-literal string. An adversary might be able to read the first line of
arbitrary files. If they had write access to the file system, they may also be able to
execute arbitrary code.

To remediate this issue, use a hardcoded string literal when calling require. Never call it
it with dynamically created variables or user-supplied data.

flatfile-core-libraries/packages/cli/src/x/actions/publish.pubsub.ts

Line 143 in 1ab100d

const client = require(buildFile)

ℹ️ Note: 29 vulnerabilities were detected. This dashboard prioritises and showcases the top 20 most critical findings.

Reply with /nullify to interact with me like another developer

[flatfile-nullify]

New code security updates for commit 4295347

New	Fixed	Allowlisted	Unallowlisted
25	0	0	0

See Details

New Findings

ID	Title	File	Line	CWE
01J2W1TTWZF30EZTGN3X87583C	Node api key	packages/cli/src/legacy/utilities/access.token.ts	5	798
01J2W1TTWZF30EZTGN49V8J439	Javascript pathtraversal rule non literal fs filename	packages/cli/src/shared/get-entry-file.ts	16	22
01J2W1TTWZF30EZTGN4050FN07	Javascript require rule non literal require	packages/cli/src/legacy/utilities/send.schemas.to.server.ts	17	95
01J2W1TTWZF30EZTGN4B51YRVF	Javascript pathtraversal rule non literal fs filename	packages/cli/src/shared/get-entry-file.ts	22	22
01J2W1TTWZF30EZTGN4KRE0JBG	Javascript pathtraversal rule non literal fs filename	packages/cli/src/x/actions/develop.action.ts	25	22
01J2W1TTWZF30EZTGN4PDC0690	Javascript pathtraversal rule non literal fs filename	packages/cli/src/x/actions/develop.action.ts	26	22
01J2W1TTWZF30EZTGN4428QQRK	Javascript pathtraversal rule non literal fs filename	packages/cli/src/legacy/utilities/send.schemas.to.server.ts	30	22
01J2W1TTWZF30EZTGN5BY5J8EB	Javascript dos rule non literal regexp	packages/v2-shims/src/logic/util.ts	54	185
01J2W1TTWZF30EZTGN47RX2EJ2	Javascript pathtraversal rule non literal fs filename	packages/cli/src/legacy/utilities/send.schemas.to.server.ts	58	22
01J2W1TTWZF30EZTGN58BVQ0VD	Generic error disclosure	packages/listener-driver-pubsub/src/index.ts	70	209
01J2W1TTWZF30EZTGN4SFXGG5J	Javascript require rule non literal require	packages/cli/src/x/actions/develop.action.ts	99	95
01J2W1TTWZF30EZTGN52CZJ0EC	Rules lgpl javascript xss rule express xss	packages/cli/src/x/actions/publish.pubsub.ts	99	79
01J2W1TTWZF30EZTGN4TQBV46T	Rules lgpl javascript xss rule express xss	packages/cli/src/x/actions/publish.action.ts	102	79
01J2W1TTWZF30EZTGN3QBFTB1W	Node secret	packages/cli/src/index.ts	112	798
01J2W1TTWZF30EZTGN4B55AT1B	Javascript pathtraversal rule non literal fs filename	packages/cli/src/x/actions/deploy.action.ts	118	22
01J2W1TTWZF30EZTGN4CQWBYQM	Javascript pathtraversal rule non literal fs filename	packages/cli/src/x/actions/deploy.action.ts	119	22
01J2W1TTWZF30EZTGN3TWNV8Y1	Node secret	packages/cli/src/index.ts	132	798
01J2W1TTWZF30EZTGN567WE6BG	Javascript pathtraversal rule non literal fs filename	packages/cli/src/x/actions/publish.pubsub.ts	141	22
01J2W1TTWZF30EZTGN56ZJT1CB	Javascript require rule non literal require	packages/cli/src/x/actions/publish.pubsub.ts	143	95
01J2W1TTWZF30EZTGN4VMNQ1M4	Javascript pathtraversal rule non literal fs filename	packages/cli/src/x/actions/publish.action.ts	144	22
01J2W1TTWZF30EZTGN4YNPK36V	Javascript require rule non literal require	packages/cli/src/x/actions/publish.action.ts	146	95
01J2W1TTWZF30EZTGN4EPM0G78	Javascript pathtraversal rule non literal fs filename	packages/cli/src/x/actions/deploy.action.ts	153	22
01J2W1TTWZF30EZTGN4H7CCHD7	Javascript pathtraversal rule non literal fs filename	packages/cli/src/x/actions/deploy.action.ts	169	22
01J2W1TTWZF30EZTGN4KHG930N	Javascript pathtraversal rule non literal fs filename	packages/cli/src/x/actions/deploy.action.ts	217	22
01J2W1TTWZF30EZTGN57G7B6TT	Javascript pathtraversal rule non literal fs filename	packages/cli/src/x/actions/quickstart.action.ts	220	22

[flatfile-nullify]

New code security updates for commit 8cf905a

New	Fixed	Allowlisted	Unallowlisted
1	0	0	0

See Details

New Findings

ID	Title	File	Line	CWE
01J2WB7S8T5FF5TKAPRB2CDGSR	Javascript dos rule non literal regexp	packages/javascript/src/i18n.ts	54	185

[flatfile-nullify]

New code security updates for commit 6c8292b

New	Fixed	Allowlisted	Unallowlisted
1	0	0	0

See Details

New Findings

ID	Title	File	Line	CWE
01J2WB9KHMM7DJDCYE8B89CH7S	Javascript dos rule non literal regexp	packages/javascript/src/i18n.ts	54	185

[flatfile-nullify]

New code security updates for commit d565c70

New	Fixed	Allowlisted	Unallowlisted
26	0	0	0

See Details

New Findings

ID	Title	File	Line	CWE
01J30P6X0Y0ZQG1FH7VQ7QSR92	Node api key	packages/cli/src/legacy/utilities/access.token.ts	5	798
01J30P6X0Y0ZQG1FH7W05NFC56	Javascript pathtraversal rule non literal fs filename	packages/cli/src/shared/get-entry-file.ts	16	22
01J30P6X0Y0ZQG1FH7VSTETF2E	Javascript require rule non literal require	packages/cli/src/legacy/utilities/send.schemas.to.server.ts	17	95
01J30P6X0Y0ZQG1FH7W0R2SMY3	Javascript pathtraversal rule non literal fs filename	packages/cli/src/shared/get-entry-file.ts	22	22
01J30P6X0Y0ZQG1FH7WDGR4KND	Javascript pathtraversal rule non literal fs filename	packages/cli/src/x/actions/develop.action.ts	25	22
01J30P6X0Y0ZQG1FH7WGA6ZY79	Javascript pathtraversal rule non literal fs filename	packages/cli/src/x/actions/develop.action.ts	26	22
01J30P6X0Y0ZQG1FH7VT37TKT7	Javascript pathtraversal rule non literal fs filename	packages/cli/src/legacy/utilities/send.schemas.to.server.ts	30	22
01J30P6X0Y0ZQG1FH7XEWPGZ84	Javascript dos rule non literal regexp	packages/v2-shims/src/logic/util.ts	54	185
01J30P6X0Y0ZQG1FH7X7YMXGWX	Javascript dos rule non literal regexp	packages/javascript/src/i18n.ts	54	185
01J30P6X0Y0ZQG1FH7VWM90GRD	Javascript pathtraversal rule non literal fs filename	packages/cli/src/legacy/utilities/send.schemas.to.server.ts	58	22
01J30P6X0Y0ZQG1FH7XBF7KC9Z	Generic error disclosure	packages/listener-driver-pubsub/src/index.ts	70	209
01J30P6X0Y0ZQG1FH7WJZEJJC3	Javascript require rule non literal require	packages/cli/src/x/actions/develop.action.ts	99	95
01J30P6X0Y0ZQG1FH7X11WEQ95	Rules lgpl javascript xss rule express xss	packages/cli/src/x/actions/publish.pubsub.ts	99	79
01J30P6X0Y0ZQG1FH7WPVA4GAN	Rules lgpl javascript xss rule express xss	packages/cli/src/x/actions/publish.action.ts	102	79
01J30P6X0Y0ZQG1FH7VJ6T34EM	Node secret	packages/cli/src/index.ts	112	798
01J30P6X0Y0ZQG1FH7W2GYQ1HQ	Javascript pathtraversal rule non literal fs filename	packages/cli/src/x/actions/deploy.action.ts	118	22
01J30P6X0Y0ZQG1FH7W3BC1RPB	Javascript pathtraversal rule non literal fs filename	packages/cli/src/x/actions/deploy.action.ts	119	22
01J30P6X0Y0ZQG1FH7VNBTW8K1	Node secret	packages/cli/src/index.ts	132	798
01J30P6X0Y0ZQG1FH7X29WB7A2	Javascript pathtraversal rule non literal fs filename	packages/cli/src/x/actions/publish.pubsub.ts	141	22
01J30P6X0Y0ZQG1FH7X3CK8H58	Javascript require rule non literal require	packages/cli/src/x/actions/publish.pubsub.ts	143	95
01J30P6X0Y0ZQG1FH7WTGXKA4H	Javascript pathtraversal rule non literal fs filename	packages/cli/src/x/actions/publish.action.ts	144	22
01J30P6X0Y0ZQG1FH7WXG0XRFV	Javascript require rule non literal require	packages/cli/src/x/actions/publish.action.ts	146	95
01J30P6X0Y0ZQG1FH7W6T0G3QA	Javascript pathtraversal rule non literal fs filename	packages/cli/src/x/actions/deploy.action.ts	153	22
01J30P6X0Y0ZQG1FH7W9D9GC7N	Javascript pathtraversal rule non literal fs filename	packages/cli/src/x/actions/deploy.action.ts	169	22
01J30P6X0Y0ZQG1FH7WC5ZWSH5	Javascript pathtraversal rule non literal fs filename	packages/cli/src/x/actions/deploy.action.ts	217	22
01J30P6X0Y0ZQG1FH7X4CZ90FZ	Javascript pathtraversal rule non literal fs filename	packages/cli/src/x/actions/quickstart.action.ts	220	22

[flatfile-nullify]

New code security updates for commit 2093c4d

New	Fixed	Allowlisted	Unallowlisted
1	0	0	0

See Details

New Findings

ID	Title	File	Line	CWE
01J31P208K6V63MGKNCZEMH4RZ	Javascript pathtraversal rule non literal fs filename	packages/cli/src/x/actions/deploy.action.ts	240	22

[flatfile-nullify]

New code security updates for commit 5496e45

New	Fixed	Allowlisted	Unallowlisted
1	0	0	0

See Details

New Findings

ID	Title	File	Line	CWE
01J31P3ST2A5T9HYJV9QMRDWW1	Javascript pathtraversal rule non literal fs filename	packages/cli/src/x/actions/deploy.action.ts	240	22

[flatfile-nullify]

New code security updates for commit 3ffcee7

New	Fixed	Allowlisted	Unallowlisted
27	0	0	0

See Details

New Findings

ID	Title	File	Line	CWE
01J31PBXS9FF3QT876VJHGTVKP	Node api key	packages/cli/src/legacy/utilities/access.token.ts	5	798
01J31PBXS9FF3QT876VSPE8YDQ	Javascript pathtraversal rule non literal fs filename	packages/cli/src/shared/get-entry-file.ts	16	22
01J31PBXS9FF3QT876VK2JX3H0	Javascript require rule non literal require	packages/cli/src/legacy/utilities/send.schemas.to.server.ts	17	95
01J31PBXS9FF3QT876VVS6BVGJ	Javascript pathtraversal rule non literal fs filename	packages/cli/src/shared/get-entry-file.ts	22	22
01J31PBXS9FF3QT876W7Z9DNEC	Javascript pathtraversal rule non literal fs filename	packages/cli/src/x/actions/develop.action.ts	25	22
01J31PBXS9FF3QT876WAGQVWYT	Javascript pathtraversal rule non literal fs filename	packages/cli/src/x/actions/develop.action.ts	26	22
01J31PBXS9FF3QT876VPMJZ98F	Javascript pathtraversal rule non literal fs filename	packages/cli/src/legacy/utilities/send.schemas.to.server.ts	30	22
01J31PBXS9FF3QT876WZ7QX79T	Javascript dos rule non literal regexp	packages/v2-shims/src/logic/util.ts	54	185
01J31PBXS9FF3QT876WS71NSN5	Javascript dos rule non literal regexp	packages/javascript/src/i18n.ts	54	185
01J31PBXS9FF3QT876VPRQQ0GX	Javascript pathtraversal rule non literal fs filename	packages/cli/src/legacy/utilities/send.schemas.to.server.ts	58	22
01J31PBXS9FF3QT876WW4203GB	Generic error disclosure	packages/listener-driver-pubsub/src/index.ts	70	209
01J31PBXS9FF3QT876WJ67BXVW	Rules lgpl javascript xss rule express xss	packages/cli/src/x/actions/publish.pubsub.ts	99	79
01J31PBXS9FF3QT876WE4YEMWV	Javascript require rule non literal require	packages/cli/src/x/actions/develop.action.ts	99	95
01J31PBXS9FF3QT876WF8JKMR8	Rules lgpl javascript xss rule express xss	packages/cli/src/x/actions/publish.action.ts	102	79
01J31PBXS9FF3QT876VF5M2314	Node secret	packages/cli/src/index.ts	112	798
01J31PBXS9FF3QT876VXXHTBAE	Javascript pathtraversal rule non literal fs filename	packages/cli/src/x/actions/deploy.action.ts	132	22
01J31PBXS9FF3QT876VHWXD9HR	Node secret	packages/cli/src/index.ts	132	798
01J31PBXS9FF3QT876VZ7S7KPN	Javascript pathtraversal rule non literal fs filename	packages/cli/src/x/actions/deploy.action.ts	133	22
01J31PBXS9FF3QT876WMMSWNYE	Javascript pathtraversal rule non literal fs filename	packages/cli/src/x/actions/publish.pubsub.ts	141	22
01J31PBXS9FF3QT876WP8M63BP	Javascript require rule non literal require	packages/cli/src/x/actions/publish.pubsub.ts	143	95
01J31PBXS9FF3QT876WFS65WA0	Javascript pathtraversal rule non literal fs filename	packages/cli/src/x/actions/publish.action.ts	144	22
01J31PBXS9FF3QT876WJ3DR9CS	Javascript require rule non literal require	packages/cli/src/x/actions/publish.action.ts	146	95
01J31PBXS9FF3QT876W1B5BWN5	Javascript pathtraversal rule non literal fs filename	packages/cli/src/x/actions/deploy.action.ts	167	22
01J31PBXS9FF3QT876W34X1YRV	Javascript pathtraversal rule non literal fs filename	packages/cli/src/x/actions/deploy.action.ts	184	22
01J31PBXS9FF3QT876WRE3TSQP	Javascript pathtraversal rule non literal fs filename	packages/cli/src/x/actions/quickstart.action.ts	220	22
01J31PBXS9FF3QT876W5NHXESC	Javascript pathtraversal rule non literal fs filename	packages/cli/src/x/actions/deploy.action.ts	238	22
01J31PBXS9FF3QT876W5YA8AM5	Javascript pathtraversal rule non literal fs filename	packages/cli/src/x/actions/deploy.action.ts	240	22

[flatfile-nullify]

New code security updates for commit e98cdf4

New	Fixed	Allowlisted	Unallowlisted
27	0	0	0

See Details

New Findings

ID	Title	File	Line	CWE
01J3NGD3PR2RFYWAFDSTJ02TM3	Node api key	packages/cli/src/legacy/utilities/access.token.ts	5	798
01J3NGD3PR2RFYWAFDT1NSA0CY	Javascript pathtraversal rule non literal fs filename	packages/cli/src/shared/get-entry-file.ts	16	22
01J3NGD3PR2RFYWAFDSXN59MZS	Javascript require rule non literal require	packages/cli/src/legacy/utilities/send.schemas.to.server.ts	17	95
01J3NGD3PR2RFYWAFDT1RQ4FTH	Javascript pathtraversal rule non literal fs filename	packages/cli/src/shared/get-entry-file.ts	22	22
01J3NGD3PR2RFYWAFDTDVCR5RF	Javascript pathtraversal rule non literal fs filename	packages/cli/src/x/actions/develop.action.ts	25	22
01J3NGD3PR2RFYWAFDTHH182HE	Javascript pathtraversal rule non literal fs filename	packages/cli/src/x/actions/develop.action.ts	26	22
01J3NGD3PR2RFYWAFDSZGDQV8C	Javascript pathtraversal rule non literal fs filename	packages/cli/src/legacy/utilities/send.schemas.to.server.ts	30	22
01J3NGD3PR2RFYWAFDV7NFVJXT	Javascript dos rule non literal regexp	packages/v2-shims/src/logic/util.ts	54	185
01J3NGD3PR2RFYWAFDV34AESC7	Javascript dos rule non literal regexp	packages/javascript/src/i18n.ts	54	185
01J3NGD3PR2RFYWAFDT1CTA460	Javascript pathtraversal rule non literal fs filename	packages/cli/src/legacy/utilities/send.schemas.to.server.ts	58	22
01J3NGD3PR2RFYWAFDV5YX2803	Generic error disclosure	packages/listener-driver-pubsub/src/index.ts	70	209
01J3NGD3PR2RFYWAFDTW7D5WJH	Rules lgpl javascript xss rule express xss	packages/cli/src/x/actions/publish.pubsub.ts	99	79
01J3NGD3PR2RFYWAFDTKR1MCJD	Javascript require rule non literal require	packages/cli/src/x/actions/develop.action.ts	99	95
01J3NGD3PR2RFYWAFDTPE6FQ6T	Rules lgpl javascript xss rule express xss	packages/cli/src/x/actions/publish.action.ts	102	79
01J3NGD3PR2RFYWAFDSPJGD7WD	Node secret	packages/cli/src/index.ts	112	798
01J3NGD3PR2RFYWAFDT3TWZ4RN	Javascript pathtraversal rule non literal fs filename	packages/cli/src/x/actions/deploy.action.ts	132	22
01J3NGD3PR2RFYWAFDSPMFYJ9H	Node secret	packages/cli/src/index.ts	132	798
01J3NGD3PR2RFYWAFDT79SHJ3B	Javascript pathtraversal rule non literal fs filename	packages/cli/src/x/actions/deploy.action.ts	133	22
01J3NGD3PR2RFYWAFDTYJCRF46	Javascript pathtraversal rule non literal fs filename	packages/cli/src/x/actions/publish.pubsub.ts	141	22
01J3NGD3PR2RFYWAFDV1P6RC5C	Javascript require rule non literal require	packages/cli/src/x/actions/publish.pubsub.ts	143	95
01J3NGD3PR2RFYWAFDTS0PXC9G	Javascript pathtraversal rule non literal fs filename	packages/cli/src/x/actions/publish.action.ts	144	22
01J3NGD3PR2RFYWAFDTT23M8YM	Javascript require rule non literal require	packages/cli/src/x/actions/publish.action.ts	146	95
01J3NGD3PR2RFYWAFDT9XKXR8T	Javascript pathtraversal rule non literal fs filename	packages/cli/src/x/actions/deploy.action.ts	167	22
01J3NGD3PR2RFYWAFDTBD89V6F	Javascript pathtraversal rule non literal fs filename	packages/cli/src/x/actions/deploy.action.ts	184	22
01J3NGD3PR2RFYWAFDV1W6C8SC	Javascript pathtraversal rule non literal fs filename	packages/cli/src/x/actions/quickstart.action.ts	220	22
01J3NGD3PR2RFYWAFDTC61A7AP	Javascript pathtraversal rule non literal fs filename	packages/cli/src/x/actions/deploy.action.ts	238	22
01J3NGD3PR2RFYWAFDTCFHXYN3	Javascript pathtraversal rule non literal fs filename	packages/cli/src/x/actions/deploy.action.ts	240	22