crash.software
Projects
Pull Requests
Issues
Builds
bearer
Code
Files
Commits
Branches
Tags
Pull Requests
Code Comments
Code Compare
Issues
Builds
Statistics
Child Projects
cra.sh
RESTful API
Projects STRLCPY bearer Commits 00bd0ca6
🤬
Revision indexing in progress... (symbol navigation in revisions will be accurate after indexed)
  • pkg/commands/process/settings/rules/javascript/aws_lambda/query_injection.yml
    Content is identical
  • ■ ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/express/cross_site_scripting.yml
    skipped 38 lines
    39 39   remediation_message: |
    40 40   ## Description
    41 41   Sending unsanitized user input in a response puts your application at risk of cross-site scripting attacks.
    42  - <!--
     42 + 
     43 + 
    43 44   ## Remediations
    44  - Coming soon.
     45 + ❌ Avoid including user input directly in a response:
     46 + 
     47 + ```javascript
     48 + res.send(req.body.data)
     49 + ```
     50 + 
    45 51   ## Resources
    46  - Coming soon.
    47  - -->
     52 + - [OWASP Cross-Site Scripting (XSS) Cheatsheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)
    48 53   cwe_id:
    49 54   - 79
    50 55   id: "javascript_express_cross_site_scripting"
    skipped 1 lines
  • ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/express/default_session_config.yml
    skipped 20 lines
    21 21   To make sure session cookies don't open your application up to exploits or unauthorized access, don't use default cookie values.
    22 22   
    23 23   ## Remediations
    24  - - Instead of the default session name, use generic names.
     24 + Instead of the default session name, use generic names.
    25 25   
    26 26   ## Resources
    27 27   - [Express Security Best Practices](https://expressjs.com/en/advanced/best-practice-security.html#use-cookies-securely)
    skipped 5 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/express/eval_user_input.yml
    skipped 52 lines
    53 53   description: "Dangerous use of eval with user input detected"
    54 54   remediation_message: |
    55 55   ## Description
     56 + Using `eval` (and similar code execution methods such as `setTimeout`) with user input is dangerous and can lead to remote code execution.
    56 57   
    57  - Using eval with user input is dangerous. It can lead to remote code execution.
     58 + ## Remediation
     59 + ❌ As a general rule, avoid using `eval`.
     60 + ❌ Avoid using code execution methods with unsanitized user input.
     61 + 
     62 + Instead, it might be possible to use dynamic hardcoded values:
     63 + ```javascript
     64 + app.post("/:id", (req, res) => {
     65 + let myFunc = "(a, b) => a + b"
     66 + if req.params["single_item"] {
     67 + myFunc = "(a) => a"
     68 + }
     69 + 
     70 + setTimeout(myFunc);
     71 + };
     72 + ```
     73 + or pass user input to a compiled function, instead of compiling it with user input.
     74 + ```javascript
     75 + app.post("/:id", (req, res) => {
     76 + let myFunc = "(a, b) => a + b"
     77 + let compiledFunction = vm.compileFunction(myFunc);
     78 + compiledFunction(req.params["pageCount"], req.params["appendixPageCount"])
     79 + };
    58 80   
    59  - <!--
     81 + ✅ Use JavaScript's strict mode as best practice and to minimize the reach of code execution methods
     82 + ```javascript
     83 + "use strict"
     84 + 
     85 + app.post("/:id", (req, res) => {
     86 + ...
     87 + })
     88 + ```
     89 + 
    60 90   ## Resources
    61  - Coming soon.
    62  - -->
     91 + - [MDN JavaScript strict mode reference](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Strict_mode)
    63 92   cwe_id:
    64 93   - 94
    65 94   - 95
    skipped 2 lines
  • ■ ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/express/exposed_dir_listing.yml
    skipped 10 lines
    11 11   Inappropriate exposure of a directory listing could give attackers access to sensitive data or source code, either directly or through exploitation of an exposed file structure.
    12 12   
    13 13   ## Remediations
    14  - - Restrict access to sensitive directories and files
     14 + Restrict access to sensitive directories and files
    15 15   
    16 16   ## Resources
    17  - - [Express Serve Index Middleware](https://expressjs.com/en/resources/middleware/serve-index.html)
     17 + - [Express Serve index middleware](https://expressjs.com/en/resources/middleware/serve-index.html)
    18 18   cwe_id:
    19 19   - 548
    20 20   id: "javascript_express_exposed_dir_listing"
    skipped 1 lines
  • ■ ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/express/external_file_upload.yml
    skipped 35 lines
    36 36   description: "External control of filename or path detected."
    37 37   remediation_message: |
    38 38   ## Description
    39  - Using raw unsanitized input when forming filenames or file paths is bad practice.
    40  - It can lead to path manipulation, by which attackers can gain access to resources outside of the intended scope.
     39 + Passing unsanitized user input to the sendFile API is bad practice and can lead to path manipulation, by which attackers can gain access to resources and data outside of the intended scope.
    41 40   
    42  - <!--
    43 41   ## Remediations
    44  - Coming soon.
     42 + ✅ Set the root option to be an absolute path to a directory
     43 + 
     44 + ```javascript
     45 + app.post("/upload", (req, res) => {
     46 + var options = {
     47 + root: path.join(__dirname, "upload")
     48 + }
     49 + res.sendFile(req.params.filename, options)
     50 + }
     51 + ```
     52 + 
    45 53   ## Resources
    46  - Coming soon.
    47  - -->
     54 + - [Express sendFile API reference](http://expressjs.com/en/5x/api.html#res.sendFile)
    48 55   cwe_id:
    49 56   - 73
    50 57   id: "javascript_express_external_file_upload"
    skipped 1 lines
  • ■ ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/express/external_resource.yml
    skipped 23 lines
    24 24   description: "Rendering of resources resolved from external name or reference detected."
    25 25   remediation_message: |
    26 26   ## Description
    27  - Coming soon.
    28  - <!--
     27 + Using raw unsanitized input when rendering resources is bad practice.
     28 + 
    29 29   ## Remediations
    30  - Coming soon.
    31  - ## Resources
    32  - Coming soon.
    33  - -->
     30 + ❌ Avoid passing user or request input to res.render() or require().
     31 + 
     32 + ✅ Sanitize the input or use a safelist
     33 + Where it is unavoidable to rely on user input, sanitize the input or use a safelist to keep the rendered resources within the expected scope.
     34 + 
     35 + ```javascript
     36 + var path = req.body.path
     37 + if (['users', 'posts', 'pages'].includes(path)) {
     38 + return res.render(`${path}/success`)
     39 + }
     40 + ```
    34 41   cwe_id:
    35 42   - 706
    36 43   id: "javascript_express_external_resource"
    skipped 1 lines
  • ■ ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/express/hardcoded_secret.yml
    skipped 24 lines
    25 25  metadata:
    26 26   description: "Hard-coded secret detected."
    27 27   remediation_message: |
    28  - ## Description
    29  - Code is not a secure place to store hard-coded secrets. Use an env variable instead.
    30  - <!--
    31  - ## Remediations
    32  - Coming soon.
    33  - ## Resources
    34  - Coming soon.
    35  - -->
     28 + ## Description
     29 + Code is not a secure place to store hard-coded secrets. Use environment variables instead.
     30 + 
     31 + ## Remediations
     32 + ✅ Use environment variables and a secret management system instead
     33 + 
     34 + ```javascript
     35 + app.use(
     36 + session({
     37 + secret: process.env.secret,
     38 + name: "my-custom-session-name",
     39 + })
     40 + )
     41 + ```
     42 + 
     43 + ## Resources
     44 + - [OWASP hardcoded passwords](https://owasp.org/www-community/vulnerabilities/Use_of_hard-coded_password)
    36 45   cwe_id:
    37 46   - 798
    38 47   id: "javascript_express_hardcoded_secret"
    skipped 1 lines
  • ■ ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/express/helmet_missing.yml
    skipped 24 lines
    25 25   
    26 26   Helmet can help protect your app from some well-known web vulnerabilities by setting HTTP headers appropriately.
    27 27   
    28  - ## Resources
     28 + ## Remediations
    29 29   
    30  - - https://expressjs.com/en/advanced/best-practice-security.html
     30 + ✅ Use Helmet middleware
    31 31   
    32  - <!--
    33  - ## Remediations
    34  - Coming soon.
    35  - -->
     32 + ```javascript
     33 + const helmet = require("helmet")
     34 + app.use(helmet())
     35 + ```
     36 + 
     37 + ## Resources
     38 + 
     39 + - [Express Security Best Practices: Use Helmet](https://expressjs.com/en/advanced/best-practice-security.html#use-helmet)
    36 40   cwe_id:
    37 41   - 693
    38 42   id: javascript_express_helmet_missing
    skipped 1 lines
  • ■ ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/express/https_protocol_missing.yml
    skipped 13 lines
    14 14   description: "Missing https protocol detected."
    15 15   remediation_message: |
    16 16   ## Description
     17 + Use HTTPS wherever possible. HTTPS uses the TLS (Transport Layer Security) protocol to encrypt communication, making it more secure than HTTP.
    17 18   
    18  - Prefer https to http when using createServer()
     19 + ## Remediations
     20 + ✅ Use the `https` module when calling `createServer()`
     21 + 
     22 + ```javascript
     23 + var https = require('https');
     24 + var express = require('express');
     25 + var app = express();
     26 + 
     27 + var httpsServer = https.createServer(app)
     28 + httpsServer.listen(8080);
     29 + ```
    19 30   
    20  - <!--
    21  - ## Remediations
    22  - Coming soon.
    23 31   ## Resources
    24  - Coming soon.
    25  - -->
     32 + - [Express Security Best Practices: use TLS](https://expressjs.com/en/advanced/best-practice-security.html#use-tls)
    26 33   cwe_id:
    27 34   - 693
    28 35   id: javascript_express_https_protocol_missing
    skipped 1 lines
  • ■ ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/express/insecure_allow_origin.yml
    skipped 6 lines
    7 7   - set
    8 8   - header
    9 9   - variable: ORIGIN
    10  - values:
    11  - - '"Access-Control-Allow-Origin"'
    12  - - '"access-control-allow-origin"'
    13  - - "'Access-Control-Allow-Origin'"
    14  - - "'access-control-allow-origin'"
     10 + regex: (?i)['"]access-control-allow-origin["']
    15 11   - variable: USER_INPUT
    16 12   detection: javascript_express_insecure_allow_origin_user_input
    17 13   - pattern: |
    skipped 25 lines
    43 39   description: "Insecure Access-Control-Allow-Origin detected."
    44 40   remediation_message: |
    45 41   ## Description
    46  - Do not use unverified user-defined input to define Access-Control-Allow-Origin.
     42 + Do not use unverified user-defined input to define Access-Control-Allow-Origin. This can lead to unintended user access to sensitive data.
    47 43   
    48  - <!--
    49 44   ## Remediations
    50  - Coming soon.
     45 + ❌ Avoid defining origins with user input wherever possible.
     46 + ✅ If unavoidable, be sure to verify the input or to use a safe-list.
     47 + 
    51 48   ## Resources
    52  - Coming soon.
    53  - -->
     49 + - [OWASP Origin & Access-Control-Allow-Origin](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/07-Testing_Cross_Origin_Resource_Sharing)
    54 50   cwe_id:
    55 51   - 346
    56 52   id: "javascript_express_insecure_allow_origin"
    skipped 1 lines
  • ■ ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/express/insecure_cookie.yml
    skipped 28 lines
    29 29   To make sure cookies don't open your application up to exploits or unauthorized access, make sure to set security options appropriately.
    30 30   
    31 31   ## Remediations
    32  - - Set cookie security values to use HTTP(S) instead of client-side javascript.
    33  - - Set `secure` values to `true` to force cookies to only send over HTTPS.
     32 + Set cookie security values to use HTTP(S) instead of client-side javascript.
     33 + Set `secure` values to `true` to force cookies to only send over HTTPS.
    34 34   
    35 35   ## Resources
    36 36   - [Express Security Best Practices](https://expressjs.com/en/advanced/best-practice-security.html#use-cookies-securely)
    skipped 5 lines
  • ■ ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/express/insecure_template_rendering.yml
    skipped 85 lines
    86 86   description: "Insecure template rendering detected."
    87 87   remediation_message: |
    88 88   ## Description
    89  - Do not include externally influenced or user-given input data in rendered templates.
     89 + Do not include externally influenced or user-given input data in rendered templates. This is bad practice and can lead to code injection attacks.
    90 90   
    91  - <!--
    92 91   ## Remediations
    93  - Coming soon.
     92 + ✅ Always validate external data (for example, with a safe list) before rendering it in a template.
     93 + ✅ Sanitize external data before rendering it in a template to remove special characters that could introduce an injection attack.
     94 + 
    94 95   ## Resources
    95  - Coming soon.
    96  - -->
     96 + - [OWASP Injection prevention cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html#injection-prevention-rules)
    97 97   cwe_id:
    98 98   - 1336
    99 99   id: "javascript_express_insecure_template_rendering"
    skipped 1 lines
  • ■ ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/express/jwt_not_revoked.yml
    skipped 28 lines
    29 29   ## Description
    30 30   The best practice caching policy is to revoke JWTs especially when these contain senstitive information.
    31 31   
    32  - <!--
    33 32   ## Remediations
    34  - Coming soon.
     33 + ✅ Ensure JWTs are short-lived by revoking them
     34 + 
     35 + ```javascript
     36 + expressjwt({
     37 + ...
     38 + isRevoked: this.customRevokeCall(),
     39 + ...
     40 + })
     41 + ```
     42 + 
    35 43   ## Resources
    36  - Coming soon.
    37  - -->
     44 + - [ExpressJWT documentation on revoking tokens](https://github.com/auth0/express-jwt#revoked-tokens)
    38 45   cwe_id:
    39 46   - 525
    40 47   id: "javascript_express_jwt_not_revoked"
    skipped 1 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/express/open_redirect.yml
    skipped 20 lines
    21 21   remediation_message: |
    22 22   ## Description
    23 23   A redirect using unsanitized user input is bad practice and puts your application at greater risk of phishing attacks.
    24  - <!--
     24 + 
    25 25   ## Remediations
    26  - Coming soon.
     26 + ❌ Do not use unsanitized user input when constructing URLs
     27 + 
     28 + ✅ Instead, ensure the input is validated by using a safe list or a mapping when constructing URLs
     29 + 
     30 + ```javascript
     31 + var map = {
     32 + "1": "/planes",
     33 + "2": "/trains",
     34 + "3": "/automobiles",
     35 + }
     36 + 
     37 + res.redirect(map[req.body.transport])
     38 + ```
    27 39   ## Resources
    28  - Coming soon.
    29  - -->
     40 + - [OWASP open redirect](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html)
    30 41   cwe_id:
    31 42   - 601
    32 43   id: "javascript_express_open_redirect"
    skipped 1 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/express/reduce_fingerprint.yml
    skipped 37 lines
    38 38   
    39 39   ## Resources
    40 40   
    41  - - https://expressjs.com/en/advanced/best-practice-security.html
    42  - 
    43  - <!--
    44  - ## Remediations
    45  - Coming soon.
    46  - -->
     41 + - [Express Security Best Practices](https://expressjs.com/en/advanced/best-practice-security.html)
    47 42   cwe_id:
    48 43   - 693
    49 44   id: javascript_express_reduce_fingerprint
    skipped 1 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/express/server_side_request_forgery.yml
    skipped 47 lines
    48 48   remediation_message: |
    49 49   ## Description
    50 50   Using unsanitized URLs from the request object when retrieving data puts your application at risk of server-side request forgery (SSRF) attacks.
    51  - <!--
     51 + This rule checks for URLs containing user-supplied data.
     52 + 
    52 53   ## Remediations
    53  - Coming soon.
     54 + 
     55 + ❌ Avoid using user input in URLs:
     56 + 
     57 + ```javascript
     58 + axios.get(`https://${req.params.host}`)
     59 + ```
     60 + 
     61 + ✅ Use user input indirectly to form a URL:
     62 + 
     63 + ```javascript
     64 + var host = "default-api.com"
     65 + if req.params.host == "something-else" {
     66 + host = "other-api.com"
     67 + }
     68 + 
     69 + axios.get(`https://${host}`)
     70 + ```
     71 + 
    54 72   ## Resources
    55  - Coming soon.
    56  - -->
     73 + - [OWASP - Server-Side Request Forgery (SSRF) prevention cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)
    57 74   cwe_id:
    58 75   - 918
    59 76   id: "javascript_express_server_side_request_forgery"
    skipped 1 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/express/sql_injection.yml
    skipped 90 lines
    91 91   ## Description
    92 92   Including unsanitized data, such as user input or request data, in raw SQL queries makes your application vulnerable to SQL injection attacks.
    93 93   
    94  - <!--
    95 94   ## Remediations
    96  - Coming soon.
     95 + 
     96 + ❌ Avoid raw queries, especially those that contain unsanitized user input
     97 + ```javascript
     98 + var sqlite = new Sequelize("sqlite::memory:");
     99 + sqlite.query("SELECT * FROM users WHERE ID = " + req.params.userId);
     100 + ```
     101 + 
     102 + Instead, consider the following approaches when writing SQL queries
     103 + 
     104 + ✅ Validate query input wherever possible
     105 + 
     106 + ```javascript
     107 + var rawId = req.params.userId
     108 + if !(/[0-9]+/.test(rawId)) {
     109 + // input is unexpected; don't make the query
     110 + }
     111 + ```
     112 + 
     113 + ✅ Use prepared (or parameterized) statements when querying
     114 + 
     115 + Sequelize example -
     116 + ```javascript
     117 + var sqlite = new Sequelize("sqlite::memory:");
     118 + sqlite.query(
     119 + "SELECT * FROM users WHERE ID = ?",
     120 + { replacements: [req.params.userId] },
     121 + type: sequelize.QueryTypes.SELECT
     122 + )
     123 + ```
     124 + 
    97 125   ## Resources
    98  - Coming soon.
    99  - -->
     126 + - [OWASP SQL injection explained](https://owasp.org/www-community/attacks/SQL_Injection)
     127 + - [OWASP SQL injection prevention cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)
    100 128   cwe_id:
    101 129   - 89
    102 130   id: "javascript_express_sql_injection"
    skipped 1 lines
  • ■ ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/express/ui_redress.yml
    1 1  patterns:
    2 2   - pattern: |
    3  - res.set('X-Frame-Options', $<USER_INPUT>)
     3 + res.set($<HEADERS>, $<USER_INPUT>)
    4 4   filters:
    5  - - variable: USER_INPUT
    6  - detection: javascript_express_ui_redress_request_obj
    7  - - pattern: |
    8  - res.set("X-Frame-Options", $<USER_INPUT>)
    9  - filters:
     5 + - variable: HEADERS
     6 + regex: (?i)['"](x-frame-options|content-security-policy)["']
    10 7   - variable: USER_INPUT
    11 8   detection: javascript_express_ui_redress_request_obj
    12 9  auxiliary:
    skipped 11 lines
    24 21   description: "User Interface (UI) redress vulnerability (clickjacking) detected."
    25 22   remediation_message: |
    26 23   ## Description
    27  - Using unsanitizer user input to set a X-Frame-Options HTTP response header puts your application at risk for UI redress attacks (clickjacking).
     24 + Using unsanitized user input to set X-Frame-Options or Content-Security-Policy HTTP headers puts your application at risk for UI redress attacks (clickjacking).
    28 25   
    29  - <!--
    30 26   ## Remediations
    31  - Coming soon.
     27 + ✅ Prefer the most secure values when setting these headers
     28 + 
     29 + ```javascript
     30 + res.set('X-Frame-Options', 'DENY')
     31 + res.set('Content-Security-Policy', "frame-ancestors 'none'")
     32 + ```
     33 + 
     34 + ✅ Avoid using user input directly to set the headers, or use a safelist to guard against clickjacking
     35 + 
     36 + ```javascript
     37 + if (req.query.options === 'same') {
     38 + res.set('X-Frame-Options', 'SAME')
     39 + }
     40 + 
     41 + // safelist
     42 + if (['deny', 'sameorigin'].includes(req.query.options.toLowerCase)) {
     43 + res.set('X-Frame-Options', req.query.options)
     44 + }
     45 + ```
     46 + 
    32 47   ## Resources
    33  - Coming soon.
    34  - -->
     48 + - [OWASP Clickjacking attack explained](https://owasp.org/www-community/attacks/Clickjacking)
     49 + - [OWASP Clickjacking defense cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html)
    35 50   cwe_id:
    36 51   - 1021
    37 52   id: "javascript_express_ui_redress"
    skipped 1 lines
  • ■ ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/express/unsafe_deserialization.yml
    skipped 45 lines
    46 46   description: "Deserialization of untrusted data detected."
    47 47   remediation_message: |
    48 48   ## Description
    49  - It is bad practice to deserialize untrusted data, such as data direct from the request object.
    50  - <!--
     49 + It is bad practice to deserialize (unmarshal) untrusted data, such as data direct from the request object.
     50 + Attackers can transfer payloads or malicious code via serialized data, and deserializing such data puts your application at risk.
     51 + 
    51 52   ## Remediations
    52  - Coming soon.
     53 + ❌ Do not deserialize untrusted data
     54 + ✅ Prefer pure (data-only) and language-agnostic (de)serialization formats such as JSON or XML
     55 + Avoiding language-specific (de)serialization formats reduces the risk of attackers manipulating the deserialization process for malicious purposes.
     56 + 
     57 + ```javascript
     58 + JSON.parse(req.params)
     59 + ```
     60 + 
    53 61   ## Resources
    54  - Coming soon.
    55  - -->
     62 + - [OWASP Deserialization cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html)
    56 63   cwe_id:
    57 64   - 502
    58 65   id: "javascript_express_unsafe_deserialization"
    skipped 1 lines
  • ■ ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/express/xml_external_entity_vulnerability.yml
    skipped 71 lines
    72 72   remediation_message: |
    73 73   ## Description
    74 74   Avoid parsing untrusted data as XML. Such data could include URIs that resolve to resources that are outside of the current context, leading to XML External Entity (XXE) injection.
    75  - <!--
     75 + 
    76 76   ## Remediations
    77  - Coming soon.
     77 + ❌ Do not enable parsing of external entities.
     78 + 
     79 + For LibXML, for example, do not set `noent` to `true`.
     80 + ```javascript
     81 + var libxml = require("libxmljs");
     82 + libxml.parseXmlString(xml, { noent: true, noblanks: true });
     83 + ```
     84 + 
    78 85   ## Resources
    79  - Coming soon.
    80  - -->
     86 + - [OWASP XML External Entity (XXE) prevention cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)
    81 87   cwe_id:
    82 88   - 611
    83 89   id: "javascript_express_xxe_vulnerability"
    skipped 1 lines
  • ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/lang/open_redirect.yml
    skipped 35 lines
    36 36   
    37 37   ## Remediations
    38 38   
    39  - Simply avoid using redirects and forwards.
     39 + Avoid using redirects and forwards.
    40 40   
    41 41   ## Resources
    42 42   - [OWASP open redirect](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html)
    skipped 4 lines
Please wait...
Page is in error, reload to recover