Vasilii Ermilov
Better results for `detect-child-process` rule
**Rule Description** use `req.ips` instead of `req.ip` for logging

*What does this rule intend to find?*

**Examples or references**
```javascript
const express = require('express')
const app = express()
const port =...
```
**Rule Description** app listen without host:
> If host is omitted, the server will accept connections on the unspecified IPv6 address (::) when IPv6 is available, or the unspecified IPv4...
### Intro
I proposed module aliasing for JavaScript a long time ago in https://github.com/returntocorp/semgrep/issues/285. But at that time there were higher priority issues with JavaScript (from the rule writing point of...
Hello, I’m a security researcher at [r2c](https://r2c.dev/). We work with industry experts to write code checks for bugs in open source. Problem: I found that the https server doesn't...
Delete .github/workflows/rulerascal.yml from release branch
for: https://linear.app/semgrep/issue/CODE-6898/pdefault-redundant-rules-creating-triplicate-findings-for-html Ideally this would be merged after this PR is done: https://github.com/semgrep/semgrep-rule-packs/pull/428
matching a field in a JS object does not work if value is a function

works: https://semgrep.dev/s/lxWB/
```
{foo: ...}
```
```javascript
{ foo: 1, bar: 2 }
```
does...
**Description:** Currently, the `Message.findOne` method in the codebase may accept unvalidated user input, potentially allowing **NoSQL injection** attacks. If an attacker supplies an **object** instead of a string, it could...
`res.send()` sends a string value as HTML content by default, which is why reflecting the user-provided `id` without any sanitization can be vulnerable to XSS.