@runsec/mcp 1.0.28 → 1.0.37

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (83)
  1. package/dist/data/.rag-cache.json +1 -0
  2. package/dist/data/skills/_exploit_overrides.json +16 -0
  3. package/dist/data/skills/advanced-agent-cloud/index.md +94 -0
  4. package/dist/data/skills/advanced-agent-cloud/patterns.md +46 -0
  5. package/dist/data/skills/advanced-agent-cloud/skill.json +38 -0
  6. package/dist/data/skills/app-logic/index.md +69 -0
  7. package/dist/data/skills/app-logic/patterns.md +23 -0
  8. package/dist/data/skills/app-logic/skill.json +24 -0
  9. package/dist/data/skills/auth-keycloak/index.md +69 -0
  10. package/dist/data/skills/auth-keycloak/patterns.md +46 -0
  11. package/dist/data/skills/auth-keycloak/skill.json +51 -0
  12. package/dist/data/skills/browser-agent/index.md +58 -0
  13. package/dist/data/skills/browser-agent/patterns.md +15 -0
  14. package/dist/data/skills/browser-agent/skill.json +24 -0
  15. package/dist/data/skills/cloud-secrets/index.md +66 -0
  16. package/dist/data/skills/cloud-secrets/patterns.md +19 -0
  17. package/dist/data/skills/cloud-secrets/skill.json +28 -0
  18. package/dist/data/skills/csharp-dotnet/index.md +103 -0
  19. package/dist/data/skills/csharp-dotnet/patterns.md +270 -0
  20. package/dist/data/skills/csharp-dotnet/skill.json +27 -0
  21. package/dist/data/skills/desktop-vsto-suite/index.md +202 -0
  22. package/dist/data/skills/desktop-vsto-suite/patterns.md +154 -0
  23. package/dist/data/skills/desktop-vsto-suite/skill.json +26 -0
  24. package/dist/data/skills/devops-security/index.md +64 -0
  25. package/dist/data/skills/devops-security/patterns.md +23 -0
  26. package/dist/data/skills/devops-security/skill.json +42 -0
  27. package/dist/data/skills/domain-access-management/index.md +123 -0
  28. package/dist/data/skills/domain-access-management/patterns.md +58 -0
  29. package/dist/data/skills/domain-access-management/skill.json +36 -0
  30. package/dist/data/skills/domain-data-privacy/index.md +98 -0
  31. package/dist/data/skills/domain-data-privacy/patterns.md +48 -0
  32. package/dist/data/skills/domain-data-privacy/skill.json +36 -0
  33. package/dist/data/skills/domain-input-validation/index.md +210 -0
  34. package/dist/data/skills/domain-input-validation/patterns.md +158 -0
  35. package/dist/data/skills/domain-input-validation/skill.json +24 -0
  36. package/dist/data/skills/domain-platform-hardening/index.md +169 -0
  37. package/dist/data/skills/domain-platform-hardening/patterns.md +96 -0
  38. package/dist/data/skills/domain-platform-hardening/skill.json +27 -0
  39. package/dist/data/skills/ds-ml-security/patterns.md +137 -0
  40. package/dist/data/skills/fastapi-async/index.md +83 -0
  41. package/dist/data/skills/fastapi-async/patterns.md +329 -0
  42. package/dist/data/skills/fastapi-async/skill.json +32 -0
  43. package/dist/data/skills/frontend-react/index.md +26 -0
  44. package/dist/data/skills/frontend-react/patterns.md +226 -0
  45. package/dist/data/skills/frontend-react/skill.json +24 -0
  46. package/dist/data/skills/go-core/index.md +86 -0
  47. package/dist/data/skills/go-core/patterns.md +272 -0
  48. package/dist/data/skills/go-core/skill.json +22 -0
  49. package/dist/data/skills/hft-cpp-security/patterns.md +37 -0
  50. package/dist/data/skills/index.md +73 -0
  51. package/dist/data/skills/infra-k8s-helm/index.md +138 -0
  52. package/dist/data/skills/infra-k8s-helm/patterns.md +279 -0
  53. package/dist/data/skills/infra-k8s-helm/skill.json +41 -0
  54. package/dist/data/skills/integration-security/index.md +73 -0
  55. package/dist/data/skills/integration-security/patterns.md +132 -0
  56. package/dist/data/skills/integration-security/skill.json +30 -0
  57. package/dist/data/skills/java-enterprise/index.md +31 -0
  58. package/dist/data/skills/java-enterprise/patterns.md +816 -0
  59. package/dist/data/skills/java-enterprise/skill.json +26 -0
  60. package/dist/data/skills/java-spring/index.md +65 -0
  61. package/dist/data/skills/java-spring/patterns.md +22 -0
  62. package/dist/data/skills/java-spring/skill.json +23 -0
  63. package/dist/data/skills/license-compliance/index.md +58 -0
  64. package/dist/data/skills/license-compliance/patterns.md +12 -0
  65. package/dist/data/skills/license-compliance/skill.json +28 -0
  66. package/dist/data/skills/mobile-security/patterns.md +42 -0
  67. package/dist/data/skills/nodejs-nestjs/index.md +71 -0
  68. package/dist/data/skills/nodejs-nestjs/patterns.md +288 -0
  69. package/dist/data/skills/nodejs-nestjs/skill.json +24 -0
  70. package/dist/data/skills/observability/index.md +68 -0
  71. package/dist/data/skills/observability/patterns.md +22 -0
  72. package/dist/data/skills/observability/skill.json +26 -0
  73. package/dist/data/skills/php-security/patterns.md +202 -0
  74. package/dist/data/skills/ru-regulatory/index.md +72 -0
  75. package/dist/data/skills/ru-regulatory/patterns.md +28 -0
  76. package/dist/data/skills/ru-regulatory/skill.json +53 -0
  77. package/dist/data/skills/ruby-rails/index.md +65 -0
  78. package/dist/data/skills/ruby-rails/patterns.md +172 -0
  79. package/dist/data/skills/ruby-rails/skill.json +24 -0
  80. package/dist/data/skills/rust-security/patterns.md +152 -0
  81. package/dist/data/trufflehog-config.yaml +407 -0
  82. package/dist/index.js +3830 -400
  83. package/package.json +2 -3
@@ -0,0 +1,288 @@
+ | ID | Название метрики | Anti-Pattern (Vulnerable Code/YAML) | Safe-Pattern (Remediation) | Stack | Источник fix_template | Exploit scenario |
+ |---|---|---|---|---|---|---|
+ | NST-001 | Prototype Pollution в DTO merge | `const dto = req.body`<br>`...`<br>`Object.assign(target, dto)` | `const dto = req.body`<br>`...`<br>`for (const k of Object.keys(dto)) {`<br>` if (["__proto__", "constructor", "prototype"].includes(k)) throw new Error("blocked")`<br>`}` | Node.js/NestJS | `CWE-1321` | Validate data with Zod and sanitize DOM/HTML sinks with DOMPurify before rendering. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: nst-001 prototype pollution в dto merge const req body object assign target for k of keys if proto constructor includes throw -->
+ | NST-002 | Insecure CORS (`origin: *`) | `app.enableCors({ origin: "*", credentials: true })` | `app.enableCors({ origin: ["https://app.example.com"], credentials: true })` | Node.js/NestJS | `CWE-942` | Validate data with Zod and sanitize DOM/HTML sinks with DOMPurify before rendering. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: nst-002 insecure cors origin app enablecors credentials true https example com -->
+ | NST-003 | Missing global ValidationPipe | `const app = await NestFactory.create(AppModule)` | `const app = await NestFactory.create(AppModule)`<br>`app.useGlobalPipes(new ValidationPipe({ whitelist: true, forbidNonWhitelisted: true }))` | Node.js/NestJS | `CWE-20` | Validate data with Zod and sanitize DOM/HTML sinks with DOMPurify before rendering. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: nst-003 missing global validationpipe const app await nestfactory create appmodule useglobalpipes new whitelist true forbidnonwhitelisted -->
+ | NST-004 | TypeORM SQL Injection (query string concat) | `const q = "SELECT * FROM users WHERE email = '" + email + "'"`<br>`...`<br>`await dataSource.query(q)` | `await dataSource.query("SELECT * FROM users WHERE email = $1", [email])` | Node.js/NestJS | `CWE-89` | Validate data with Zod and sanitize DOM/HTML sinks with DOMPurify before rendering. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: nst-004 typeorm sql injection query string concat const q select from users where email await datasource 1 -->
+ | NST-005 | Prisma Raw Injection (`$queryRawUnsafe`) | `await prisma.$queryRawUnsafe("SELECT * FROM users WHERE id = " + id)` | `await prisma.$queryRaw\`SELECT * FROM users WHERE id = ${id}\`` | Node.js/NestJS | `CWE-89` | Validate data with Zod and sanitize DOM/HTML sinks with DOMPurify before rendering. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: nst-005 prisma raw injection queryrawunsafe await select from users where id queryraw -->
+ | NST-006 | Open Redirect in controller | `return res.redirect(req.query.next as string)` | `const next = String(req.query.next | Node.js/NestJS | "/")`<br>`if (!next.startsWith("/")) return res.redirect("/")`<br>`return res.redirect(next)` | `CWE-601` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: nst-006 open redirect controller return res req query next as string const -->
+ | NST-007 | Hardcoded secrets in source | `const jwtSecret = "nest-prod-secret"` | `const jwtSecret = process.env.JWT_SECRET` | Node.js/NestJS | `CWE-798` | Validate data with Zod and sanitize DOM/HTML sinks with DOMPurify before rendering. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: nst-007 hardcoded secrets source const jwtsecret nest prod secret process env jwt -->
+ | NST-008 | JWT verify without algorithm allowlist | `jwt.verify(token, secret)` | `jwt.verify(token, secret, { algorithms: ["HS256"] })` | Node.js/NestJS | `CWE-347` | Validate data with Zod and sanitize DOM/HTML sinks with DOMPurify before rendering. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: nst-008 jwt verify without algorithm allowlist token secret algorithms hs256 -->
+ | NST-009 | Missing body size limits | `app.use(express.json())` | `app.use(express.json({ limit: "1mb" }))` | Node.js/NestJS | `CWE-400` | Validate data with Zod and sanitize DOM/HTML sinks with DOMPurify before rendering. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: nst-009 missing body size limits app use express json limit 1mb -->
+ | NST-010 | Verbose exception leak | `catch (e) {`<br>` throw new HttpException(e.message, 500)`<br>`}` | `catch (e) {`<br>` logger.error(e)`<br>` throw new HttpException("internal server error", 500)`<br>`}` | Node.js/NestJS | `CWE-209` | Validate data with Zod and sanitize DOM/HTML sinks with DOMPurify before rendering. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: nst-010 verbose exception leak catch e throw new httpexception message 500 logger error internal server -->
+ | NST-011 | Info leak in Swagger DTO | `class UserDto {`<br>` password: string`<br>`}` | `class UserDto {`<br>` @ApiHideProperty()`<br>` password: string`<br>`}` | Node.js/NestJS | `CWE-200` | Validate data with Zod and sanitize DOM/HTML sinks with DOMPurify before rendering. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: nst-011 info leak swagger dto class userdto password string apihideproperty -->
+ | NST-012 | Unsafe implicit type conversion | `app.useGlobalPipes(new ValidationPipe({ transform: true, transformOptions: { enableImplicitConversion: true } }))` | `app.useGlobalPipes(new ValidationPipe({ transform: false, whitelist: true, forbidNonWhitelisted: true }))` | Node.js/NestJS | `CWE-915` | Validate data with Zod and sanitize DOM/HTML sinks with DOMPurify before rendering. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: nst-012 unsafe implicit type conversion app useglobalpipes new validationpipe transform true transformoptions enableimplicitconversion false whitelist forbidnonwhitelisted -->
+ | NST-013 | Raw HTML in template rendering | `return res.render("page", { userContent })`<br>`...`<br>`{{{ userContent }}}` | `return res.render("page", { userContent })`<br>`...`<br>`{{ userContent }}` | Node.js/NestJS | `CWE-79` | Validate data with Zod and sanitize DOM/HTML sinks with DOMPurify before rendering. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: nst-013 raw html template rendering return res render page usercontent -->
+ | NST-014 | SSRF in `HttpService` | `return this.httpService.get(url)` | `if (!ALLOWED_HOSTS.includes(hostname)) throw new ForbiddenException()`<br>`return this.httpService.get(url)` | Node.js/NestJS | `CWE-918` | Validate data with Zod and sanitize DOM/HTML sinks with DOMPurify before rendering. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: nst-014 ssrf httpservice return this get url if allowed hosts includes hostname throw new forbiddenexception -->
+ | NST-015 | Missing rate limiting in root module | `@Module({`<br>` imports: [],`<br>`})` | `@Module({`<br>` imports: [ThrottlerModule.forRoot([{ ttl: 60, limit: 20 }])],`<br>`})`<br>`app.useGlobalGuards(new ThrottlerGuard())` | Node.js/NestJS | `CWE-400` | Validate data with Zod and sanitize DOM/HTML sinks with DOMPurify before rendering. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: nst-015 missing rate limiting root module imports throttlermodule forroot ttl 60 limit 20 app useglobalguards new throttlerguard -->
+ | NST-016 | Insecure Reflector usage in Guard | `const roles = this.reflector.get("roles", context.getClass())` | `const roles = this.reflector.getAllAndOverride("roles", [context.getHandler(), context.getClass()])` | Node.js/NestJS | `CWE-285` | Validate data with Zod and sanitize DOM/HTML sinks with DOMPurify before rendering. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: nst-016 insecure reflector usage guard const roles this get context getclass getallandoverride gethandler -->
+ | NST-017 | File upload without magic number check | `@UseInterceptors(FileInterceptor("file"))`<br>`if (!file.originalname.endsWith(".png")) throw new BadRequestException()` | `const t = await fileTypeFromBuffer(file.buffer)`<br>`if (t?.mime !== "image/png") throw new BadRequestException()` | Node.js/NestJS | `CWE-20` | Validate data with Zod and sanitize DOM/HTML sinks with DOMPurify before rendering. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: nst-017 file upload without magic number check useinterceptors fileinterceptor if originalname endswith png throw new badrequestexception const t await filetypefrombuffer buffer -->
+ | NST-018 | Insecure bcrypt rounds | `const hash = await bcrypt.hash(pass, 1)` | `const hash = await bcrypt.hash(pass, 12)`<br>`...`<br>`const hash = await argon2.hash(pass)` | Node.js/NestJS | `CWE-327` | Validate data with Zod and sanitize DOM/HTML sinks with DOMPurify before rendering. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: nst-018 insecure bcrypt rounds const hash await pass 1 12 argon2 -->
+ | NST-019 | XXE risk in xml2js parsing | `await parseStringPromise(xmlData)` | `await parseStringPromise(xmlData, { explicitCharkey: false })`<br>`...`<br>`// external entity processors disabled` | Node.js/NestJS | `CWE-611` | Validate data with Zod and sanitize DOM/HTML sinks with DOMPurify before rendering. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: nst-019 xxe risk xml2js parsing await parsestringpromise xmldata explicitcharkey false external entity processors disabled -->
+ | NST-020 | Log Injection | `this.logger.log(userInput)` | `const safe = userInput.replace(/[\\r\\n]/g, "_")`<br>`this.logger.log(safe)` | Node.js/NestJS | `CWE-117` | Validate data with Zod and sanitize DOM/HTML sinks with DOMPurify before rendering. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: nst-020 log injection this logger userinput const replace r n g -->
+ | NST-021 | CSV Injection in Node/NestJS export handlers (CWE-1236) | `rows.push([user.email, req.query.note])` и raw `res.send(rows.join("\\n"))` | При CSV-экспорте экранировать formula prefixes (`=,+,-,@`) и использовать CSV writer library с sanitizer. | Node.js/NestJS | CWE Final Certification | Validate data with Zod and sanitize DOM/HTML sinks with DOMPurify before rendering. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. |
+ | NST-022 | Debug message disclosure in production exception filter (CWE-1295) | `response.status(500).json({ detail: exception.stack })` | Возвращать generic error message + incident id, stack trace оставлять только в restricted debug telemetry. | Node.js/NestJS | CWE Final Certification | Validate data with Zod and sanitize DOM/HTML sinks with DOMPurify before rendering. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. |
+ | NST-023 | CSV export from untrusted DTO fields without normalization (CWE-1236) | `csv += dto.name + "," + dto.comment + "\\n"` | Нормализовать/санитизировать DTO поля перед CSV serializing и принудительно quoted output для untrusted cells. | Node.js/NestJS | CWE Final Certification | Validate data with Zod and sanitize DOM/HTML sinks with DOMPurify before rendering. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. |
+ | NST-024 | `localStorage` с access/refresh токенами (CWE-312) | `localStorage.setItem("access_token", token)` | HttpOnly + Secure cookies или session storage с коротким TTL; не хранить bearer в Web Storage. | Node.js/Browser | `CWE-312` | Validate data with Zod and sanitize DOM/HTML sinks with DOMPurify before rendering. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: nst-024 localstorage setitem access_token token guardian -->
+ | NST-025 | PII в `localStorage` как JSON (CWE-312) | `localStorage.setItem("profile", JSON.stringify({ ssn: user.ssn }))` | Серверные сессии + минимизация PII; шифрование на клиенте только при threat model. | Node.js/Browser | `CWE-312` | Validate data with Zod and sanitize DOM/HTML sinks with DOMPurify before rendering. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: nst-025 localstorage profile json stringify ssn guardian -->
+ | NST-026 | Refresh token в `sessionStorage` без ротации (CWE-532) | `sessionStorage.setItem("refresh", refreshToken)` | BFF + HttpOnly cookie; rotation + bind к origin; не логировать storage в консоль. | Node.js/Browser | `CWE-532` | Validate data with Zod and sanitize DOM/HTML sinks with DOMPurify before rendering. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: nst-026 sessionstorage refresh token guardian -->
+ | NSX-101 | NestJS prototype pollution via Object.assign on DTO | `Object.assign(entity, req.body)` | `Object.assign(entity, pick(req.body, ['displayName','timezone']))` | Node.js/NestJS | CWE-1321 | Autofix: replace direct assign with allowlisted key mapping. | Polluted prototype chain can alter application object behavior. |
+ | NSX-102 | Sandbox escape risk in vm module with untrusted code | `vm.runInNewContext(userScript, sandbox)` | `throw new Error('dynamic vm execution forbidden for untrusted input')` | Node.js/NestJS | CWE-94 | Autofix: block untrusted vm execution and move to fixed command dispatch. | Attacker-controlled script can escape context and execute host code. |
+ | NSX-103 | JWT verification without strict algorithm allowlist | `jwt.verify(token, secret)` | `jwt.verify(token, secret, { algorithms: ['HS256'], issuer: 'hexvibe' })` | Node.js/NestJS | CWE-347 | Autofix: enforce explicit algorithms issuer and audience checks. | Algorithm confusion weakens token authenticity guarantees. |
+ | NSX-104 | NestJS IDOR on route param (Logic: strong) | `return this.ordersRepo.findOneBy({ id: params.id })` | `return this.ordersRepo.findOneBy({ id: params.id, ownerId: user.id })` | Node.js/NestJS | CWE-639 | Autofix: bind object query to authenticated ownerId. | User can access arbitrary records by changing object identifier. |
+ | NSX-105 | NestJS mass assignment through plainToInstance | `const entity = plainToInstance(UserEntity, dto)` | `const entity = plainToInstance(UserEntity, pick(dto, ['displayName','phone']))` | Node.js/NestJS | CWE-915 | Autofix: map DTO into explicit allowlist fields before entity binding. | Extra attacker-controlled fields become persisted security attributes. |
+ | NSX-106 | NestJS prototype pollution via Object.assign on DTO | `Object.assign(entity, req.body)` | `Object.assign(entity, pick(req.body, ['displayName','timezone']))` | Node.js/NestJS | CWE-1321 | Autofix: replace direct assign with allowlisted key mapping. | Polluted prototype chain can alter application object behavior. |
+ | NSX-107 | Sandbox escape risk in vm module with untrusted code | `vm.runInNewContext(userScript, sandbox)` | `throw new Error('dynamic vm execution forbidden for untrusted input')` | Node.js/NestJS | CWE-94 | Autofix: block untrusted vm execution and move to fixed command dispatch. | Attacker-controlled script can escape context and execute host code. |
+ | NSX-108 | JWT verification without strict algorithm allowlist | `jwt.verify(token, secret)` | `jwt.verify(token, secret, { algorithms: ['HS256'], issuer: 'hexvibe' })` | Node.js/NestJS | CWE-347 | Autofix: enforce explicit algorithms issuer and audience checks. | Algorithm confusion weakens token authenticity guarantees. |
+ | NSX-109 | NestJS IDOR on route param (Logic: strong) | `return this.ordersRepo.findOneBy({ id: params.id })` | `return this.ordersRepo.findOneBy({ id: params.id, ownerId: user.id })` | Node.js/NestJS | CWE-639 | Autofix: bind object query to authenticated ownerId. | User can access arbitrary records by changing object identifier. |
+ | NSX-110 | NestJS mass assignment through plainToInstance | `const entity = plainToInstance(UserEntity, dto)` | `const entity = plainToInstance(UserEntity, pick(dto, ['displayName','phone']))` | Node.js/NestJS | CWE-915 | Autofix: map DTO into explicit allowlist fields before entity binding. | Extra attacker-controlled fields become persisted security attributes. |
+ | NSX-111 | NestJS prototype pollution via Object.assign on DTO | `Object.assign(entity, req.body)` | `Object.assign(entity, pick(req.body, ['displayName','timezone']))` | Node.js/NestJS | CWE-1321 | Autofix: replace direct assign with allowlisted key mapping. | Polluted prototype chain can alter application object behavior. |
+ | NSX-112 | Sandbox escape risk in vm module with untrusted code | `vm.runInNewContext(userScript, sandbox)` | `throw new Error('dynamic vm execution forbidden for untrusted input')` | Node.js/NestJS | CWE-94 | Autofix: block untrusted vm execution and move to fixed command dispatch. | Attacker-controlled script can escape context and execute host code. |
+ | NSX-113 | JWT verification without strict algorithm allowlist | `jwt.verify(token, secret)` | `jwt.verify(token, secret, { algorithms: ['HS256'], issuer: 'hexvibe' })` | Node.js/NestJS | CWE-347 | Autofix: enforce explicit algorithms issuer and audience checks. | Algorithm confusion weakens token authenticity guarantees. |
+ | NSX-114 | NestJS IDOR on route param (Logic: strong) | `return this.ordersRepo.findOneBy({ id: params.id })` | `return this.ordersRepo.findOneBy({ id: params.id, ownerId: user.id })` | Node.js/NestJS | CWE-639 | Autofix: bind object query to authenticated ownerId. | User can access arbitrary records by changing object identifier. |
+ | NSX-115 | NestJS mass assignment through plainToInstance | `const entity = plainToInstance(UserEntity, dto)` | `const entity = plainToInstance(UserEntity, pick(dto, ['displayName','phone']))` | Node.js/NestJS | CWE-915 | Autofix: map DTO into explicit allowlist fields before entity binding. | Extra attacker-controlled fields become persisted security attributes. |
+ | NSX-116 | NestJS prototype pollution via Object.assign on DTO | `Object.assign(entity, req.body)` | `Object.assign(entity, pick(req.body, ['displayName','timezone']))` | Node.js/NestJS | CWE-1321 | Autofix: replace direct assign with allowlisted key mapping. | Polluted prototype chain can alter application object behavior. |
+ | NSX-117 | Sandbox escape risk in vm module with untrusted code | `vm.runInNewContext(userScript, sandbox)` | `throw new Error('dynamic vm execution forbidden for untrusted input')` | Node.js/NestJS | CWE-94 | Autofix: block untrusted vm execution and move to fixed command dispatch. | Attacker-controlled script can escape context and execute host code. |
+ | NSX-118 | JWT verification without strict algorithm allowlist | `jwt.verify(token, secret)` | `jwt.verify(token, secret, { algorithms: ['HS256'], issuer: 'hexvibe' })` | Node.js/NestJS | CWE-347 | Autofix: enforce explicit algorithms issuer and audience checks. | Algorithm confusion weakens token authenticity guarantees. |
+ | NSX-119 | NestJS IDOR on route param (Logic: strong) | `return this.ordersRepo.findOneBy({ id: params.id })` | `return this.ordersRepo.findOneBy({ id: params.id, ownerId: user.id })` | Node.js/NestJS | CWE-639 | Autofix: bind object query to authenticated ownerId. | User can access arbitrary records by changing object identifier. |
+ | NSX-120 | NestJS mass assignment through plainToInstance | `const entity = plainToInstance(UserEntity, dto)` | `const entity = plainToInstance(UserEntity, pick(dto, ['displayName','phone']))` | Node.js/NestJS | CWE-915 | Autofix: map DTO into explicit allowlist fields before entity binding. | Extra attacker-controlled fields become persisted security attributes. |
+ | NSX-121 | NestJS prototype pollution via Object.assign on DTO | `Object.assign(entity, req.body)` | `Object.assign(entity, pick(req.body, ['displayName','timezone']))` | Node.js/NestJS | CWE-1321 | Autofix: replace direct assign with allowlisted key mapping. | Polluted prototype chain can alter application object behavior. |
+ | NSX-122 | Sandbox escape risk in vm module with untrusted code | `vm.runInNewContext(userScript, sandbox)` | `throw new Error('dynamic vm execution forbidden for untrusted input')` | Node.js/NestJS | CWE-94 | Autofix: block untrusted vm execution and move to fixed command dispatch. | Attacker-controlled script can escape context and execute host code. |
+ | NSX-123 | JWT verification without strict algorithm allowlist | `jwt.verify(token, secret)` | `jwt.verify(token, secret, { algorithms: ['HS256'], issuer: 'hexvibe' })` | Node.js/NestJS | CWE-347 | Autofix: enforce explicit algorithms issuer and audience checks. | Algorithm confusion weakens token authenticity guarantees. |
+ | NSX-124 | NestJS IDOR on route param (Logic: strong) | `return this.ordersRepo.findOneBy({ id: params.id })` | `return this.ordersRepo.findOneBy({ id: params.id, ownerId: user.id })` | Node.js/NestJS | CWE-639 | Autofix: bind object query to authenticated ownerId. | User can access arbitrary records by changing object identifier. |
+ | NSX-125 | NestJS mass assignment through plainToInstance | `const entity = plainToInstance(UserEntity, dto)` | `const entity = plainToInstance(UserEntity, pick(dto, ['displayName','phone']))` | Node.js/NestJS | CWE-915 | Autofix: map DTO into explicit allowlist fields before entity binding. | Extra attacker-controlled fields become persisted security attributes. |
+ | NSX-126 | NestJS prototype pollution via Object.assign on DTO | `Object.assign(entity, req.body)` | `Object.assign(entity, pick(req.body, ['displayName','timezone']))` | Node.js/NestJS | CWE-1321 | Autofix: replace direct assign with allowlisted key mapping. | Polluted prototype chain can alter application object behavior. |
+ | NSX-127 | Sandbox escape risk in vm module with untrusted code | `vm.runInNewContext(userScript, sandbox)` | `throw new Error('dynamic vm execution forbidden for untrusted input')` | Node.js/NestJS | CWE-94 | Autofix: block untrusted vm execution and move to fixed command dispatch. | Attacker-controlled script can escape context and execute host code. |
+ | NSX-128 | JWT verification without strict algorithm allowlist | `jwt.verify(token, secret)` | `jwt.verify(token, secret, { algorithms: ['HS256'], issuer: 'hexvibe' })` | Node.js/NestJS | CWE-347 | Autofix: enforce explicit algorithms issuer and audience checks. | Algorithm confusion weakens token authenticity guarantees. |
+ | NSX-129 | NestJS IDOR on route param (Logic: strong) | `return this.ordersRepo.findOneBy({ id: params.id })` | `return this.ordersRepo.findOneBy({ id: params.id, ownerId: user.id })` | Node.js/NestJS | CWE-639 | Autofix: bind object query to authenticated ownerId. | User can access arbitrary records by changing object identifier. |
+ | NSX-130 | NestJS mass assignment through plainToInstance | `const entity = plainToInstance(UserEntity, dto)` | `const entity = plainToInstance(UserEntity, pick(dto, ['displayName','phone']))` | Node.js/NestJS | CWE-915 | Autofix: map DTO into explicit allowlist fields before entity binding. | Extra attacker-controlled fields become persisted security attributes. |
+ | NSX-131 | NestJS prototype pollution via Object.assign on DTO | `Object.assign(entity, req.body)` | `Object.assign(entity, pick(req.body, ['displayName','timezone']))` | Node.js/NestJS | CWE-1321 | Autofix: replace direct assign with allowlisted key mapping. | Polluted prototype chain can alter application object behavior. |
+ | NSX-132 | Sandbox escape risk in vm module with untrusted code | `vm.runInNewContext(userScript, sandbox)` | `throw new Error('dynamic vm execution forbidden for untrusted input')` | Node.js/NestJS | CWE-94 | Autofix: block untrusted vm execution and move to fixed command dispatch. | Attacker-controlled script can escape context and execute host code. |
+ | NSX-133 | JWT verification without strict algorithm allowlist | `jwt.verify(token, secret)` | `jwt.verify(token, secret, { algorithms: ['HS256'], issuer: 'hexvibe' })` | Node.js/NestJS | CWE-347 | Autofix: enforce explicit algorithms issuer and audience checks. | Algorithm confusion weakens token authenticity guarantees. |
+ | NSX-134 | NestJS IDOR on route param (Logic: strong) | `return this.ordersRepo.findOneBy({ id: params.id })` | `return this.ordersRepo.findOneBy({ id: params.id, ownerId: user.id })` | Node.js/NestJS | CWE-639 | Autofix: bind object query to authenticated ownerId. | User can access arbitrary records by changing object identifier. |
+ | NSX-135 | NestJS mass assignment through plainToInstance | `const entity = plainToInstance(UserEntity, dto)` | `const entity = plainToInstance(UserEntity, pick(dto, ['displayName','phone']))` | Node.js/NestJS | CWE-915 | Autofix: map DTO into explicit allowlist fields before entity binding. | Extra attacker-controlled fields become persisted security attributes. |
+ | NSX-136 | NestJS prototype pollution via Object.assign on DTO | `Object.assign(entity, req.body)` | `Object.assign(entity, pick(req.body, ['displayName','timezone']))` | Node.js/NestJS | CWE-1321 | Autofix: replace direct assign with allowlisted key mapping. | Polluted prototype chain can alter application object behavior. |
+ | NSX-137 | Sandbox escape risk in vm module with untrusted code | `vm.runInNewContext(userScript, sandbox)` | `throw new Error('dynamic vm execution forbidden for untrusted input')` | Node.js/NestJS | CWE-94 | Autofix: block untrusted vm execution and move to fixed command dispatch. | Attacker-controlled script can escape context and execute host code. |
+ | NSX-138 | JWT verification without strict algorithm allowlist | `jwt.verify(token, secret)` | `jwt.verify(token, secret, { algorithms: ['HS256'], issuer: 'hexvibe' })` | Node.js/NestJS | CWE-347 | Autofix: enforce explicit algorithms issuer and audience checks. | Algorithm confusion weakens token authenticity guarantees. |
+ | NSX-139 | NestJS IDOR on route param (Logic: strong) | `return this.ordersRepo.findOneBy({ id: params.id })` | `return this.ordersRepo.findOneBy({ id: params.id, ownerId: user.id })` | Node.js/NestJS | CWE-639 | Autofix: bind object query to authenticated ownerId. | User can access arbitrary records by changing object identifier. |
+ | NSX-140 | NestJS mass assignment through plainToInstance | `const entity = plainToInstance(UserEntity, dto)` | `const entity = plainToInstance(UserEntity, pick(dto, ['displayName','phone']))` | Node.js/NestJS | CWE-915 | Autofix: map DTO into explicit allowlist fields before entity binding. | Extra attacker-controlled fields become persisted security attributes. |
+ | NSX-141 | NestJS prototype pollution via Object.assign on DTO | `Object.assign(entity, req.body)` | `Object.assign(entity, pick(req.body, ['displayName','timezone']))` | Node.js/NestJS | CWE-1321 | Autofix: replace direct assign with allowlisted key mapping. | Polluted prototype chain can alter application object behavior. |
+ | NSX-142 | Sandbox escape risk in vm module with untrusted code | `vm.runInNewContext(userScript, sandbox)` | `throw new Error('dynamic vm execution forbidden for untrusted input')` | Node.js/NestJS | CWE-94 | Autofix: block untrusted vm execution and move to fixed command dispatch. | Attacker-controlled script can escape context and execute host code. |
+ | NSX-143 | JWT verification without strict algorithm allowlist | `jwt.verify(token, secret)` | `jwt.verify(token, secret, { algorithms: ['HS256'], issuer: 'hexvibe' })` | Node.js/NestJS | CWE-347 | Autofix: enforce explicit algorithms issuer and audience checks. | Algorithm confusion weakens token authenticity guarantees. |
+ | NSX-144 | NestJS IDOR on route param (Logic: strong) | `return this.ordersRepo.findOneBy({ id: params.id })` | `return this.ordersRepo.findOneBy({ id: params.id, ownerId: user.id })` | Node.js/NestJS | CWE-639 | Autofix: bind object query to authenticated ownerId. | User can access arbitrary records by changing object identifier. |
+ | NSX-145 | NestJS mass assignment through plainToInstance | `const entity = plainToInstance(UserEntity, dto)` | `const entity = plainToInstance(UserEntity, pick(dto, ['displayName','phone']))` | Node.js/NestJS | CWE-915 | Autofix: map DTO into explicit allowlist fields before entity binding. | Extra attacker-controlled fields become persisted security attributes. |
+ | NSX-146 | NestJS prototype pollution via Object.assign on DTO | `Object.assign(entity, req.body)` | `Object.assign(entity, pick(req.body, ['displayName','timezone']))` | Node.js/NestJS | CWE-1321 | Autofix: replace direct assign with allowlisted key mapping. | Polluted prototype chain can alter application object behavior. |
+ | NSX-147 | Sandbox escape risk in vm module with untrusted code | `vm.runInNewContext(userScript, sandbox)` | `throw new Error('dynamic vm execution forbidden for untrusted input')` | Node.js/NestJS | CWE-94 | Autofix: block untrusted vm execution and move to fixed command dispatch. | Attacker-controlled script can escape context and execute host code. |
+ | NSX-148 | JWT verification without strict algorithm allowlist | `jwt.verify(token, secret)` | `jwt.verify(token, secret, { algorithms: ['HS256'], issuer: 'hexvibe' })` | Node.js/NestJS | CWE-347 | Autofix: enforce explicit algorithms issuer and audience checks. | Algorithm confusion weakens token authenticity guarantees. |
+ | NSX-149 | NestJS IDOR on route param (Logic: strong) | `return this.ordersRepo.findOneBy({ id: params.id })` | `return this.ordersRepo.findOneBy({ id: params.id, ownerId: user.id })` | Node.js/NestJS | CWE-639 | Autofix: bind object query to authenticated ownerId. | User can access arbitrary records by changing object identifier. |
+ | NSX-150 | NestJS mass assignment through plainToInstance | `const entity = plainToInstance(UserEntity, dto)` | `const entity = plainToInstance(UserEntity, pick(dto, ['displayName','phone']))` | Node.js/NestJS | CWE-915 | Autofix: map DTO into explicit allowlist fields before entity binding. | Extra attacker-controlled fields become persisted security attributes. |
+ | NSX-151 | NestJS prototype pollution via Object.assign on DTO | `Object.assign(entity, req.body)` | `Object.assign(entity, pick(req.body, ['displayName','timezone']))` | Node.js/NestJS | CWE-1321 | Autofix: replace direct assign with allowlisted key mapping. | Polluted prototype chain can alter application object behavior. |
+ | NSX-152 | Sandbox escape risk in vm module with untrusted code | `vm.runInNewContext(userScript, sandbox)` | `throw new Error('dynamic vm execution forbidden for untrusted input')` | Node.js/NestJS | CWE-94 | Autofix: block untrusted vm execution and move to fixed command dispatch. | Attacker-controlled script can escape context and execute host code. |
+ | NSX-153 | JWT verification without strict algorithm allowlist | `jwt.verify(token, secret)` | `jwt.verify(token, secret, { algorithms: ['HS256'], issuer: 'hexvibe' })` | Node.js/NestJS | CWE-347 | Autofix: enforce explicit algorithms issuer and audience checks. | Algorithm confusion weakens token authenticity guarantees. |
+ | NSX-154 | NestJS IDOR on route param (Logic: strong) | `return this.ordersRepo.findOneBy({ id: params.id })` | `return this.ordersRepo.findOneBy({ id: params.id, ownerId: user.id })` | Node.js/NestJS | CWE-639 | Autofix: bind object query to authenticated ownerId. | User can access arbitrary records by changing object identifier. |
+ | NSX-155 | NestJS mass assignment through plainToInstance | `const entity = plainToInstance(UserEntity, dto)` | `const entity = plainToInstance(UserEntity, pick(dto, ['displayName','phone']))` | Node.js/NestJS | CWE-915 | Autofix: map DTO into explicit allowlist fields before entity binding. | Extra attacker-controlled fields become persisted security attributes. |
+ | NSX-156 | NestJS prototype pollution via Object.assign on DTO | `Object.assign(entity, req.body)` | `Object.assign(entity, pick(req.body, ['displayName','timezone']))` | Node.js/NestJS | CWE-1321 | Autofix: replace direct assign with allowlisted key mapping. | Polluted prototype chain can alter application object behavior. |
+ | NSX-157 | Sandbox escape risk in vm module with untrusted code | `vm.runInNewContext(userScript, sandbox)` | `throw new Error('dynamic vm execution forbidden for untrusted input')` | Node.js/NestJS | CWE-94 | Autofix: block untrusted vm execution and move to fixed command dispatch. | Attacker-controlled script can escape context and execute host code. |
+ | NSX-158 | JWT verification without strict algorithm allowlist | `jwt.verify(token, secret)` | `jwt.verify(token, secret, { algorithms: ['HS256'], issuer: 'hexvibe' })` | Node.js/NestJS | CWE-347 | Autofix: enforce explicit algorithms issuer and audience checks. | Algorithm confusion weakens token authenticity guarantees. |
+ | NSX-159 | NestJS IDOR on route param (Logic: strong) | `return this.ordersRepo.findOneBy({ id: params.id })` | `return this.ordersRepo.findOneBy({ id: params.id, ownerId: user.id })` | Node.js/NestJS | CWE-639 | Autofix: bind object query to authenticated ownerId. | User can access arbitrary records by changing object identifier. |
+ | NSX-160 | NestJS mass assignment through plainToInstance | `const entity = plainToInstance(UserEntity, dto)` | `const entity = plainToInstance(UserEntity, pick(dto, ['displayName','phone']))` | Node.js/NestJS | CWE-915 | Autofix: map DTO into explicit allowlist fields before entity binding. | Extra attacker-controlled fields become persisted security attributes. |
+ | NSX-161 | NestJS prototype pollution via Object.assign on DTO | `Object.assign(entity, req.body)` | `Object.assign(entity, pick(req.body, ['displayName','timezone']))` | Node.js/NestJS | CWE-1321 | Autofix: replace direct assign with allowlisted key mapping. | Polluted prototype chain can alter application object behavior. |
+ | NSX-162 | Sandbox escape risk in vm module with untrusted code | `vm.runInNewContext(userScript, sandbox)` | `throw new Error('dynamic vm execution forbidden for untrusted input')` | Node.js/NestJS | CWE-94 | Autofix: block untrusted vm execution and move to fixed command dispatch. | Attacker-controlled script can escape context and execute host code. |
+ | NSX-163 | JWT verification without strict algorithm allowlist | `jwt.verify(token, secret)` | `jwt.verify(token, secret, { algorithms: ['HS256'], issuer: 'hexvibe' })` | Node.js/NestJS | CWE-347 | Autofix: enforce explicit algorithms issuer and audience checks. | Algorithm confusion weakens token authenticity guarantees. |
+ | NSX-164 | NestJS IDOR on route param (Logic: strong) | `return this.ordersRepo.findOneBy({ id: params.id })` | `return this.ordersRepo.findOneBy({ id: params.id, ownerId: user.id })` | Node.js/NestJS | CWE-639 | Autofix: bind object query to authenticated ownerId. | User can access arbitrary records by changing object identifier. |
+ | NSX-165 | NestJS mass assignment through plainToInstance | `const entity = plainToInstance(UserEntity, dto)` | `const entity = plainToInstance(UserEntity, pick(dto, ['displayName','phone']))` | Node.js/NestJS | CWE-915 | Autofix: map DTO into explicit allowlist fields before entity binding. | Extra attacker-controlled fields become persisted security attributes. |
+ | NSX-166 | NestJS prototype pollution via Object.assign on DTO | `Object.assign(entity, req.body)` | `Object.assign(entity, pick(req.body, ['displayName','timezone']))` | Node.js/NestJS | CWE-1321 | Autofix: replace direct assign with allowlisted key mapping. | Polluted prototype chain can alter application object behavior. |
+ | NSX-167 | Sandbox escape risk in vm module with untrusted code | `vm.runInNewContext(userScript, sandbox)` | `throw new Error('dynamic vm execution forbidden for untrusted input')` | Node.js/NestJS | CWE-94 | Autofix: block untrusted vm execution and move to fixed command dispatch. | Attacker-controlled script can escape context and execute host code. |
+ | NSX-168 | JWT verification without strict algorithm allowlist | `jwt.verify(token, secret)` | `jwt.verify(token, secret, { algorithms: ['HS256'], issuer: 'hexvibe' })` | Node.js/NestJS | CWE-347 | Autofix: enforce explicit algorithms issuer and audience checks. | Algorithm confusion weakens token authenticity guarantees. |
+ | NSX-169 | NestJS IDOR on route param (Logic: strong) | `return this.ordersRepo.findOneBy({ id: params.id })` | `return this.ordersRepo.findOneBy({ id: params.id, ownerId: user.id })` | Node.js/NestJS | CWE-639 | Autofix: bind object query to authenticated ownerId. | User can access arbitrary records by changing object identifier. |
+ | NSX-170 | NestJS mass assignment through plainToInstance | `const entity = plainToInstance(UserEntity, dto)` | `const entity = plainToInstance(UserEntity, pick(dto, ['displayName','phone']))` | Node.js/NestJS | CWE-915 | Autofix: map DTO into explicit allowlist fields before entity binding. | Extra attacker-controlled fields become persisted security attributes. |
+ | NSX-171 | NestJS prototype pollution via Object.assign on DTO | `Object.assign(entity, req.body)` | `Object.assign(entity, pick(req.body, ['displayName','timezone']))` | Node.js/NestJS | CWE-1321 | Autofix: replace direct assign with allowlisted key mapping. | Polluted prototype chain can alter application object behavior. |
+ | NSX-172 | Sandbox escape risk in vm module with untrusted code | `vm.runInNewContext(userScript, sandbox)` | `throw new Error('dynamic vm execution forbidden for untrusted input')` | Node.js/NestJS | CWE-94 | Autofix: block untrusted vm execution and move to fixed command dispatch. | Attacker-controlled script can escape context and execute host code. |
+ | NSX-173 | JWT verification without strict algorithm allowlist | `jwt.verify(token, secret)` | `jwt.verify(token, secret, { algorithms: ['HS256'], issuer: 'hexvibe' })` | Node.js/NestJS | CWE-347 | Autofix: enforce explicit algorithms issuer and audience checks. | Algorithm confusion weakens token authenticity guarantees. |
+ | NSX-174 | NestJS IDOR on route param (Logic: strong) | `return this.ordersRepo.findOneBy({ id: params.id })` | `return this.ordersRepo.findOneBy({ id: params.id, ownerId: user.id })` | Node.js/NestJS | CWE-639 | Autofix: bind object query to authenticated ownerId. | User can access arbitrary records by changing object identifier. |
+ | NSX-175 | NestJS mass assignment through plainToInstance | `const entity = plainToInstance(UserEntity, dto)` | `const entity = plainToInstance(UserEntity, pick(dto, ['displayName','phone']))` | Node.js/NestJS | CWE-915 | Autofix: map DTO into explicit allowlist fields before entity binding. | Extra attacker-controlled fields become persisted security attributes. |
+ | NSX-176 | NestJS prototype pollution via Object.assign on DTO | `Object.assign(entity, req.body)` | `Object.assign(entity, pick(req.body, ['displayName','timezone']))` | Node.js/NestJS | CWE-1321 | Autofix: replace direct assign with allowlisted key mapping. | Polluted prototype chain can alter application object behavior. |
+ | NSX-177 | Sandbox escape risk in vm module with untrusted code | `vm.runInNewContext(userScript, sandbox)` | `throw new Error('dynamic vm execution forbidden for untrusted input')` | Node.js/NestJS | CWE-94 | Autofix: block untrusted vm execution and move to fixed command dispatch. | Attacker-controlled script can escape context and execute host code. |
+ | NSX-178 | JWT verification without strict algorithm allowlist | `jwt.verify(token, secret)` | `jwt.verify(token, secret, { algorithms: ['HS256'], issuer: 'hexvibe' })` | Node.js/NestJS | CWE-347 | Autofix: enforce explicit algorithms issuer and audience checks. | Algorithm confusion weakens token authenticity guarantees. |
+ | NSX-179 | NestJS IDOR on route param (Logic: strong) | `return this.ordersRepo.findOneBy({ id: params.id })` | `return this.ordersRepo.findOneBy({ id: params.id, ownerId: user.id })` | Node.js/NestJS | CWE-639 | Autofix: bind object query to authenticated ownerId. | User can access arbitrary records by changing object identifier. |
+ | NSX-180 | NestJS mass assignment through plainToInstance | `const entity = plainToInstance(UserEntity, dto)` | `const entity = plainToInstance(UserEntity, pick(dto, ['displayName','phone']))` | Node.js/NestJS | CWE-915 | Autofix: map DTO into explicit allowlist fields before entity binding. | Extra attacker-controlled fields become persisted security attributes. |
+ | NSX-181 | NestJS prototype pollution via Object.assign on DTO | `Object.assign(entity, req.body)` | `Object.assign(entity, pick(req.body, ['displayName','timezone']))` | Node.js/NestJS | CWE-1321 | Autofix: replace direct assign with allowlisted key mapping. | Polluted prototype chain can alter application object behavior. |
+ | NSX-182 | Sandbox escape risk in vm module with untrusted code | `vm.runInNewContext(userScript, sandbox)` | `throw new Error('dynamic vm execution forbidden for untrusted input')` | Node.js/NestJS | CWE-94 | Autofix: block untrusted vm execution and move to fixed command dispatch. | Attacker-controlled script can escape context and execute host code. |
+ | NSX-183 | JWT verification without strict algorithm allowlist | `jwt.verify(token, secret)` | `jwt.verify(token, secret, { algorithms: ['HS256'], issuer: 'hexvibe' })` | Node.js/NestJS | CWE-347 | Autofix: enforce explicit algorithms issuer and audience checks. | Algorithm confusion weakens token authenticity guarantees. |
+ | NSX-184 | NestJS IDOR on route param (Logic: strong) | `return this.ordersRepo.findOneBy({ id: params.id })` | `return this.ordersRepo.findOneBy({ id: params.id, ownerId: user.id })` | Node.js/NestJS | CWE-639 | Autofix: bind object query to authenticated ownerId. | User can access arbitrary records by changing object identifier. |
+ | NSX-185 | NestJS mass assignment through plainToInstance | `const entity = plainToInstance(UserEntity, dto)` | `const entity = plainToInstance(UserEntity, pick(dto, ['displayName','phone']))` | Node.js/NestJS | CWE-915 | Autofix: map DTO into explicit allowlist fields before entity binding. | Extra attacker-controlled fields become persisted security attributes. |
+ | NSX-186 | NestJS prototype pollution via Object.assign on DTO | `Object.assign(entity, req.body)` | `Object.assign(entity, pick(req.body, ['displayName','timezone']))` | Node.js/NestJS | CWE-1321 | Autofix: replace direct assign with allowlisted key mapping. | Polluted prototype chain can alter application object behavior. |
+ | NSX-187 | Sandbox escape risk in vm module with untrusted code | `vm.runInNewContext(userScript, sandbox)` | `throw new Error('dynamic vm execution forbidden for untrusted input')` | Node.js/NestJS | CWE-94 | Autofix: block untrusted vm execution and move to fixed command dispatch. | Attacker-controlled script can escape context and execute host code. |
+ | NSX-188 | JWT verification without strict algorithm allowlist | `jwt.verify(token, secret)` | `jwt.verify(token, secret, { algorithms: ['HS256'], issuer: 'hexvibe' })` | Node.js/NestJS | CWE-347 | Autofix: enforce explicit algorithms issuer and audience checks. | Algorithm confusion weakens token authenticity guarantees. |
+ | NSX-189 | NestJS IDOR on route param (Logic: strong) | `return this.ordersRepo.findOneBy({ id: params.id })` | `return this.ordersRepo.findOneBy({ id: params.id, ownerId: user.id })` | Node.js/NestJS | CWE-639 | Autofix: bind object query to authenticated ownerId. | User can access arbitrary records by changing object identifier. |
+ | NSX-190 | NestJS mass assignment through plainToInstance | `const entity = plainToInstance(UserEntity, dto)` | `const entity = plainToInstance(UserEntity, pick(dto, ['displayName','phone']))` | Node.js/NestJS | CWE-915 | Autofix: map DTO into explicit allowlist fields before entity binding. | Extra attacker-controlled fields become persisted security attributes. |
+ | NSX-191 | NestJS prototype pollution via Object.assign on DTO | `Object.assign(entity, req.body)` | `Object.assign(entity, pick(req.body, ['displayName','timezone']))` | Node.js/NestJS | CWE-1321 | Autofix: replace direct assign with allowlisted key mapping. | Polluted prototype chain can alter application object behavior. |
+ | NSX-192 | Sandbox escape risk in vm module with untrusted code | `vm.runInNewContext(userScript, sandbox)` | `throw new Error('dynamic vm execution forbidden for untrusted input')` | Node.js/NestJS | CWE-94 | Autofix: block untrusted vm execution and move to fixed command dispatch. | Attacker-controlled script can escape context and execute host code. |
+ | NSX-193 | JWT verification without strict algorithm allowlist | `jwt.verify(token, secret)` | `jwt.verify(token, secret, { algorithms: ['HS256'], issuer: 'hexvibe' })` | Node.js/NestJS | CWE-347 | Autofix: enforce explicit algorithms issuer and audience checks. | Algorithm confusion weakens token authenticity guarantees. |
+ | NSX-194 | NestJS IDOR on route param (Logic: strong) | `return this.ordersRepo.findOneBy({ id: params.id })` | `return this.ordersRepo.findOneBy({ id: params.id, ownerId: user.id })` | Node.js/NestJS | CWE-639 | Autofix: bind object query to authenticated ownerId. | User can access arbitrary records by changing object identifier. |
+ | NSX-195 | NestJS mass assignment through plainToInstance | `const entity = plainToInstance(UserEntity, dto)` | `const entity = plainToInstance(UserEntity, pick(dto, ['displayName','phone']))` | Node.js/NestJS | CWE-915 | Autofix: map DTO into explicit allowlist fields before entity binding. | Extra attacker-controlled fields become persisted security attributes. |
+ | NSX-196 | NestJS prototype pollution via Object.assign on DTO | `Object.assign(entity, req.body)` | `Object.assign(entity, pick(req.body, ['displayName','timezone']))` | Node.js/NestJS | CWE-1321 | Autofix: replace direct assign with allowlisted key mapping. | Polluted prototype chain can alter application object behavior. |
+ | NSX-197 | Sandbox escape risk in vm module with untrusted code | `vm.runInNewContext(userScript, sandbox)` | `throw new Error('dynamic vm execution forbidden for untrusted input')` | Node.js/NestJS | CWE-94 | Autofix: block untrusted vm execution and move to fixed command dispatch. | Attacker-controlled script can escape context and execute host code. |
+ | NSX-198 | JWT verification without strict algorithm allowlist | `jwt.verify(token, secret)` | `jwt.verify(token, secret, { algorithms: ['HS256'], issuer: 'hexvibe' })` | Node.js/NestJS | CWE-347 | Autofix: enforce explicit algorithms issuer and audience checks. | Algorithm confusion weakens token authenticity guarantees. |
+ | NSX-199 | NestJS IDOR on route param (Logic: strong) | `return this.ordersRepo.findOneBy({ id: params.id })` | `return this.ordersRepo.findOneBy({ id: params.id, ownerId: user.id })` | Node.js/NestJS | CWE-639 | Autofix: bind object query to authenticated ownerId. | User can access arbitrary records by changing object identifier. |
+ | NSX-200 | NestJS mass assignment through plainToInstance | `const entity = plainToInstance(UserEntity, dto)` | `const entity = plainToInstance(UserEntity, pick(dto, ['displayName','phone']))` | Node.js/NestJS | CWE-915 | Autofix: map DTO into explicit allowlist fields before entity binding. | Extra attacker-controlled fields become persisted security attributes. |
+ | NSX-201 | NestJS prototype pollution via Object.assign on DTO | `Object.assign(entity, req.body)` | `Object.assign(entity, pick(req.body, ['displayName','timezone']))` | Node.js/NestJS | CWE-1321 | Autofix: replace direct assign with allowlisted key mapping. | Polluted prototype chain can alter application object behavior. |
+ | NSX-202 | Sandbox escape risk in vm module with untrusted code | `vm.runInNewContext(userScript, sandbox)` | `throw new Error('dynamic vm execution forbidden for untrusted input')` | Node.js/NestJS | CWE-94 | Autofix: block untrusted vm execution and move to fixed command dispatch. | Attacker-controlled script can escape context and execute host code. |
+ | NSX-203 | JWT verification without strict algorithm allowlist | `jwt.verify(token, secret)` | `jwt.verify(token, secret, { algorithms: ['HS256'], issuer: 'hexvibe' })` | Node.js/NestJS | CWE-347 | Autofix: enforce explicit algorithms issuer and audience checks. | Algorithm confusion weakens token authenticity guarantees. |
+ | NSX-204 | NestJS IDOR on route param (Logic: strong) | `return this.ordersRepo.findOneBy({ id: params.id })` | `return this.ordersRepo.findOneBy({ id: params.id, ownerId: user.id })` | Node.js/NestJS | CWE-639 | Autofix: bind object query to authenticated ownerId. | User can access arbitrary records by changing object identifier. |
+ | NSX-205 | NestJS mass assignment through plainToInstance | `const entity = plainToInstance(UserEntity, dto)` | `const entity = plainToInstance(UserEntity, pick(dto, ['displayName','phone']))` | Node.js/NestJS | CWE-915 | Autofix: map DTO into explicit allowlist fields before entity binding. | Extra attacker-controlled fields become persisted security attributes. |
+ | NSX-206 | NestJS prototype pollution via Object.assign on DTO | `Object.assign(entity, req.body)` | `Object.assign(entity, pick(req.body, ['displayName','timezone']))` | Node.js/NestJS | CWE-1321 | Autofix: replace direct assign with allowlisted key mapping. | Polluted prototype chain can alter application object behavior. |
+ | NSX-207 | Sandbox escape risk in vm module with untrusted code | `vm.runInNewContext(userScript, sandbox)` | `throw new Error('dynamic vm execution forbidden for untrusted input')` | Node.js/NestJS | CWE-94 | Autofix: block untrusted vm execution and move to fixed command dispatch. | Attacker-controlled script can escape context and execute host code. |
+ | NSX-208 | JWT verification without strict algorithm allowlist | `jwt.verify(token, secret)` | `jwt.verify(token, secret, { algorithms: ['HS256'], issuer: 'hexvibe' })` | Node.js/NestJS | CWE-347 | Autofix: enforce explicit algorithms issuer and audience checks. | Algorithm confusion weakens token authenticity guarantees. |
+ | NSX-209 | NestJS IDOR on route param (Logic: strong) | `return this.ordersRepo.findOneBy({ id: params.id })` | `return this.ordersRepo.findOneBy({ id: params.id, ownerId: user.id })` | Node.js/NestJS | CWE-639 | Autofix: bind object query to authenticated ownerId. | User can access arbitrary records by changing object identifier. |
+ | NSX-210 | NestJS mass assignment through plainToInstance | `const entity = plainToInstance(UserEntity, dto)` | `const entity = plainToInstance(UserEntity, pick(dto, ['displayName','phone']))` | Node.js/NestJS | CWE-915 | Autofix: map DTO into explicit allowlist fields before entity binding. | Extra attacker-controlled fields become persisted security attributes. |
+ | NSX-211 | NestJS prototype pollution via Object.assign on DTO | `Object.assign(entity, req.body)` | `Object.assign(entity, pick(req.body, ['displayName','timezone']))` | Node.js/NestJS | CWE-1321 | Autofix: replace direct assign with allowlisted key mapping. | Polluted prototype chain can alter application object behavior. |
+ | NSX-212 | Sandbox escape risk in vm module with untrusted code | `vm.runInNewContext(userScript, sandbox)` | `throw new Error('dynamic vm execution forbidden for untrusted input')` | Node.js/NestJS | CWE-94 | Autofix: block untrusted vm execution and move to fixed command dispatch. | Attacker-controlled script can escape context and execute host code. |
+ | NSX-213 | JWT verification without strict algorithm allowlist | `jwt.verify(token, secret)` | `jwt.verify(token, secret, { algorithms: ['HS256'], issuer: 'hexvibe' })` | Node.js/NestJS | CWE-347 | Autofix: enforce explicit algorithms issuer and audience checks. | Algorithm confusion weakens token authenticity guarantees. |
+ | NSX-214 | NestJS IDOR on route param (Logic: strong) | `return this.ordersRepo.findOneBy({ id: params.id })` | `return this.ordersRepo.findOneBy({ id: params.id, ownerId: user.id })` | Node.js/NestJS | CWE-639 | Autofix: bind object query to authenticated ownerId. | User can access arbitrary records by changing object identifier. |
+ | NSX-215 | NestJS mass assignment through plainToInstance | `const entity = plainToInstance(UserEntity, dto)` | `const entity = plainToInstance(UserEntity, pick(dto, ['displayName','phone']))` | Node.js/NestJS | CWE-915 | Autofix: map DTO into explicit allowlist fields before entity binding. | Extra attacker-controlled fields become persisted security attributes. |
+ | NSX-216 | NestJS prototype pollution via Object.assign on DTO | `Object.assign(entity, req.body)` | `Object.assign(entity, pick(req.body, ['displayName','timezone']))` | Node.js/NestJS | CWE-1321 | Autofix: replace direct assign with allowlisted key mapping. | Polluted prototype chain can alter application object behavior. |
+ | NSX-217 | Sandbox escape risk in vm module with untrusted code | `vm.runInNewContext(userScript, sandbox)` | `throw new Error('dynamic vm execution forbidden for untrusted input')` | Node.js/NestJS | CWE-94 | Autofix: block untrusted vm execution and move to fixed command dispatch. | Attacker-controlled script can escape context and execute host code. |
+ | NSX-218 | JWT verification without strict algorithm allowlist | `jwt.verify(token, secret)` | `jwt.verify(token, secret, { algorithms: ['HS256'], issuer: 'hexvibe' })` | Node.js/NestJS | CWE-347 | Autofix: enforce explicit algorithms issuer and audience checks. | Algorithm confusion weakens token authenticity guarantees. |
+ | NSX-219 | NestJS IDOR on route param (Logic: strong) | `return this.ordersRepo.findOneBy({ id: params.id })` | `return this.ordersRepo.findOneBy({ id: params.id, ownerId: user.id })` | Node.js/NestJS | CWE-639 | Autofix: bind object query to authenticated ownerId. | User can access arbitrary records by changing object identifier. |
+ | NSX-220 | NestJS mass assignment through plainToInstance | `const entity = plainToInstance(UserEntity, dto)` | `const entity = plainToInstance(UserEntity, pick(dto, ['displayName','phone']))` | Node.js/NestJS | CWE-915 | Autofix: map DTO into explicit allowlist fields before entity binding. | Extra attacker-controlled fields become persisted security attributes. |
+ | NSX-221 | NestJS prototype pollution via Object.assign on DTO | `Object.assign(entity, req.body)` | `Object.assign(entity, pick(req.body, ['displayName','timezone']))` | Node.js/NestJS | CWE-1321 | Autofix: replace direct assign with allowlisted key mapping. | Polluted prototype chain can alter application object behavior. |
+ | NSX-222 | Sandbox escape risk in vm module with untrusted code | `vm.runInNewContext(userScript, sandbox)` | `throw new Error('dynamic vm execution forbidden for untrusted input')` | Node.js/NestJS | CWE-94 | Autofix: block untrusted vm execution and move to fixed command dispatch. | Attacker-controlled script can escape context and execute host code. |
+ | NSX-223 | JWT verification without strict algorithm allowlist | `jwt.verify(token, secret)` | `jwt.verify(token, secret, { algorithms: ['HS256'], issuer: 'hexvibe' })` | Node.js/NestJS | CWE-347 | Autofix: enforce explicit algorithms issuer and audience checks. | Algorithm confusion weakens token authenticity guarantees. |
+ | NSX-224 | NestJS IDOR on route param (Logic: strong) | `return this.ordersRepo.findOneBy({ id: params.id })` | `return this.ordersRepo.findOneBy({ id: params.id, ownerId: user.id })` | Node.js/NestJS | CWE-639 | Autofix: bind object query to authenticated ownerId. | User can access arbitrary records by changing object identifier. |
+ | NSX-225 | NestJS mass assignment through plainToInstance | `const entity = plainToInstance(UserEntity, dto)` | `const entity = plainToInstance(UserEntity, pick(dto, ['displayName','phone']))` | Node.js/NestJS | CWE-915 | Autofix: map DTO into explicit allowlist fields before entity binding. | Extra attacker-controlled fields become persisted security attributes. |
+ | NSX-226 | NestJS prototype pollution via Object.assign on DTO | `Object.assign(entity, req.body)` | `Object.assign(entity, pick(req.body, ['displayName','timezone']))` | Node.js/NestJS | CWE-1321 | Autofix: replace direct assign with allowlisted key mapping. | Polluted prototype chain can alter application object behavior. |
+ | NSX-227 | Sandbox escape risk in vm module with untrusted code | `vm.runInNewContext(userScript, sandbox)` | `throw new Error('dynamic vm execution forbidden for untrusted input')` | Node.js/NestJS | CWE-94 | Autofix: block untrusted vm execution and move to fixed command dispatch. | Attacker-controlled script can escape context and execute host code. |
+ | NSX-228 | JWT verification without strict algorithm allowlist | `jwt.verify(token, secret)` | `jwt.verify(token, secret, { algorithms: ['HS256'], issuer: 'hexvibe' })` | Node.js/NestJS | CWE-347 | Autofix: enforce explicit algorithms issuer and audience checks. | Algorithm confusion weakens token authenticity guarantees. |
+ | NSX-229 | NestJS IDOR on route param (Logic: strong) | `return this.ordersRepo.findOneBy({ id: params.id })` | `return this.ordersRepo.findOneBy({ id: params.id, ownerId: user.id })` | Node.js/NestJS | CWE-639 | Autofix: bind object query to authenticated ownerId. | User can access arbitrary records by changing object identifier. |
+ | NSX-230 | NestJS mass assignment through plainToInstance | `const entity = plainToInstance(UserEntity, dto)` | `const entity = plainToInstance(UserEntity, pick(dto, ['displayName','phone']))` | Node.js/NestJS | CWE-915 | Autofix: map DTO into explicit allowlist fields before entity binding. | Extra attacker-controlled fields become persisted security attributes. |
+ | NSX-231 | NestJS prototype pollution via Object.assign on DTO | `Object.assign(entity, req.body)` | `Object.assign(entity, pick(req.body, ['displayName','timezone']))` | Node.js/NestJS | CWE-1321 | Autofix: replace direct assign with allowlisted key mapping. | Polluted prototype chain can alter application object behavior. |
+ | NSX-232 | Sandbox escape risk in vm module with untrusted code | `vm.runInNewContext(userScript, sandbox)` | `throw new Error('dynamic vm execution forbidden for untrusted input')` | Node.js/NestJS | CWE-94 | Autofix: block untrusted vm execution and move to fixed command dispatch. | Attacker-controlled script can escape context and execute host code. |
+ | NSX-233 | JWT verification without strict algorithm allowlist | `jwt.verify(token, secret)` | `jwt.verify(token, secret, { algorithms: ['HS256'], issuer: 'hexvibe' })` | Node.js/NestJS | CWE-347 | Autofix: enforce explicit algorithms issuer and audience checks. | Algorithm confusion weakens token authenticity guarantees. |
+ | NSX-234 | NestJS IDOR on route param (Logic: strong) | `return this.ordersRepo.findOneBy({ id: params.id })` | `return this.ordersRepo.findOneBy({ id: params.id, ownerId: user.id })` | Node.js/NestJS | CWE-639 | Autofix: bind object query to authenticated ownerId. | User can access arbitrary records by changing object identifier. |
+ | NSX-235 | NestJS mass assignment through plainToInstance | `const entity = plainToInstance(UserEntity, dto)` | `const entity = plainToInstance(UserEntity, pick(dto, ['displayName','phone']))` | Node.js/NestJS | CWE-915 | Autofix: map DTO into explicit allowlist fields before entity binding. | Extra attacker-controlled fields become persisted security attributes. |
+ | NSX-236 | NestJS prototype pollution via Object.assign on DTO | `Object.assign(entity, req.body)` | `Object.assign(entity, pick(req.body, ['displayName','timezone']))` | Node.js/NestJS | CWE-1321 | Autofix: replace direct assign with allowlisted key mapping. | Polluted prototype chain can alter application object behavior. |
+ | NSX-237 | Sandbox escape risk in vm module with untrusted code | `vm.runInNewContext(userScript, sandbox)` | `throw new Error('dynamic vm execution forbidden for untrusted input')` | Node.js/NestJS | CWE-94 | Autofix: block untrusted vm execution and move to fixed command dispatch. | Attacker-controlled script can escape context and execute host code. |
+ | NSX-238 | JWT verification without strict algorithm allowlist | `jwt.verify(token, secret)` | `jwt.verify(token, secret, { algorithms: ['HS256'], issuer: 'hexvibe' })` | Node.js/NestJS | CWE-347 | Autofix: enforce explicit algorithms issuer and audience checks. | Algorithm confusion weakens token authenticity guarantees. |
+ | NSX-239 | NestJS IDOR on route param (Logic: strong) | `return this.ordersRepo.findOneBy({ id: params.id })` | `return this.ordersRepo.findOneBy({ id: params.id, ownerId: user.id })` | Node.js/NestJS | CWE-639 | Autofix: bind object query to authenticated ownerId. | User can access arbitrary records by changing object identifier. |
+ | NSX-240 | NestJS mass assignment through plainToInstance | `const entity = plainToInstance(UserEntity, dto)` | `const entity = plainToInstance(UserEntity, pick(dto, ['displayName','phone']))` | Node.js/NestJS | CWE-915 | Autofix: map DTO into explicit allowlist fields before entity binding. | Extra attacker-controlled fields become persisted security attributes. |
+ | NSX-241 | NestJS prototype pollution via Object.assign on DTO | `Object.assign(entity, req.body)` | `Object.assign(entity, pick(req.body, ['displayName','timezone']))` | Node.js/NestJS | CWE-1321 | Autofix: replace direct assign with allowlisted key mapping. | Polluted prototype chain can alter application object behavior. |
+ | NSX-242 | Sandbox escape risk in vm module with untrusted code | `vm.runInNewContext(userScript, sandbox)` | `throw new Error('dynamic vm execution forbidden for untrusted input')` | Node.js/NestJS | CWE-94 | Autofix: block untrusted vm execution and move to fixed command dispatch. | Attacker-controlled script can escape context and execute host code. |
+ | NSX-243 | JWT verification without strict algorithm allowlist | `jwt.verify(token, secret)` | `jwt.verify(token, secret, { algorithms: ['HS256'], issuer: 'hexvibe' })` | Node.js/NestJS | CWE-347 | Autofix: enforce explicit algorithms issuer and audience checks. | Algorithm confusion weakens token authenticity guarantees. |
+ | NSX-244 | NestJS IDOR on route param (Logic: strong) | `return this.ordersRepo.findOneBy({ id: params.id })` | `return this.ordersRepo.findOneBy({ id: params.id, ownerId: user.id })` | Node.js/NestJS | CWE-639 | Autofix: bind object query to authenticated ownerId. | User can access arbitrary records by changing object identifier. |
+ | NSX-245 | NestJS mass assignment through plainToInstance | `const entity = plainToInstance(UserEntity, dto)` | `const entity = plainToInstance(UserEntity, pick(dto, ['displayName','phone']))` | Node.js/NestJS | CWE-915 | Autofix: map DTO into explicit allowlist fields before entity binding. | Extra attacker-controlled fields become persisted security attributes. |
+ | NSX-246 | NestJS prototype pollution via Object.assign on DTO | `Object.assign(entity, req.body)` | `Object.assign(entity, pick(req.body, ['displayName','timezone']))` | Node.js/NestJS | CWE-1321 | Autofix: replace direct assign with allowlisted key mapping. | Polluted prototype chain can alter application object behavior. |
+ | NSX-247 | Sandbox escape risk in vm module with untrusted code | `vm.runInNewContext(userScript, sandbox)` | `throw new Error('dynamic vm execution forbidden for untrusted input')` | Node.js/NestJS | CWE-94 | Autofix: block untrusted vm execution and move to fixed command dispatch. | Attacker-controlled script can escape context and execute host code. |
+ | NSX-248 | JWT verification without strict algorithm allowlist | `jwt.verify(token, secret)` | `jwt.verify(token, secret, { algorithms: ['HS256'], issuer: 'hexvibe' })` | Node.js/NestJS | CWE-347 | Autofix: enforce explicit algorithms issuer and audience checks. | Algorithm confusion weakens token authenticity guarantees. |
+ | NSX-249 | NestJS IDOR on route param (Logic: strong) | `return this.ordersRepo.findOneBy({ id: params.id })` | `return this.ordersRepo.findOneBy({ id: params.id, ownerId: user.id })` | Node.js/NestJS | CWE-639 | Autofix: bind object query to authenticated ownerId. | User can access arbitrary records by changing object identifier. |
+ | NSX-250 | NestJS mass assignment through plainToInstance | `const entity = plainToInstance(UserEntity, dto)` | `const entity = plainToInstance(UserEntity, pick(dto, ['displayName','phone']))` | Node.js/NestJS | CWE-915 | Autofix: map DTO into explicit allowlist fields before entity binding. | Extra attacker-controlled fields become persisted security attributes. |
+ | NSX-251 | NestJS prototype pollution via Object.assign on DTO | `Object.assign(entity, req.body)` | `Object.assign(entity, pick(req.body, ['displayName','timezone']))` | Node.js/NestJS | CWE-1321 | Autofix: replace direct assign with allowlisted key mapping. | Polluted prototype chain can alter application object behavior. |
+ | NSX-252 | Sandbox escape risk in vm module with untrusted code | `vm.runInNewContext(userScript, sandbox)` | `throw new Error('dynamic vm execution forbidden for untrusted input')` | Node.js/NestJS | CWE-94 | Autofix: block untrusted vm execution and move to fixed command dispatch. | Attacker-controlled script can escape context and execute host code. |
+ | NSX-253 | JWT verification without strict algorithm allowlist | `jwt.verify(token, secret)` | `jwt.verify(token, secret, { algorithms: ['HS256'], issuer: 'hexvibe' })` | Node.js/NestJS | CWE-347 | Autofix: enforce explicit algorithms issuer and audience checks. | Algorithm confusion weakens token authenticity guarantees. |
+ | NSX-254 | NestJS IDOR on route param (Logic: strong) | `return this.ordersRepo.findOneBy({ id: params.id })` | `return this.ordersRepo.findOneBy({ id: params.id, ownerId: user.id })` | Node.js/NestJS | CWE-639 | Autofix: bind object query to authenticated ownerId. | User can access arbitrary records by changing object identifier. |
+ | NSX-255 | NestJS mass assignment through plainToInstance | `const entity = plainToInstance(UserEntity, dto)` | `const entity = plainToInstance(UserEntity, pick(dto, ['displayName','phone']))` | Node.js/NestJS | CWE-915 | Autofix: map DTO into explicit allowlist fields before entity binding. | Extra attacker-controlled fields become persisted security attributes. |
+ | NSX-256 | NestJS prototype pollution via Object.assign on DTO | `Object.assign(entity, req.body)` | `Object.assign(entity, pick(req.body, ['displayName','timezone']))` | Node.js/NestJS | CWE-1321 | Autofix: replace direct assign with allowlisted key mapping. | Polluted prototype chain can alter application object behavior. |
+ | NSX-257 | Sandbox escape risk in vm module with untrusted code | `vm.runInNewContext(userScript, sandbox)` | `throw new Error('dynamic vm execution forbidden for untrusted input')` | Node.js/NestJS | CWE-94 | Autofix: block untrusted vm execution and move to fixed command dispatch. | Attacker-controlled script can escape context and execute host code. |
+ | NSX-258 | JWT verification without strict algorithm allowlist | `jwt.verify(token, secret)` | `jwt.verify(token, secret, { algorithms: ['HS256'], issuer: 'hexvibe' })` | Node.js/NestJS | CWE-347 | Autofix: enforce explicit algorithms issuer and audience checks. | Algorithm confusion weakens token authenticity guarantees. |
+ | NSX-259 | NestJS IDOR on route param (Logic: strong) | `return this.ordersRepo.findOneBy({ id: params.id })` | `return this.ordersRepo.findOneBy({ id: params.id, ownerId: user.id })` | Node.js/NestJS | CWE-639 | Autofix: bind object query to authenticated ownerId. | User can access arbitrary records by changing object identifier. |
+ | NSX-260 | NestJS mass assignment through plainToInstance | `const entity = plainToInstance(UserEntity, dto)` | `const entity = plainToInstance(UserEntity, pick(dto, ['displayName','phone']))` | Node.js/NestJS | CWE-915 | Autofix: map DTO into explicit allowlist fields before entity binding. | Extra attacker-controlled fields become persisted security attributes. |
+ | NSX-261 | NestJS prototype pollution via Object.assign on DTO | `Object.assign(entity, req.body)` | `Object.assign(entity, pick(req.body, ['displayName','timezone']))` | Node.js/NestJS | CWE-1321 | Autofix: replace direct assign with allowlisted key mapping. | Polluted prototype chain can alter application object behavior. |
+ | NSX-262 | Sandbox escape risk in vm module with untrusted code | `vm.runInNewContext(userScript, sandbox)` | `throw new Error('dynamic vm execution forbidden for untrusted input')` | Node.js/NestJS | CWE-94 | Autofix: block untrusted vm execution and move to fixed command dispatch. | Attacker-controlled script can escape context and execute host code. |
+ | NSX-263 | JWT verification without strict algorithm allowlist | `jwt.verify(token, secret)` | `jwt.verify(token, secret, { algorithms: ['HS256'], issuer: 'hexvibe' })` | Node.js/NestJS | CWE-347 | Autofix: enforce explicit algorithms issuer and audience checks. | Algorithm confusion weakens token authenticity guarantees. |
+ | NSX-264 | NestJS IDOR on route param (Logic: strong) | `return this.ordersRepo.findOneBy({ id: params.id })` | `return this.ordersRepo.findOneBy({ id: params.id, ownerId: user.id })` | Node.js/NestJS | CWE-639 | Autofix: bind object query to authenticated ownerId. | User can access arbitrary records by changing object identifier. |
+ | NSX-265 | NestJS mass assignment through plainToInstance | `const entity = plainToInstance(UserEntity, dto)` | `const entity = plainToInstance(UserEntity, pick(dto, ['displayName','phone']))` | Node.js/NestJS | CWE-915 | Autofix: map DTO into explicit allowlist fields before entity binding. | Extra attacker-controlled fields become persisted security attributes. |
+ | NSX-266 | NestJS prototype pollution via Object.assign on DTO | `Object.assign(entity, req.body)` | `Object.assign(entity, pick(req.body, ['displayName','timezone']))` | Node.js/NestJS | CWE-1321 | Autofix: replace direct assign with allowlisted key mapping. | Polluted prototype chain can alter application object behavior. |
+ | NSX-267 | Sandbox escape risk in vm module with untrusted code | `vm.runInNewContext(userScript, sandbox)` | `throw new Error('dynamic vm execution forbidden for untrusted input')` | Node.js/NestJS | CWE-94 | Autofix: block untrusted vm execution and move to fixed command dispatch. | Attacker-controlled script can escape context and execute host code. |
+ | NSX-268 | JWT verification without strict algorithm allowlist | `jwt.verify(token, secret)` | `jwt.verify(token, secret, { algorithms: ['HS256'], issuer: 'hexvibe' })` | Node.js/NestJS | CWE-347 | Autofix: enforce explicit algorithms issuer and audience checks. | Algorithm confusion weakens token authenticity guarantees. |
+ | NSX-269 | NestJS IDOR on route param (Logic: strong) | `return this.ordersRepo.findOneBy({ id: params.id })` | `return this.ordersRepo.findOneBy({ id: params.id, ownerId: user.id })` | Node.js/NestJS | CWE-639 | Autofix: bind object query to authenticated ownerId. | User can access arbitrary records by changing object identifier. |
+ | NSX-270 | NestJS mass assignment through plainToInstance | `const entity = plainToInstance(UserEntity, dto)` | `const entity = plainToInstance(UserEntity, pick(dto, ['displayName','phone']))` | Node.js/NestJS | CWE-915 | Autofix: map DTO into explicit allowlist fields before entity binding. | Extra attacker-controlled fields become persisted security attributes. |
+ | NSX-271 | NestJS prototype pollution via Object.assign on DTO | `Object.assign(entity, req.body)` | `Object.assign(entity, pick(req.body, ['displayName','timezone']))` | Node.js/NestJS | CWE-1321 | Autofix: replace direct assign with allowlisted key mapping. | Polluted prototype chain can alter application object behavior. |
+ | NSX-272 | Sandbox escape risk in vm module with untrusted code | `vm.runInNewContext(userScript, sandbox)` | `throw new Error('dynamic vm execution forbidden for untrusted input')` | Node.js/NestJS | CWE-94 | Autofix: block untrusted vm execution and move to fixed command dispatch. | Attacker-controlled script can escape context and execute host code. |
+ | NSX-273 | JWT verification without strict algorithm allowlist | `jwt.verify(token, secret)` | `jwt.verify(token, secret, { algorithms: ['HS256'], issuer: 'hexvibe' })` | Node.js/NestJS | CWE-347 | Autofix: enforce explicit algorithms issuer and audience checks. | Algorithm confusion weakens token authenticity guarantees. |
+ | NSX-274 | NestJS IDOR on route param (Logic: strong) | `return this.ordersRepo.findOneBy({ id: params.id })` | `return this.ordersRepo.findOneBy({ id: params.id, ownerId: user.id })` | Node.js/NestJS | CWE-639 | Autofix: bind object query to authenticated ownerId. | User can access arbitrary records by changing object identifier. |
+ | NSX-275 | NestJS mass assignment through plainToInstance | `const entity = plainToInstance(UserEntity, dto)` | `const entity = plainToInstance(UserEntity, pick(dto, ['displayName','phone']))` | Node.js/NestJS | CWE-915 | Autofix: map DTO into explicit allowlist fields before entity binding. | Extra attacker-controlled fields become persisted security attributes. |
+ | NSX-276 | NestJS prototype pollution via Object.assign on DTO | `Object.assign(entity, req.body)` | `Object.assign(entity, pick(req.body, ['displayName','timezone']))` | Node.js/NestJS | CWE-1321 | Autofix: replace direct assign with allowlisted key mapping. | Polluted prototype chain can alter application object behavior. |
+ | NSX-277 | Sandbox escape risk in vm module with untrusted code | `vm.runInNewContext(userScript, sandbox)` | `throw new Error('dynamic vm execution forbidden for untrusted input')` | Node.js/NestJS | CWE-94 | Autofix: block untrusted vm execution and move to fixed command dispatch. | Attacker-controlled script can escape context and execute host code. |
+ | NSX-278 | JWT verification without strict algorithm allowlist | `jwt.verify(token, secret)` | `jwt.verify(token, secret, { algorithms: ['HS256'], issuer: 'hexvibe' })` | Node.js/NestJS | CWE-347 | Autofix: enforce explicit algorithms issuer and audience checks. | Algorithm confusion weakens token authenticity guarantees. |
+ | NSX-279 | NestJS IDOR on route param (Logic: strong) | `return this.ordersRepo.findOneBy({ id: params.id })` | `return this.ordersRepo.findOneBy({ id: params.id, ownerId: user.id })` | Node.js/NestJS | CWE-639 | Autofix: bind object query to authenticated ownerId. | User can access arbitrary records by changing object identifier. |
+ | NSX-280 | NestJS mass assignment through plainToInstance | `const entity = plainToInstance(UserEntity, dto)` | `const entity = plainToInstance(UserEntity, pick(dto, ['displayName','phone']))` | Node.js/NestJS | CWE-915 | Autofix: map DTO into explicit allowlist fields before entity binding. | Extra attacker-controlled fields become persisted security attributes. |
+ | NSX-281 | NestJS prototype pollution via Object.assign on DTO | `Object.assign(entity, req.body)` | `Object.assign(entity, pick(req.body, ['displayName','timezone']))` | Node.js/NestJS | CWE-1321 | Autofix: replace direct assign with allowlisted key mapping. | Polluted prototype chain can alter application object behavior. |
+ | NSX-282 | Sandbox escape risk in vm module with untrusted code | `vm.runInNewContext(userScript, sandbox)` | `throw new Error('dynamic vm execution forbidden for untrusted input')` | Node.js/NestJS | CWE-94 | Autofix: block untrusted vm execution and move to fixed command dispatch. | Attacker-controlled script can escape context and execute host code. |
+ | NSX-283 | JWT verification without strict algorithm allowlist | `jwt.verify(token, secret)` | `jwt.verify(token, secret, { algorithms: ['HS256'], issuer: 'hexvibe' })` | Node.js/NestJS | CWE-347 | Autofix: enforce explicit algorithms issuer and audience checks. | Algorithm confusion weakens token authenticity guarantees. |
+ | NSX-284 | NestJS IDOR on route param (Logic: strong) | `return this.ordersRepo.findOneBy({ id: params.id })` | `return this.ordersRepo.findOneBy({ id: params.id, ownerId: user.id })` | Node.js/NestJS | CWE-639 | Autofix: bind object query to authenticated ownerId. | User can access arbitrary records by changing object identifier. |
+ | NSX-285 | NestJS mass assignment through plainToInstance | `const entity = plainToInstance(UserEntity, dto)` | `const entity = plainToInstance(UserEntity, pick(dto, ['displayName','phone']))` | Node.js/NestJS | CWE-915 | Autofix: map DTO into explicit allowlist fields before entity binding. | Extra attacker-controlled fields become persisted security attributes. |
+ | NSX-286 | NestJS prototype pollution via Object.assign on DTO | `Object.assign(entity, req.body)` | `Object.assign(entity, pick(req.body, ['displayName','timezone']))` | Node.js/NestJS | CWE-1321 | Autofix: replace direct assign with allowlisted key mapping. | Polluted prototype chain can alter application object behavior. |
+ | NSX-287 | Sandbox escape risk in vm module with untrusted code | `vm.runInNewContext(userScript, sandbox)` | `throw new Error('dynamic vm execution forbidden for untrusted input')` | Node.js/NestJS | CWE-94 | Autofix: block untrusted vm execution and move to fixed command dispatch. | Attacker-controlled script can escape context and execute host code. |
+ | NSX-288 | JWT verification without strict algorithm allowlist | `jwt.verify(token, secret)` | `jwt.verify(token, secret, { algorithms: ['HS256'], issuer: 'hexvibe' })` | Node.js/NestJS | CWE-347 | Autofix: enforce explicit algorithms issuer and audience checks. | Algorithm confusion weakens token authenticity guarantees. |
+ | NSX-289 | NestJS IDOR on route param (Logic: strong) | `return this.ordersRepo.findOneBy({ id: params.id })` | `return this.ordersRepo.findOneBy({ id: params.id, ownerId: user.id })` | Node.js/NestJS | CWE-639 | Autofix: bind object query to authenticated ownerId. | User can access arbitrary records by changing object identifier. |
+ | NSX-290 | NestJS mass assignment through plainToInstance | `const entity = plainToInstance(UserEntity, dto)` | `const entity = plainToInstance(UserEntity, pick(dto, ['displayName','phone']))` | Node.js/NestJS | CWE-915 | Autofix: map DTO into explicit allowlist fields before entity binding. | Extra attacker-controlled fields become persisted security attributes. |
+ | NSX-291 | NestJS prototype pollution via Object.assign on DTO | `Object.assign(entity, req.body)` | `Object.assign(entity, pick(req.body, ['displayName','timezone']))` | Node.js/NestJS | CWE-1321 | Autofix: replace direct assign with allowlisted key mapping. | Polluted prototype chain can alter application object behavior. |
+ | NSX-292 | Sandbox escape risk in vm module with untrusted code | `vm.runInNewContext(userScript, sandbox)` | `throw new Error('dynamic vm execution forbidden for untrusted input')` | Node.js/NestJS | CWE-94 | Autofix: block untrusted vm execution and move to fixed command dispatch. | Attacker-controlled script can escape context and execute host code. |
+ | NSX-293 | JWT verification without strict algorithm allowlist | `jwt.verify(token, secret)` | `jwt.verify(token, secret, { algorithms: ['HS256'], issuer: 'hexvibe' })` | Node.js/NestJS | CWE-347 | Autofix: enforce explicit algorithms issuer and audience checks. | Algorithm confusion weakens token authenticity guarantees. |
+ | NSX-294 | NestJS IDOR on route param (Logic: strong) | `return this.ordersRepo.findOneBy({ id: params.id })` | `return this.ordersRepo.findOneBy({ id: params.id, ownerId: user.id })` | Node.js/NestJS | CWE-639 | Autofix: bind object query to authenticated ownerId. | User can access arbitrary records by changing object identifier. |
+ | NSX-295 | NestJS mass assignment through plainToInstance | `const entity = plainToInstance(UserEntity, dto)` | `const entity = plainToInstance(UserEntity, pick(dto, ['displayName','phone']))` | Node.js/NestJS | CWE-915 | Autofix: map DTO into explicit allowlist fields before entity binding. | Extra attacker-controlled fields become persisted security attributes. |
+ | NSX-296 | NestJS prototype pollution via Object.assign on DTO | `Object.assign(entity, req.body)` | `Object.assign(entity, pick(req.body, ['displayName','timezone']))` | Node.js/NestJS | CWE-1321 | Autofix: replace direct assign with allowlisted key mapping. | Polluted prototype chain can alter application object behavior. |
+ | NSX-297 | Sandbox escape risk in vm module with untrusted code | `vm.runInNewContext(userScript, sandbox)` | `throw new Error('dynamic vm execution forbidden for untrusted input')` | Node.js/NestJS | CWE-94 | Autofix: block untrusted vm execution and move to fixed command dispatch. | Attacker-controlled script can escape context and execute host code. |
+ | NSX-298 | JWT verification without strict algorithm allowlist | `jwt.verify(token, secret)` | `jwt.verify(token, secret, { algorithms: ['HS256'], issuer: 'hexvibe' })` | Node.js/NestJS | CWE-347 | Autofix: enforce explicit algorithms issuer and audience checks. | Algorithm confusion weakens token authenticity guarantees. |
+ | NSX-299 | NestJS IDOR on route param (Logic: strong) | `return this.ordersRepo.findOneBy({ id: params.id })` | `return this.ordersRepo.findOneBy({ id: params.id, ownerId: user.id })` | Node.js/NestJS | CWE-639 | Autofix: bind object query to authenticated ownerId. | User can access arbitrary records by changing object identifier. |
+ | NSX-300 | NestJS mass assignment through plainToInstance | `const entity = plainToInstance(UserEntity, dto)` | `const entity = plainToInstance(UserEntity, pick(dto, ['displayName','phone']))` | Node.js/NestJS | CWE-915 | Autofix: map DTO into explicit allowlist fields before entity binding. | Extra attacker-controlled fields become persisted security attributes. |
+ | NSX-301 | NestJS prototype pollution via Object.assign on DTO | `Object.assign(entity, req.body)` | `Object.assign(entity, pick(req.body, ['displayName','timezone']))` | Node.js/NestJS | CWE-1321 | Autofix: replace direct assign with allowlisted key mapping. | Polluted prototype chain can alter application object behavior. |
+ | NSX-302 | Sandbox escape risk in vm module with untrusted code | `vm.runInNewContext(userScript, sandbox)` | `throw new Error('dynamic vm execution forbidden for untrusted input')` | Node.js/NestJS | CWE-94 | Autofix: block untrusted vm execution and move to fixed command dispatch. | Attacker-controlled script can escape context and execute host code. |
+ | NSX-303 | JWT verification without strict algorithm allowlist | `jwt.verify(token, secret)` | `jwt.verify(token, secret, { algorithms: ['HS256'], issuer: 'hexvibe' })` | Node.js/NestJS | CWE-347 | Autofix: enforce explicit algorithms issuer and audience checks. | Algorithm confusion weakens token authenticity guarantees. |
+ | NSX-304 | NestJS IDOR on route param (Logic: strong) | `return this.ordersRepo.findOneBy({ id: params.id })` | `return this.ordersRepo.findOneBy({ id: params.id, ownerId: user.id })` | Node.js/NestJS | CWE-639 | Autofix: bind object query to authenticated ownerId. | User can access arbitrary records by changing object identifier. |
+ | NSX-305 | NestJS mass assignment through plainToInstance | `const entity = plainToInstance(UserEntity, dto)` | `const entity = plainToInstance(UserEntity, pick(dto, ['displayName','phone']))` | Node.js/NestJS | CWE-915 | Autofix: map DTO into explicit allowlist fields before entity binding. | Extra attacker-controlled fields become persisted security attributes. |
+ | NSX-306 | NestJS prototype pollution via Object.assign on DTO | `Object.assign(entity, req.body)` | `Object.assign(entity, pick(req.body, ['displayName','timezone']))` | Node.js/NestJS | CWE-1321 | Autofix: replace direct assign with allowlisted key mapping. | Polluted prototype chain can alter application object behavior. |
+ | NSX-307 | Sandbox escape risk in vm module with untrusted code | `vm.runInNewContext(userScript, sandbox)` | `throw new Error('dynamic vm execution forbidden for untrusted input')` | Node.js/NestJS | CWE-94 | Autofix: block untrusted vm execution and move to fixed command dispatch. | Attacker-controlled script can escape context and execute host code. |
+ | NSX-308 | JWT verification without strict algorithm allowlist | `jwt.verify(token, secret)` | `jwt.verify(token, secret, { algorithms: ['HS256'], issuer: 'hexvibe' })` | Node.js/NestJS | CWE-347 | Autofix: enforce explicit algorithms issuer and audience checks. | Algorithm confusion weakens token authenticity guarantees. |
+ | NSX-309 | NestJS IDOR on route param (Logic: strong) | `return this.ordersRepo.findOneBy({ id: params.id })` | `return this.ordersRepo.findOneBy({ id: params.id, ownerId: user.id })` | Node.js/NestJS | CWE-639 | Autofix: bind object query to authenticated ownerId. | User can access arbitrary records by changing object identifier. |
+ | NSX-310 | NestJS mass assignment through plainToInstance | `const entity = plainToInstance(UserEntity, dto)` | `const entity = plainToInstance(UserEntity, pick(dto, ['displayName','phone']))` | Node.js/NestJS | CWE-915 | Autofix: map DTO into explicit allowlist fields before entity binding. | Extra attacker-controlled fields become persisted security attributes. |
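Review bot: NSX-219 through NSX-310 are the same five rules (IDOR on route param, mass assignment via plainToInstance, prototype pollution via Object.assign, vm sandbox escape, JWT verification without algorithm allowlist) re-emitted verbatim under a fresh ID every five rows, which inflates the rule count and will produce duplicate findings and duplicate autofix suggestions for a single code location; keep one row per rule and drop the copies. In the JWT row the autofix text promises "explicit algorithms issuer and audience checks" but the hardened snippet only sets `algorithms` and `issuer`, and it hard-codes `issuer: 'hexvibe'`; add `audience` to the verify options and replace the product name with a configuration placeholder so the autofix is not wrong for every other deployment. The autofix sentence also needs commas: "enforce explicit algorithms, issuer and audience checks".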
+ | IFN-001 | Node.js/NestJS: missing global guard on controller route (Logic: strong) | `@GetMapping('/admin') public String admin(){ return svc.all(); }` | `@PreAuthorize('hasRole(''ADMIN'')') @GetMapping('/admin') public String admin(){ return svc.all(); }` | Node.js/NestJS | CWE-285 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Controller route is reachable without central authorization enforcement. |
+ | IFN-002 | Node.js/NestJS: controller data access bypasses security context (Logic: strong) | `repo.findById(id)` | `repo.findByIdAndOwner(id, principalId)` | Node.js/NestJS | CWE-639 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Object fetched by id without principal binding enables BOLA/IDOR. |
+ | IFN-003 | Node.js/NestJS: security config exists but not bound to endpoint chain (Logic: strong) | `http.authorizeHttpRequests(c -> c.anyRequest().permitAll())` | `http.authorizeHttpRequests(c -> c.requestMatchers('/admin/**').authenticated())` | Node.js/NestJS | CWE-863 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Declared security policy does not effectively protect controller paths. |
+ | IFN-004 | Node.js/NestJS: missing global guard on controller route (Logic: strong) | `@GetMapping('/admin') public String admin(){ return svc.all(); }` | `@PreAuthorize('hasRole(''ADMIN'')') @GetMapping('/admin') public String admin(){ return svc.all(); }` | Node.js/NestJS | CWE-285 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Controller route is reachable without central authorization enforcement. |
+ | IFN-005 | Node.js/NestJS: controller data access bypasses security context (Logic: strong) | `repo.findById(id)` | `repo.findByIdAndOwner(id, principalId)` | Node.js/NestJS | CWE-639 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Object fetched by id without principal binding enables BOLA/IDOR. |
244
+ | IFN-006 | Node.js/NestJS: security config exists but not bound to endpoint chain (Logic: strong) | `http.authorizeHttpRequests(c -> c.anyRequest().permitAll())` | `http.authorizeHttpRequests(c -> c.requestMatchers('/admin/**').authenticated())` | Node.js/NestJS | CWE-863 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Declared security policy does not effectively protect controller paths. |
245
+ | IFN-007 | Node.js/NestJS: missing global guard on controller route (Logic: strong) | `@GetMapping('/admin') public String admin(){ return svc.all(); }` | `@PreAuthorize('hasRole(''ADMIN'')') @GetMapping('/admin') public String admin(){ return svc.all(); }` | Node.js/NestJS | CWE-285 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Controller route is reachable without central authorization enforcement. |
246
+ | IFN-008 | Node.js/NestJS: controller data access bypasses security context (Logic: strong) | `repo.findById(id)` | `repo.findByIdAndOwner(id, principalId)` | Node.js/NestJS | CWE-639 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Object fetched by id without principal binding enables BOLA/IDOR. |
247
+ | IFN-009 | Node.js/NestJS: security config exists but not bound to endpoint chain (Logic: strong) | `http.authorizeHttpRequests(c -> c.anyRequest().permitAll())` | `http.authorizeHttpRequests(c -> c.requestMatchers('/admin/**').authenticated())` | Node.js/NestJS | CWE-863 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Declared security policy does not effectively protect controller paths. |
248
+ | IFN-010 | Node.js/NestJS: missing global guard on controller route (Logic: strong) | `@GetMapping('/admin') public String admin(){ return svc.all(); }` | `@PreAuthorize('hasRole(''ADMIN'')') @GetMapping('/admin') public String admin(){ return svc.all(); }` | Node.js/NestJS | CWE-285 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Controller route is reachable without central authorization enforcement. |
249
+ | IFN-011 | Node.js/NestJS: controller data access bypasses security context (Logic: strong) | `repo.findById(id)` | `repo.findByIdAndOwner(id, principalId)` | Node.js/NestJS | CWE-639 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Object fetched by id without principal binding enables BOLA/IDOR. |
250
+ | IFN-012 | Node.js/NestJS: security config exists but not bound to endpoint chain (Logic: strong) | `http.authorizeHttpRequests(c -> c.anyRequest().permitAll())` | `http.authorizeHttpRequests(c -> c.requestMatchers('/admin/**').authenticated())` | Node.js/NestJS | CWE-863 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Declared security policy does not effectively protect controller paths. |
251
+ | IFN-013 | Node.js/NestJS: missing global guard on controller route (Logic: strong) | `@GetMapping('/admin') public String admin(){ return svc.all(); }` | `@PreAuthorize('hasRole(''ADMIN'')') @GetMapping('/admin') public String admin(){ return svc.all(); }` | Node.js/NestJS | CWE-285 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Controller route is reachable without central authorization enforcement. |
252
+ | IFN-014 | Node.js/NestJS: controller data access bypasses security context (Logic: strong) | `repo.findById(id)` | `repo.findByIdAndOwner(id, principalId)` | Node.js/NestJS | CWE-639 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Object fetched by id without principal binding enables BOLA/IDOR. |
253
+ | IFN-015 | Node.js/NestJS: security config exists but not bound to endpoint chain (Logic: strong) | `http.authorizeHttpRequests(c -> c.anyRequest().permitAll())` | `http.authorizeHttpRequests(c -> c.requestMatchers('/admin/**').authenticated())` | Node.js/NestJS | CWE-863 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Declared security policy does not effectively protect controller paths. |
254
+ | IFN-016 | Node.js/NestJS: missing global guard on controller route (Logic: strong) | `@GetMapping('/admin') public String admin(){ return svc.all(); }` | `@PreAuthorize('hasRole(''ADMIN'')') @GetMapping('/admin') public String admin(){ return svc.all(); }` | Node.js/NestJS | CWE-285 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Controller route is reachable without central authorization enforcement. |
255
+ | IFN-017 | Node.js/NestJS: controller data access bypasses security context (Logic: strong) | `repo.findById(id)` | `repo.findByIdAndOwner(id, principalId)` | Node.js/NestJS | CWE-639 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Object fetched by id without principal binding enables BOLA/IDOR. |
256
+ | IFN-018 | Node.js/NestJS: security config exists but not bound to endpoint chain (Logic: strong) | `http.authorizeHttpRequests(c -> c.anyRequest().permitAll())` | `http.authorizeHttpRequests(c -> c.requestMatchers('/admin/**').authenticated())` | Node.js/NestJS | CWE-863 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Declared security policy does not effectively protect controller paths. |
257
+ | IFN-019 | Node.js/NestJS: missing global guard on controller route (Logic: strong) | `@GetMapping('/admin') public String admin(){ return svc.all(); }` | `@PreAuthorize('hasRole(''ADMIN'')') @GetMapping('/admin') public String admin(){ return svc.all(); }` | Node.js/NestJS | CWE-285 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Controller route is reachable without central authorization enforcement. |
258
+ | IFN-020 | Node.js/NestJS: controller data access bypasses security context (Logic: strong) | `repo.findById(id)` | `repo.findByIdAndOwner(id, principalId)` | Node.js/NestJS | CWE-639 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Object fetched by id without principal binding enables BOLA/IDOR. |
259
+ | IFN-021 | Node.js/NestJS: security config exists but not bound to endpoint chain (Logic: strong) | `http.authorizeHttpRequests(c -> c.anyRequest().permitAll())` | `http.authorizeHttpRequests(c -> c.requestMatchers('/admin/**').authenticated())` | Node.js/NestJS | CWE-863 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Declared security policy does not effectively protect controller paths. |
260
+ | IFN-022 | Node.js/NestJS: missing global guard on controller route (Logic: strong) | `@GetMapping('/admin') public String admin(){ return svc.all(); }` | `@PreAuthorize('hasRole(''ADMIN'')') @GetMapping('/admin') public String admin(){ return svc.all(); }` | Node.js/NestJS | CWE-285 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Controller route is reachable without central authorization enforcement. |
261
+ | IFN-023 | Node.js/NestJS: controller data access bypasses security context (Logic: strong) | `repo.findById(id)` | `repo.findByIdAndOwner(id, principalId)` | Node.js/NestJS | CWE-639 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Object fetched by id without principal binding enables BOLA/IDOR. |
262
+ | IFN-024 | Node.js/NestJS: security config exists but not bound to endpoint chain (Logic: strong) | `http.authorizeHttpRequests(c -> c.anyRequest().permitAll())` | `http.authorizeHttpRequests(c -> c.requestMatchers('/admin/**').authenticated())` | Node.js/NestJS | CWE-863 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Declared security policy does not effectively protect controller paths. |
263
+ | IFN-025 | Node.js/NestJS: missing global guard on controller route (Logic: strong) | `@GetMapping('/admin') public String admin(){ return svc.all(); }` | `@PreAuthorize('hasRole(''ADMIN'')') @GetMapping('/admin') public String admin(){ return svc.all(); }` | Node.js/NestJS | CWE-285 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Controller route is reachable without central authorization enforcement. |
264
+ | IFN-026 | Node.js/NestJS: controller data access bypasses security context (Logic: strong) | `repo.findById(id)` | `repo.findByIdAndOwner(id, principalId)` | Node.js/NestJS | CWE-639 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Object fetched by id without principal binding enables BOLA/IDOR. |
265
+ | IFN-027 | Node.js/NestJS: security config exists but not bound to endpoint chain (Logic: strong) | `http.authorizeHttpRequests(c -> c.anyRequest().permitAll())` | `http.authorizeHttpRequests(c -> c.requestMatchers('/admin/**').authenticated())` | Node.js/NestJS | CWE-863 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Declared security policy does not effectively protect controller paths. |
266
+ | IFN-028 | Node.js/NestJS: missing global guard on controller route (Logic: strong) | `@GetMapping('/admin') public String admin(){ return svc.all(); }` | `@PreAuthorize('hasRole(''ADMIN'')') @GetMapping('/admin') public String admin(){ return svc.all(); }` | Node.js/NestJS | CWE-285 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Controller route is reachable without central authorization enforcement. |
267
+ | IFN-029 | Node.js/NestJS: controller data access bypasses security context (Logic: strong) | `repo.findById(id)` | `repo.findByIdAndOwner(id, principalId)` | Node.js/NestJS | CWE-639 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Object fetched by id without principal binding enables BOLA/IDOR. |
268
+ | IFN-030 | Node.js/NestJS: security config exists but not bound to endpoint chain (Logic: strong) | `http.authorizeHttpRequests(c -> c.anyRequest().permitAll())` | `http.authorizeHttpRequests(c -> c.requestMatchers('/admin/**').authenticated())` | Node.js/NestJS | CWE-863 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Declared security policy does not effectively protect controller paths. |
269
+ | IFN-031 | Node.js/NestJS: missing global guard on controller route (Logic: strong) | `@GetMapping('/admin') public String admin(){ return svc.all(); }` | `@PreAuthorize('hasRole(''ADMIN'')') @GetMapping('/admin') public String admin(){ return svc.all(); }` | Node.js/NestJS | CWE-285 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Controller route is reachable without central authorization enforcement. |
270
+ | IFN-032 | Node.js/NestJS: controller data access bypasses security context (Logic: strong) | `repo.findById(id)` | `repo.findByIdAndOwner(id, principalId)` | Node.js/NestJS | CWE-639 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Object fetched by id without principal binding enables BOLA/IDOR. |
271
+ | IFN-033 | Node.js/NestJS: security config exists but not bound to endpoint chain (Logic: strong) | `http.authorizeHttpRequests(c -> c.anyRequest().permitAll())` | `http.authorizeHttpRequests(c -> c.requestMatchers('/admin/**').authenticated())` | Node.js/NestJS | CWE-863 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Declared security policy does not effectively protect controller paths. |
272
+ | IFN-034 | Node.js/NestJS: missing global guard on controller route (Logic: strong) | `@GetMapping('/admin') public String admin(){ return svc.all(); }` | `@PreAuthorize('hasRole(''ADMIN'')') @GetMapping('/admin') public String admin(){ return svc.all(); }` | Node.js/NestJS | CWE-285 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Controller route is reachable without central authorization enforcement. |
273
+ | IFN-035 | Node.js/NestJS: controller data access bypasses security context (Logic: strong) | `repo.findById(id)` | `repo.findByIdAndOwner(id, principalId)` | Node.js/NestJS | CWE-639 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Object fetched by id without principal binding enables BOLA/IDOR. |
274
+ | IFN-036 | Node.js/NestJS: security config exists but not bound to endpoint chain (Logic: strong) | `http.authorizeHttpRequests(c -> c.anyRequest().permitAll())` | `http.authorizeHttpRequests(c -> c.requestMatchers('/admin/**').authenticated())` | Node.js/NestJS | CWE-863 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Declared security policy does not effectively protect controller paths. |
275
+ | IFN-037 | Node.js/NestJS: missing global guard on controller route (Logic: strong) | `@GetMapping('/admin') public String admin(){ return svc.all(); }` | `@PreAuthorize('hasRole(''ADMIN'')') @GetMapping('/admin') public String admin(){ return svc.all(); }` | Node.js/NestJS | CWE-285 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Controller route is reachable without central authorization enforcement. |
276
+ | IFN-038 | Node.js/NestJS: controller data access bypasses security context (Logic: strong) | `repo.findById(id)` | `repo.findByIdAndOwner(id, principalId)` | Node.js/NestJS | CWE-639 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Object fetched by id without principal binding enables BOLA/IDOR. |
277
+ | IFN-039 | Node.js/NestJS: security config exists but not bound to endpoint chain (Logic: strong) | `http.authorizeHttpRequests(c -> c.anyRequest().permitAll())` | `http.authorizeHttpRequests(c -> c.requestMatchers('/admin/**').authenticated())` | Node.js/NestJS | CWE-863 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Declared security policy does not effectively protect controller paths. |
278
+ | IFN-040 | Node.js/NestJS: missing global guard on controller route (Logic: strong) | `@GetMapping('/admin') public String admin(){ return svc.all(); }` | `@PreAuthorize('hasRole(''ADMIN'')') @GetMapping('/admin') public String admin(){ return svc.all(); }` | Node.js/NestJS | CWE-285 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Controller route is reachable without central authorization enforcement. |
279
+ | IFN-041 | Node.js/NestJS: controller data access bypasses security context (Logic: strong) | `repo.findById(id)` | `repo.findByIdAndOwner(id, principalId)` | Node.js/NestJS | CWE-639 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Object fetched by id without principal binding enables BOLA/IDOR. |
280
+ | IFN-042 | Node.js/NestJS: security config exists but not bound to endpoint chain (Logic: strong) | `http.authorizeHttpRequests(c -> c.anyRequest().permitAll())` | `http.authorizeHttpRequests(c -> c.requestMatchers('/admin/**').authenticated())` | Node.js/NestJS | CWE-863 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Declared security policy does not effectively protect controller paths. |
281
+ | IFN-043 | Node.js/NestJS: missing global guard on controller route (Logic: strong) | `@GetMapping('/admin') public String admin(){ return svc.all(); }` | `@PreAuthorize('hasRole(''ADMIN'')') @GetMapping('/admin') public String admin(){ return svc.all(); }` | Node.js/NestJS | CWE-285 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Controller route is reachable without central authorization enforcement. |
282
+ | IFN-044 | Node.js/NestJS: controller data access bypasses security context (Logic: strong) | `repo.findById(id)` | `repo.findByIdAndOwner(id, principalId)` | Node.js/NestJS | CWE-639 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Object fetched by id without principal binding enables BOLA/IDOR. |
283
+ | IFN-045 | Node.js/NestJS: security config exists but not bound to endpoint chain (Logic: strong) | `http.authorizeHttpRequests(c -> c.anyRequest().permitAll())` | `http.authorizeHttpRequests(c -> c.requestMatchers('/admin/**').authenticated())` | Node.js/NestJS | CWE-863 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Declared security policy does not effectively protect controller paths. |
284
+ | IFN-046 | Node.js/NestJS: missing global guard on controller route (Logic: strong) | `@GetMapping('/admin') public String admin(){ return svc.all(); }` | `@PreAuthorize('hasRole(''ADMIN'')') @GetMapping('/admin') public String admin(){ return svc.all(); }` | Node.js/NestJS | CWE-285 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Controller route is reachable without central authorization enforcement. |
285
+ | IFN-047 | Node.js/NestJS: controller data access bypasses security context (Logic: strong) | `repo.findById(id)` | `repo.findByIdAndOwner(id, principalId)` | Node.js/NestJS | CWE-639 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Object fetched by id without principal binding enables BOLA/IDOR. |
286
+ | IFN-048 | Node.js/NestJS: security config exists but not bound to endpoint chain (Logic: strong) | `http.authorizeHttpRequests(c -> c.anyRequest().permitAll())` | `http.authorizeHttpRequests(c -> c.requestMatchers('/admin/**').authenticated())` | Node.js/NestJS | CWE-863 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Declared security policy does not effectively protect controller paths. |
287
+ | IFN-049 | Node.js/NestJS: missing global guard on controller route (Logic: strong) | `@GetMapping('/admin') public String admin(){ return svc.all(); }` | `@PreAuthorize('hasRole(''ADMIN'')') @GetMapping('/admin') public String admin(){ return svc.all(); }` | Node.js/NestJS | CWE-285 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Controller route is reachable without central authorization enforcement. |
288
+ | IFN-050 | Node.js/NestJS: controller data access bypasses security context (Logic: strong) | `repo.findById(id)` | `repo.findByIdAndOwner(id, principalId)` | Node.js/NestJS | CWE-639 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Object fetched by id without principal binding enables BOLA/IDOR. |
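Review bot: the fifty `IFN-` rows are three rows (missing global guard, controller data access bypasses security context, security config exists but not bound to endpoint chain) pasted seventeen times under fresh IDs, so IFN-004 through IFN-050 add no detection and will yield duplicate generated Semgrep rules and duplicate `Vulnerable: IFN-NNN` markers; collapse the table to IFN-001..003. The code cells are also Spring Security/Java (`@GetMapping`, `@PreAuthorize`, `http.authorizeHttpRequests(c -> c.requestMatchers('/admin/**').authenticated())`) although every row is labelled Node.js/NestJS; the Safe Pattern column should show the framework the skill targets, for example a NestJS guard registered globally via `APP_GUARD` or `@UseGuards(...)` on the controller, paired with an owner-scoped repository call. Two smaller points: `@PreAuthorize('hasRole(''ADMIN'')')` is not valid Java (annotation values are double-quoted strings, `@PreAuthorize("hasRole('ADMIN')")`), and the IFN-001 safe pattern is a per-method annotation while the title and the Autofix column call for a global guard, so the row contradicts its own fix.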
@@ -0,0 +1,24 @@
1
+ {
2
+ "skill_id": "nodejs-nestjs",
3
+ "name": "Node.js / NestJS Security",
4
+ "activation_triggers": [
5
+ "nst-nest-guard",
6
+ "nst-prisma-raw",
7
+ "nst-cors-policy",
8
+ "nst-xml-parser",
9
+ "nst-ssrf-fetch"
10
+ ],
11
+ "relevant_extensions": [
12
+ ".ts",
13
+ ".js",
14
+ ".json"
15
+ ],
16
+ "tools": [
17
+ "semgrep",
18
+ "syft",
19
+ "trufflehog"
20
+ ],
21
+ "rules_path": "core/skills/nodejs-nestjs/patterns.md",
22
+ "few_shot_examples": "core/gold-standard-testbed/nestjs_vulnerable.ts",
23
+ "security_priority": 5
24
+ }
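Review bot: `activation_triggers` names five `nst-*` IDs (`nst-nest-guard`, `nst-prisma-raw`, `nst-cors-policy`, `nst-xml-parser`, `nst-ssrf-fetch`) while the pattern table in the preceding hunk uses the `IFN-` prefix and has no rows for Prisma raw queries, CORS, XML parsing or SSRF, so none of the triggers resolves to a metric row; either add those patterns under the table's prefix or align the trigger IDs with `IFN-NNN`. `rules_path` and `few_shot_examples` are repo-relative paths rooted at `core/`, which differs from how this diff's `index.md` files link `patterns.md` and `../gold-standard-testbed/...` relative to the skill directory; pick one convention so a loader does not miss one of them. `security_priority: 5` has no documented scale in this file.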
@@ -0,0 +1,68 @@
1
+ # Observability & Audit Logging
2
+
3
+ ## Stack overview
4
+
5
+ Structured logging, trace correlation, audit integrity, and security telemetry for Python services. Metrics are prefixed **`LOG`**.
6
+
7
+ ## Top threats
8
+
9
+ - Silent failures and missing correlation (`LOG-001`–`LOG-003`, `LOG-010`).
10
+ - PII/secrets in logs and verbose errors (`LOG-004`, `LOG-005`, `LOG-012`).
11
+ - Missing audit for admin and auth events (`LOG-006`, `LOG-007`, `LOG-014`).
12
+ - Log injection (`LOG-011`).
13
+
14
+ ## Pattern catalog
15
+
16
+ Complete Anti-Pattern / Safe-Pattern definitions live in [`patterns.md`](patterns.md). The table below is a **table of contents** by metric ID.
17
+
18
+ | ID | Metric | Stack |
19
+ |---|---|---|
20
+ | `LOG-001` | Silent Exception: `except Exception: pass` | `try:` ` await repo.save(event)` `except Exception:` ` logger.exception("audit-save-failed", extra={"event_type": event.type})` ` raise` |
21
+ | `LOG-002` | Missing Trace-ID в логах запроса | `trace_id = request.headers.get("x-trace-id") or str(uuid4())` `logger.info("request accepted", extra={"trace_id": trace_id, "path": request.url.path})` `response.headers["X-Trace-ID"] = trace_id` |
22
+ | `LOG-003` | Unstructured logs: текст без контекста безопасности | `logger.warning("auth_failed", extra={"trace_id": trace_id, "user": username, "ip": client_ip, "reason": "bad_credentials"})` |
23
+ | `LOG-004` | PII/secret leakage in logs | `safe = {"username": payload.get("username"), "mfa": payload.get("mfa")}` `logger.info("auth payload sanitized", extra={"trace_id": trace_id, "payload": safe})` |
24
+ | `LOG-005` | Verbose stack traces returned to API client | `except Exception:` ` logger.exception("unhandled error", extra={"trace_id": trace_id})` ` raise HTTPException(status_code=500, detail="internal server error")` |
25
+ | `LOG-006` | Missing audit events for role/permission changes | `@app.post("/admin/users/{uid}/role")` `async def set_role(uid: int, role: str, actor=Depends(current_user)):` ` await repo.set_role(uid, role)` ` await audit_log.write({"event": "role_change", "actor_id": actor.id, "target_user_id": uid, "new_role": role, "trace_id": trace_id})` |
26
+ | `LOG-007` | Missing failed-auth telemetry and lockout signals | `if not auth_ok:` ` await audit_log.write({"event": "auth_failed", "username": username, "ip": client_ip, "trace_id": trace_id})` ` await risk_counter.bump(f"auth:{username}:{client_ip}")` ` raise HTTPException(status_code=401, detail="invalid credentials")` |
27
+ | `LOG-008` | No request/response latency telemetry | `@app.middleware("http")` `async def m(request: Request, call_next):` ` started = time.perf_counter()` ` response = await call_next(request)` ` elapsed_ms = (time.perf_counter() - started) * 1000` ` logger.info("http_access", extra={"trace_id": request.state.trace_id, "path": request.url.path, "status": response.status_code, "latency_ms": round(elapsed_ms, 2)})` ` return response` |
28
+ | `LOG-009` | Logs without integrity controls/immutability for security events | `record = {"event": "payment_approved", "id": pid, "trace_id": trace_id, "ts": datetime.now(timezone.utc).isoformat()}` `record["sig"] = hmac_sha256(audit_signing_key, json.dumps(record, sort_keys=True))` `await append_only_audit_store.write(record)` |
29
+ | `LOG-010` | No centralized exception handler for sanitization and correlation | `@app.exception_handler(Exception)` `async def handle_exc(request: Request, exc: Exception):` ` trace_id = getattr(request.state, "trace_id", "n/a")` ` logger.exception("unhandled", extra={"trace_id": trace_id, "path": request.url.path})` ` return JSONResponse(status_code=500, content={"detail": "internal server error", "trace_id": trace_id})` |
30
+ | `LOG-011` | Log Injection Protection: CR/LF из пользовательских данных попадают в лог | `def sanitize_for_log(value: str) -> str:` ` return value.replace("\\r", "\\\\r").replace("\\n", "\\\\n")` `@app.get("/search")` `async def search(q: str):` ` safe_q = sanitize_for_log(q)` ` logger.info("search query=%s", safe_q)` ` return {"ok": True}` |
31
+ | `LOG-012` | Sensitive Data in Exception Context: логирование `locals()` в prod | `except Exception:` ` logger.exception("failed", extra={"trace_id": trace_id, "context": {"operation": "payment_create"}})` ` raise` `# production logger must not capture locals or full frame dumps` |
32
+ | `LOG-013` | Missing Security Heartbeat: нет периодических контрольных событий мониторинга | `async def security_heartbeat_task() -> None:` ` while True:` ` await audit_log.write({"event": "security_heartbeat", "service": "api", "status": "ok", "ts": datetime.now(timezone.utc).isoformat()})` ` await asyncio.sleep(60)` `@app.on_event("startup")` `async def start_heartbeat() -> None:` ` asyncio.create_task(security_heartbeat_task())` |
33
+ | `LOG-014` | High-Privilege Action Audit: админ-действия пишутся в обычный app log | `@app.post("/admin/users/{uid}/disable")` `async def disable_user(uid: int, actor=Depends(current_user)):` ` logger.info("admin action requested", extra={"trace_id": trace_id, "actor_id": actor.id})` ` await security_audit_log.write({"event": "admin_user_disable", "actor_id": actor.id, "target_user_id": uid, "trace_id": trace_id, "ts": datetime.now(timezone.utc).isoformat()})` |
34
+ | `LOG-015` | Системный лог: пароль в plaintext (`syslog`/journald) (CWE-312) | Structured logging + redaction filter для password fields. |
35
+ | `LOG-016` | Docker/k8s: `env` секреты в stdout контейнера (CWE-532) | Log scrubber sidecar; deny `print(environ)` in prod. |
36
+ | `LOG-017` | Windows Event Log: токен в `EventLog.WriteEntry` (CWE-312) | Token hash or presence flag only in EventLog. |
37
+ | `LOG-018` | `journalctl`/structured log с Bearer в поле message (CWE-532) | Redact `Authorization`/`Cookie` keys globally. |
38
+ | `LOG-019` | OpenTelemetry span: пароль в attributes (CWE-532) | OTel semantic conventions + scrubbing processor. |
39
+ | `LOG-020` | Избыточное логирование полного HTTP-тела ответа с PII (CWE-779) | Sampling + redaction; max body length 0 in prod logs. |
40
+
41
+ ## Verification
42
+
43
+ **Verification:** Check the gold testbed file(s) below for `Vulnerable: <ID>` markers (static Semgrep + `detection-matrix.md` ground truth).
44
+
45
+ - [`gold-standard-testbed/api_vulnerable.py`](../gold-standard-testbed/api_vulnerable.py)
46
+
47
+ **Optional HTTP integration tests** (pytest + httpx; require a running API, `HEXVIBE_TARGET_URL`): [`gold-standard-testbed/integration/verify_observability_poc.py`](../gold-standard-testbed/integration/verify_observability_poc.py). See [`gold-standard-testbed/integration/README.md`](../gold-standard-testbed/integration/README.md).
48
+
49
+ After changing [`patterns.md`](patterns.md), run from the repo root:
50
+
51
+ ```bash
52
+ python scripts/sync_semgrep.py
53
+ ```
54
+
55
+ ## Workflow: Recon → Scan → Verify
56
+
57
+ ### 1) Recon
58
+ - Map entrypoints, data flows, and trust boundaries for this stack.
59
+ - Identify which metrics in [`patterns.md`](patterns.md) apply to the code under review.
60
+
61
+ ### 2) Scan
62
+ - Run Semgrep with `semgrep-rules/<skill>.yaml` (generated) and correlate with Anti-Patterns.
63
+ - Eliminate findings that cannot bind to a metric row.
64
+
65
+ ### 3) Verify
66
+ - Confirm markers or scanner hits for touched IDs in the gold testbed when adding metrics.
67
+ - Emit findings as `Vulnerable: <PREFIX>-<NNN>` in written reviews.
68
+
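Review bot: the LOG-011 safe pattern does not do what the row claims: in Python source, `value.replace("\\r", "\\\\r")` matches the two-character sequence backslash followed by `r`, not a carriage return, so real CR/LF bytes in `q` still reach `logger.info("search query=%s", safe_q)` unchanged; if the intent is to neutralise control characters the literals should be `"\r"` and `"\n"`, or the value should be logged as a structured `extra=` field rather than interpolated into the message. In LOG-006 and LOG-014 `trace_id` is used but never bound in the snippet, so the safe pattern as written fails with `NameError`. On presentation: the header says `Stack` but the column holds safe-pattern code for LOG-001..014 and a one-sentence mitigation for LOG-015..020, only the latter carry a CWE in the Metric cell, and LOG-002, LOG-003 and LOG-011..020 mix Russian and English in the Metric column; use one row shape (Metric, CWE, Safe Pattern) and one language throughout. The `**Verification:**` lead directly under the `## Verification` heading repeats the heading and can be dropped.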