mobbdev 0.0.170 → 0.0.171
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.mjs +57 -3
- package/package.json +1 -1
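--- a/package/dist/index.mjs
+++ b/package/dist/index.mjs
@@ -122,6 +122,7 @@ var IssueType_Enum = /* @__PURE__ */ ((IssueType_Enum2) => {
 IssueType_Enum2["ErroneousStringCompare"] = "ERRONEOUS_STRING_COMPARE";
 IssueType_Enum2["ErrorCondtionWithoutAction"] = "ERROR_CONDTION_WITHOUT_ACTION";
 IssueType_Enum2["GraphqlDepthLimit"] = "GRAPHQL_DEPTH_LIMIT";
+IssueType_Enum2["HardcodedDomainInHtml"] = "HARDCODED_DOMAIN_IN_HTML";
 IssueType_Enum2["HardcodedSecrets"] = "HARDCODED_SECRETS";
 IssueType_Enum2["HeaderManipulation"] = "HEADER_MANIPULATION";
 IssueType_Enum2["HtmlCommentInJsp"] = "HTML_COMMENT_IN_JSP";
@@ -144,6 +145,7 @@ var IssueType_Enum = /* @__PURE__ */ ((IssueType_Enum2) => {
 IssueType_Enum2["LogForging"] = "LOG_FORGING";
 IssueType_Enum2["MissingAntiforgeryValidation"] = "MISSING_ANTIFORGERY_VALIDATION";
 IssueType_Enum2["MissingCheckAgainstNull"] = "MISSING_CHECK_AGAINST_NULL";
+IssueType_Enum2["MissingCspHeader"] = "MISSING_CSP_HEADER";
 IssueType_Enum2["MissingEqualsOrHashcode"] = "MISSING_EQUALS_OR_HASHCODE";
 IssueType_Enum2["MissingHstsHeader"] = "MISSING_HSTS_HEADER";
 IssueType_Enum2["NonFinalPublicStaticField"] = "NON_FINAL_PUBLIC_STATIC_FIELD";
@@ -1539,7 +1541,9 @@ var fixDetailsData = {
 ["NO_LIMITS_OR_THROTTLING" /* NoLimitsOrThrottling */]: {
 issueDescription: "The lack of a rate limit can allow denial-of-service attacks, in which an attacker can cause the application to crash or become unresponsive by issuing a large number of requests simultaneously.",
 fixInstructions: "Use express-rate-limit npm package to set a rate limit."
-}
+},
+["MISSING_CSP_HEADER" /* MissingCspHeader */]: void 0,
+["HARDCODED_DOMAIN_IN_HTML" /* HardcodedDomainInHtml */]: void 0
 };
 
 // src/features/analysis/scm/shared/src/getIssueType.ts
@@ -1615,7 +1619,9 @@ var issueTypeMap = {
 ["POOR_ERROR_HANDLING_EMPTY_CATCH_BLOCK" /* PoorErrorHandlingEmptyCatchBlock */]: "Poor Error Handling: Empty Catch Block",
 ["ERRONEOUS_STRING_COMPARE" /* ErroneousStringCompare */]: "Erroneous String Compare",
 ["UNVALIDATED_PUBLIC_METHOD_ARGUMENT" /* UnvalidatedPublicMethodArgument */]: "Unvalidated Public Method Argument",
-["AUTO_ESCAPE_FALSE" /* AutoEscapeFalse */]: "Auto-escape False"
+["AUTO_ESCAPE_FALSE" /* AutoEscapeFalse */]: "Auto-escape False",
+["MISSING_CSP_HEADER" /* MissingCspHeader */]: "Missing CSP Header",
+["HARDCODED_DOMAIN_IN_HTML" /* HardcodedDomainInHtml */]: "Hardcoded Domain in HTML"
 };
 var issueTypeZ = z4.nativeEnum(IssueType_Enum);
 var getIssueTypeFriendlyString = (issueType) => {
@@ -2613,6 +2619,15 @@ Make sure to pick a value large enough to allowed the nessecary amount of nested
 }
 };
 
+// src/features/analysis/scm/shared/src/storedQuestionData/js/hardcodedDomainInHtml.ts
+var hardcodedDomainInHtml = {
+isCDNFixedVersion: {
+content: ({ url }) => `Does the content of \`${url}\` change over time? If it does, we can't offer this fix.`,
+description: () => "You need to make sure the content of the file you are loading from the external source is persistent. To guarantee the integrity hash does not change over time, please make sure you use a proper CDN and version of the script you are loading is pinned.",
+guidance: () => ""
+}
+};
+
 // src/features/analysis/scm/shared/src/storedQuestionData/js/hardcodedSecrets.ts
 var hardcodedSecrets2 = {
 envVarName: {
@@ -2679,6 +2694,43 @@ var logForging3 = {
 }
 };
 
+// src/features/analysis/scm/shared/src/storedQuestionData/js/missingCSPHeader.ts
+var cspHeaderValue = {
+cspHeaderValue: {
+content: () => "Please provide the value for the Content-Security-Policy header",
+description: () => `The Content-Security-Policy (CSP) header is a critical security measure that helps protect websites from various attacks, particularly Cross-Site Scripting (XSS) and other code injection attacks. Here's a concise explanation:
+
+
+
+**What it does**:
+
+
+
+CSP lets you specify which content sources the browser should consider valid, essentially creating a whitelist of trusted content. It controls things like:
+
+
+
+- Which scripts can execute.
+- Where images can be loaded from.
+- Which styles can be applied.
+- Which forms can be submitted to.
+- What domains can be connected to.
+
+Default value explanation:
+
+- default-src 'self: Only allows resources from the same origin by default.
+- script-src 'self': Only allows scripts to be loaded from the same origin.
+- style-src 'self': Only allows styles from the same origin.
+- object-src 'none': Disallows <object>, <embed>, and <applet> elements.
+- base-uri 'self': Restricts where the <base> tag can point to.
+- frame-ancestors 'self': Ensures that only the same origin can embed the page using an iframe.
+
+
+**This kind of \`CSP\` is more secure but may require adjustments for your specific application, especially if you need to load resources from external domains or use inline scripts/styles.**`,
+guidance: () => ``
+}
+};
+
 // src/features/analysis/scm/shared/src/storedQuestionData/js/missingHSTSHeader.ts
 var headerMaxAge = {
 headerMaxAge: {
@@ -2833,7 +2885,9 @@ var vulnerabilities9 = {
 ["HARDCODED_SECRETS" /* HardcodedSecrets */]: hardcodedSecrets2,
 ["MISSING_HSTS_HEADER" /* MissingHstsHeader */]: headerMaxAge,
 ["UNCHECKED_LOOP_CONDITION" /* UncheckedLoopCondition */]: uncheckedLoopCondition2,
-["NO_LIMITS_OR_THROTTLING" /* NoLimitsOrThrottling */]: noLimitsOrThrottling2
+["NO_LIMITS_OR_THROTTLING" /* NoLimitsOrThrottling */]: noLimitsOrThrottling2,
+["MISSING_CSP_HEADER" /* MissingCspHeader */]: cspHeaderValue,
+["HARDCODED_DOMAIN_IN_HTML" /* HardcodedDomainInHtml */]: hardcodedDomainInHtml
 };
 var js_default = vulnerabilities9;
 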
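Review bot: The two new `fixDetailsData` entries in the `@@ -1539,7 +1541,9 @@` hunk are registered as `void 0`, so the keys exist but any reader that does `fixDetailsData[issueType].issueDescription` (not visible here) would presumably throw a TypeError for `MISSING_CSP_HEADER` and `HARDCODED_DOMAIN_IN_HTML`, while `issueTypeMap` and `vulnerabilities9` give the same types real values; either fill in `issueDescription`/`fixInstructions` for both or leave the keys out so callers can detect absence with `Object.hasOwn`. In the `missingCSPHeader.ts` block (`@@ -2679,6 +2694,43 @@`) the user-facing explanation has a malformed directive, `- default-src 'self: Only allows ...`, which should read `- default-src 'self': Only allows resources from the same origin by default.` so users are not shown an invalid CSP token to copy. The `isCDNFixedVersion.content` question in the `hardcodedDomainInHtml.ts` block interpolates `url` straight into a backtick-quoted span; if that text is rendered as markdown, a URL taken from scanned HTML that itself contains a backtick would break out of the span, so escaping backticks in `url` before interpolation is worth a line. Since this file is a bundle, the fixes belong in the source files named by the `// src/features/analysis/scm/shared/src/...` comments.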