Javascript Rules

SAST rules for Javascript that identify insecure patterns in application code.

Javascript Rule Catalog

| ID | Title | Severity | Category |
|---|---|---|---|
| CODE-0358 | SQL Injection using Knex raw() or whereRaw() functions | CRITICAL | Injection |
| CODE-0359 | NoSQL Injection in findOne() function | CRITICAL | Injection |
| CODE-0360 | NoSQL JavaScript Injection via Untrusted Input in MongoDB $where Operator | CRITICAL | Injection |
| CODE-0361 | SQL Injection via Untrusted Input | CRITICAL | Injection |
| CODE-0364 | Sequelize Weak TLS Version | CRITICAL | Crypto |
| CODE-0367 | Cleartext Transmission of Sensitive Information | CRITICAL | InsecureConfig |
| CODE-0370 | Origin validation error | CRITICAL | Web |
| CODE-0371 | Experimental Features Enabled | CRITICAL | InsecureConfig |
| CODE-0373 | User controlled data in eval() or similar functions | CRITICAL | Injection |
| CODE-0374 | Untrusted user input in require() function | CRITICAL | Injection |
| CODE-0375 | Insecure gRPC Connection | CRITICAL | InsecureConfig |
| CODE-0376 | Deserialization of Untrusted Data | CRITICAL | Deserialization |
| CODE-0377 | Code Injection via Untrusted Data in Sandbox | CRITICAL | Injection |
| CODE-0378 | Deserialization of Untrusted Data | CRITICAL | Deserialization |
| CODE-0379 | Server Side Template Injection | CRITICAL | Injection |
| CODE-0380 | Code Injection via Untrusted Input to vm2 | CRITICAL | Injection |
| CODE-0381 | Untrusted user input reaching `vm2` sandbox can result in context injection | CRITICAL | Injection |
| CODE-0382 | Code Injection via Untrusted Input to `vm` | CRITICAL | Injection |
| CODE-0383 | Untrusted user input in `vm.compileFunction()` | CRITICAL | Injection |
| CODE-0384 | Untrusted user input in `vm.runInContext()` | CRITICAL | Injection |
| CODE-0385 | Untrusted user input in `vm.runInNewContext()` | CRITICAL | Injection |
| CODE-0386 | Deserialization of Untrusted Data | CRITICAL | Deserialization |
| CODE-0387 | OS Command Injection via shelljs.exec() | CRITICAL | Injection |
| CODE-0397 | HTTP Header Injection | CRITICAL | Injection |
| CODE-0402 | Hardcoded JWT Secret | CRITICAL | Secrets |
| CODE-0405 | Hardcoded JWT Secret | CRITICAL | Secrets |
| CODE-0407 | Insecure JWT Algorithm | CRITICAL | Crypto |
| CODE-0408 | Untrusted user input in redirect() can result in Open Redirect vulnerability | CRITICAL | Web |
| CODE-0409 | Untrusted user input in response header('Location') can result in Open Redirect vulnerability | CRITICAL | Web |
| CODE-0410 | Server-Side Request Forgery (SSRF) | CRITICAL | Injection |
| CODE-0411 | Server-side request forgery (SSRF) via phantom | CRITICAL | Injection |
| CODE-0412 | Server-side request forgery (SSRF) via Playwright | CRITICAL | Injection |
| CODE-0413 | Server-side request forgery (SSRF) in puppeteer | CRITICAL | Injection |
| CODE-0415 | Server-side request forgery (SSRF) in wkhtmltopdf | CRITICAL | Injection |
| CODE-0423 | XML Entity Expansion Vulnerability | CRITICAL | Injection |
| CODE-0424 | XPath Injection | CRITICAL | Injection |
| CODE-0426 | XML External Entity (XXE) Injection | CRITICAL | Injection |
| CODE-0816 | XML External Entity (XXE) Injection | CRITICAL | Injection |
| CODE-0195 | Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') | HIGH | Injection |
| CODE-0198 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | HIGH | Injection |
| CODE-0210 | CSRF Protection Disabled in Apollo GraphQL Server | HIGH | Web |
| CODE-0277 | Insecure CORS Policy in Apollo GraphQL Server | HIGH | Web |
| CODE-0285 | Permissive Cross-domain Policy with Untrusted Domains | HIGH | Web |
| CODE-0363 | Improper Certificate Validation in Sequelize Connection | HIGH | Crypto |
| CODE-0403 | Insufficiently protected credentials | HIGH | Auth |
| CODE-0404 | Insufficiently protected credentials | HIGH | Secrets |
| CODE-0406 | Insufficient token revocation in express-jwt | HIGH | Auth |
| CODE-0651 | Outdated ApolloServer option 'schemaDirectives' | HIGH | Web |
| CODE-0654 | Apollo GraphQL Server Lacks CSRF Prevention | HIGH | Web |
| CODE-0769 | Command Injection via Child Process | HIGH | Injection |
| CODE-0191 | Out-of-bounds read in Buffer API methods | MEDIUM | Injection |
| CODE-0192 | Out-of-bounds write in Buffer API | MEDIUM | Injection |
| CODE-0193 | Insecure Buffer Allocation | MEDIUM | InsecureConfig |
| CODE-0194 | Regular expression with non-literal value | MEDIUM | Injection |
| CODE-0196 | Improper limitation of a pathname to a restricted directory ('Path Traversal') | MEDIUM | Injection |
| CODE-0197 | Use of cryptographically weak pseudo-random number generator (PRNG) | MEDIUM | Crypto |
| CODE-0200 | Observable Timing Discrepancy | MEDIUM | Crypto |
| CODE-0201 | Markup Escaping Disabled | MEDIUM | Injection |
| CODE-0223 | Permissive Cross-domain Policy with Untrusted Domains | MEDIUM | Web |
| CODE-0256 | Insecure SSL configuration in node-libcurl | MEDIUM | InsecureConfig |
| CODE-0276 | Missing CORS Policy in Apollo GraphQL Server | MEDIUM | Web |
| CODE-0284 | Missing CORS Policy in Apollo GraphQL Server | MEDIUM | Web |
| CODE-0350 | Use of a broken or risky cryptographic algorithm | MEDIUM | Crypto |
| CODE-0351 | AES Algorithm Used Without Initialization Vector | MEDIUM | Crypto |
| CODE-0352 | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) | MEDIUM | Crypto |
| CODE-0353 | Use of weak hash | MEDIUM | Crypto |
| CODE-0354 | Use of weak hash | MEDIUM | Crypto |
| CODE-0355 | Observable timing discrepancy | MEDIUM | Crypto |
| CODE-0356 | Improper Certificate Validation | MEDIUM | Crypto |
| CODE-0357 | Use of Weak Cryptographic Algorithm | MEDIUM | Crypto |
| CODE-0362 | Cleartext transmission of sensitive information | MEDIUM | InsecureConfig |
| CODE-0365 | Layer 7 Denial of Service via Unchecked Input for Loop Condition | MEDIUM | InsecureConfig |
| CODE-0366 | Regular Expression Denial of Service | MEDIUM | Injection |
| CODE-0368 | Experimental Blink Features Enabled | MEDIUM | InsecureConfig |
| CODE-0369 | Disabling Context Isolation in Electron | MEDIUM | InsecureConfig |
| CODE-0372 | Node Integration Exposure | MEDIUM | InsecureConfig |
| CODE-0388 | Default Session Cookie Name | MEDIUM | Auth |
| CODE-0389 | Insufficiently protected credentials: session cookie domain not set | MEDIUM | Auth |
| CODE-0390 | Sensitive cookie without 'HttpOnly' flag | MEDIUM | Web |
| CODE-0391 | Insufficient Session Expiration | MEDIUM | Auth |
| CODE-0392 | Insufficiently protected credentials: session cookie path not set | MEDIUM | Auth |
| CODE-0393 | Sensitive cookie with improper SameSite attribute | MEDIUM | Web |
| CODE-0394 | Sensitive cookie in HTTPS session without 'Secure' attribute | MEDIUM | Auth |
| CODE-0395 | Insecure CORS Configuration | MEDIUM | Web |
| CODE-0396 | Origin validation error | MEDIUM | Web |
| CODE-0398 | X-XSS-Protection Header Set to 0 | MEDIUM | Web |
| CODE-0399 | X-XSS-Protection header is set to 0 | MEDIUM | Web |
| CODE-0400 | Helmet Security Response Header Disabled | MEDIUM | Web |
| CODE-0401 | Host Header Injection | MEDIUM | Injection |
| CODE-0414 | Server-side request forgery (SSRF) in wkhtmltoimage | MEDIUM | Injection |
| CODE-0416 | Insecure ZIP Archive Extraction | MEDIUM | Injection |
| CODE-0417 | Untrusted user input in express render() function | MEDIUM | Injection |
| CODE-0418 | Untrusted user input in express render() function | MEDIUM | Injection |
| CODE-0419 | Untrusted user input in readFile()/readFileSync() can lead to directory traversal attacks | MEDIUM | Injection |
| CODE-0420 | Path Traversal via User Input in Path Construction | MEDIUM | Injection |
| CODE-0421 | Insecure TAR Archive Extraction | MEDIUM | Injection |
| CODE-0422 | Insecure ZIP Archive Extraction | MEDIUM | Injection |
| CODE-0427 | Cross-Site Scripting (XSS) via Unvalidated User Input | MEDIUM | Web |
| CODE-0428 | Insecure Handlebars Configuration | MEDIUM | Web |
| CODE-0429 | Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) | MEDIUM | Injection |
| CODE-0430 | Cross-site Scripting (XSS) due to improper neutralization of input during web page generation | MEDIUM | Web |
| CODE-0431 | Markup Escaping Disabled | MEDIUM | Injection |
| CODE-0432 | Cross-Site Scripting (XSS) via serialize-javascript | MEDIUM | Injection |
| CODE-0808 | Insecure Use of GraphQL Upload | MEDIUM | Web |
| CODE-0199 | Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') | LOW | Injection |

Total Rules: 105

Click on any rule ID to view detailed information, examples, and remediation guidance.