react-todo's Issues

Finding on 2018-07-19 02:29:51

  • Name: TCP timestamps
  • ID: 200f38c717e9d4226795f63e5eca55e1
  • Affected Hosts: ['185.199.108.153']
  • Description: It was detected that the host implements RFC1323.

The following timestamps were retrieved with a delay of 1 second in-between:
Packet 1: 1387470782
Packet 2: 395967527

Finding on 2014-02-91

  • Name: Buffer Underflow
  • ID: acc257292429103d63425cd0db631aa9
  • Affected Hosts: 129.9.9.1
  • Description: Dummy Description
  • First seen: 2014-02-91
  • Recommendation: rm -rf
  • Source Link: /storyfier/detect/c243c7bc-4de2-4156-a135-8b5dbd6df4b2/acc257292429103d63425cd0db631aa9

Finding on 2014-02-91

  • Name: Buffer Underflow
  • ID: ca239bb7fb446b1d84e82daff0d30075
  • Affected Hosts: 129.9.9.1
  • Description: Dummy Description
  • First seen: 2014-02-91
  • Recommendation: rm -rf
  • Source Link: /storyfier/detect/c243c7bc-4de2-4156-a135-8b5dbd6df4b2/ca239bb7fb446b1d84e82daff0d30075

Switch cases should end with an unconditional "break" statement

Risk: Critical

Code

https://github.com/reyesreg/react-todo/blob/89aa7360990ded17a76364355a35df86d7eee9dc/dist/bundle.js#L22214

Description

When execution is not explicitly terminated at the end of a switch case, it continues into the statements of the following case. While this is sometimes intentional, it is often a mistake that leads to unexpected behavior.

Noncompliant Code Example

switch (myVariable) {
  case 1:
    foo();
    break;
  case 2:  // Both 'doSomething()' and 'doSomethingElse()' will be executed. Is it on purpose?
    doSomething();
  default:
    doSomethingElse();
    break;
}

Compliant Solution

switch (myVariable) {
  case 1:
    foo();
    break;
  case 2:
    doSomething();
    break;
  default:
    doSomethingElse();
    break;
}

Exceptions

This rule is relaxed in the following cases:

function handle(items) {                     // Enclosing function and loop so that 'return' and 'continue' are valid
  for (const myVariable of items) {
    switch (myVariable) {
      case 0:                                // Empty case used to specify the same behavior for a group of cases.
      case 1:
        doSomething();
        break;
      case 2:                                // Use of return statement
        return;
      case 3:                                // Ends with comment when fall-through is intentional
        console.log("this case falls through");
        // fall through
      case 4:                                // Use of throw statement
        throw new Error("illegal state");
      case 5:                                // Use of continue statement
        continue;
      default:                               // For the last case, use of break statement is optional
        doSomethingElse();
    }
  }
}

See

  • MISRA C:2004, 15.0 - The MISRA C switch syntax shall be used.
  • MISRA C:2004, 15.2 - An unconditional break statement shall terminate every non-empty switch clause
  • MISRA C++:2008, 6-4-3 - A switch statement shall be a well-formed switch statement.
  • MISRA C++:2008, 6-4-5 - An unconditional throw or break statement shall terminate every non-empty switch-clause
  • MISRA C:2012, 16.1 - All switch statements shall be well-formed
  • MISRA C:2012, 16.3 - An unconditional break statement shall terminate every switch-clause
  • MITRE, CWE-484 - Omitted Break Statement in Switch
  • CERT, MSC17-C. - Finish every set of statements associated with a case label with a break statement
  • CERT, MSC18-CPP. - Finish every set of statements associated with a case label with a break statement
  • CERT, MSC52-J. - Finish every set of statements associated with a case label with a break statement

Recommendation

End this switch case with an unconditional break, continue, return or throw statement.
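As an added illustration (not code from the original issue or from the react-todo project), the constructed JavaScript below shows why a missing break matters in practice: a role-to-permission switch silently widens what an "editor" may do, beside the compliant form. Role names and permission strings are invented for the example.

```javascript
// Added example: the same role-to-permission mapping written two ways.
// Roles and permission names are constructed for illustration only.

// Noncompliant: the "editor" case has no break, so execution falls
// through into "admin" and an editor silently receives "delete".
function permissionsFallthrough(role) {
  const perms = new Set();
  switch (role) {
    case "viewer":
      perms.add("read");
      break;
    case "editor":
      perms.add("read");
      perms.add("write");
      // missing break: control continues into the "admin" case
    case "admin":
      perms.add("read");
      perms.add("write");
      perms.add("delete");
      break;
    default:
      // unknown roles receive no permissions
      break;
  }
  return [...perms].sort();
}

// Compliant: every non-empty case ends with an unconditional break;
// the only fall-through left is the empty "guest" case, which is the
// documented exception for grouping cases with identical behaviour.
function permissionsFixed(role) {
  const perms = new Set();
  switch (role) {
    case "guest":   // intentionally grouped with "viewer"
    case "viewer":
      perms.add("read");
      break;
    case "editor":
      perms.add("read");
      perms.add("write");
      break;
    case "admin":
      perms.add("read");
      perms.add("write");
      perms.add("delete");
      break;
    default:
      break;
  }
  return [...perms].sort();
}
```

Comparing `permissionsFallthrough("editor")` with `permissionsFixed("editor")` shows the extra "delete" permission that the omitted break grants.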


Horangi detected this issue on 2018-09-14 07:16:36

Finding on 2018-05-21 04:26:03

  • Name: X-Frame-Options Header Not Set
  • ID: b992403d37f436710b1a6f71d005369e
  • Affected Hosts: ['https://kolyaak.github.io/']
  • Description: X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.
  • First seen: 2018-05-21 04:26:03
  • Recommendation: Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).
  • Source Link: https://client.dev1.horangi.com/storyfier/detect/cfed6f7d-a719-455b-8342-3bd51ab36650/b992403d37f436710b1a6f71d005369e

Finding on 2014-02-91

  • Name: Buffer Underflow
  • ID: bc6839967ebf463d34d1d81af246362b
  • Affected Hosts: 129.9.9.1
  • Description: Dummy Description
  • First seen: 2014-02-91
  • Recommendation: rm -rf
  • Source Link: /storyfier/detect/c243c7bc-4de2-4156-a135-8b5dbd6df4b2/bc6839967ebf463d34d1d81af246362b

Finding on 2014-02-91

  • Name: Buffer Underflow
  • ID: 1a107188f7763674ba713f7cc10bece0
  • Affected Hosts: 129.9.9.1
  • Description: Dummy Description
  • First seen: 2014-02-91
  • Recommendation: rm -rf
  • Source Link: /storyfier/detect/c243c7bc-4de2-4156-a135-8b5dbd6df4b2/1a107188f7763674ba713f7cc10bece0

Finding on 2018-05-21 04:26:03

  • Name: Incomplete or No Cache-control and Pragma HTTP Header Set
  • ID: 43464f832990755a31f0e703312c6fa7
  • Affected Hosts: ['https://kolyaak.github.io/']
  • Description: The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.
  • First seen: 2018-05-21 04:26:03
  • Recommendation: Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.
  • Source Link: https://client.dev1.horangi.com/storyfier/detect/cfed6f7d-a719-455b-8342-3bd51ab36650/43464f832990755a31f0e703312c6fa7

Finding on 2014-02-91

  • Name: Buffer Underflow
  • ID: VnVsbmVyYWJpbGl0eTpjMjQzYzdiYy00ZGUyLTQxNTYtYTEzNS04YjVkYmQ2ZGY0YjI6YmM2ODM5OTY3ZWJmNDYzZDM0ZDFkODFhZjI0NjM2MmI=
  • Affected Hosts: 129.9.9.1
  • Description: Dummy Description
  • First seen: 2014-02-91
  • Recommendation: rm -rf
  • Source Link: /storyfier/detect/c243c7bc-4de2-4156-a135-8b5dbd6df4b2/VnVsbmVyYWJpbGl0eTpjMjQzYzdiYy00ZGUyLTQxNTYtYTEzNS04YjVkYmQ2ZGY0YjI6YmM2ODM5OTY3ZWJmNDYzZDM0ZDFkODFhZjI0NjM2MmI=

Finding on 2014-02-91

  • Name: Buffer Underflow
  • ID: 994f7a16cbbacd352079e0a2f75b2140
  • Affected Hosts: 129.9.9.1
  • Description: Dummy Description
  • First seen: 2014-02-91
  • Recommendation: rm -rf
  • Source Link: /storyfier/detect/c243c7bc-4de2-4156-a135-8b5dbd6df4b2/994f7a16cbbacd352079e0a2f75b2140

A conditionally executed single line should be denoted by indentation

Risk: high

Description

In the absence of enclosing curly braces, the line immediately after a
conditional is the one that is conditionally executed. By both convention and
good practice, such lines are indented. In the absence of both curly braces
and indentation the intent of the original programmer is entirely unclear and
perhaps not actually what is executed. Additionally, such code is highly
likely to be confusing to maintainers.

Noncompliant Code Example

if (condition)  // Noncompliant
doTheThing();

doTheOtherThing();
somethingElseEntirely();

foo();

Compliant Solution

if (condition)
  doTheThing();

doTheOtherThing();
somethingElseEntirely();

foo();

Recommendation

Use curly braces or indentation to denote the code conditionally executed by this "else".

Code

Link : https://gitlab.com/reyesreg/react-todo/blob/89aa7360990ded17a76364355a35df86d7eee9dc/dist/bundle.js#L520

Author: [email protected]

Horangi detected this issue on 2019-04-12 10:15:16.511664

Finding on 2018-06-11 06:51:22

  • Name: Web Browser XSS Protection Not Enabled
  • ID: d6142164ed3fac6b2f88cf43ad839522
  • Affected Hosts: ['https://kolyaak.github.io/sitemap.xml']
  • Description: Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server
  • First seen: 2018-06-11 06:51:22
  • Recommendation: Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.
  • Source Link: https://client.dev1.horangi.com/storyfier/detect/cfed6f7d-a719-455b-8342-3bd51ab36650/d6142164ed3fac6b2f88cf43ad839522

Finding on 2014-02-91

  • Name: Buffer Underflow
  • ID: f9106f43d6fe255af6b60456e4da0b8c
  • Affected Hosts: 129.9.9.1
  • Description: Dummy Description
  • First seen: 2014-02-91
  • Recommendation: rm -rf
  • Source Link: /storyfier/detect/c243c7bc-4de2-4156-a135-8b5dbd6df4b2/f9106f43d6fe255af6b60456e4da0b8c

Finding on 2018-05-21 04:26:03

  • Name: X-Content-Type-Options Header Missing
  • ID: 4819378998ca1b1d2729cc3d7f9be02f
  • Affected Hosts: ['https://kolyaak.github.io/']
  • Description: The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.
  • First seen: 2018-05-21 04:26:03
  • Recommendation: Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.
    If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.
  • Source Link: https://client.dev1.horangi.com/storyfier/detect/cfed6f7d-a719-455b-8342-3bd51ab36650/4819378998ca1b1d2729cc3d7f9be02f

Finding on 2018-06-08 09:27:40

  • Name: SQL Injection
  • ID: 212870b8812d08025618e971ca43bccd
  • Affected Hosts: ['http://testphp.vulnweb.com/listproducts.php?artist=4-2']
  • Description: SQL injection may be possible.
  • First seen: 2018-06-08 09:27:40
  • Recommendation: Do not trust client side input, even if there is client side validation in place.
    In general, type check all data on the server side.
    If the application uses JDBC, use PreparedStatement or CallableStatement, with parameters passed by '?'
    If the application uses ASP, use ADO Command Objects with strong type checking and parameterized queries.
    If database Stored Procedures can be used, use them.
    Do not concatenate strings into queries in the stored procedure, or use 'exec', 'exec immediate', or equivalent functionality!
    Do not create dynamic SQL queries using simple string concatenation.
    Escape all data received from the client.
    Apply a 'whitelist' of allowed characters, or a 'blacklist' of disallowed characters in user input.
    Apply the principle of least privilege by using the least privileged database user possible.
    In particular, avoid using the 'sa' or 'db-owner' database users. This does not eliminate SQL injection, but minimizes its impact.
    Grant the minimum database access that is necessary for the application.
  • Source Link: https://staging.horangi.com/storyfier/detect/f67ba203-0e81-4164-a8d1-633d7e74c1a7/212870b8812d08025618e971ca43bccd
