Code Security Report: 11 high severity findings, 16 total findings [master]

[mend-developer-platform-dev]

Code Security Report

Scan Metadata

Latest Scan: 2025-09-17 08:32AM
Total Findings: 16 | New Findings: 0 | Resolved Findings: 0
Tested Project Files: 50
Detected Programming Languages: 1 (JavaScript / TypeScript*)

Most Relevant Findings

The list below presents the 10 most relevant findings that need your attention.

Severity	Vulnerability Type	CWE	File	Data Flows	Detected	Violated Workflows	Violation Priority	Violation SLA
High	Code Injection	CWE-94	contributions.js:32	1	2025-09-17 08:32AM	Code Test	HIGH	2025-10-17
Vulnerable Code NodeGoat/app/routes/contributions.js Lines 28 to 37 in 83624e1 this.handleContributionsUpdate = (req, res, next) => { /*jslint evil: true */ // Insecure use of eval() to parse inputs const preTax = eval(req.body.preTax); const afterTax = eval(req.body.afterTax); const roth = eval(req.body.roth); /* //Fix for A1 -1 SSJS Injection attacks - uses alternate method to eval Data Flows (1 detected) NodeGoat/app/routes/index.js Line 54 in 83624e1 app.post("/contributions", isLoggedIn, contributionsHandler.handleContributionsUpdate); NodeGoat/app/routes/contributions.js Line 28 in 83624e1 this.handleContributionsUpdate = (req, res, next) => { NodeGoat/app/routes/contributions.js Line 32 in 83624e1 const preTax = eval(req.body.preTax); NodeGoat/app/routes/index.js Line 54 in 83624e1 app.post("/contributions", isLoggedIn, contributionsHandler.handleContributionsUpdate); NodeGoat/app/routes/contributions.js Line 28 in 83624e1 this.handleContributionsUpdate = (req, res, next) => { NodeGoat/app/routes/contributions.js Line 32 in 83624e1 const preTax = eval(req.body.preTax); Secure Code Warrior Training Material 🎓 Training Secure Code Warrior Code Injection Training 📺 Videos Secure Code Warrior Code Injection Video 📚 Further Reading OWASP Command Injection
High	Code Injection	CWE-94	contributions.js:33	1	2025-09-17 08:32AM	Code Test	HIGH	2025-10-17
Vulnerable Code NodeGoat/app/routes/contributions.js Lines 29 to 38 in 83624e1 /*jslint evil: true */ // Insecure use of eval() to parse inputs const preTax = eval(req.body.preTax); const afterTax = eval(req.body.afterTax); const roth = eval(req.body.roth); /* //Fix for A1 -1 SSJS Injection attacks - uses alternate method to eval const preTax = parseInt(req.body.preTax); Data Flows (1 detected) NodeGoat/app/routes/index.js Line 54 in 83624e1 app.post("/contributions", isLoggedIn, contributionsHandler.handleContributionsUpdate); NodeGoat/app/routes/contributions.js Line 28 in 83624e1 this.handleContributionsUpdate = (req, res, next) => { NodeGoat/app/routes/contributions.js Line 33 in 83624e1 const afterTax = eval(req.body.afterTax); NodeGoat/app/routes/index.js Line 54 in 83624e1 app.post("/contributions", isLoggedIn, contributionsHandler.handleContributionsUpdate); NodeGoat/app/routes/contributions.js Line 28 in 83624e1 this.handleContributionsUpdate = (req, res, next) => { NodeGoat/app/routes/contributions.js Line 33 in 83624e1 const afterTax = eval(req.body.afterTax); Secure Code Warrior Training Material 🎓 Training Secure Code Warrior Code Injection Training 📺 Videos Secure Code Warrior Code Injection Video 📚 Further Reading OWASP Command Injection
High	Code Injection	CWE-94	contributions.js:34	1	2025-09-17 08:32AM	Code Test	HIGH	2025-10-17
Vulnerable Code NodeGoat/app/routes/contributions.js Lines 30 to 39 in 83624e1 /*jslint evil: true */ // Insecure use of eval() to parse inputs const preTax = eval(req.body.preTax); const afterTax = eval(req.body.afterTax); const roth = eval(req.body.roth); /* //Fix for A1 -1 SSJS Injection attacks - uses alternate method to eval const preTax = parseInt(req.body.preTax); const afterTax = parseInt(req.body.afterTax); Data Flows (1 detected) NodeGoat/app/routes/index.js Line 54 in 83624e1 app.post("/contributions", isLoggedIn, contributionsHandler.handleContributionsUpdate); NodeGoat/app/routes/contributions.js Line 28 in 83624e1 this.handleContributionsUpdate = (req, res, next) => { NodeGoat/app/routes/contributions.js Line 34 in 83624e1 const roth = eval(req.body.roth); NodeGoat/app/routes/index.js Line 54 in 83624e1 app.post("/contributions", isLoggedIn, contributionsHandler.handleContributionsUpdate); NodeGoat/app/routes/contributions.js Line 28 in 83624e1 this.handleContributionsUpdate = (req, res, next) => { NodeGoat/app/routes/contributions.js Line 34 in 83624e1 const roth = eval(req.body.roth); Secure Code Warrior Training Material 🎓 Training Secure Code Warrior Code Injection Training 📺 Videos Secure Code Warrior Code Injection Video 📚 Further Reading OWASP Command Injection
High	Code Injection	CWE-94	error.js:10	1	2025-09-17 08:32AM	Code Test	HIGH	2025-10-17
Vulnerable Code NodeGoat/app/routes/error.js Lines 6 to 15 in 83624e1 console.error(err.message); console.error(err.stack); res.status(500); res.render("error-template", { error: err }); }; module.exports = { errorHandler }; Data Flows (1 detected) NodeGoat/app/routes/index.js Line 97 in 83624e1 app.use(ErrorHandler); NodeGoat/app/routes/error.js Line 3 in 83624e1 const errorHandler = (err, req, res,next) => { NodeGoat/app/routes/error.js Line 11 in 83624e1 error: err NodeGoat/app/routes/error.js Line 10 in 83624e1 res.render("error-template", { NodeGoat/app/routes/index.js Line 97 in 83624e1 app.use(ErrorHandler); NodeGoat/app/routes/error.js Line 3 in 83624e1 const errorHandler = (err, req, res,next) => { NodeGoat/app/routes/error.js Line 11 in 83624e1 error: err NodeGoat/app/routes/error.js Line 10 in 83624e1 res.render("error-template", { Secure Code Warrior Training Material 🎓 Training Secure Code Warrior Code Injection Training 📺 Videos Secure Code Warrior Code Injection Video 📚 Further Reading OWASP Command Injection
High	Code Injection	CWE-94	profile.js:65	7	2025-09-17 08:32AM	Code Test	HIGH	2025-10-17
Vulnerable Code NodeGoat/app/routes/profile.js Lines 61 to 70 in 83624e1 const testComplyWithRequirements = regexPattern.test(bankRouting); // if the regex test fails we do not allow saving if (testComplyWithRequirements !== true) { const firstNameSafeString = firstName return res.render("profile", { updateError: "Bank Routing number does not comply with requirements for format specified", firstNameSafeString, lastName, ssn, dob, Data Flows (7 detected) Data Flow #1 NodeGoat/app/routes/index.js Line 50 in 83624e1 app.post("/profile", isLoggedIn, profileHandler.handleProfileUpdate); NodeGoat/app/routes/profile.js Line 40 in 83624e1 this.handleProfileUpdate = (req, res, next) => { NodeGoat/app/routes/profile.js Line 47 in 83624e1 address, NodeGoat/app/routes/profile.js Line 71 in 83624e1 address, NodeGoat/app/routes/profile.js Line 65 in 83624e1 return res.render("profile", { Data Flow #2 NodeGoat/app/routes/index.js Line 50 in 83624e1 app.post("/profile", isLoggedIn, profileHandler.handleProfileUpdate); NodeGoat/app/routes/profile.js Line 40 in 83624e1 this.handleProfileUpdate = (req, res, next) => { NodeGoat/app/routes/profile.js Line 48 in 83624e1 bankAcc, NodeGoat/app/routes/profile.js Line 72 in 83624e1 bankAcc, NodeGoat/app/routes/profile.js Line 65 in 83624e1 return res.render("profile", { Data Flow #3 NodeGoat/app/routes/index.js Line 50 in 83624e1 app.post("/profile", isLoggedIn, profileHandler.handleProfileUpdate); NodeGoat/app/routes/profile.js Line 40 in 83624e1 this.handleProfileUpdate = (req, res, next) => { NodeGoat/app/routes/profile.js Line 49 in 83624e1 bankRouting NodeGoat/app/routes/profile.js Line 73 in 83624e1 bankRouting, NodeGoat/app/routes/profile.js Line 65 in 83624e1 return res.render("profile", { View more Data Flows Secure Code Warrior Training Material 🎓 Training Secure Code Warrior Code Injection Training 📺 Videos Secure Code Warrior Code Injection Video 📚 Further Reading OWASP Command Injection
High	Path/Directory Traversal	CWE-22	index.js:88	1	2025-09-17 08:32AM	Code Test	HIGH	2025-10-17
Vulnerable Code NodeGoat/app/routes/index.js Lines 84 to 93 in 83624e1 app.get("/tutorial/:page", (req, res) => { const { page } = req.params return res.render(`tutorial/${page}`, { environmentalScripts }); }); // Research Page Data Flows (1 detected) NodeGoat/app/routes/index.js Line 84 in 83624e1 app.get("/tutorial/:page", (req, res) => { NodeGoat/app/routes/index.js Line 86 in 83624e1 page NodeGoat/app/routes/index.js Line 88 in 83624e1 return res.render(`tutorial/${page}`, { NodeGoat/app/routes/index.js Line 84 in 83624e1 app.get("/tutorial/:page", (req, res) => { NodeGoat/app/routes/index.js Line 86 in 83624e1 page NodeGoat/app/routes/index.js Line 88 in 83624e1 return res.render(`tutorial/${page}`, { Secure Code Warrior Training Material 🎓 Training Secure Code Warrior Path/Directory Traversal Training 📺 Videos Secure Code Warrior Path/Directory Traversal Video 📚 Further Reading OWASP Input Validation Cheat Sheet OWASP Path Traversal
High	NoSQL Injection	CWE-943	memos-dao.js:23	1	2025-09-17 08:32AM	Code Test	HIGH	2025-10-17
Vulnerable Code NodeGoat/app/data/memos-dao.js Lines 19 to 28 in 83624e1 memo, timestamp: new Date() }; memosCol.insert(memos, (err, result) => !err ? callback(null, result) : callback(err, null)); }; this.getAllMemos = (callback) => { memosCol.find({}).sort({ Data Flows (1 detected) NodeGoat/app/routes/index.js Line 69 in 83624e1 app.post("/memos", isLoggedIn, memosHandler.addMemos); NodeGoat/app/routes/memos.js Line 11 in 83624e1 this.addMemos = (req, res, next) => { NodeGoat/app/routes/memos.js Line 13 in 83624e1 memosDAO.insert(req.body.memo, (err, docs) => { NodeGoat/app/data/memos-dao.js Line 15 in 83624e1 this.insert = (memo, callback) => { NodeGoat/app/data/memos-dao.js Line 19 in 83624e1 memo, NodeGoat/app/data/memos-dao.js Line 23 in 83624e1 memosCol.insert(memos, (err, result) => !err ? callback(null, result) : callback(err, null)); NodeGoat/app/routes/index.js Line 69 in 83624e1 app.post("/memos", isLoggedIn, memosHandler.addMemos); NodeGoat/app/routes/memos.js Line 11 in 83624e1 this.addMemos = (req, res, next) => { NodeGoat/app/routes/memos.js Line 13 in 83624e1 memosDAO.insert(req.body.memo, (err, docs) => { NodeGoat/app/data/memos-dao.js Line 15 in 83624e1 this.insert = (memo, callback) => { NodeGoat/app/data/memos-dao.js Line 19 in 83624e1 memo, NodeGoat/app/data/memos-dao.js Line 23 in 83624e1 memosCol.insert(memos, (err, result) => !err ? callback(null, result) : callback(err, null)); Secure Code Warrior Training Material 🎓 Training Secure Code Warrior NoSQL Injection Training 📺 Videos Secure Code Warrior NoSQL Injection Video
High	NoSQL Injection	CWE-943	user-dao.js:91	1	2025-09-17 08:32AM	Code Test	HIGH	2025-10-17
Vulnerable Code NodeGoat/app/data/user-dao.js Lines 87 to 96 in 83624e1 callback(noSuchUserError, null); } } usersCol.findOne({ userName: userName }, validateUserDoc); }; // This is the good one, see the next function Data Flows (1 detected) NodeGoat/app/routes/index.js Line 36 in 83624e1 app.post("/login", sessionHandler.handleLoginRequest); NodeGoat/app/routes/session.js Line 51 in 83624e1 this.handleLoginRequest = (req, res, next) => { NodeGoat/app/routes/session.js Line 53 in 83624e1 userName, NodeGoat/app/routes/session.js Line 56 in 83624e1 userDAO.validateLogin(userName, password, (err, user) => { NodeGoat/app/data/user-dao.js Line 57 in 83624e1 this.validateLogin = (userName, password, callback) => { NodeGoat/app/data/user-dao.js Line 92 in 83624e1 userName: userName NodeGoat/app/data/user-dao.js Line 91 in 83624e1 usersCol.findOne({ NodeGoat/app/routes/index.js Line 36 in 83624e1 app.post("/login", sessionHandler.handleLoginRequest); NodeGoat/app/routes/session.js Line 51 in 83624e1 this.handleLoginRequest = (req, res, next) => { NodeGoat/app/routes/session.js Line 53 in 83624e1 userName, NodeGoat/app/routes/session.js Line 56 in 83624e1 userDAO.validateLogin(userName, password, (err, user) => { NodeGoat/app/data/user-dao.js Line 57 in 83624e1 this.validateLogin = (userName, password, callback) => { NodeGoat/app/data/user-dao.js Line 92 in 83624e1 userName: userName NodeGoat/app/data/user-dao.js Line 91 in 83624e1 usersCol.findOne({ Secure Code Warrior Training Material 🎓 Training Secure Code Warrior NoSQL Injection Training 📺 Videos Secure Code Warrior NoSQL Injection Video
High	Server Side Request Forgery	CWE-918	research.js:16	1	2025-09-17 08:32AM	Code Test	HIGH	2025-10-17
Vulnerable Code NodeGoat/app/routes/research.js Lines 12 to 21 in 83624e1 this.displayResearch = (req, res) => { if (req.query.symbol) { const url = req.query.url + req.query.symbol; return needle.get(url, (error, newResponse, body) => { if (!error && newResponse.statusCode === 200) { res.writeHead(200, { "Content-Type": "text/html" }); } Data Flows (1 detected) NodeGoat/app/routes/index.js Line 94 in 83624e1 app.get("/research", isLoggedIn, researchHandler.displayResearch); NodeGoat/app/routes/research.js Line 12 in 83624e1 this.displayResearch = (req, res) => { NodeGoat/app/routes/research.js Line 15 in 83624e1 const url = req.query.url + req.query.symbol; NodeGoat/app/routes/research.js Line 16 in 83624e1 return needle.get(url, (error, newResponse, body) => { NodeGoat/app/routes/index.js Line 94 in 83624e1 app.get("/research", isLoggedIn, researchHandler.displayResearch); NodeGoat/app/routes/research.js Line 12 in 83624e1 this.displayResearch = (req, res) => { NodeGoat/app/routes/research.js Line 15 in 83624e1 const url = req.query.url + req.query.symbol; NodeGoat/app/routes/research.js Line 16 in 83624e1 return needle.get(url, (error, newResponse, body) => { Secure Code Warrior Training Material 🎓 Training Secure Code Warrior Server Side Request Forgery Training 📺 Videos Secure Code Warrior Server Side Request Forgery Video
High	NoSQL Injection	CWE-943	allocations-dao.js:86	1	2025-09-17 08:32AM	Code Test	HIGH	2025-10-17
Vulnerable Code NodeGoat/app/data/allocations-dao.js Lines 82 to 91 in 83624e1 userId: parsedUserId }; } allocationsCol.find(searchCriteria()).toArray((err, allocations) => { if (err) return callback(err, null); if (!allocations.length) return callback("ERROR: No allocations found for the user", null); let doneCounter = 0; const userAllocations = []; Data Flows (1 detected) NodeGoat/app/routes/index.js Line 65 in 83624e1 app.get("/allocations/:userId", isLoggedIn, allocationsHandler.displayAllocations); NodeGoat/app/routes/allocations.js Line 11 in 83624e1 this.displayAllocations = (req, res, next) => { NodeGoat/app/routes/allocations.js Line 20 in 83624e1 threshold NodeGoat/app/routes/allocations.js Line 23 in 83624e1 allocationsDAO.getByUserIdAndThreshold(userId, threshold, (err, allocations) => { NodeGoat/app/data/allocations-dao.js Line 57 in 83624e1 this.getByUserIdAndThreshold = (userId, threshold, callback) => { NodeGoat/app/data/allocations-dao.js Line 86 in 83624e1 allocationsCol.find(searchCriteria()).toArray((err, allocations) => { NodeGoat/app/data/allocations-dao.js Line 60 in 83624e1 const searchCriteria = () => { NodeGoat/app/data/allocations-dao.js Line 78 in 83624e1 $where: `this.userId == ${parsedUserId} && this.stocks > '${threshold}'` NodeGoat/app/data/allocations-dao.js Line 86 in 83624e1 allocationsCol.find(searchCriteria()).toArray((err, allocations) => { NodeGoat/app/routes/index.js Line 65 in 83624e1 app.get("/allocations/:userId", isLoggedIn, allocationsHandler.displayAllocations); NodeGoat/app/routes/allocations.js Line 11 in 83624e1 this.displayAllocations = (req, res, next) => { NodeGoat/app/routes/allocations.js Line 20 in 83624e1 threshold NodeGoat/app/routes/allocations.js Line 23 in 83624e1 allocationsDAO.getByUserIdAndThreshold(userId, threshold, (err, allocations) => { NodeGoat/app/data/allocations-dao.js Line 57 in 83624e1 this.getByUserIdAndThreshold = (userId, threshold, callback) => { NodeGoat/app/data/allocations-dao.js Line 86 in 83624e1 allocationsCol.find(searchCriteria()).toArray((err, allocations) => { NodeGoat/app/data/allocations-dao.js Line 60 in 83624e1 const searchCriteria = () => { NodeGoat/app/data/allocations-dao.js Line 78 in 83624e1 $where: `this.userId == ${parsedUserId} && this.stocks > '${threshold}'` NodeGoat/app/data/allocations-dao.js Line 86 in 83624e1 allocationsCol.find(searchCriteria()).toArray((err, allocations) => { Secure Code Warrior Training Material 🎓 Training Secure Code Warrior NoSQL Injection Training 📺 Videos Secure Code Warrior NoSQL Injection Video

Findings Overview

Severity	Vulnerability Type	CWE	Language	Count
High	Code Injection	CWE-94	JavaScript / TypeScript*	5
High	NoSQL Injection	CWE-943	JavaScript / TypeScript*	4
High	Path/Directory Traversal	CWE-22	JavaScript / TypeScript*	1
High	Server Side Request Forgery	CWE-918	JavaScript / TypeScript*	1
Low	Log Forging	CWE-117	JavaScript / TypeScript*	2
Low	Unvalidated/Open Redirect	CWE-601	JavaScript / TypeScript*	1
Low	Sensitive Cookie Without Secure	CWE-614	JavaScript / TypeScript*	1
Low	Regex Denial of Service (ReDoS)	CWE-1333	JavaScript / TypeScript*	1