Q
Detector Library
TypeScript detectors (104/104)
Integer overflowAWS insecure transmission CDKInsecure cookieAWS credentials loggedSQL injectionInsecure connection using unencrypted protocolNew function detectedBatch request with unchecked failuresUnvalidated expansion of archive filesMissing paginationXPath injectionLogging of sensitive informationOverride of reserved variable names in a Lambda functionInsecure CORS policyImproper input validationHardcoded credentialsInvoke super appropriatelyNumeric truncation errorAvoid nan in comparisonMissing check on method outputInsufficiently protected credentialsImproper restriction of rendered UI layers or framesPseudorandom number generatorsAWS missing encryption CDKCatch and swallow exceptionHeader injectionUse {} instead of new Object()Hardcoded IP addressUntrusted Amazon Machine ImagesWeak obfuscation of web requestsFile Race BadImproper certificate validationSendfile injectionCryptographic key generatorimproper input validation cdkXML external entityTiming attackMissing Amazon S3 bucket owner conditionInsecure hashingSession fixationUse of Default Credentials CDKFile injectionImproper Restriction of Operations within the Bounds of a Memory BufferLimit request lengthLog injectionType confusionServer side request forgeryaws kmskey encryption cdkInefficient polling of AWS resourceAvoid Undefined As Variable NameIndex of method comparisonString passed to `setInterval` or `setTimeout`Data loss in a batch requestTainted input for Docker APIInsecure temporary file or directoryCheck failed records when using kinesisAWS api logging disabled cdkImproper Access Control CDKLeast privilege violationFile extension validationResource leakSet SNS Return Subscription ARNInsecure object attribute modificationMissing Authentication for Critical Function CDKTypeof expressionAWS missing encryption of sensitive data cdkUnauthenticated Amazon SNS unsubscribe requests might succeedCross-site request forgeryClient-side KMS reencryptionInsecure cryptographyDeserialization of untrusted objectClear text credentialsImproper handling of case sensitivityUnsanitized input is run as codeProtection mechanism failureUse of a deprecated methodSensitive information leakDNS prefetchingExposure of Sensitive Information CDKInsecure JWT parsingLoose file permissionsMissing Authorization CDKSensitive query stringInsufficient Logging CDKOS command injectionNoSQL injectionUnverified hostnamePath traversalOrigins-verified cross-origin communicationsLDAP injectionSNS don't bind subscribe and publishS3 partial encrypt CDKNon-literal regular expressionStack trace exposureFile and directory information exposureUsage of an API that is not recommendedLazy Load ModuleDisabled HTML autoescapeImproper access controlCross-site scriptingSensitive data stored unencrypted due to partial encryptionAWS client not reused in a Lambda functionURL redirection to untrusted siteUntrusted data in security decision
Timing attack High
Operators like == and === are not time-safe and can make your application vulnerable to a timing attack, which might enable attackers to infer security-sensitive information.
Detector ID
typescript/timing-attack@v1.0
Category
Common Weakness Enumeration (CWE) 
Tags
Noncompliant example
1import express, {Request, Response} from 'express'
2var app = express()
3const password = "myPass";
4function timingAttackNoncompliant() {
5 app.get("/user/login", function (req: Request, res: Response) {
6 // Noncompliant: '===' operator is used with sensitive data field.
7 if (password === "myPass") {
8 // logIn()
9 }
10 });
11}
Compliant example
1import express, {Request, Response} from 'express'
2var app = express()
3var compare = require("secure-compare");
4function timingAttackCompliant() {
5 app.get("/user/login", function (req: Request, res: Response) {
6 // Compliant: sensitive data field is compared using 'secure-compare'.
7 if (compare(password, "myPass")) {
8 //
9 }
10 });
11}