https://github.com/calcom/cal.diy.git ·
lang: typescript ·
LOC: ·
source: both
| Rule | Severity | Count |
|---|---|---|
| AIC003 Duplicated implementation block across source files | low | 8 |
| SEC036 HTTP Header Injection / CRLF Injection | high | 3 |
| SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from use… | high | 3 |
| DKR001 Docker final stage has no non-root USER | medium | 2 |
| DKR017 Dockerfile installs dependencies after copying the full sou… | medium | 1 |
| DKR004 Docker build secret exposed through ARG | medium | 1 |
| DKR014 Dockerfile copies the entire context without .dockerignore | high | 1 |
| DKR007 Docker build context has no .dockerignore | medium | 1 |
| AUC001 [AUC001] No Repobility access matrix policy found: The repo… | medium | 1 |
| CFG006 [CFG006] Missing .gitignore: No .gitignore file. Risk of co… | medium | 1 |
| Rule | Location | Conf | Finding |
|---|---|---|---|
| DKR004 | `Dockerfile:11` | 0.86 | Docker build secret exposed through ARG |
| DKR014 | `apps/api/v2/Dockerfile:17` | 0.92 | Dockerfile copies the entire context without .dockerignore |
| SEC029 | `apps/api/v2/src/modules/auth/oauth2/controllers/oauth2.controller.e2e-spec.ts:105` | 1.00 | Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25… |
| SEC029 | `apps/api/v2/src/modules/auth/oauth2/services/oauth2-error.service.ts:36` | 1.00 | Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25… |
| SEC029 | `.snaplet/transform.ts:208` | 1.00 | Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25… |
| SEC036 | `apps/api/v2/src/filters/calendar-service-exception.filter.ts:41` | 1.00 | HTTP Header Injection / CRLF Injection: Setting an HTTP response header from user input without stripping CRLF lets attackers inject extra headers (Set-Cookie, etc.) or split the response. R… |
| SEC036 | `apps/api/v2/src/filters/http-exception.filter.ts:19` | 1.00 | HTTP Header Injection / CRLF Injection: Setting an HTTP response header from user input without stripping CRLF lets attackers inject extra headers (Set-Cookie, etc.) or split the response. R… |
| SEC036 | `apps/api/v2/src/filters/prisma-exception.filter.ts:39` | 1.00 | HTTP Header Injection / CRLF Injection: Setting an HTTP response header from user input without stripping CRLF lets attackers inject extra headers (Set-Cookie, etc.) or split the response. R… |
| AUC001 | (repository-wide) | 0.92 | No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation. |
| CFG006 | (repository-wide) | 1.00 | Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts. |
| DKR001 | `apps/api/v2/Dockerfile:1` | 0.82 | Docker final stage has no non-root USER |
| DKR001 | `Dockerfile:77` | 0.82 | Docker final stage has no non-root USER |
| DKR007 | `.dockerignore` | 0.90 | Docker build context has no .dockerignore |
| DKR017 | `apps/api/v2/Dockerfile:19` | 0.90 | Dockerfile installs dependencies after copying the full source tree |
| AIC003 | `apps/api/v2/src/filters/trpc-exception.filter.ts:111` | 0.86 | Duplicated implementation block across source files |
| AIC003 | `apps/api/v2/src/modules/auth/decorators/get-user/get-user.decorator.ts:12` | 0.86 | Duplicated implementation block across source files |
| AIC003 | `apps/api/v2/src/modules/cal-unified-calendars/outputs/get-unified-calendar-event.output.ts:232` | 0.86 | Duplicated implementation block across source files |
| AIC003 | `apps/api/v2/src/modules/kysely/kysely-write.service.ts:13` | 0.86 | Duplicated implementation block across source files |
| AIC003 | `apps/api/v2/src/modules/oauth-clients/controllers/oauth-client-webhooks/oauth-client-webhooks.controller.e2e-spec.ts:168` | 0.86 | Duplicated implementation block across source files |
| AIC003 | `apps/api/v2/src/modules/prisma/prisma.module.ts:1` | 0.86 | Duplicated implementation block across source files |
| AIC003 | `apps/api/v2/src/modules/prisma/prisma-write.service.ts:49` | 0.86 | Duplicated implementation block across source files |
| AIC003 | `apps/api/v2/src/modules/selected-calendars/controllers/selected-calendars.controller.e2e-spec.ts:24` | 0.86 | Duplicated implementation block across source files |
Reading from rp.scan + rp.finding + rp.rule (unified schema, R78 series). Legacy data path unchanged. Compare with /scan/0d909f74-06e7-42e7-96df-356316f04628/.