https://github.com/langbot-app/LangBot.git ·
lang: python ·
source: corpus_mined
| Rule | Severity | Count |
|---|---|---|
SEC015 Insecure Randomness for Security |
medium | 3 |
SEC020 Secret Printed to Logs |
high | 2 |
SEC017 Unbounded Input to LLM/External API |
medium | 2 |
SEC007 Unsafe Deserialization |
medium | 2 |
SEC014 SSL Verification Disabled |
medium | 1 |
SEC012 ZipSlip — Archive Path Traversal |
medium | 1 |
SEC002 Hardcoded API Key |
critical | 1 |
SEC006 XSS Risk |
high | 1 |
SEC002
Hardcoded API Key
src/langbot/pkg/api/http/controller/group.py:38
· conf 0.30
[SEC002] Hardcoded API Key: Hardcoded API key found in source code.SEC012
ZipSlip — Archive Path Traversal
src/langbot/pkg/utils/version.py:97
· conf 1.00
[SEC012] ZipSlip — Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory.SEC014
SSL Verification Disabled
src/langbot/pkg/utils/image.py:158
· conf 1.00
[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks.SEC017
Unbounded Input to LLM/External API
src/langbot/pkg/provider/modelmgr/requesters/chatcmpl.py:225
· conf 0.80
[SEC017] Unbounded Input to LLM/External API: User input is passed to an LLM or external AI API (OpenAI, Anthropic, etc.) without any visible length or size validation. This creates two risks: (1) Co…SEC017
Unbounded Input to LLM/External API
src/langbot/pkg/provider/modelmgr/requesters/modelscopechatcmpl.py:218
· conf 0.80
[SEC017] Unbounded Input to LLM/External API: User input is passed to an LLM or external AI API (OpenAI, Anthropic, etc.) without any visible length or size validation. This creates two risks: (1) Co…SEC006
XSS Risk
src/langbot/templates/embed/widget.js:735
· conf 0.40
[SEC006] XSS Risk: Direct HTML injection without sanitization.SEC007
Unsafe Deserialization
src/langbot/pkg/config/impls/yaml.py:50
· conf 0.10
[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.SEC007
Unsafe Deserialization
src/langbot/pkg/core/stages/load_config.py:218
· conf 0.10
[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.SEC015
Insecure Randomness for Security
src/langbot/pkg/pipeline/resprule/rules/random.py:21
· conf 0.25
[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.SEC015
Insecure Randomness for Security
web/src/app/wizard/page.tsx:1177
· conf 0.25
[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.SEC015
Insecure Randomness for Security
web/src/components/ui/sidebar.tsx:617
· conf 0.15
[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.SEC020
Secret Printed to Logs
src/langbot/pkg/platform/sources/openclaw_weixin.py:421
· conf 0.15
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…SEC020
Secret Printed to Logs
src/langbot/pkg/platform/sources/wechatpad.py:693
· conf 0.10
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…Reading from rp.scan + rp.finding + rp.rule (unified schema, R78 series). Legacy data path unchanged. Compare with /scan/29212434-d867-460e-a547-04474f0a3df7/.