https://github.com/jeplaguitlla24/divieto-mundial-2026.git · lang: javascript · LOC: · source: user_submitted
| Rule | Severity | Count |
|---|---|---|
| AIC003 Duplicated implementation block across source files | low | 6 |
| MINED044 Js Console Log Prod | info | 4 |
| SEC006 XSS Risk | high | 3 |
| SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from use… | high | 2 |
| SEC040 innerHTML XSS — template literal with server-supplied data | high | 2 |
| CORE_NO_README No README file found | medium | 1 |
| CORE_NO_LICENSE No LICENSE file | low | 1 |
| SEC045 eval()/exec() on stored or user-supplied data | medium | 1 |
| AGT007 localStorage write failures are swallowed silently | medium | 1 |
| CORE_NO_CI No CI/CD configuration found | medium | 1 |
| Rule | Title | CWE | Location | Conf | Details |
|---|---|---|---|---|---|
| MINED024 | Js Eval Usage | CWE-95 | scripts/fetch-fotos.js:40 | 1.00 | eval() executes arbitrary code. Code injection risk. |
| SEC049 | GCP API key | | public/js/config.js:6 | 1.00 | Google Cloud API key (AIza prefix). Ported from gitleaks gcp-api-key (MIT). |
| SEC040 | innerHTML XSS — template literal with server-supplied data | | scripts/fetch-fotos.js:186 | 1.00 | Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect… |
| SEC040 | innerHTML XSS — template literal with server-supplied data | | scripts/generate-card-explainer-image.js:76 | 1.00 | Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect… |
| SEC083 | JS: new RegExp() with non-literal | | scripts/convert-to-webp.js:32 | 1.00 | `new RegExp(<variable>)` — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0). |
| AGT007 | localStorage write failures are swallowed silently | | public/app/draft/index.html:785 | 0.80 | |
| CORE_NO_CI | No CI/CD configuration found | | | | |
| CORE_NO_README | No README file found | | | | |
| SEC045 | eval()/exec() on stored or user-supplied data | | scripts/fetch-fotos.js:40 | 1.00 | eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (`__builtins__` … |
| WEB003 | Public web service has no security.txt | | .well-known/security.txt | 0.78 | |
| WEB015 | Public web app has no Content Security Policy | | index.html | 0.70 | |
| AIC003 | Duplicated implementation block across source files | | public/js/cartas.js:10 | 0.86 | |
| AIC003 | Duplicated implementation block across source files | | public/js/selecciones-data.js:1 | 0.86 | |
| AIC003 | Duplicated implementation block across source files | | scripts/generate-chemistry-image.js:167 | 0.86 | |
| AIC003 | Duplicated implementation block across source files | | scripts/poller.js:47 | 0.86 | |
| AIC003 | Duplicated implementation block across source files | | scripts/scoring.js:28 | 0.86 | |
| AIC003 | Duplicated implementation block across source files | | scripts/sync-sofascore-worldcup.js:76 | 0.86 | |
| CORE_NO_LICENSE | No LICENSE file | | | | |
| SEC006 | XSS Risk | | public/shared/nav.js:61 | 0.40 | Direct HTML injection without sanitization. |
| SEC006 | XSS Risk | | scripts/generate-card-explainer-image.js:130 | 0.40 | Direct HTML injection without sanitization. |
| SEC006 | XSS Risk | | scripts/generate-chemistry-image.js:187 | 0.40 | Direct HTML injection without sanitization. |
| SEC132 | String concat where the language has interpolation (AI style drift) | | scripts/bump.cjs:41 | 1.00 | String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template liter… |
| WEB001 | Public web app has no robots.txt | | robots.txt | 0.74 | |
| WEB002 | Public web app has no sitemap | | sitemap.xml | 0.72 | |
| WEB011 | Public web app has no humans.txt | | humans.txt | 0.50 | |
| MINED043 | Http Not Https | CWE-319 | public/shared/nav.js:56 | 1.00 | Hardcoded http:// (not localhost) for endpoints that handle credentials or data. |
| MINED044 | Js Console Log Prod | CWE-532 | | 0.20 | (and 29 more): Same pattern found in 29 additional files. Review if needed. |
| MINED044 | Js Console Log Prod | CWE-532 | functions/apertura.js:15 | 1.00 | console.log left in code. Should be replaced with logger or removed. |
| MINED044 | Js Console Log Prod | CWE-532 | functions/poller.js:64 | 1.00 | console.log left in code. Should be replaced with logger or removed. |
| MINED044 | Js Console Log Prod | CWE-532 | functions/triggers.js:18 | 1.00 | console.log left in code. Should be replaced with logger or removed. |
| MINED049 | Print Pii | CWE-532 | scripts/cleanup-users.js:49 | 1.00 | Logging password/token/email/ssn directly to stdout. |
| SEC029 | Server-Side Request Forgery (SSRF) — outbound HTTP from user input | | scripts/generate-card-explainer-image.js:144 | 0.10 | Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25… |
| SEC029 | Server-Side Request Forgery (SSRF) — outbound HTTP from user input | | scripts/generate-chemistry-image.js:202 | 0.10 | Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25… |