
sidrachain/blockscout-frontend

https://github.com/SidraChain/blockscout-frontend · lang: typescript · LOC: · source: user_submitted

Quality: 68.5 (Grade B-)
Security: 100.0
Findings: 87 (3 critical · 15 high)
Status: completed · May 24, 2026 01:21
By severity: critical 3 · high 15 · medium 17 · low 22 · info 30
Top rules by occurrence
Rule · Severity · Count
AIC003 Duplicated implementation block across source files · low · 14
MINED058 React Dangerously Set Html · info · 4
SEC136 AI-typical over-broad exception handler swallowing all erro… · medium · 4
MINED043 Http Not Https · info · 4
SEC040 innerHTML XSS — template literal with server-supplied data · high · 4
ERR002 [ERR002] Empty Catch Block: Empty catch blocks hide errors. · medium · 4
SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from use… · high · 4
MINED045 Ts Non Null Assertion · info · 4
MINED044 Js Console Log Prod · info · 4
SEC128 Async function without await — fire-and-forget Promise (AI … · high · 4
First 87 findings (severity-sorted)
critical JRN001 Token handoff appears to use a callback URL or fragment
ui/searchResults/SearchResultListItem.tsx:50 · conf 0.88
Token handoff appears to use a callback URL or fragment
critical JRN001 Token handoff appears to use a callback URL or fragment
ui/searchResults/SearchResultTableItem.tsx:50 · conf 0.88
Token handoff appears to use a callback URL or fragment
critical JRN001 Token handoff appears to use a callback URL or fragment
ui/shared/entities/pool/PoolEntity.tsx:6 · conf 0.88
Token handoff appears to use a callback URL or fragment
high MINED004 Weak Crypto CWE-327
ui/shared/entities/address/NounsIdenticon.tsx:24 · conf 1.00
[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).
high MINED118 Dockerfile FROM not pinned by sha256 digest CWE-829
Dockerfile:4 · conf 0.90
[MINED118] Dockerfile FROM `node:22.14.0-alpine` not pinned by digest: `FROM node:22.14.0-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every…
high MINED118 Dockerfile FROM not pinned by sha256 digest CWE-829
Dockerfile:70 · conf 0.90
[MINED118] Dockerfile FROM `node:22.14.0-alpine` not pinned by digest: `FROM node:22.14.0-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every…
high MINED118 Dockerfile FROM not pinned by sha256 digest CWE-829
Dockerfile:147 · conf 0.90
[MINED118] Dockerfile FROM `node:22.14.0-alpine` not pinned by digest: `FROM node:22.14.0-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every…
high MINED122 package.json dep pulled from git URL or tarball CWE-829
package.json:1 · conf 0.90
[MINED122] package.json dep `gradient-avatar` pulled from URL/Git: `dependencies.gradient-avatar` = `git+https://github.com/blockscout/gradient-avatar.git` bypasses the npm registry. No integrity has…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
configs/app/apis.ts:116 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
configs/app/features/addressProfileAPI.ts:12 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
configs/app/utils.ts:55 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC040 innerHTML XSS — template literal with server-supplied data
deploy/tools/affected-tests/index.js:173 · conf 1.00
[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
high SEC040 innerHTML XSS — template literal with server-supplied data
deploy/tools/sitemap-generator/next-sitemap.config.js:209 · conf 1.00
[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
high SEC040 innerHTML XSS — template literal with server-supplied data
nextjs/utils/fetchProxy.ts:17 · conf 1.00
[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
high SEC085 JS: child_process.exec with non-literal
deploy/tools/affected-tests/index.js:52 · conf 1.00
[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
high SEC128 Async function without await — fire-and-forget Promise (AI mistake)
nextjs/middlewares/appProfile.ts:18 · conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
high SEC128 Async function without await — fire-and-forget Promise (AI mistake)
ui/marketplace/essentialDapps/revoke/hooks/useGetBlockTimestamp.tsx:44 · conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
high SEC128 Async function without await — fire-and-forget Promise (AI mistake)
ui/marketplace/utils.ts:56 · conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
medium AGT007 localStorage write failures are swallowed silently
lib/growthbook/init.ts:68 · conf 0.80
localStorage write failures are swallowed silently
medium AGT007 localStorage write failures are swallowed silently
lib/hooks/useRewardsActivity.tsx:98 · conf 0.80
localStorage write failures are swallowed silently
medium AUC001 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
· conf 0.92
[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
medium CORE_NO_CI No CI/CD configuration found
No CI/CD configuration found
medium DKR014 Dockerfile copies the entire context without .dockerignore
Dockerfile:87 · conf 0.76
Dockerfile copies broad context with incomplete .dockerignore
medium ERR002 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
deploy/tools/affected-tests/index.js:130 · conf 1.00
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
medium ERR002 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
deploy/tools/envs-validator/utils.ts:17 · conf 1.00
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
medium ERR002 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
instrumentation.node.ts:53 · conf 1.00
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
medium SEC041 Tabnabbing — target="_blank" without rel="noopener noreferrer"
ui/shared/ad/SpecifyBanner.tsx:61 · conf 1.00
[SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run win…
medium SEC041 Tabnabbing — target="_blank" without rel="noopener noreferrer"
ui/sol2uml/Sol2UmlDiagram.tsx:62 · conf 1.00
[SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run win…
medium SEC134 AI scaffold leftover — Lorem ipsum / example.com / John Doe in code
ui/home/Highlights.pw.tsx:22 · conf 1.00
[SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't…
medium SEC134 AI scaffold leftover — Lorem ipsum / example.com / John Doe in code
ui/pages/Marketplace.pw.tsx:18 · conf 1.00
[SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't…
medium SEC134 AI scaffold leftover — Lorem ipsum / example.com / John Doe in code
ui/publicTags/submit/mocks.ts:10 · conf 1.00
[SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't…
medium SEC136 AI-typical over-broad exception handler swallowing all errors
configs/app/utils.ts:24 · conf 1.00
[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unf…
medium SEC136 AI-typical over-broad exception handler swallowing all errors
deploy/tools/multichain-config-generator/index.ts:98 · conf 1.00
[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unf…
medium SEC136 AI-typical over-broad exception handler swallowing all errors
ui/address/contract/methods/form/useValidateField.tsx:45 · conf 1.00
[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unf…
medium WEB003 Public web service has no security.txt
.well-known/security.txt · conf 0.78
Public web service has no security.txt
low AIC003 Duplicated implementation block across source files
configs/app/features/easterEggPuzzleBadge.ts:5 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
configs/multichain/config.edge.ts:1 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
configs/multichain/config.nodejs.ts:12 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
deploy/tools/envs-validator/schema_multichain.ts:12 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
deploy/tools/essential-dapps-chains-config-generator/vite.config.ts:15 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
deploy/tools/llms-txt-generator/vite.config.ts:1 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
deploy/tools/llms-txt-generator/vite.config.ts:17 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
deploy/tools/multichain-config-generator/index.ts:33 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
deploy/tools/multichain-config-generator/vite.config.ts:1 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
deploy/tools/multichain-config-generator/vite.config.ts:9 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
deploy/tools/multichain-config-generator/worker.ts:1 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
lib/xStarScore/useFetchXStarScore.ts:26 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
pages/batches/celestia/[height]/[commitment].tsx:2 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
svgo.config.js:1 · conf 0.86
Duplicated implementation block across source files
low DKR008 .dockerignore misses sensitive defaults
.dockerignore · conf 0.72
.dockerignore misses sensitive defaults
low SEC006 XSS Risk
ui/shared/ad/AdbutlerBanner.tsx:44 · conf 0.40
[SEC006] XSS Risk: Direct HTML injection without sanitization.
low SEC006 XSS Risk
ui/shared/ad/adbutlerScript.ts:21 · conf 0.40
[SEC006] XSS Risk: Direct HTML injection without sanitization.
low SEC006 XSS Risk
ui/sol2uml/Sol2UmlDiagram.tsx:63 · conf 0.40
[SEC006] XSS Risk: Direct HTML injection without sanitization.
low SEC132 String concat where the language has interpolation (AI style drift)
ui/csvExport/CsvExportForm.tsx:86 · conf 1.00
[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template liter…
low WEB001 Public web app has no robots.txt
robots.txt · conf 0.74
Public web app has no robots.txt
low WEB002 Public web app has no sitemap
sitemap.xml · conf 0.72
Public web app has no sitemap
low WEB011 Public web app has no humans.txt
humans.txt · conf 0.50
Public web app has no humans.txt
info ERR002 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
· conf 0.20
[ERR002] Empty Catch Block (and 18 more): Same pattern found in 18 additional files. Review if needed.
info MINED043 Http Not Https CWE-319
· conf 0.20
[MINED043] Http Not Https (and 2 more): Same pattern found in 2 additional files. Review if needed.
info MINED043 Http Not Https CWE-319
configs/essential-dapps-chains/config.edge.ts:20 · conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
info MINED043 Http Not Https CWE-319
configs/multichain/config.edge.ts:20 · conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
info MINED043 Http Not Https CWE-319
instrumentation.node.ts:44 · conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
info MINED044 Js Console Log Prod CWE-532
· conf 0.20
[MINED044] Js Console Log Prod (and 12 more): Same pattern found in 12 additional files. Review if needed.
info MINED044 Js Console Log Prod CWE-532
deploy/scripts/og_image_generator.js:5 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED044 Js Console Log Prod CWE-532
deploy/tools/affected-tests/index.js:51 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED044 Js Console Log Prod CWE-532
deploy/tools/envs-validator/index.ts:19 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED045 Ts Non Null Assertion CWE-476
· conf 0.20
[MINED045] Ts Non Null Assertion (and 26 more): Same pattern found in 26 additional files. Review if needed.
info MINED045 Ts Non Null Assertion CWE-476
nextjs/getServerSideProps/guards.ts:224 · conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
info MINED045 Ts Non Null Assertion CWE-476
pages/api/tokens/[hash]/instances/[id]/media-type.ts:19 · conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
info MINED045 Ts Non Null Assertion CWE-476
toolkit/components/charts/ChartWidget.tsx:79 · conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
info MINED052 Ts Any Typed CWE-704
ui/apiDocs/types.ts:3 · conf 1.00
[MINED052] Ts Any Typed: `: any` used as type annotation. Defeats TypeScript type safety.
info MINED053 Placeholder Default Username CWE-1392 CWE-798
ui/snippets/auth/AuthModal.pw.tsx:21 · conf 1.00
[MINED053] Placeholder Default Username: [email protected] / [email protected] / admin/admin / changeme — typical AI placeholder credentials.
info MINED054 Ts As Any CWE-704
toolkit/components/charts/parts/ChartMenu.tsx:121 · conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
info MINED054 Ts As Any CWE-704
ui/pages/Chart.tsx:245 · conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
info MINED055 Npm Install No Lockfile CWE-1357
tools/scripts/pw.docker.deps.sh:16 · conf 1.00
[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci.
info MINED058 React Dangerously Set Html CWE-79
· conf 0.20
[MINED058] React Dangerously Set Html (and 9 more): Same pattern found in 9 additional files. Review if needed.
info MINED058 React Dangerously Set Html CWE-79
ui/address/details/AddressAlerts.tsx:46 · conf 1.00
[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or never use with user data.
info MINED058 React Dangerously Set Html CWE-79
ui/address/details/AddressQrCode.tsx:93 · conf 1.00
[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or never use with user data.
info MINED058 React Dangerously Set Html CWE-79
ui/searchResults/SearchResultEntityTag.tsx:25 · conf 1.00
[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or never use with user data.
info SEC020 Secret Printed to Logs
deploy/tools/essential-dapps-chains-config-generator/index.ts:102 · conf 0.10
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
info SEC020 Secret Printed to Logs
deploy/tools/multichain-config-generator/index.ts:110 · conf 0.10
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
info SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
· conf 0.20
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input (and 43 more): Same pattern found in 43 additional files. Review if needed.
info SEC040 innerHTML XSS — template literal with server-supplied data
· conf 0.20
[SEC040] innerHTML XSS — template literal with server-supplied data (and 4 more): Same pattern found in 4 additional files. Review if needed.
info SEC118 UUIDv1 / UUIDv3 used for security-sensitive identifier
nextjs/getServerSideProps/handlers.ts:44 · conf 0.10
[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable.
info SEC128 Async function without await — fire-and-forget Promise (AI mistake)
· conf 0.20
[SEC128] Async function without await — fire-and-forget Promise (AI mistake) (and 6 more): Same pattern found in 6 additional files. Review if needed.
info SEC134 AI scaffold leftover — Lorem ipsum / example.com / John Doe in code
· conf 0.20
[SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code (and 6 more): Same pattern found in 6 additional files. Review if needed.
info SEC136 AI-typical over-broad exception handler swallowing all errors
· conf 0.20
[SEC136] AI-typical over-broad exception handler swallowing all errors (and 3 more): Same pattern found in 3 additional files. Review if needed.
