https://github.com/drupal/drupal · lang: php · LOC: · source: user_submitted
| Rule | Severity | Count |
|---|---|---|
| AIC002 Source file name looks like an AI patch artifact | low | 18 |
| AIC004 Suspicious implementation file appears unreferenced | medium | 17 |
| AIC003 Duplicated implementation block across source files | low | 5 |
| SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from use… | high | 4 |
| MINED048 Php Error Suppress | info | 4 |
| SEC128 Async function without await — fire-and-forget Promise (AI … | high | 4 |
| MINED043 Http Not Https | info | 4 |
| SEC041 Tabnabbing — target="_blank" without rel="noopener noreferr… | medium | 3 |
| SEC040 innerHTML XSS — template literal with server-supplied data | high | 3 |
| SEC136 AI-typical over-broad exception handler swallowing all erro… | medium | 3 |
| Rule | Finding | CWE | Location | Conf | Detail |
|---|---|---|---|---|---|
| MINED019 | Ssti Jinja From String | CWE-94 | core/modules/ckeditor5/js/ckeditor5_plugins/drupalImage/src/imagealternativetext/ui/imagealternativetextformview.js:134 | 1.00 | jinja2.Environment().from_string(user_input) — full RCE via templates. |
| MINED019 | Ssti Jinja From String | CWE-94 | core/modules/ckeditor5/js/ckeditor5_plugins/drupalMedia/src/mediaimagetextalternative/ui/textalternativeformview.js:90 | 1.00 | jinja2.Environment().from_string(user_input) — full RCE via templates. |
| SEC029 | Server-Side Request Forgery (SSRF) — outbound HTTP from user input | | core/misc/htmx/htmx-assets.js:45 | 1.00 | Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25… |
| SEC029 | Server-Side Request Forgery (SSRF) — outbound HTTP from user input | | core/misc/timezone.js:70 | 1.00 | Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25… |
| SEC029 | Server-Side Request Forgery (SSRF) — outbound HTTP from user input | | core/modules/announcements_feed/src/AnnounceFetcher.php:95 | 1.00 | Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25… |
| SEC040 | innerHTML XSS — template literal with server-supplied data | | core/misc/active-link.js:43 | 1.00 | Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect… |
| SEC040 | innerHTML XSS — template literal with server-supplied data | | core/misc/message.js:263 | 1.00 | Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect… |
| SEC040 | innerHTML XSS — template literal with server-supplied data | | core/misc/progress.js:85 | 1.00 | Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect… |
| SEC083 | JS: new RegExp() with non-literal | | core/misc/machine-name.js:45 | 1.00 | new RegExp(<variable>) — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0). |
| SEC085 | JS: child_process.exec with non-literal | | core/misc/tableresponsive.js:175 | 1.00 | child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0). |
| SEC128 | Async function without await — fire-and-forget Promise (AI mistake) | | core/misc/htmx/htmx-assets.js:78 | 1.00 | Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple… |
| SEC128 | Async function without await — fire-and-forget Promise (AI mistake) | | core/modules/ckeditor5/js/ckeditor5_plugins/drupalImage/src/imagealternativetext/drupalimagealternativetextediting.js:74 | 1.00 | Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple… |
| SEC128 | Async function without await — fire-and-forget Promise (AI mistake) | | core/modules/ckeditor5/js/ckeditor5_plugins/drupalImage/src/imagealternativetext/drupalimagealternativetextui.js:127 | 1.00 | Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple… |
| AIC004 | Suspicious implementation file appears unreferenced | | core/modules/block/block.post_update.php:1 | 0.78 | |
| AIC004 | Suspicious implementation file appears unreferenced | | core/modules/block_content/block_content.post_update.php:1 | 0.78 | |
| AIC004 | Suspicious implementation file appears unreferenced | | core/modules/ckeditor5/ckeditor5.post_update.php:1 | 0.78 | |
| AIC004 | Suspicious implementation file appears unreferenced | | core/modules/ckeditor5/js/ckeditor5.dialog.fix.js:1 | 0.78 | |
| AIC004 | Suspicious implementation file appears unreferenced | | core/modules/content_moderation/content_moderation.post_update.php:1 | 0.78 | |
| AIC004 | Suspicious implementation file appears unreferenced | | core/modules/field/field.post_update.php:1 | 0.78 | |
| AIC004 | Suspicious implementation file appears unreferenced | | core/modules/help/help.post_update.php:1 | 0.78 | |
| AIC004 | Suspicious implementation file appears unreferenced | | core/modules/layout_builder/layout_builder.post_update.php:1 | 0.78 | |
| AIC004 | Suspicious implementation file appears unreferenced | | core/modules/locale/locale.post_update.php:1 | 0.78 | |
| AIC004 | Suspicious implementation file appears unreferenced | | core/modules/media_library/media_library.post_update.php:1 | 0.78 | |
| AIC004 | Suspicious implementation file appears unreferenced | | core/modules/media/media.post_update.php:1 | 0.78 | |
| AIC004 | Suspicious implementation file appears unreferenced | | core/modules/node/node.post_update.php:1 | 0.78 | |
| AIC004 | Suspicious implementation file appears unreferenced | | core/modules/system/system.post_update.php:1 | 0.78 | |
| AIC004 | Suspicious implementation file appears unreferenced | | core/modules/taxonomy/taxonomy.post_update.php:1 | 0.78 | |
| AIC004 | Suspicious implementation file appears unreferenced | | core/modules/update/update.post_update.php:1 | 0.78 | |
| AIC004 | Suspicious implementation file appears unreferenced | | core/modules/views/views.post_update.php:1 | 0.78 | |
| AIC004 | Suspicious implementation file appears unreferenced | | core/modules/workspaces/workspaces.post_update.php:1 | 0.78 | |
| CFG006 | Missing .gitignore | | | 1.00 | No .gitignore file. Risk of committing secrets and build artifacts. |
| SEC041 | Tabnabbing — target="_blank" without rel="noopener noreferrer" | | core/modules/datetime/src/Plugin/Field/FieldFormatter/DateTimeCustomFormatter.php:72 | 1.00 | <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run win… |
| SEC041 | Tabnabbing — target="_blank" without rel="noopener noreferrer" | | core/modules/file/js/file.js:292 | 1.00 | <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run win… |
| SEC041 | Tabnabbing — target="_blank" without rel="noopener noreferrer" | | core/modules/system/src/Controller/SystemInfoController.php:87 | 1.00 | <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run win… |
| SEC045 | eval()/exec() on stored or user-supplied data | | composer/Composer.php:86 | 1.00 | eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ … |
| SEC045 | eval()/exec() on stored or user-supplied data | | core/misc/tableresponsive.js:175 | 1.00 | eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ … |
| SEC045 | eval()/exec() on stored or user-supplied data | | core/modules/sqlite/src/Driver/Database/sqlite/SqliteConnection.php:38 | 1.00 | eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ … |
| SEC136 | AI-typical over-broad exception handler swallowing all errors | | core/modules/layout_builder/src/SectionStorage/SectionStorageManager.php:78 | 1.00 | Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unf… |
| SEC136 | AI-typical over-broad exception handler swallowing all errors | | core/modules/navigation/src/Menu/NavigationMenuLinkTreeManipulators.php:110 | 1.00 | Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unf… |
| SEC136 | AI-typical over-broad exception handler swallowing all errors | | core/modules/system/src/PathBasedBreadcrumbBuilder.php:147 | 1.00 | Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unf… |
| AIC002 | Source file name looks like an AI patch artifact | | core/modules/block/block.post_update.php:1 | 0.62 | |
| AIC002 | Source file name looks like an AI patch artifact | | core/modules/block_content/block_content.post_update.php:1 | 0.62 | |
| AIC002 | Source file name looks like an AI patch artifact | | core/modules/ckeditor5/ckeditor5.post_update.php:1 | 0.62 | |
| AIC002 | Source file name looks like an AI patch artifact | | core/modules/ckeditor5/js/ckeditor5.dialog.fix.js:1 | 0.62 | |
| AIC002 | Source file name looks like an AI patch artifact | | core/modules/content_moderation/content_moderation.post_update.php:1 | 0.62 | |
| AIC002 | Source file name looks like an AI patch artifact | | core/modules/field/field.post_update.php:1 | 0.62 | |
| AIC002 | Source file name looks like an AI patch artifact | | core/modules/help/help.post_update.php:1 | 0.62 | |
| AIC002 | Source file name looks like an AI patch artifact | | core/modules/layout_builder/layout_builder.post_update.php:1 | 0.62 | |
| AIC002 | Source file name looks like an AI patch artifact | | core/modules/locale/locale.post_update.php:1 | 0.62 | |
| AIC002 | Source file name looks like an AI patch artifact | | core/modules/media_library/media_library.post_update.php:1 | 0.62 | |
| AIC002 | Source file name looks like an AI patch artifact | | core/modules/media/media.post_update.php:1 | 0.62 | |
| AIC002 | Source file name looks like an AI patch artifact | | core/modules/node/node.post_update.php:1 | 0.62 | |
| AIC002 | Source file name looks like an AI patch artifact | | core/modules/system/system.post_update.php:1 | 0.62 | |
| AIC002 | Source file name looks like an AI patch artifact | | core/modules/taxonomy/taxonomy.post_update.php:1 | 0.62 | |
| AIC002 | Source file name looks like an AI patch artifact | | core/modules/update/update.post_update.php:1 | 0.62 | |
| AIC002 | Source file name looks like an AI patch artifact | | core/modules/views/views.post_update.php:1 | 0.62 | |
| AIC002 | Source file name looks like an AI patch artifact | | core/modules/workspaces/workspaces.post_update.php:1 | 0.62 | |
| AIC002 | Source file name looks like an AI patch artifact | | core/scripts/js/vendor-update.js:1 | 0.62 | |
| AIC003 | Duplicated implementation block across source files | | composer/Generator/Builder/DrupalPinnedDevDependenciesBuilder.php:27 | 0.86 | |
| AIC003 | Duplicated implementation block across source files | | core/assets/scaffold/files/ht.router.php:1 | 0.86 | |
| AIC003 | Duplicated implementation block across source files | | core/lib/Drupal/Component/DependencyInjection/PhpArrayContainer.php:24 | 0.86 | |
| AIC003 | Duplicated implementation block across source files | | core/lib/Drupal/Component/FileSecurity/FileSecurity.php:3 | 0.86 | |
| AIC003 | Duplicated implementation block across source files | | core/lib/Drupal/Component/PhpStorage/FileStorage.php:76 | 0.86 | |
| CORE_NO_LICENSE | No LICENSE file | | | | |
| SEC006 | XSS Risk | | core/misc/announce.js:77 | 0.40 | Direct HTML injection without sanitization. |
| SEC006 | XSS Risk | | core/misc/message.js:61 | 0.40 | Direct HTML injection without sanitization. |
| SEC006 | XSS Risk | | core/modules/ckeditor5/js/ckeditor5_plugins/drupalEntityLinkSuggestions/src/index.js:172 | 0.40 | Direct HTML injection without sanitization. |
| WEB005 | robots.txt does not advertise a sitemap | | robots.txt | 0.74 | |
| MINED043 | Http Not Https | CWE-319 | | 0.20 | (and 9 more): Same pattern found in 9 additional files. Review if needed. |
| MINED043 | Http Not Https | CWE-319 | core/install.php:42 | 1.00 | Hardcoded http:// (not localhost) for endpoints that handle credentials or data. |
| MINED043 | Http Not Https | CWE-319 | core/modules/basic_auth/src/Hook/BasicAuthHooks.php:26 | 1.00 | Hardcoded http:// (not localhost) for endpoints that handle credentials or data. |
| MINED043 | Http Not Https | CWE-319 | core/modules/breakpoint/src/Hook/BreakpointHooks.php:33 | 1.00 | Hardcoded http:// (not localhost) for endpoints that handle credentials or data. |
| MINED044 | Js Console Log Prod | CWE-532 | core/modules/ckeditor5/js/ckeditor5_plugins/drupalMedia/src/drupalelementstyle/drupalelementstyleediting.js:256 | 1.00 | console.log left in code. Should be replaced with logger or removed. |
| MINED044 | Js Console Log Prod | CWE-532 | core/modules/ckeditor5/js/ckeditor5_plugins/drupalMedia/src/drupalmediageneralhtmlsupport.js:198 | 1.00 | console.log left in code. Should be replaced with logger or removed. |
| MINED044 | Js Console Log Prod | CWE-532 | core/modules/ckeditor5/js/ckeditor5_plugins/drupalMedia/src/mediaimagetextalternative/mediaimagetextalternativeui.js:215 | 1.00 | console.log left in code. Should be replaced with logger or removed. |
| MINED048 | Php Error Suppress | CWE-755 | | 0.20 | (and 46 more): Same pattern found in 46 additional files. Review if needed. |
| MINED048 | Php Error Suppress | CWE-755 | composer/Plugin/VendorHardening/FileSecurity.php:126 | 1.00 | @function() suppresses errors silently. Hides real issues. |
| MINED048 | Php Error Suppress | CWE-755 | core/modules/big_pipe/src/Render/BigPipeResponseAttachmentsProcessor.php:44 | 1.00 | @function() suppresses errors silently. Hides real issues. |
| MINED048 | Php Error Suppress | CWE-755 | .gitlab-ci/scripts/component-coverage-metrics.php:27 | 1.00 | @function() suppresses errors silently. Hides real issues. |
| MINED098 | Global Scope Pollution | | core/modules/big_pipe/js/big_pipe.commands.js:94 | 1.00 | Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming colli… |
| SEC029 | Server-Side Request Forgery (SSRF) — outbound HTTP from user input | | | 0.20 | (and 18 more): Same pattern found in 18 additional files. Review if needed. |
| SEC128 | Async function without await — fire-and-forget Promise (AI mistake) | | | 0.20 | (and 2 more): Same pattern found in 2 additional files. Review if needed. |