bigbodycobain/shadowbroker

[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data — RCE.

[MINED030] Python Pickle Loads: pickle.loads() can execute arbitrary code via __reduce__.

[SEC001] Hardcoded Password: Hardcoded password found in source code.

[SEC081] Python: pickle.loads / marshal.loads on untrusted data: pickle.load(s) and marshal.load(s) execute arbitrary code on untrusted input. Ported from dlint DUO103 / DUO120 (BSD-3).

LLM memory extraction can be prompt-injected into storing fake facts

[COMP001] High cognitive complexity: Function `_refresh_node_peer_store` has cognitive complexity 33 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to underst…

Dockerfile pipes a remote script into a shell

Secret-like setting is echoed into a password input value

[MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.

[MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.

[MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.

[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere.

[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere.

[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere.

[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).

[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).

[MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and SystemExit from working.

[MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and SystemExit from working.

[MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and SystemExit from working.

[MINED009] Floats For Money: Variable named price/amount/cost typed as float instead of Decimal.

[MINED009] Floats For Money: Variable named price/amount/cost typed as float instead of Decimal.

[MINED009] Floats For Money: Variable named price/amount/cost typed as float instead of Decimal.

[MINED036] Python Os System Call: os.system() invokes shell with no escaping.

[SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.

[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…

[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…

[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…

[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…

[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…

[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…

[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-…

[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-…

[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-…

[SEC080] Python: tarfile.extractall without filter: tarfile.extract*() without filter='data' allows path-traversal (CVE-2007-4559, fixed via PEP 706 in 3.12). Ported from bandit B202 (Apache-2.0).

[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0).

[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).

[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).

[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `A…

[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `A…

[SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts.

[SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts.

[SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts.

[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…

[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…

[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…

[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we…

localStorage write failures are swallowed silently

localStorage write failures are swallowed silently

localStorage write failures are swallowed silently

localStorage write failures are swallowed silently

localStorage write failures are swallowed silently

localStorage write failures are swallowed silently

Agent control bridge may listen on a network interface without visible auth

[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.

[AUC002] Low visible authorization coverage in route inventory: Only 28.6% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.

[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin acc…

[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin acc…

[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin acc…

[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…

[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…

[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…

[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…

[COMP001] High cognitive complexity: Function `_cctv_proxy_profile_for_url` has cognitive complexity 23 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to unde…

Compose service `backend` image uses the latest tag

Compose service `frontend` image uses the latest tag

Dockerfile ADD downloads remote content

Dockerfile copies broad context with incomplete .dockerignore

[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.

[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.

[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.

[ERR002] Empty Catch Block: Empty catch blocks hide errors.

[ERR002] Empty Catch Block: Empty catch blocks hide errors.

[ERR002] Empty Catch Block: Empty catch blocks hide errors.

Frontend API reference is not matched by discovered backend routes

Frontend API reference is not matched by discovered backend routes

Frontend API reference is not matched by discovered backend routes

Frontend API reference is not matched by discovered backend routes

Frontend API reference is not matched by discovered backend routes

Frontend API reference is not matched by discovered backend routes

Frontend API reference is not matched by discovered backend routes

Frontend API reference is not matched by discovered backend routes

Frontend API reference is not matched by discovered backend routes

Frontend API reference is not matched by discovered backend routes

Frontend API reference is not matched by discovered backend routes

Frontend API reference is not matched by discovered backend routes

Frontend API reference is not matched by discovered backend routes

Frontend API reference is not matched by discovered backend routes

Frontend API reference is not matched by discovered backend routes

[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.

[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.

[SEC012] ZipSlip — Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory.

[SEC012] ZipSlip — Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory.

[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.

[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.

[SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run win…

[SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run win…

[SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run win…

[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …

[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …

[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …

[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes conce…

[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes conce…

[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes conce…

[SEC119] World-writable / world-readable file permissions: World-writable files let any local user (or container neighbor) tamper with data; world-readable files leak secrets.

[SEC119] World-writable / world-readable file permissions: World-writable files let any local user (or container neighbor) tamper with data; world-readable files leak secrets.

[SEC127] AI agent stub — TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass…

[SEC127] AI agent stub — TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass…

[SEC127] AI agent stub — TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass…

[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unf…

[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unf…

[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unf…

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

[COMP001] High cognitive complexity: Function `api_set_meshtastic_mqtt_settings` has cognitive complexity 11 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to…

Compose service does not declare a runtime user

Compose service does not declare a runtime user

Compose service lacks no-new-privileges hardening

Compose service lacks no-new-privileges hardening

.dockerignore misses sensitive defaults

[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.

[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.

[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.

[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.

[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.

[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.

[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.

[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.

[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.

[MINED047] Emoji In Source: Emoji ✅ ❌ 🚀 in code/comments — common AI output unless explicitly requested.

[MINED047] Emoji In Source: Emoji ✅ ❌ 🚀 in code/comments — common AI output unless explicitly requested.

[MINED047] Emoji In Source: Emoji ✅ ❌ 🚀 in code/comments — common AI output unless explicitly requested.

[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.

[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.

[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.

[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.

[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.

[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.

[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.

[MINED053] Placeholder Default Username: [email protected] / [email protected] / admin/admin / changeme — typical AI placeholder credentials.

[MINED053] Placeholder Default Username: [email protected] / [email protected] / admin/admin / changeme — typical AI placeholder credentials.

[MINED053] Placeholder Default Username: [email protected] / [email protected] / admin/admin / changeme — typical AI placeholder credentials.

[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.

[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci.

[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci.

[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.

[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.

[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.

[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message.

[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message.

[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message.

[MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model.

[MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model.

[MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model.

[MINED063] Toctou Os Path Exists: if os.path.exists(p): open(p) — file can be replaced/deleted between check and use.

[MINED063] Toctou Os Path Exists: if os.path.exists(p): open(p) — file can be replaced/deleted between check and use.

[MINED063] Toctou Os Path Exists: if os.path.exists(p): open(p) — file can be replaced/deleted between check and use.

[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints.

[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints.

[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints.

[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors.

[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever.

[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever.

[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever.

[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside.

[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside.

[MINED072] Python Pass Only Class: class Foo: pass — stub waiting to be filled in.

[MINED072] Python Pass Only Class: class Foo: pass — stub waiting to be filled in.

[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles.