pascalorg/editor

https://github.com/pascalorg/editor.git · lang: typescript · LOC: · source: both

Quality: 73.2 (Grade B)
Security: 100.0
Findings: 94 (0 critical · 17 high)
Status: completed (Jun 4, 2026 04:07)
By severity: high 17 · medium 20 · low 31 · info 26
Top rules by occurrence (Rule · Severity · Count)
AIC003 Duplicated implementation block across source files · low · 30
AUC009 [AUC009] Sensitive function route lacks elevated authorizat… · medium · 7
JRN003 Frontend API reference is not matched by discovered backend… · medium · 6
MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) · high · 5
MINED056 React Key As Index · info · 4
MINED054 Ts As Any · info · 4
MINED044 Js Console Log Prod · info · 4
SEC040 innerHTML XSS — template literal with server-supplied data · high · 4
MINED045 Ts Non Null Assertion · info · 4
SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from use… · high · 4
First 94 findings (severity-sorted)
high JRN004 Consent is collected in UI without visible backend audit persistence
packages/viewer/src/components/viewer/scene-bvh.tsx:88 · conf 0.78
Consent is collected in UI without visible backend audit persistence
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/mcp-ci.yml:30 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/mcp-ci.yml:31 · conf 0.90
[MINED115] Action `oven-sh/setup-bun` pinned to mutable ref `@v2`: `uses: oven-sh/setup-bun@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/release.yml:39 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/release.yml:42 · conf 0.90
[MINED115] Action `oven-sh/setup-bun` pinned to mutable ref `@v2`: `uses: oven-sh/setup-bun@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/release.yml:44 · conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
apps/editor/app/api/scenes/[id]/events/route.ts:38 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
apps/editor/app/api/scenes/route.ts:30 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
packages/core/src/schema/asset-url.ts:35 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC040 innerHTML XSS — template literal with server-supplied data
packages/editor/src/components/editor-2d/renderers/floorplan-geometry-renderer.tsx:157 · conf 1.00
[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
high SEC040 innerHTML XSS — template literal with server-supplied data
packages/editor/src/components/editor-2d/svg-paths.ts:103 · conf 1.00
[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
high SEC040 innerHTML XSS — template literal with server-supplied data
packages/mcp/src/resources/scene-summary.ts:159 · conf 1.00
[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
high SEC085 JS: child_process.exec with non-literal
packages/mcp/src/prompts/renovation-from-photos.ts:42 · conf 1.00
[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
high SEC085 JS: child_process.exec with non-literal
packages/mcp/src/storage/sqlite-driver.ts:15 · conf 1.00
[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
high SEC128 Async function without await — fire-and-forget Promise (AI mistake)
packages/core/src/hooks/scene-registry/scene-registry.ts:73 · conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
high SEC128 Async function without await — fire-and-forget Promise (AI mistake)
packages/core/src/hooks/spatial-grid/spatial-grid.ts:105 · conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
high SEC128 Async function without await — fire-and-forget Promise (AI mistake)
packages/core/src/hooks/spatial-grid/wall-spatial-grid.ts:165 · conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
medium AGT007 localStorage write failures are swallowed silently
packages/editor/src/components/editor/index.tsx:395 · conf 0.80
localStorage write failures are swallowed silently
medium AGT007 localStorage write failures are swallowed silently
packages/editor/src/lib/scene.ts:134 · conf 0.80
localStorage write failures are swallowed silently
medium AGT012 Agent control bridge may listen on a network interface without visible auth
packages/mcp/src/lib/safe-fetch.ts:10 · conf 0.72
Agent control bridge may listen on a network interface without visible auth
medium AUC001 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
· conf 0.92
[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
medium AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
apps/editor/app/api/scenes/[id]/events/route.ts:22 · conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…
medium AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
apps/editor/app/api/scenes/[id]/route.ts:32 · conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…
medium AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
apps/editor/app/api/scenes/[id]/route.ts:51 · conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…
medium AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
apps/editor/app/api/scenes/[id]/route.ts:104 · conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…
medium AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
apps/editor/app/api/scenes/[id]/route.ts:123 · conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…
medium AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
apps/editor/app/api/scenes/route.ts:26 · conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…
medium AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
apps/editor/app/api/scenes/route.ts:51 · conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…
medium ERR002 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
packages/editor/src/hooks/use-auto-save.ts:156 · conf 1.00
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
medium JRN003 Frontend API reference is not matched by discovered backend routes
apps/editor/components/save-button.tsx:31 · conf 0.74
Frontend API reference is not matched by discovered backend routes
medium JRN003 Frontend API reference is not matched by discovered backend routes
apps/editor/components/save-button.tsx:83 · conf 0.74
Frontend API reference is not matched by discovered backend routes
medium JRN003 Frontend API reference is not matched by discovered backend routes
apps/editor/components/save-button.tsx:118 · conf 0.74
Frontend API reference is not matched by discovered backend routes
medium JRN003 Frontend API reference is not matched by discovered backend routes
apps/editor/components/scene-loader.tsx:116 · conf 0.74
Frontend API reference is not matched by discovered backend routes
medium JRN003 Frontend API reference is not matched by discovered backend routes
apps/editor/components/scene-loader.tsx:146 · conf 0.74
Frontend API reference is not matched by discovered backend routes
medium JRN003 Frontend API reference is not matched by discovered backend routes
apps/editor/components/scene-loader.tsx:179 · conf 0.74
Frontend API reference is not matched by discovered backend routes
medium SEC045 eval()/exec() on stored or user-supplied data
packages/mcp/src/prompts/renovation-from-photos.ts:42 · conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
medium SEC045 eval()/exec() on stored or user-supplied data
packages/mcp/src/storage/sqlite-driver.ts:15 · conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
low AIC003 Duplicated implementation block across source files
apps/editor/app/api/scenes/route.ts:85 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/editor/app/scenes/page.tsx:6 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/editor/app/terms/page.tsx:8 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/editor/components/scene-loader.tsx:32 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/core/src/systems/stair/stair-opening-sync.ts:34 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/core/src/systems/stair/stair-opening-system.tsx:14 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/editor/src/components/editor/floating-action-menu.tsx:365 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/editor/src/components/editor/wall-move-side-handles.tsx:343 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/editor/src/components/systems/ceiling/ceiling-selection-affordance-system.tsx:78 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/editor/src/components/tools/elevator/move-elevator-tool.tsx:189 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/editor/src/components/tools/shared/polygon-editor.tsx:30 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/editor/src/components/tools/shared/segment-angle.ts:32 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/editor/src/components/tools/stair/stair-tool.tsx:143 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/editor/src/components/tools/wall/wall-drafting.ts:71 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/editor/src/components/ui/controls/slider-control.tsx:6 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/editor/src/components/ui/primitives/sidebar.tsx:180 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/editor/src/components/ui/sidebar/panels/items-panel/index.tsx:100 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/editor/src/components/ui/sidebar/panels/site-panel/ceiling-tree-node.tsx:101 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/editor/src/components/ui/sidebar/panels/site-panel/chimney-tree-node.tsx:26 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/editor/src/components/ui/sidebar/panels/site-panel/column-tree-node.tsx:22 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/editor/src/components/ui/sidebar/panels/site-panel/column-tree-node.tsx:26 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/editor/src/components/ui/sidebar/panels/site-panel/door-tree-node.tsx:22 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/editor/src/components/ui/sidebar/panels/site-panel/door-tree-node.tsx:26 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/editor/src/components/ui/sidebar/panels/site-panel/dormer-tree-node.tsx:22 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/editor/src/components/ui/sidebar/panels/site-panel/dormer-tree-node.tsx:26 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/editor/src/components/ui/sidebar/panels/site-panel/elevator-tree-node.tsx:57 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/editor/src/components/ui/sidebar/panels/site-panel/fence-tree-node.tsx:52 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/editor/src/components/ui/sidebar/panels/site-panel/gutter-tree-node.tsx:22 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/editor/src/components/ui/sidebar/panels/site-panel/gutter-tree-node.tsx:26 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/editor/src/components/ui/sidebar/panels/site-panel/item-tree-node.tsx:36 · conf 0.86
Duplicated implementation block across source files
low AIC009 Multiple AI-agent scaffold marker files are present
.github/copilot-instructions.md:1 · conf 0.68
Multiple AI-agent scaffold marker files are present
info MINED043 Http Not Https CWE-319
packages/mcp/src/prompts/renovation-from-photos.ts:23 · conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
info MINED043 Http Not Https CWE-319
packages/mcp/src/transports/http.ts:198 · conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
info MINED044 Js Console Log Prod CWE-532
· conf 0.20
[MINED044] Js Console Log Prod (and 15 more): Same pattern found in 15 additional files. Review if needed.
info MINED044 Js Console Log Prod CWE-532
apps/ifc-converter/scripts/copy-web-ifc-wasm.mjs:29 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED044 Js Console Log Prod CWE-532
packages/core/src/registry/registry.ts:66 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED044 Js Console Log Prod CWE-532
packages/editor/src/components/editor/export-manager.tsx:20 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED045 Ts Non Null Assertion CWE-476
· conf 0.20
[MINED045] Ts Non Null Assertion (and 86 more): Same pattern found in 86 additional files. Review if needed.
info MINED045 Ts Non Null Assertion CWE-476
apps/editor/app/api/scenes/[id]/route.ts:176 · conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
info MINED045 Ts Non Null Assertion CWE-476
packages/core/src/hooks/scene-registry/scene-registry.ts:69 · conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
info MINED045 Ts Non Null Assertion CWE-476
packages/core/src/hooks/spatial-grid/spatial-grid-sync.ts:115 · conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
info MINED052 Ts Any Typed CWE-704
· conf 0.20
[MINED052] Ts Any Typed (and 4 more): Same pattern found in 4 additional files. Review if needed.
info MINED052 Ts Any Typed CWE-704
packages/editor/src/components/tools/item/placement-math.ts:117 · conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
info MINED052 Ts Any Typed CWE-704
packages/editor/src/components/ui/sidebar/panels/site-panel/tree-node.tsx:10 · conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
info MINED052 Ts Any Typed CWE-704
packages/nodes/src/scan/renderer.tsx:53 · conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
info MINED054 Ts As Any CWE-704
· conf 0.20
[MINED054] Ts As Any (and 15 more): Same pattern found in 15 additional files. Review if needed.
info MINED054 Ts As Any CWE-704
packages/core/src/registry/__bench__/relations-resolver.bench.ts:27 · conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
info MINED054 Ts As Any CWE-704
packages/core/src/utils/clone-scene-graph.ts:63 · conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
info MINED054 Ts As Any CWE-704
packages/editor/src/components/editor/first-person/build-collider-world.ts:309 · conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
info MINED056 React Key As Index CWE-682
· conf 0.20
[MINED056] React Key As Index (and 9 more): Same pattern found in 9 additional files. Review if needed.
info MINED056 React Key As Index CWE-682
packages/editor/src/components/editor-2d/floorplan-action-menu-layer.tsx:79 · conf 1.00
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
info MINED056 React Key As Index CWE-682
packages/editor/src/components/editor-2d/floorplan-alignment-guide-layer.tsx:65 · conf 1.00
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
info MINED056 React Key As Index CWE-682
packages/editor/src/components/tools/zone/zone-tool.tsx:371 · conf 1.00
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
info MINED065 Cors Wildcard CWE-942 CWE-346
packages/mcp/src/transports/http.ts:137 · conf 1.00
[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints.
info SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
· conf 0.20
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input (and 9 more): Same pattern found in 9 additional files. Review if needed.
info SEC040 innerHTML XSS — template literal with server-supplied data
· conf 0.20
[SEC040] innerHTML XSS — template literal with server-supplied data (and 3 more): Same pattern found in 3 additional files. Review if needed.
info SEC128 Async function without await — fire-and-forget Promise (AI mistake)
· conf 0.20
[SEC128] Async function without await — fire-and-forget Promise (AI mistake) (and 8 more): Same pattern found in 8 additional files. Review if needed.