← Legacy view v2 (rp.*)

maruturisaisasidhar/text-tools

https://github.com/maruturisaisasidhar/TEXT-TOOLS.git · lang: javascript · LOC: · source: user_submitted

Quality
52.1
Grade C-
Security
100.0
Findings
26
0 critical · 11 high
Status
completed
May 22, 2026 12:48
high: 11 info: 8 medium: 4 low: 3
Top rules by occurrence
RuleSeverityCount
MINED113 Express POST/PUT/DELETE/PATCH route without auth high 6
MINED044 Js Console Log Prod info 4
SEC135 Auth/permission check missing on AI-generated endpoint high 2
SEC020 Secret Printed to Logs high 2
MINED056 React Key As Index info 2
CFG006 [CFG006] Missing .gitignore: No .gitignore file. Risk of co… medium 1
CORE_NO_TESTS No test files found high 1
SEC006 XSS Risk high 1
CORE_NO_CI No CI/CD configuration found medium 1
SEC040 innerHTML XSS — template literal with server-supplied data high 1
First 26 findings (severity-sorted)
high CORE_NO_TESTS No test files found 
No test files found
high MINED113 Express POST/PUT/DELETE/PATCH route without auth CWE-306CWE-862
backend/chrome-proxy/server.js:27 · conf 0.80 
[MINED113] Express POST /auth has no auth: Express route POST /auth declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are…
high MINED113 Express POST/PUT/DELETE/PATCH route without auth CWE-306CWE-862
backend/chrome-proxy/server.js:57 · conf 0.80 
[MINED113] Express POST /api/process-text has no auth: Express route POST /api/process-text declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on un…
high MINED113 Express POST/PUT/DELETE/PATCH route without auth CWE-306CWE-862
backend/server.js:28 · conf 0.80 
[MINED113] Express POST /generate-token has no auth: Express route POST /generate-token declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauth…
high MINED113 Express POST/PUT/DELETE/PATCH route without auth CWE-306CWE-862
backend/server.js:40 · conf 0.80 
[MINED113] Express POST /update-history has no auth: Express route POST /update-history declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauth…
high MINED113 Express POST/PUT/DELETE/PATCH route without auth CWE-306CWE-862
backend/server.js:71 · conf 0.80 
[MINED113] Express POST /get-history has no auth: Express route POST /get-history declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthentica…
high MINED113 Express POST/PUT/DELETE/PATCH route without auth CWE-306CWE-862
backend/server.js:88 · conf 0.80 
[MINED113] Express POST /api/gemini has no auth: Express route POST /api/gemini declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticate…
high SEC040 innerHTML XSS — template literal with server-supplied data
frontend/chrome-extension/content.js:18 · conf 1.00 
[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
high SEC100 CORS permissive Access-Control-Allow-Origin: *
backend/chrome-proxy/server.js:18 · conf 1.00 
[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `A…
high SEC135 Auth/permission check missing on AI-generated endpoint
backend/chrome-proxy/server.js:27 · conf 1.00 
[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we…
high SEC135 Auth/permission check missing on AI-generated endpoint
backend/server.js:28 · conf 1.00 
[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we…
medium CFG006 [CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.
· conf 1.00 
[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.
medium CORE_NO_CI No CI/CD configuration found 
No CI/CD configuration found
medium SEC046 Client-side open redirect — window.location = server-supplied URL
frontend/src/App.tsx:29 · conf 1.00 
[SEC046] Client-side open redirect — window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If t…
medium SEC087 JS: weak Math.random for crypto
backend/server.js:25 · conf 1.00 
[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes conce…
low AIC003 Duplicated implementation block across source files
frontend/chrome-extension/content.js:1 · conf 0.86 
Duplicated implementation block across source files
low CORE_NO_LICENSE No LICENSE file 
No LICENSE file
low SEC006 XSS Risk
frontend/chrome-extension/content.js:18 · conf 0.40 
[SEC006] XSS Risk: Direct HTML injection without sanitization.
info MINED044 Js Console Log Prod CWE-532
· conf 0.20 
[MINED044] Js Console Log Prod (and 2 more): Same pattern found in 2 additional files. Review if needed.
info MINED044 Js Console Log Prod CWE-532
backend/chrome-proxy/server.js:115 · conf 1.00 
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED044 Js Console Log Prod CWE-532
backend/server.js:16 · conf 1.00 
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED044 Js Console Log Prod CWE-532
frontend/chrome-extension/background.js:23 · conf 1.00 
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED056 React Key As Index CWE-682
frontend/src/App.tsx:205 · conf 1.00 
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
info MINED056 React Key As Index CWE-682
frontend/src/components/Dictionary.tsx:69 · conf 1.00 
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
info SEC020 Secret Printed to Logs
backend/server.js:34 · conf 0.15 
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
info SEC020 Secret Printed to Logs
frontend/src/App.tsx:40 · conf 0.15 
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…

Reading from rp.scan + rp.finding + rp.rule (unified schema, R78 series). Legacy data path unchanged. Compare with /scan/d989086a-79cf-4b87-b2b1-b98172f7be9b/.