Snyk Code Security Rules

Snyk Code rules are continuously updated. The list keeps growing, and rules may change in order to provide the best protection and security solutions for your code.

This page lists all the security rules that Snyk Code uses when scanning source code.

Each rule includes the following information:

  • Rule name: Snyk's name for the rule.

  • Language: the programming language the specific rule applies to. Note that two rules with the same name may apply to different languages.

  • CWE(s): the CWE number(s) the rule covers.

  • Security category: the OWASP Top 10 (2021 edition) category the rule belongs to, and whether it is included in the SANS 25.

| Rule name | Language | CWE(s) | Security category |
|---|---|---|---|
| ASP SSL Disabled | XML | CWE-319 | OWASP:A02 |
| Access Violation | Apex | CWE-284, CWE-285 | OWASP:A01 |
| Allocation of Resources Without Limits or Throttling | JavaScript, PHP | CWE-770 | |
| An optimizing compiler may remove memset non-zero leaving data in memory | C++ | CWE-1330 | |
| Android Debug Mode Enabled | XML | CWE-489 | |
| Android Fragment Injection | Java, Kotlin | CWE-470 | OWASP:A03 |
| Android Intent Forwarding | Java, Kotlin | CWE-940 | OWASP:A07 |
| Android Uri Permission Manipulation | Java, Kotlin | CWE-266 | OWASP:A04 |
| Android World Writeable/Readable File Permission Found | Java, Kotlin, Scala | CWE-732 | |
| Anti-forgery token validation disabled | C# | CWE-352 | SANS Top 25, OWASP:A01 |
| Arbitrary File Write via Archive Extraction (Tar Slip) | Python | CWE-22 | SANS Top 25, OWASP:A01 |
| Arbitrary File Write via Archive Extraction (Zip Slip) | C#, JavaScript, PHP | CWE-22 | SANS Top 25, OWASP:A01 |
| Authentication Bypass by Spoofing | C++ | CWE-290 | OWASP:A07 |
| Authentication over HTTP | Python | CWE-319 | OWASP:A02 |
| Binding to all network interfaces may open service to unintended traffic | Python | CWE-284 | OWASP:A01 |
| Broken User Authentication | Python | CWE-287 | SANS Top 25, OWASP:A07 |
| Buffer Over-read | JavaScript | CWE-126 | |
| Buffer Overflow | C++ | CWE-122 | |
| Clear Text Logging | Go, Swift | CWE-200, CWE-312 | OWASP:A01, OWASP:A04 |
| Clear Text Sensitive Storage | Apex, JavaScript | CWE-200, CWE-312 | OWASP:A01, OWASP:A04 |
| Cleartext Storage of Sensitive Information in a Cookie | C#, Java, Kotlin, Scala | CWE-315 | OWASP:A05 |
| Cleartext Transmission of Sensitive Information | Java, JavaScript, Kotlin, Scala | CWE-319 | OWASP:A02 |
| Code Execution via Third Party Package Context | Java, Kotlin | CWE-94 | SANS Top 25, OWASP:A03 |
| Code Execution via Third Party Package Installation | Java, Kotlin | CWE-940 | OWASP:A07 |
| Code Injection | C#, Java, JavaScript, Kotlin, PHP, Python, Ruby, Scala, Swift, Visual Basic | CWE-94 | SANS Top 25, OWASP:A03 |
| Command Injection | Apex, C#, C++, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-78 | SANS Top 25, OWASP:A03 |
| Cross-Site Request Forgery (CSRF) | Java, JavaScript, Kotlin, Python, Scala | CWE-352 | SANS Top 25, OWASP:A01 |
| Cross-site Scripting (XSS) | Apex, C#, C++, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-79 | SANS Top 25, OWASP:A03 |
| Cryptographic Issues | Java, JavaScript, Kotlin, Python, Scala | CWE-310 | OWASP:A02 |
| Debug Features Enabled | C#, Visual Basic, XML | CWE-215 | |
| Debug Mode Enabled | Python | CWE-489 | |
| Denial of Service (DoS) through Nested GraphQL Queries | JavaScript | CWE-400 | |
| Dereference of a NULL Pointer | C++ | CWE-476 | SANS Top 25 |
| Deserialization of Untrusted Data | C#, Java, JavaScript, Kotlin, PHP, Python, Ruby, Scala, Visual Basic | CWE-502 | SANS Top 25, OWASP:A08 |
| Device Authentication Bypass | Swift | CWE-287 | SANS Top 25, OWASP:A07 |
| Disabled Neutralization of CRLF Sequences in HTTP Headers | Java, Kotlin, Scala | CWE-113 | OWASP:A03 |
| Disabling Strict Contextual escaping (SCE) could provide additional attack surface for Cross-site Scripting (XSS) | JavaScript | CWE-79 | SANS Top 25, OWASP:A03 |
| Division By Zero | C++ | CWE-369 | |
| Double Free | C++ | CWE-415 | |
| Electron Disable Security Warnings | JavaScript | CWE-16 | OWASP:A05 |
| Electron Insecure Web Preferences | JavaScript | CWE-16 | OWASP:A05 |
| Electron Load Insecure Content | JavaScript | CWE-16 | OWASP:A05 |
| Exposure of Private Personal Information to an Unauthorized Actor | C#, C++ | CWE-359 | OWASP:A01 |
| External Control of System or Configuration Setting | Java, Kotlin, Scala | CWE-15 | OWASP:A05 |
| File Access Enabled | Java, Kotlin | CWE-200 | OWASP:A01 |
| File Inclusion | PHP | CWE-98 | OWASP:A03 |
| Generation of Error Message Containing Sensitive Information | Go, XML | CWE-209 | OWASP:A04 |
| GraphQL Injection | JavaScript | CWE-89 | SANS Top 25, OWASP:A03 |
| Hardcoded Secret | Apex, C#, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-547 | OWASP:A05 |
| Improper Access Control: Email Content Injection | Apex, Go, PHP | CWE-284 | OWASP:A01 |
| Improper Authentication | Java, Kotlin, Scala | CWE-287 | SANS Top 25, OWASP:A07 |
| Improper Certificate Validation | Go, Java, Kotlin, Python, Ruby, Scala, Swift | CWE-295 | OWASP:A07 |
| Improper Code Sanitization | JavaScript | CWE-116, CWE-79, CWE-94 | SANS Top 25, OWASP:A03 |
| Improper Handling of Insufficient Permissions or Privileges | Java, Kotlin, Python | CWE-280 | OWASP:A04 |
| Improper Input Validation | Ruby | CWE-20 | SANS Top 25, OWASP:A03 |
| Improper Neutralization of CRLF Sequences in HTTP Headers | C#, Java, Kotlin, Scala, Visual Basic | CWE-113 | OWASP:A03 |
| Improper Neutralization of Directives in Statically Saved Code | Go, JavaScript, Python, Ruby | CWE-96 | OWASP:A03 |
| Improper Null Termination | C++ | CWE-170 | |
| Improper Restriction of Rendered UI Layers or Frames | JavaScript, PHP, XML | CWE-1021 | OWASP:A04 |
| Improper Type Validation | JavaScript | CWE-1287 | |
| Improper Validation of Certificate with Host Mismatch | Java, Kotlin, Scala | CWE-297 | OWASP:A07 |
| Improperly Controlled Modification of Dynamically-Determined Object Attributes | Ruby | CWE-915 | OWASP:A08 |
| Inadequate Encryption Strength | C#, C++, Go, Java, Kotlin, PHP, Python, Scala, Swift, Visual Basic | CWE-326 | OWASP:A02 |
| Inadequate Padding for AES encryption | Java, Kotlin, Scala | CWE-326 | OWASP:A02 |
| Inadequate Padding for Public Key Encryption | PHP, Rust | CWE-326 | OWASP:A02 |
| Incorrect Permission Assignment | Java, Kotlin | CWE-732 | |
| Incorrect regular expression for validating values | Ruby | CWE-1286 | |
| Indirect Command Injection via User Controlled Environment | Java, Kotlin, Scala | CWE-78 | SANS Top 25, OWASP:A03 |
| Information Exposure | C#, Java, JavaScript, Kotlin, PHP, Ruby, Scala, Swift | CWE-200 | OWASP:A01 |
| Insecure Anonymous LDAP Binding | C++ | CWE-287 | SANS Top 25, OWASP:A07 |
| Insecure Data Storage | Swift | CWE-922 | OWASP:A01 |
| Insecure Data Transmission | Apex, C#, Ruby | CWE-319 | OWASP:A02 |
| Insecure Deserialization | Swift | CWE-502 | SANS Top 25, OWASP:A08 |
| Insecure File Permissions | Python, Rust | CWE-732 | |
| Insecure JWT Verification Method | JavaScript | CWE-347 | OWASP:A02 |
| Insecure TLS Configuration | Go, JavaScript | CWE-327 | OWASP:A02 |
| Insecure Temporary File | Python | CWE-377 | OWASP:A01 |
| Insecure Xml Parser | Python | CWE-611 | OWASP:A05 |
| Insecure default value | Python | CWE-453 | |
| Insufficient Session Expiration | Java, Kotlin, Scala | CWE-613 | OWASP:A07 |
| Insufficient postMessage Validation | JavaScript | CWE-20 | SANS Top 25, OWASP:A03 |
| Integer Overflow | C++ | CWE-190 | SANS Top 25 |
| Introspection Enabled | JavaScript | CWE-200 | OWASP:A01 |
| JWT 'none' Algorithm Supported | JavaScript | CWE-347 | OWASP:A02 |
| JWT Signature Verification Bypass | Java | CWE-347 | OWASP:A02 |
| JWT Signature Verification Method Disabled | JavaScript | CWE-347 | OWASP:A02 |
| Java Naming and Directory Interface (JNDI) Injection | Java, Kotlin, Scala | CWE-74 | |
| JavaScript Enabled | Java, Kotlin | CWE-79 | SANS Top 25, OWASP:A03 |
| Jinja auto-escape is set to false. | Python | CWE-79 | SANS Top 25, OWASP:A03 |
| LDAP Injection | C#, C++, Java, Kotlin, Python, Scala | CWE-90 | OWASP:A03 |
| Log Forging | C# | CWE-117 | OWASP:A09 |
| Memory Allocation Of String Length | C++ | CWE-170 | |
| Memory Corruption | Swift | CWE-822 | |
| Missing Release of File Descriptor or Handle after Effective Lifetime | C++ | CWE-775 | |
| Missing Release of Memory after Effective Lifetime | C++ | CWE-401 | |
| No Weak Password Requirements | Ruby | CWE-521 | OWASP:A07 |
| NoSQL Injection | Java, JavaScript, Python | CWE-943 | |
| Observable Timing Discrepancy | Rust | CWE-208 | |
| Observable Timing Discrepancy (Timing Attack) | Java, JavaScript, Kotlin, Scala | CWE-208 | |
| Open Redirect | Apex, C#, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Visual Basic | CWE-601 | OWASP:A01 |
| Origin Validation Error | Java, JavaScript, Kotlin, PHP, Python, Rust, Scala | CWE-346, CWE-942 | OWASP:A05, OWASP:A07 |
| Password Requirements Not Enforced in Django Application | Python | CWE-521 | OWASP:A07 |
| Path Traversal | C#, C++, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-23 | OWASP:A01 |
| Permissive Cross-domain Policy | JavaScript | CWE-942 | OWASP:A05 |
| Potential Negative Number Used as Index | C++ | CWE-125, CWE-787 | SANS Top 25 |
| Potential buffer overflow from usage of unsafe function | C++ | CWE-122 | |
| Privacy Leak | Java | CWE-532 | OWASP:A09 |
| Process Control | Java, Kotlin, Scala | CWE-114 | |
| Prototype Pollution | JavaScript | CWE-1321 | |
| Python 2 source code | Python | CWE-1104 | OWASP:A06 |
| Regular Expression Denial of Service (ReDoS) | JavaScript, PHP, Python, Ruby | CWE-400 | |
| Regular expression injection | Apex, C#, Java, Kotlin, Scala, Visual Basic | CWE-400, CWE-730 | |
| Remote Code Execution via Endpoint | Ruby | CWE- | |
| Request Validation Disabled | C#, Visual Basic, XML | CWE-554 | SANS Top 25, OWASP:A03 |
| SOQL Injection | Apex | CWE-89 | SANS Top 25, OWASP:A03 |
| SOSL Injection | Apex | CWE-89 | SANS Top 25, OWASP:A03 |
| SQL Injection | C#, C++, Go, Java, JavaScript, Kotlin, etc. | CWE-89 | SANS Top 25, OWASP:A03 |
| Secure Algorithm Not Specified During Negotiation (Force SSL) | Ruby | CWE-311, CWE-757 | OWASP:A04, OWASP:A02 |
| Secure Algorithm Not Specified During Negotiation (TLS instead of SSL) | Python | CWE-757 | OWASP:A02 |
| Sensitive Cookie Without 'HttpOnly' Flag | C#, Go, Java, JavaScript, Kotlin, PHP, Python, etc. | CWE-1004 | OWASP:A05 |
| Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | Apex, C#, Go, Java, JavaScript, Kotlin, etc. | CWE-614 | OWASP:A05 |
| Server Information Exposure | Java, Kotlin, Python, Scala | CWE-209 | OWASP:A04 |
| Server-Side Request Forgery (SSRF) | Apex, C#, C++, Go, Java, JavaScript, etc. | CWE-918 | SANS Top 25, OWASP:A10 |
| Session Manipulation | Ruby | CWE-285 | OWASP:A01 |
| Sinatra Protection Layer Disabled | Ruby | CWE-1021, CWE-16, CWE-348, CWE-35, etc. | SANS Top 25, OWASP:A01, OWASP:A05, OWASP:A03, OWASP:A04 |
| Size Used as Index | C++ | CWE-125, CWE-787 | SANS Top 25 |
| Spring CSRF (Cross-Site Request Forgery) | Java | CWE-352 | SANS Top 25, OWASP:A01 |
| Struts Development Mode Enabled | XML | CWE-489 | |
| Ciphertext Equal to Provided Plaintext | Java, Kotlin, Scala | CWE-311 | OWASP:A04 |
| Trust Boundary Violation | Java, Kotlin, Scala | CWE-501 | OWASP:A04 |
| Unauthorized File Access | Java, Kotlin | CWE-79 | SANS Top 25, OWASP:A03 |
| Unvalidated Input for Loop Condition | JavaScript | CWE-400, CWE-606 | |
| Unprotected Storage of Credentials | Java, Kotlin, Scala | CWE-256 | OWASP:A04 |
| Unrestricted Android Broadcast | Java, Kotlin | CWE-862 | SANS Top 25, OWASP:A01 |
| Unsafe jQuery Plugin | JavaScript | CWE-116, CWE-79 | SANS Top 25, OWASP:A03 |
| Unsafe Reflection | Java, Ruby | CWE-470 | OWASP:A03 |
| Unsafe SOQL Concatenation | Apex | CWE-89 | SANS Top 25, OWASP:A03 |
| Unsafe SOSL Concatenation | Apex | CWE-89 | SANS Top 25, OWASP:A03 |
| Unverified Password Change | Apex | CWE-620 | OWASP:A07 |
| Use of BinaryFormatter | C#, Visual Basic | CWE-502 | SANS Top 25, OWASP:A08 |
| Use After Free | C++ | CWE-416 | SANS Top 25 |
| Use of dangerouslySetInnerHTML to Explicitly Handle XSS Risk | JavaScript | CWE-79 | SANS Top 25, OWASP:A03 |
| Use of Expired File Descriptor | C++ | CWE-910 | |
| Use of Externally-Controlled Format String | C++, Java, JavaScript, Kotlin, Scala | CWE-134 | |
| Use of Hardcoded Credentials | Apex, C#, Go, Java, JavaScript, etc. | CWE-259, CWE-798 | SANS Top 25, OWASP:A07 |
| Use of Hardcoded Initialization Value | Python | CWE-329 | OWASP:A02 |
| Use of Hardcoded Security Initialization Value | C++, Python, Ruby | CWE-321 | OWASP:A02 |
| Use of Hardcoded Password | Apex, Go, Java, JavaScript, etc. | CWE-259, CWE-798 | SANS Top 25, OWASP:A07 |
| Use of Hardcoded Security-Relevant Constant | Java, Kotlin, Scala | CWE-547 | OWASP:A05 |
| Use of Insufficiently Random Values | C#, Go, Java, JavaScript, Kotlin, etc. | CWE-330 | OWASP:A02 |
| Use of Password Hash With Insufficient Computational Effort | Apex, C#, C++, Go, Java, JavaScript, etc. | CWE-916 | OWASP:A02 |
| Use of Potentially Dangerous Function | Java, Kotlin, Scala | CWE-676 | |
| Use of Sticky Broadcast | Java, Kotlin | CWE-265 | |
| Use of a Broken or Risky Cryptographic Algorithm | C#, Go, Java, JavaScript, etc. | CWE-327 | OWASP:A02 |
| Use of User-Controlled Pointer | C++ | CWE-1285 | |
| Weak Password Recovery Mechanism for Forgotten Password | JavaScript | CWE-640 | OWASP:A07 |
| XAML Injection | C# | CWE-611 | OWASP:A05 |
| XML External Entity (XXE) Injection | C#, C++, Java, JavaScript, Kotlin, etc. | CWE-611 | OWASP:A05 |
| XML Injection | Apex, C#, Visual Basic | CWE-91 | OWASP:A03 |
| XPath Injection | C#, C++, Go, Java, JavaScript, etc. | CWE-643 | OWASP:A03 |
