Repository: dicklesworthstone/pi_agent_rust
Commit: 895269a
Verdict: FAIL
Score: 0
Date: May 29, 2026
| Severity | Rule | Message | File:Line |
|---|---|---|---|
| MEDIUM | express_cors | Access-Control-Allow-Origin response header is set to "*". This will disable CORS Same Origin Policy restrictions. | dicklesworthstone/pi_agent_rust/postgresql-afbe509a/tests/ext_conformance/artifacts/templates-davila7/cli-tool/src/analytics.js:0 |
| MEDIUM | express_cors | Access-Control-Allow-Origin response header is set to "*". This will disable CORS Same Origin Policy restrictions. | dicklesworthstone/pi_agent_rust/postgresql-afbe509a/tests/ext_conformance/artifacts/templates-davila7/cli-tool/src/claude-api-proxy.js:0 |
| MEDIUM | express_cors | Access-Control-Allow-Origin response header is set to "*". This will disable CORS Same Origin Policy restrictions. | dicklesworthstone/pi_agent_rust/postgresql-afbe509a/tests/ext_conformance/artifacts/templates-davila7/cli-tool/src/plugin-dashboard.js:0 |
| MEDIUM | express_cors | Access-Control-Allow-Origin response header is set to "*". This will disable CORS Same Origin Policy restrictions. | dicklesworthstone/pi_agent_rust/postgresql-afbe509a/tests/ext_conformance/artifacts/templates-davila7/cli-tool/src/sandbox-server.js:0 |
| MEDIUM | express_cors | Access-Control-Allow-Origin response header is set to "*". This will disable CORS Same Origin Policy restrictions. | dicklesworthstone/pi_agent_rust/postgresql-afbe509a/tests/ext_conformance/artifacts/templates-davila7/cli-tool/src/skill-dashboard.js:0 |
| HIGH | generic_header_injection | If user input is not properly sanitized, an attacker can insert malicious data into response headers. This can lead to HTTP response splitting, where an attacker injects additional headers or even full HTTP responses, potentially altering how clients or intermediaries (e.g., proxies) handle the request. This can lead to vulnerabilities like Cross-Site Scripting (XSS) and cache poisoning. Always sanitize and validate user inputs to ensure they do not contain characters or data that could alter the header structure (e.g., newline characters, control characters). Another good option is to leverage well-established libraries or frameworks that handle headers securely. Many frameworks offer built-in methods for setting headers that ensure they are correctly formatted and safe. | dicklesworthstone/pi_agent_rust/postgresql-afbe509a/tests/ext_conformance/artifacts/doom-overlay/doom/build/doom.js:0 |
| MEDIUM | join_resolve_path_traversal | Path constructed with user input can result in Path Traversal. Ensure that user input does not reach `join()` or `resolve()`. | dicklesworthstone/pi_agent_rust/postgresql-afbe509a/tests/ext_conformance/artifacts/templates-davila7/cli-tool/src/index.js:0 |
| MEDIUM | join_resolve_path_traversal | Path constructed with user input can result in Path Traversal. Ensure that user input does not reach `join()` or `resolve()`. | dicklesworthstone/pi_agent_rust/postgresql-afbe509a/tests/ext_conformance/artifacts/templates-davila7/cli-tool/src/index.js:0 |
| MEDIUM | join_resolve_path_traversal | Path constructed with user input can result in Path Traversal. Ensure that user input does not reach `join()` or `resolve()`. | dicklesworthstone/pi_agent_rust/postgresql-afbe509a/tests/ext_conformance/artifacts/templates-davila7/cli-tool/src/index.js:0 |
| MEDIUM | join_resolve_path_traversal | Path constructed with user input can result in Path Traversal. Ensure that user input does not reach `join()` or `resolve()`. | dicklesworthstone/pi_agent_rust/postgresql-afbe509a/tests/ext_conformance/artifacts/templates-davila7/cli-tool/src/index.js:0 |
| MEDIUM | join_resolve_path_traversal | Path constructed with user input can result in Path Traversal. Ensure that user input does not reach `join()` or `resolve()`. | dicklesworthstone/pi_agent_rust/postgresql-afbe509a/tests/ext_conformance/artifacts/templates-davila7/cli-tool/src/sdk/global-agent-manager.js:0 |
| MEDIUM | join_resolve_path_traversal | Path constructed with user input can result in Path Traversal. Ensure that user input does not reach `join()` or `resolve()`. | dicklesworthstone/pi_agent_rust/postgresql-afbe509a/tests/ext_conformance/artifacts/templates-davila7/cli-tool/src/session-sharing.js:0 |
| MEDIUM | join_resolve_path_traversal | Path constructed with user input can result in Path Traversal. Ensure that user input does not reach `join()` or `resolve()`. | dicklesworthstone/pi_agent_rust/postgresql-afbe509a/tests/ext_conformance/artifacts/templates-davila7/cli-tool/src/skill-dashboard.js:0 |
| MEDIUM | join_resolve_path_traversal | Path constructed with user input can result in Path Traversal. Ensure that user input does not reach `join()` or `resolve()`. | dicklesworthstone/pi_agent_rust/postgresql-afbe509a/tests/ext_conformance/artifacts/templates-davila7/scripts/dev-server.js:0 |
| MEDIUM | node_insecure_random_generator | crypto.pseudoRandomBytes()/Math.random() is a cryptographically weak random number generator. | dicklesworthstone/pi_agent_rust/postgresql-afbe509a/tests/ext_conformance/artifacts/templates-davila7/api/discord/interactions.js:0 |
| MEDIUM | node_insecure_random_generator | crypto.pseudoRandomBytes()/Math.random() is a cryptographically weak random number generator. | dicklesworthstone/pi_agent_rust/postgresql-afbe509a/tests/ext_conformance/artifacts/templates-davila7/cli-tool/src/analytics-web/components/ToolDisplay.js:0 |
| MEDIUM | node_insecure_random_generator | crypto.pseudoRandomBytes()/Math.random() is a cryptographically weak random number generator. | dicklesworthstone/pi_agent_rust/postgresql-afbe509a/tests/ext_conformance/artifacts/templates-davila7/cli-tool/src/analytics-web/components/ToolDisplay.js:0 |
| MEDIUM | node_insecure_random_generator | crypto.pseudoRandomBytes()/Math.random() is a cryptographically weak random number generator. | dicklesworthstone/pi_agent_rust/postgresql-afbe509a/tests/ext_conformance/artifacts/templates-davila7/cli-tool/src/analytics/notifications/NotificationManager.js:0 |
| MEDIUM | node_insecure_random_generator | crypto.pseudoRandomBytes()/Math.random() is a cryptographically weak random number generator. | dicklesworthstone/pi_agent_rust/postgresql-afbe509a/tests/ext_conformance/artifacts/templates-davila7/cli-tool/src/analytics/notifications/WebSocketServer.js:0 |
| MEDIUM | node_insecure_random_generator | crypto.pseudoRandomBytes()/Math.random() is a cryptographically weak random number generator. | dicklesworthstone/pi_agent_rust/postgresql-afbe509a/tests/ext_conformance/artifacts/templates-davila7/cli-tool/src/console-bridge.js:0 |
| MEDIUM | node_insecure_random_generator | crypto.pseudoRandomBytes()/Math.random() is a cryptographically weak random number generator. | dicklesworthstone/pi_agent_rust/postgresql-afbe509a/tests/ext_conformance/artifacts/templates-davila7/cli-tool/src/console-bridge.js:0 |
| MEDIUM | node_insecure_random_generator | crypto.pseudoRandomBytes()/Math.random() is a cryptographically weak random number generator. | dicklesworthstone/pi_agent_rust/postgresql-afbe509a/tests/ext_conformance/artifacts/templates-davila7/cli-tool/src/sandbox-server.js:0 |
| MEDIUM | node_insecure_random_generator | crypto.pseudoRandomBytes()/Math.random() is a cryptographically weak random number generator. | dicklesworthstone/pi_agent_rust/postgresql-afbe509a/tests/ext_conformance/artifacts/templates-davila7/cli-tool/src/tracking-service.js:0 |
| MEDIUM | node_insecure_random_generator | crypto.pseudoRandomBytes()/Math.random() is a cryptographically weak random number generator. | dicklesworthstone/pi_agent_rust/postgresql-afbe509a/tests/ext_conformance/artifacts/templates-davila7/cli-tool/src/tracking-service.js:0 |
| HIGH | node_logic_bypass | User controlled data is used for application business logic decision making. This can expose protected data or functionality. | dicklesworthstone/pi_agent_rust/postgresql-afbe509a/tests/ext_conformance/artifacts/community/tmustier-arcade-mario-not/logic.js:0 |
| HIGH | node_logic_bypass | User controlled data is used for application business logic decision making. This can expose protected data or functionality. | dicklesworthstone/pi_agent_rust/postgresql-afbe509a/tests/ext_conformance/artifacts/npm/pi-extensions/arcade/mario-not/logic.js:0 |
| HIGH | node_logic_bypass | User controlled data is used for application business logic decision making. This can expose protected data or functionality. | dicklesworthstone/pi_agent_rust/postgresql-afbe509a/tests/ext_conformance/artifacts/npm/tmustier-pi-arcade/mario-not/logic.js:0 |
| MEDIUM | node_username | A hardcoded username in plain text is identified. Store it properly in an environment variable. | dicklesworthstone/pi_agent_rust/postgresql-afbe509a/tests/ext_conformance/artifacts/templates-davila7/cli-tool/src/file-operations.js:0 |
| MEDIUM | node_username | A hardcoded username in plain text is identified. Store it properly in an environment variable. | dicklesworthstone/pi_agent_rust/postgresql-afbe509a/tests/ext_conformance/artifacts/templates-davila7/cli-tool/src/file-operations.js:0 |
| MEDIUM | regex_dos | Ensure that the regex used to compare with user supplied input is safe from regular expression denial of service. | dicklesworthstone/pi_agent_rust/postgresql-afbe509a/tests/ext_conformance/artifacts/templates-davila7/cli-tool/src/validation/validators/IntegrityValidator.js:0 |
| MEDIUM | regex_dos | Ensure that the regex used to compare with user supplied input is safe from regular expression denial of service. | dicklesworthstone/pi_agent_rust/postgresql-afbe509a/tests/ext_conformance/artifacts/templates-davila7/cli-tool/src/validation/validators/IntegrityValidator.js:0 |
| MEDIUM | regex_dos | Ensure that the regex used to compare with user supplied input is safe from regular expression denial of service. | dicklesworthstone/pi_agent_rust/postgresql-afbe509a/tests/ext_conformance/artifacts/templates-davila7/cli-tool/src/validation/validators/ProvenanceValidator.js:0 |
| MEDIUM | regex_dos | Ensure that the regex used to compare with user supplied input is safe from regular expression denial of service. | dicklesworthstone/pi_agent_rust/postgresql-afbe509a/tests/ext_conformance/artifacts/templates-davila7/cli-tool/src/validation/validators/StructuralValidator.js:0 |
| HIGH | yaml_deserialize | User controlled data in 'yaml.load()' function can result in Remote Code Injection. | dicklesworthstone/pi_agent_rust/postgresql-afbe509a/tests/ext_conformance/artifacts/templates-davila7/cli-tool/src/skill-dashboard.js:0 |
| HIGH | yaml_deserialize | User controlled data in 'yaml.load()' function can result in Remote Code Injection. | dicklesworthstone/pi_agent_rust/postgresql-afbe509a/tests/ext_conformance/artifacts/templates-davila7/cli-tool/src/validation/validators/StructuralValidator.js:0 |