Node.Security

Security Audit of Mean

ISGroup SRL performed an automated code review (not a real static analysis, more a grep on steroids) of this NodeJS project in order to identify potential security vulnerabilities. We do not guarantee that all the findings are valid, and there are certainly plenty of false positives and false negatives (undetected issues), but it is free and your project could benefit from this security analysis. The following data is also available in JSON format.

Possible Security Issues
| Issue | Description | Line | File |
| --- | --- | --- | --- |
| Server Side Injection (SSI) - eval() | User controlled data in eval() can result in Server Side Injection (SSI) or Remote Code Execution (RCE). | 39 | modules/core/client/directives/show-errors.client.directives.js |
| Password Hardcoded | A hardcoded password in plain text was identified. Store it properly in a config file. | 180 | modules/users/server/models/user.server.model.js |
| Username Hardcoded | A hardcoded username in plain text was identified. Store it properly in a config file. | 42 | modules/users/server/config/strategies/facebook.js |
| Password Hardcoded | A hardcoded password in plain text was identified. Store it properly in a config file. | 61 | modules/users/tests/client/password-verify.client.directive.tests.js |
| Password Hardcoded | A hardcoded password in plain text was identified. Store it properly in a config file. | 62 | modules/users/tests/client/password-verify.client.directive.tests.js |
| Password Hardcoded | A hardcoded password in plain text was identified. Store it properly in a config file. | 74 | modules/users/tests/client/password-verify.client.directive.tests.js |
| Password Hardcoded | A hardcoded password in plain text was identified. Store it properly in a config file. | 75 | modules/users/tests/client/password-verify.client.directive.tests.js |
| Password Hardcoded | A hardcoded password in plain text was identified. Store it properly in a config file. | 58 | modules/users/tests/client/password-validator.client.directive.tests.js |
| Password Hardcoded | A hardcoded password in plain text was identified. Store it properly in a config file. | 69 | modules/users/tests/client/password-validator.client.directive.tests.js |
| Password Hardcoded | A hardcoded password in plain text was identified. Store it properly in a config file. | 80 | modules/users/tests/client/password-validator.client.directive.tests.js |
| Password Hardcoded | A hardcoded password in plain text was identified. Store it properly in a config file. | 91 | modules/users/tests/client/password-validator.client.directive.tests.js |
| Password Hardcoded | A hardcoded password in plain text was identified. Store it properly in a config file. | 103 | modules/users/tests/client/password-validator.client.directive.tests.js |
| Password Hardcoded | A hardcoded password in plain text was identified. Store it properly in a config file. | 115 | modules/users/tests/client/password-validator.client.directive.tests.js |
| Password Hardcoded | A hardcoded password in plain text was identified. Store it properly in a config file. | 127 | modules/users/tests/client/password-validator.client.directive.tests.js |
| Password Hardcoded | A hardcoded password in plain text was identified. Store it properly in a config file. | 139 | modules/users/tests/client/password-validator.client.directive.tests.js |
| Password Hardcoded | A hardcoded password in plain text was identified. Store it properly in a config file. | 151 | modules/users/tests/client/password-validator.client.directive.tests.js |
| Password Hardcoded | A hardcoded password in plain text was identified. Store it properly in a config file. | 163 | modules/users/tests/client/password-validator.client.directive.tests.js |
| Password Hardcoded | A hardcoded password in plain text was identified. Store it properly in a config file. | 172 | modules/users/tests/client/password-validator.client.directive.tests.js |
| Password Hardcoded | A hardcoded password in plain text was identified. Store it properly in a config file. | 181 | modules/users/tests/client/password-validator.client.directive.tests.js |
| Password Hardcoded | A hardcoded password in plain text was identified. Store it properly in a config file. | 190 | modules/users/tests/client/password-validator.client.directive.tests.js |
| Password Hardcoded | A hardcoded password in plain text was identified. Store it properly in a config file. | 199 | modules/users/tests/client/password-validator.client.directive.tests.js |
| Username Hardcoded | A hardcoded username in plain text was identified. Store it properly in a config file. | 62 | modules/users/tests/server/user.server.routes.tests.js |
| Username Hardcoded | A hardcoded username in plain text was identified. Store it properly in a config file. | 710 | modules/users/tests/server/user.server.routes.tests.js |
| Username Hardcoded | A hardcoded username in plain text was identified. Store it properly in a config file. | 762 | modules/users/tests/server/user.server.routes.tests.js |
| Password Hardcoded | A hardcoded password in plain text was identified. Store it properly in a config file. | 234 | modules/users/tests/server/user.server.model.tests.js |
| Password Hardcoded | A hardcoded password in plain text was identified. Store it properly in a config file. | 250 | modules/users/tests/server/user.server.model.tests.js |
| Password Hardcoded | A hardcoded password in plain text was identified. Store it properly in a config file. | 284 | modules/users/tests/server/user.server.model.tests.js |
| Password Hardcoded | A hardcoded password in plain text was identified. Store it properly in a config file. | 293 | modules/users/tests/server/user.server.model.tests.js |
| Password Hardcoded | A hardcoded password in plain text was identified. Store it properly in a config file. | 303 | modules/users/tests/server/user.server.model.tests.js |
| Password Hardcoded | A hardcoded password in plain text was identified. Store it properly in a config file. | 313 | modules/users/tests/server/user.server.model.tests.js |
| Password Hardcoded | A hardcoded password in plain text was identified. Store it properly in a config file. | 323 | modules/users/tests/server/user.server.model.tests.js |
| Password Hardcoded | A hardcoded password in plain text was identified. Store it properly in a config file. | 333 | modules/users/tests/server/user.server.model.tests.js |
| Password Hardcoded | A hardcoded password in plain text was identified. Store it properly in a config file. | 343 | modules/users/tests/server/user.server.model.tests.js |
Missing Security Features
| Issue | Description |
| --- | --- |
| Missing Security Header - Content-Security-Policy (CSP) | Content Security Policy (CSP) is a mechanism web applications can use to mitigate a broad class of content injection vulnerabilities, such as cross-site scripting (XSS). No CSP header was found. |
| Missing Security Header - Public-Key-Pins (HPKP) | Public-Key-Pins (HPKP) ensures that the server's certificate is pinned. No HPKP header was found. |
Outdated Libraries
| File | Library | Reference |
| --- | --- | --- |
(no entries reported)