Hello JavaScript and TypeScript developers,
The JS and TS analyzers were upgraded to detect 6 additional Security Hotspots. With these rules, SonarCloud will guide you to review your code looking for:
- the use of clear-text protocols such as ftp, telnet or non-secure http, which transport data without encryption
- code expanding untrusted archive files without controlling the size of the expanded data (potential zip bomb attacks)
- insufficiently restricted file permissions, leading to unintended access to files
Here is the list of Security Hotspots added:
- S5332: Using clear-text protocols is security-sensitive
- S1313: Using hardcoded IP addresses is security-sensitive
- S5042: Expanding archive files without controlling resource consumption is security-sensitive
- S5443: Using publicly writable directories is security-sensitive
- S2612: Setting loose POSIX file permissions is security-sensitive
- S5876: A new session should be created during user authentication
These rules are available now for both JavaScript and TypeScript on SonarCloud, and will be included in SonarQube 8.7.
Alex