Security Test: Unsafe Function Use

Description

Default Severity:

Certain functions in web applications may introduce security risks, such as SQL injection, XSS, or remote code execution. The presence of such functions in your codebase can lead to severe vulnerabilities. It is crucial to identify and replace unsafe functions with secure alternatives and follow best security practices.

Configuration

Identifier: configuration/unsafe_function_use

Examples

All available configuration:

checks:
  configuration/unsafe_function_use:
    skip: false # default

Compliance and Standards

Standard            Value
OWASP API Top 10    API8:2023
OWASP LLM Top 10    LLM05:2023
PCI DSS             6.2
GDPR                Article-32
SOC2                CC6
PSD2                Article-95
ISO 27001           A.12.6
NIST                SP800-40
FedRAMP             SI-2
CWE                 676
CVSS Vector         CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C
CVSS Score          9.0

Remediation

To address this issue, avoid using unsafe functions like eval(), document.write(), innerHTML, and system() where possible. Instead, use secure alternatives such as safe DOM manipulation methods, parameterized queries, and strict input validation. Regularly review security advisories and update dependencies to minimize risks.

Frontend Specific

React: Avoid using dangerouslySetInnerHTML and prefer state-based rendering for dynamic content.
Angular: Avoid bypassSecurityTrust methods; use Angular's built-in sanitization instead.
Vue: Avoid using v-html for rendering dynamic content; prefer computed properties or methods.
Svelte: Avoid using innerHTML and prefer safe bindings for data output.

REST Specific

Express.js: Avoid using eval(), new Function(), and user-controlled data in exec(); use secure alternatives.
Django: Use Django's built-in ORM and template engine to prevent injection vulnerabilities.
Laravel: Avoid raw SQL queries; use Laravel's Query Builder and ORM to ensure data safety.
Spring Boot: Use PreparedStatements and avoid String concatenation in SQL queries.
Flask: Use parameterized queries and escape input properly to prevent injection attacks.
FastAPI: Use Pydantic for input validation and avoid direct execution of user-supplied code.
Koa: Avoid unsafe function execution and use secure middleware for sanitization.
Hapi: Enforce input validation using Joi and avoid executing untrusted input.