Code Security Audit Results #791
Description
Hello,
I have some results of a security audit from my company's internal IT department that they said I could share with everyone. Medium or higher prevents usage of any software. It would be very helpful for future versions if someone might be able to take a look at these. I'm not really a strong coder so I cannot be much help myself. Thanks!
| check_id | severity | path | message | License | Vulnerability | Source | Do we have control to remediate? | If possible to remediate, how will this affect functionality? |
|---|---|---|---|---|---|---|---|---|
| javascript.browser.security.insecure-document-method.insecure-document-method | HIGH | sokrypton-ColabDesign-16e03c2/colabdesign/rf/blueprint.js | User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern that can lead to XSS vulnerabilities | Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license | Cross-Site-Scripting (XSS) | https://semgrep.dev/r/javascript.browser.security.insecure-document-method.insecure-document-method | ||
| trailofbits.python.pickles-in-numpy.pickles-in-numpy | HIGH | sokrypton-ColabDesign-16e03c2/colabdesign/tr/legacy/model.py | Functions reliant on pickle can result in arbitrary code execution. Consider using fickling or switching to a safer serialization method | AGPL-3.0 license | Insecure Deserialization | https://semgrep.dev/r/trailofbits.python.pickles-in-numpy.pickles-in-numpy | ||
| trailofbits.python.pickles-in-numpy.pickles-in-numpy | HIGH | sokrypton-ColabDesign-16e03c2/colabdesign/tr/trrosetta.py | Functions reliant on pickle can result in arbitrary code execution. Consider using fickling or switching to a safer serialization method | AGPL-3.0 license | Insecure Deserialization | https://semgrep.dev/r/trailofbits.python.pickles-in-numpy.pickles-in-numpy |