Always sanitize user inputs
Check if user inputs are sanitized before being used in rendering or database queries. Unsanitized inputs can lead to injection vulnerabilities like XSS or SQL injection.
Always Verify Server Certificates in SSL/TLS Connections
Ensure that SSL/TLS certificate validation is always enabled to prevent Man-in-the-Middle (MitM) attacks.
Avoid Blocking Calls to Async Methods
Blocking async methods with `.Result` or `.Wait()` can cause deadlocks and prevent efficient asynchronous execution. Use `await` instead for proper async behavior.
Avoid Duplicating String Literals
Store repeated string literals in constants or variables to improve maintainability and reduce redundancy.
Avoid Empty Methods
Detect methods that have an empty body. If a method is empty, ensure that a comment is present explaining why it remains unimplemented.
Avoid equality operators in loop termination conditions
Check if loops use equality operators (== or !=) in termination conditions. These can lead to infinite loops if the condition is never met exactly. Instead, use relational operators like < or > for safer loop termination.
Avoid Equality Operators in Loop Termination Conditions
Ensure that relational operators (`<`, `>`) are used instead of equality operators (`==`, `!=`) in loop termination conditions.
Avoid modifying built-in prototypes
Detect modifications to built-in prototypes. Modifying built-in objects can lead to compatibility issues and unexpected behavior. Recommend creating helper functions instead.
Avoid Redundant `None` Comparisons
Identify cases where `x is None` or `x is not None` is used redundantly when `x` is always or never `None`. This may indicate a deeper logic issue.
Avoid Returning Null in Non-Async Task Methods
Returning null from a Task or Task<T> method causes a NullReferenceException if awaited. Use Task.CompletedTask or Task.FromResult<T>(null) instead.
Avoid unprotected HTTP request redirections
Check if HTTP request redirections are unvalidated. Allowing arbitrary redirections can expose users to phishing attacks. Recommend validating and restricting URLs.
Avoid Using Boolean Expressions in `except` Statements
Detect `except` clauses that use `or` or `and` to catch multiple exceptions. This does not work as intended. Recommend using a tuple of exceptions instead.
Avoid using eval
Detect the use of eval(). Eval allows execution of arbitrary code, leading to security vulnerabilities such as code injection. Recommend safer alternatives like function execution.
Block risky database migrations (locking ops, downtime risk)
Review SQL/database migrations for operations that can lock large tables or cause downtime. Examples: creating indexes without CONCURRENTLY (Postgres), ALTER COLUMN TYPE on big tables, adding NOT NULL without backfill, long-running updates without batching. Require an online migration strategy (CONCURRENTLY, backfill in batches, dual-write/expand-contract) and a rollback plan.
Check consent and role-based authorization before returning ePHI
Handlers must verify the requester’s role and a valid consent/relationship (e.g., care team assignment) before disclosing ePHI; include Purpose-Of-Use in the decision and audit the outcome.
Children's data: verify age and parental consent
If data subject is a child/adolescent, require age verification and parental/legal guardian consent prior to processing; deny processing otherwise and do not store the payload.
Create a New Session on User Authentication
Ensure that a new session is always created upon user authentication to prevent session fixation attacks.
CSRF Protection Should Always Be Enabled
Disabling CSRF protection allows attackers to trick users into performing unintended actions, such as modifying account details or making unauthorized transactions.
Deletion requests: anonymize or hard-delete PII irreversibly
On LGPD deletion, remove or irreversibly anonymize PII and purge dependent caches. Keep minimal audit metadata (timestamp, request ID) not linkable back to the subject.
Disallow CVV/CVC persistence anywhere
Never store CVV/CVC or other SAD after authorization in databases, caches, files, or telemetry. Schema/models must not define fields for CVV/CVC; reject writes containing cvv/cvc keys. (PCI DSS 4.0 Req. 3.2.1)
Disallow public ingress without explicit allowlist
For Ingress/Service of type LoadBalancer, require host/path allowlist and TLS; forbid 0.0.0.0/0 exposure without WAF or Auth.
Do Not Call `wait()` When Holding Multiple Locks
Ensure that `wait()` is not called while holding multiple locks to prevent deadlocks.
Do Not Define Environment Variables from Untrusted Input
Ensure that external user input is properly sanitized before being used to define environment variables.
Don’t Create Exceptions Without Raising Them
Identify instances where an exception object is created but never raised. This is likely an oversight and should either be removed or properly raised.
// library
Severity
Bucket
Always sanitize user inputs
Check if user inputs are sanitized before being used in rendering or database queries. Unsanitized inputs can lead to injection vulnerabilities like XSS or SQL injection.
Always Verify Server Certificates in SSL/TLS Connections
Ensure that SSL/TLS certificate validation is always enabled to prevent Man-in-the-Middle (MitM) attacks.
Avoid Blocking Calls to Async Methods
Blocking async methods with `.Result` or `.Wait()` can cause deadlocks and prevent efficient asynchronous execution. Use `await` instead for proper async behavior.
Avoid Duplicating String Literals
Store repeated string literals in constants or variables to improve maintainability and reduce redundancy.
Avoid Empty Methods
Detect methods that have an empty body. If a method is empty, ensure that a comment is present explaining why it remains unimplemented.
Avoid equality operators in loop termination conditions
Check if loops use equality operators (== or !=) in termination conditions. These can lead to infinite loops if the condition is never met exactly. Instead, use relational operators like < or > for safer loop termination.
Avoid Equality Operators in Loop Termination Conditions
Ensure that relational operators (`<`, `>`) are used instead of equality operators (`==`, `!=`) in loop termination conditions.
Avoid modifying built-in prototypes
Detect modifications to built-in prototypes. Modifying built-in objects can lead to compatibility issues and unexpected behavior. Recommend creating helper functions instead.
Avoid Redundant `None` Comparisons
Identify cases where `x is None` or `x is not None` is used redundantly when `x` is always or never `None`. This may indicate a deeper logic issue.
Avoid Returning Null in Non-Async Task Methods
Returning null from a Task or Task<T> method causes a NullReferenceException if awaited. Use Task.CompletedTask or Task.FromResult<T>(null) instead.
Avoid unprotected HTTP request redirections
Check if HTTP request redirections are unvalidated. Allowing arbitrary redirections can expose users to phishing attacks. Recommend validating and restricting URLs.
Avoid Using Boolean Expressions in `except` Statements
Detect `except` clauses that use `or` or `and` to catch multiple exceptions. This does not work as intended. Recommend using a tuple of exceptions instead.
Avoid using eval
Detect the use of eval(). Eval allows execution of arbitrary code, leading to security vulnerabilities such as code injection. Recommend safer alternatives like function execution.
Block risky database migrations (locking ops, downtime risk)
Review SQL/database migrations for operations that can lock large tables or cause downtime. Examples: creating indexes without CONCURRENTLY (Postgres), ALTER COLUMN TYPE on big tables, adding NOT NULL without backfill, long-running updates without batching. Require an online migration strategy (CONCURRENTLY, backfill in batches, dual-write/expand-contract) and a rollback plan.
Check consent and role-based authorization before returning ePHI
Handlers must verify the requester’s role and a valid consent/relationship (e.g., care team assignment) before disclosing ePHI; include Purpose-Of-Use in the decision and audit the outcome.
Children's data: verify age and parental consent
If data subject is a child/adolescent, require age verification and parental/legal guardian consent prior to processing; deny processing otherwise and do not store the payload.
Create a New Session on User Authentication
Ensure that a new session is always created upon user authentication to prevent session fixation attacks.
CSRF Protection Should Always Be Enabled
Disabling CSRF protection allows attackers to trick users into performing unintended actions, such as modifying account details or making unauthorized transactions.
Deletion requests: anonymize or hard-delete PII irreversibly
On LGPD deletion, remove or irreversibly anonymize PII and purge dependent caches. Keep minimal audit metadata (timestamp, request ID) not linkable back to the subject.
Disallow CVV/CVC persistence anywhere
Never store CVV/CVC or other SAD after authorization in databases, caches, files, or telemetry. Schema/models must not define fields for CVV/CVC; reject writes containing cvv/cvc keys. (PCI DSS 4.0 Req. 3.2.1)
Disallow public ingress without explicit allowlist
For Ingress/Service of type LoadBalancer, require host/path allowlist and TLS; forbid 0.0.0.0/0 exposure without WAF or Auth.
Do Not Call `wait()` When Holding Multiple Locks
Ensure that `wait()` is not called while holding multiple locks to prevent deadlocks.
Do Not Define Environment Variables from Untrusted Input
Ensure that external user input is properly sanitized before being used to define environment variables.
Don’t Create Exceptions Without Raising Them
Identify instances where an exception object is created but never raised. This is likely an oversight and should either be removed or properly raised.