precedents top-level constant

```dart
List<String> const precedents
```

Precedent rules for common patterns.

Implementation

```dart
const List<String> precedents = [
  'Logging high-value secrets in plaintext is a vulnerability; logging URLs '
      'is assumed safe',
  'UUIDs can be assumed unguessable and do not need validation',
  'Environment variables and CLI flags are trusted values — attacks requiring '
      'control of an env var are invalid',
  'Resource management issues (memory or file descriptor leaks) are not valid',
  'Subtle or low-impact web vulnerabilities (tabnabbing, XS-Leaks, prototype '
      'pollution, open redirects) should not be reported unless extremely high '
      'confidence',
  'React and Angular are generally secure against XSS — do not report XSS '
      'unless using dangerouslySetInnerHTML, bypassSecurityTrustHtml, or similar',
  'Most GitHub Action workflow vulnerabilities are not exploitable in practice',
  'Lack of permission checking in client-side JS/TS is not a vulnerability — '
      'validation is the server\'s responsibility',
  'Most iPython notebook (.ipynb) vulnerabilities are not exploitable in practice',
  'Logging non-PII data is not a vulnerability, even if potentially sensitive',
  'Only include MEDIUM findings if they are obvious and concrete issues',
  'Command injection in shell scripts is generally not exploitable since they '
      'don\'t run with untrusted user input',
];
```
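The following is an added example, not code from the package that defines `precedents`: it shows how a triage step could apply three of the rules above (trusted env/CLI inputs, framework auto-escaping unless a raw-HTML sink is involved, and the MEDIUM-severity bar) before a candidate finding reaches a reviewer. The `Finding` type, its field names, the `unsafeHtmlSinks` set, and the sample findings in `main` are assumptions constructed for illustration.

```dart
// Added example; the Finding type, its fields and the sample data below are
// constructed for illustration and are not part of the original package.

enum Severity { low, medium, high, critical }

class Finding {
  const Finding({
    required this.title,
    required this.severity,
    required this.source,
    this.sink,
    this.framework = 'unknown',
    this.concrete = false,
  });

  final String title;
  final Severity severity;

  /// Origin of the attacker-influenced value: 'env', 'cli', 'http', 'file', ...
  final String source;

  /// The API the value finally reaches, if the scanner identified one.
  final String? sink;

  /// UI framework of the affected code: 'react', 'angular', 'vanilla', ...
  final String framework;

  /// Whether the reviewer could point at an obvious, concrete defect.
  final bool concrete;
}

/// Raw-HTML sinks that bypass the framework's default output encoding
/// (the ones the React/Angular precedent names, plus plain innerHTML).
const Set<String> unsafeHtmlSinks = {
  'dangerouslySetInnerHTML',
  'bypassSecurityTrustHtml',
  'innerHTML',
};

/// Returns the reason [f] is suppressed under the precedents, or null when
/// the finding should still be reported.
String? suppressedBy(Finding f) {
  // Environment variables and CLI flags are trusted values.
  if (f.source == 'env' || f.source == 'cli') {
    return 'attack requires control of a trusted env var or CLI flag';
  }

  // React and Angular escape output by default; only raw-HTML sinks count.
  final autoEscaping = f.framework == 'react' || f.framework == 'angular';
  if (f.title.contains('XSS') &&
      autoEscaping &&
      !unsafeHtmlSinks.contains(f.sink)) {
    return 'framework auto-escapes output and no raw-HTML sink is involved';
  }

  // MEDIUM findings are only kept when they are obvious and concrete.
  if (f.severity == Severity.medium && !f.concrete) {
    return 'MEDIUM finding is not an obvious, concrete issue';
  }

  return null;
}

void main() {
  const candidates = [
    Finding(
      title: 'XSS via user name rendered in profile header',
      severity: Severity.high,
      source: 'http',
      framework: 'react',
      sink: 'JSX text node',
    ),
    Finding(
      title: 'XSS via rich-text post body',
      severity: Severity.high,
      source: 'http',
      framework: 'react',
      sink: 'dangerouslySetInnerHTML',
    ),
    Finding(
      title: 'Command injection via CONFIG_PATH',
      severity: Severity.high,
      source: 'env',
      sink: 'Process.run',
    ),
    Finding(
      title: 'Verbose stack trace in error page',
      severity: Severity.medium,
      source: 'http',
    ),
  ];

  // Expected: only the dangerouslySetInnerHTML finding is reported.
  for (final f in candidates) {
    final reason = suppressedBy(f);
    print(reason == null ? 'REPORT   ${f.title}' : 'SUPPRESS ${f.title}: $reason');
  }
}
```

The filter deliberately keys on the sink rather than on the framework alone: the precedent does not say React and Angular code cannot have XSS, only that a report needs to show the value reaching an API that bypasses the framework's encoding.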