FixVibe

// code / spotlight

Risky Source-Code Patterns

eval(), dangerouslySetInnerHTML, hard-coded secrets โ€” the patterns SAST has been catching for 25 years.

Kaitnya

Most exploits in production codebases don't require novel research. They require a grep for `eval(` and a question about where the input came from. Static-analysis tooling has been catching the same small set of high-confidence patterns for two and a half decades โ€” eval-with-user-input, dangerouslySetInnerHTML, exec-with-string, hard-coded credentials, unsafe deserialization, weak crypto primitives โ€” and yet they keep showing up in modern code because the alternatives feel like more work in the moment. The bug class is well-understood; the persistence is operational. SAST works best when you accept that 95% of findings are signal, not noise, and treat the patterns as anti-patterns in code review.

Cara kerjanya

Each language has a small list of constructs that turn data into code: `eval()`, `Function(string)`, `setTimeout(string)`, `pickle.loads()` in Python, `Marshal.load` in Ruby, `unserialize()` in PHP. Combined with user input, they're vulnerabilities. Each language also has framework-specific opt-out paths from safety: React's `dangerouslySetInnerHTML`, Vue's `v-html`, Angular's `bypassSecurityTrust*`. And every codebase has a long tail of hard-coded credentials โ€” Stripe keys, Supabase service-role JWTs, internal API tokens โ€” that survived from a 'temporary' commit in 2022. The SAST patterns we run are conservative: high-precision (low false-positive rate) at the cost of recall. We'd rather flag five real bugs than fifty maybe-bugs that lead the team to ignore the report.

Varian-variannya

eval / Function constructor

Direct code execution from a string. Combined with any user-controllable input, RCE-class. Even without user input, hard to refactor and harder to verify safe.

dangerouslySetInnerHTML / v-html

React / Vue opt-out from XSS-safe rendering. Sometimes legitimate (rendering server-sanitized markdown), more often a code smell.

Hard-coded service-role keys

Supabase service-role JWT, Firebase admin SDK creds, Stripe sk_live_, internal API tokens checked into source. The service-role key in client-side code bypasses RLS entirely.

Unsafe deserialization

Python `pickle.loads`, Ruby `Marshal.load`, Java native serialization, PHP `unserialize`. RCE on untrusted input โ€” these classes have been exploited at industrial scale.

Radius dampak

Tracks the pattern: eval is RCE, dangerouslySetInnerHTML is XSS, service-role-key embed is full database access bypassing RLS, hard-coded sk_live is billing takeover, unsafe deserialization is RCE. Each pattern catches one or more breaches per year somewhere in the industry; in your codebase, each is a potential incident waiting to be exploited.

// apa yang fixvibe periksa

Apa yang FixVibe periksa

FixVibe repo scans look for high-confidence security patterns and dependency risk in source context. Reports identify the affected area and recommended fix. For check-specific questions about exact detection heuristics, active payload details, or source-code rule patterns, contact support@fixvibe.app.

Pertahanan kokoh

Adopt the patterns as anti-patterns in code review โ€” make 'why does this code use eval?' a standard PR question. Add an ESLint config like `eslint-plugin-security`, `eslint-plugin-security-node`, or your language's equivalent (Bandit for Python, RuboCop's security cops for Ruby, Brakeman for Rails). Block secret leakage at commit time with gitleaks or trufflehog pre-commit hooks; the muscle memory of 'oh I shouldn't commit that' is more reliable than 'I should remember to remove it later.' Replace `dangerouslySetInnerHTML` with explicit DOMPurify calls when you need user-supplied HTML. Move all credentials into environment variables, fronted by a secret manager (Doppler, Vercel env, AWS Secrets Manager, HashiCorp Vault). For deserialization on untrusted input, use schema-validated JSON via Zod / Yup / Pydantic โ€” never the language-native serialization formats.

// run it on your own app

Terus rilis sementara FixVibe yang berjaga.

FixVibe menguji permukaan publik app kamu sebagaimana seorang penyerang akan melakukannya โ€” tanpa agent, tanpa instalasi, tanpa kartu. Kami terus meneliti pola kerentanan baru dan mengubahnya jadi check praktis serta perbaikan siap-tempel untuk Cursor, Claude, dan Copilot.

Kode sumber
116
tes yang dijalankan di kategori ini
modules
76
check kode sumber khusus
setiap pemindaian
487+
tes di seluruh kategori
  • Gratis โ€” tanpa kartu kredit, tanpa instalasi, tanpa ping Slack
  • Cukup tempel URL โ€” kami crawl, probe, dan laporkan
  • Temuan berperingkat severity, di-dedupe jadi sinyal saja
  • AI-ready prompts where code applies, plus operator steps for DNS/provider fixes
Jalankan scan gratis โ†’

// latest checks ยท practical fixes ยท ship with confidence

Risky Source-Code Patterns โ€” Sorotan Kerentanan | FixVibe ยท FixVibe