registry  /  @oneuptime/common  /  11.3.16

@oneuptime/common@11.3.16

The OneUptime Common UI Library is a collection of shared components, utilities that are used across the OneUptime platform. It is designed to be easy to install and use, and to be extensible. This library is built with React and TypeScript. It includes c

Static Scan Results

scanned 12d ago · by rust-scanner

Static analysis flagged 19 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 5,017 file(s), 37.7 MB of source, external domains: accounts.google.com, adaptivecards.io, api.anthropic.com, api.example.com, api.github.com, api.groq.com, api.mistral.ai, api.openai.com, api.slack.com, api.telegram.org, api.yourcompany.com, catfact.ninja, core.telegram.org, developer.microsoft.com, discord.com, docs.example.com, example.com, github.com, graph.microsoft.com, hcaptcha.com, hooks.slack.com, idp.example.com, invoices.oneuptime.com, learn.microsoft.com, login.microsoftonline.com, mail.google.com, oauth2.googleapis.com, oneuptime.com, opentelemetry.io, outlook.office365.com, reseller.oneuptime.com, schema.org, short.url, slack.com, smba.trafficmanager.net, sso.example.com, statics.teams.cdn.office.net, support.discord.com, t.me, www.example.com, www.w3.org, xxxxx.webhook.office.com

Source & flagged code

10 flagged · loading source
Models/DatabaseModels/RunbookSecret.tsView file
239patternName = stripe_test_secret severity = high line = 239 matchedText = example:...op",
High
High Secret

Package contains a high-severity secret pattern.

Models/DatabaseModels/RunbookSecret.tsView on unpkg · L239
239patternName = stripe_test_secret severity = high line = 239 matchedText = example:...op",
High
Secret Pattern

Stripe test secret key in Models/DatabaseModels/RunbookSecret.ts

Models/DatabaseModels/RunbookSecret.tsView on unpkg · L239
Server/Utils/VM/VMRunner.tsView file
3import { JSONObject, JSONValue } from "../../../Types/JSON"; L4: import axios, { AxiosResponse } from "axios"; L5: import crypto from "crypto"; ... L88: * Block Playwright methods that can spawn processes or access internals. L89: * Prevents RCE via browser.browserType().launch({executablePath:"/bin/sh"}) L90: * and traversal via page.context().browser().browserType().launch(...) ... L359: @CaptureSpan() L360: public static async runCodeInNodeVM(data: { L361: code: string; ... L646: try { L647: metric.attributes = JSON.parse(attributesJson) as JSONObject; L648: } catch {
Medium
Unsafe Vm Context

Package source executes code through a VM context API.

Server/Utils/VM/VMRunner.tsView on unpkg · L3
Server/Services/DockerHostService.tsView file
57@CaptureSpan() L58: public async findOrCreateByHostIdentifier(data: { L59: projectId: ObjectID;
Low
Weak Crypto

Package source references weak cryptographic algorithms.

Server/Services/DockerHostService.tsView on unpkg · L57
Server/Services/UserWebhookService.tsView file
99L100: private validateWebhookUrl(rawUrl: string): void { L101: let parsed: URL; ... L108: const protocolValue: string = parsed.protocol.toString().toLowerCase(); L109: if (protocolValue !== "http://" && protocolValue !== "https://") { L110: throw new BadDataException(
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

Server/Services/UserWebhookService.tsView on unpkg · L99
test-setup.shView file
path = test-setup.sh kind = build_helper sizeBytes = 1520 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

test-setup.shView on unpkg
UI/Fonts/materialdesignicons-webfont.woff2View file
path = UI/Fonts/materialdesignicons-webfont.woff2 kind = high_entropy_blob sizeBytes = 325244 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

UI/Fonts/materialdesignicons-webfont.woff2View on unpkg
Models/DatabaseModels/MonitorSecret.tsView file
239patternName = stripe_test_secret severity = high line = 239 matchedText = example:...op",
High
Secret Pattern

Stripe test secret key in Models/DatabaseModels/MonitorSecret.ts

Models/DatabaseModels/MonitorSecret.tsView on unpkg · L239
build/dist/Models/DatabaseModels/MonitorSecret.jsView file
197patternName = stripe_test_secret severity = high line = 197 matchedText = example:...op",
High
Secret Pattern

Stripe test secret key in build/dist/Models/DatabaseModels/MonitorSecret.js

build/dist/Models/DatabaseModels/MonitorSecret.jsView on unpkg · L197
build/dist/Models/DatabaseModels/RunbookSecret.jsView file
197patternName = stripe_test_secret severity = high line = 197 matchedText = example:...op",
High
Secret Pattern

Stripe test secret key in build/dist/Models/DatabaseModels/RunbookSecret.js

build/dist/Models/DatabaseModels/RunbookSecret.jsView on unpkg · L197

Findings

7 High5 Medium7 Low
HighHigh SecretModels/DatabaseModels/RunbookSecret.ts
HighCloud Metadata AccessServer/Services/UserWebhookService.ts
HighShips High Entropy BlobUI/Fonts/materialdesignicons-webfont.woff2
HighSecret PatternModels/DatabaseModels/RunbookSecret.ts
HighSecret PatternModels/DatabaseModels/MonitorSecret.ts
HighSecret Patternbuild/dist/Models/DatabaseModels/MonitorSecret.js
HighSecret Patternbuild/dist/Models/DatabaseModels/RunbookSecret.js
MediumUnsafe Vm ContextServer/Utils/VM/VMRunner.ts
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpertest-setup.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowEval
LowWeak CryptoServer/Services/DockerHostService.ts
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings