registry  /  @oneuptime/common  /  11.5.0

@oneuptime/common@11.5.0

The OneUptime Common UI Library is a collection of shared components, utilities that are used across the OneUptime platform. It is designed to be easy to install and use, and to be extensible. This library is built with React and TypeScript. It includes c

Static Scan Results

scanned 1d ago · by rust-scanner

Static analysis flagged 22 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 5,017 file(s), 37.3 MB of source, external domains: 130.211.213.119, accounts.google.com, adaptivecards.io, api.anthropic.com, api.example.com, api.github.com, api.groq.com, api.mistral.ai, api.openai.com, api.slack.com, api.telegram.org, api.yourcompany.com, catfact.ninja, core.telegram.org, developer.microsoft.com, discord.com, docs.example.com, example.com, gateway.example.com, github.com, graph.microsoft.com, hcaptcha.com, hooks.slack.com, idp.example.com, invoices.oneuptime.com, learn.microsoft.com, login.microsoftonline.com, mail.google.com, oauth2.googleapis.com, oneuptime.com, oneuptime.example, opentelemetry.io, outlook.office365.com, reseller.oneuptime.com, schema.org, short.url, slack.com, smba.trafficmanager.net, sso.example.com, statics.teams.cdn.office.net, support.discord.com, t.me, vllm.local, www.example.com, www.w3.org, xxxxx.webhook.office.com

Source & flagged code

13 flagged · loading source
Tests/Server/Utils/AI/ToolResultSerializer.test.tsView file
172patternName = aws_access_key severity = critical line = 172 matchedText = "aws_key...-1",
Critical
Critical Secret

Package contains a critical-looking secret pattern.

Tests/Server/Utils/AI/ToolResultSerializer.test.tsView on unpkg · L172
159patternName = private_key_rsa severity = critical line = 159 matchedText = const ke...----
Critical
Secret Pattern

RSA private key in Tests/Server/Utils/AI/ToolResultSerializer.test.ts

Tests/Server/Utils/AI/ToolResultSerializer.test.tsView on unpkg · L159
172patternName = aws_access_key severity = critical line = 172 matchedText = "aws_key...-1",
Critical
Secret Pattern

AWS access key ID in Tests/Server/Utils/AI/ToolResultSerializer.test.ts

Tests/Server/Utils/AI/ToolResultSerializer.test.tsView on unpkg · L172
175patternName = aws_access_key severity = critical line = 175 matchedText = expect(r...E");
Critical
Secret Pattern

AWS access key ID in Tests/Server/Utils/AI/ToolResultSerializer.test.ts

Tests/Server/Utils/AI/ToolResultSerializer.test.tsView on unpkg · L175
Server/Utils/VM/VMRunner.tsView file
3import { JSONObject, JSONValue } from "../../../Types/JSON"; L4: import axios, { AxiosResponse } from "axios"; L5: import crypto from "crypto"; ... L88: * Block Playwright methods that can spawn processes or access internals. L89: * Prevents RCE via browser.browserType().launch({executablePath:"/bin/sh"}) L90: * and traversal via page.context().browser().browserType().launch(...) ... L359: @CaptureSpan() L360: public static async runCodeInNodeVM(data: { L361: code: string; ... L646: try { L647: metric.attributes = JSON.parse(attributesJson) as JSONObject; L648: } catch {
Medium
Unsafe Vm Context

Package source executes code through a VM context API.

Server/Utils/VM/VMRunner.tsView on unpkg · L3
Server/Services/DockerHostService.tsView file
57@CaptureSpan() L58: public async findOrCreateByHostIdentifier(data: { L59: projectId: ObjectID;
Low
Weak Crypto

Package source references weak cryptographic algorithms.

Server/Services/DockerHostService.tsView on unpkg · L57
Server/Services/UserWebhookService.tsView file
99L100: private validateWebhookUrl(rawUrl: string): void { L101: let parsed: URL; ... L108: const protocolValue: string = parsed.protocol.toString().toLowerCase(); L109: if (protocolValue !== "http://" && protocolValue !== "https://") { L110: throw new BadDataException(
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

Server/Services/UserWebhookService.tsView on unpkg · L99
test-setup.shView file
path = test-setup.sh kind = build_helper sizeBytes = 1520 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

test-setup.shView on unpkg
UI/Fonts/materialdesignicons-webfont.woff2View file
path = UI/Fonts/materialdesignicons-webfont.woff2 kind = high_entropy_blob sizeBytes = 325244 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

UI/Fonts/materialdesignicons-webfont.woff2View on unpkg
Models/DatabaseModels/RunbookSecret.tsView file
239patternName = stripe_test_secret severity = high line = 239 matchedText = example:...op",
High
Secret Pattern

Stripe test secret key in Models/DatabaseModels/RunbookSecret.ts

Models/DatabaseModels/RunbookSecret.tsView on unpkg · L239
Models/DatabaseModels/MonitorSecret.tsView file
239patternName = stripe_test_secret severity = high line = 239 matchedText = example:...op",
High
Secret Pattern

Stripe test secret key in Models/DatabaseModels/MonitorSecret.ts

Models/DatabaseModels/MonitorSecret.tsView on unpkg · L239
build/dist/Models/DatabaseModels/MonitorSecret.jsView file
197patternName = stripe_test_secret severity = high line = 197 matchedText = example:...op",
High
Secret Pattern

Stripe test secret key in build/dist/Models/DatabaseModels/MonitorSecret.js

build/dist/Models/DatabaseModels/MonitorSecret.jsView on unpkg · L197
build/dist/Models/DatabaseModels/RunbookSecret.jsView file
197patternName = stripe_test_secret severity = high line = 197 matchedText = example:...op",
High
Secret Pattern

Stripe test secret key in build/dist/Models/DatabaseModels/RunbookSecret.js

build/dist/Models/DatabaseModels/RunbookSecret.jsView on unpkg · L197

Findings

4 Critical6 High5 Medium7 Low
CriticalCritical SecretTests/Server/Utils/AI/ToolResultSerializer.test.ts
CriticalSecret PatternTests/Server/Utils/AI/ToolResultSerializer.test.ts
CriticalSecret PatternTests/Server/Utils/AI/ToolResultSerializer.test.ts
CriticalSecret PatternTests/Server/Utils/AI/ToolResultSerializer.test.ts
HighCloud Metadata AccessServer/Services/UserWebhookService.ts
HighShips High Entropy BlobUI/Fonts/materialdesignicons-webfont.woff2
HighSecret PatternModels/DatabaseModels/RunbookSecret.ts
HighSecret PatternModels/DatabaseModels/MonitorSecret.ts
HighSecret Patternbuild/dist/Models/DatabaseModels/MonitorSecret.js
HighSecret Patternbuild/dist/Models/DatabaseModels/RunbookSecret.js
MediumUnsafe Vm ContextServer/Utils/VM/VMRunner.ts
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpertest-setup.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowEval
LowWeak CryptoServer/Services/DockerHostService.ts
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings