ViberTest (beta) is in active development; expect breaking changes.
Rule #019 · Severity: high · Category: Security & Compliance

Security Anti-Patterns

Detects SQL injection, eval() and other dynamic code execution, CORS wildcards, XSS vectors (innerHTML), sensitive data in localStorage, and Math.random() used where cryptographic randomness is needed.

Rule ID: security-antipatterns

Examples

Bad: SQL injection, eval, CORS wildcard

```javascript
// SQL injection via template literal
const query = `SELECT * FROM users WHERE id = '${userId}'`;
await db.query(query);

// eval() — arbitrary code execution
const result = eval(userInput);

// CORS wildcard
app.use(cors({ origin: '*' }));

// Sensitive data in localStorage
localStorage.setItem('authToken', token);
localStorage.setItem('creditCard', cardNumber);

// innerHTML with dynamic content
element.innerHTML = userProvidedHTML;
```
Good: Parameterized queries, restricted CORS, httpOnly cookies

```javascript
// Parameterized query — the SQL text is fixed, userId travels as a bound value
const query = 'SELECT * FROM users WHERE id = $1';
await db.query(query, [userId]);

// No eval — use JSON.parse for data (it parses, never executes;
// still validate the parsed shape before using it)
const result = JSON.parse(userInput);

// Restricted CORS — exact origins (scheme + host), not a substring or regex match
app.use(cors({
  origin: ['https://myapp.com', 'https://staging.myapp.com'],
}));

// httpOnly cookies for tokens: not readable from script, only sent over TLS,
// and sameSite limits cross-site requests
res.cookie('token', jwt, { httpOnly: true, secure: true, sameSite: 'strict' });

// textContent for plain text (or DOMPurify when HTML is genuinely required)
element.textContent = userProvidedText;
```
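What "restricted CORS" means in practice is an exact allowlist check on the Origin header. The following is an added example, not ViberTest code and not the cors middleware's implementation; the allowlist, helper names and request origins are hypothetical. It shows why exact matching matters: a substring or prefix check would also admit an attacker-registered host such as https://myapp.com.evil.example.

```javascript
// Added example (not ViberTest code): an exact-match CORS origin allowlist.
// The allowlist, helper names and request origins below are hypothetical.

// Trusted origins: scheme + host (+ non-default port), no path.
const ALLOWED_ORIGINS = new Set([
  'https://myapp.com',
  'https://staging.myapp.com',
]);

// Normalise an Origin header value to scheme://host[:port].
// Returns null for anything that is not a well-formed origin, including the
// literal string "null" that browsers send for sandboxed iframes and
// file:// pages, which must never be treated as trusted.
function normalizeOrigin(origin) {
  if (typeof origin !== 'string' || origin === 'null') return null;
  let url;
  try {
    url = new URL(origin); // URL is a global in Node and browsers
  } catch {
    return null;
  }
  // A real Origin header has no path, query or fragment.
  if (url.pathname !== '/' || url.search !== '' || url.hash !== '') return null;
  return url.origin; // lower-cases the host and drops default ports
}

// Compute the CORS response headers for one request.
// Exact set membership is the point: substring or prefix checks such as
// origin.includes('myapp.com') or origin.startsWith('https://myapp.com')
// would also admit https://myapp.com.evil.example.
function corsHeadersFor(requestOrigin, allowed = ALLOWED_ORIGINS) {
  const origin = normalizeOrigin(requestOrigin);
  if (origin === null || !allowed.has(origin)) {
    return {}; // no Access-Control-Allow-Origin: the browser blocks the read
  }
  return {
    // Echo the single matched origin instead of '*'. Browsers reject '*'
    // combined with credentials, and '*' would let any site read responses.
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    // The response varies by Origin, so shared caches must key on it.
    'Vary': 'Origin',
  };
}
```

With the cors middleware the same policy is expressed through the origin option, as the Good example above does with an array; the mistake to avoid is a loose pattern such as /myapp\.com$/, which also matches https://evil-myapp.com.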

What It Detects

critical · SQL injection via template literals or string concatenation
Message: Potential SQL injection: variable interpolation in SQL query

Fix: Use parameterized queries or prepared statements. Escaping untrusted input into the SQL text is not a substitute.

critical · eval(), new Function(), and setTimeout/setInterval called with a string argument
Message: {name} executes arbitrary code and is a security risk ({name} is the flagged call)

Fix: Avoid eval(). Use safer alternatives such as JSON.parse() for data and a function reference instead of a string for timers.

high · CORS wildcard (origin: "*")
Message: CORS wildcard (*) allows any origin to access your API

Fix: Restrict CORS to an explicit list of trusted origins, matched exactly (scheme and host), not by substring or a loose regex.

high · Sensitive data in localStorage
Message: Sensitive data stored in localStorage (vulnerable to XSS)

Fix: Use httpOnly cookies for sensitive tokens, with Secure and SameSite set; any script running on the page can read localStorage, but not an httpOnly cookie.

high · innerHTML/dangerouslySetInnerHTML with dynamic content
Message: innerHTML with dynamic content is vulnerable to XSS

Fix: Use textContent for plain text, or sanitize with DOMPurify before inserting HTML.

high · Math.random() in security context
Message: Math.random() is not cryptographically secure

Fix: Use crypto.randomUUID() or crypto.getRandomValues() (in Node, crypto.randomBytes() or crypto.randomInt() also work) for tokens, nonces and session identifiers.
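To make the six checks above concrete, here is a small line-based scanner that reports each of them over constructed sample source. It is an added illustration and not ViberTest's implementation (which this page does not show; a real linter works on an AST rather than on text). The regular expressions, finding identifiers, the "security context" heuristic for Math.random(), and the sample lines are all assumptions made for the example.

```javascript
// Added example, not ViberTest code: a line-based scanner for the six
// anti-patterns this rule lists. Real linters work on an AST; the regexes,
// ids and sample input here are constructed for illustration.

const CHECKS = [
  {
    id: 'sql-injection',
    severity: 'critical',
    message: 'Potential SQL injection: variable interpolation in SQL query',
    // Template literal holding a SQL keyword and ${...}, or a quoted SQL
    // string concatenated with a variable.
    test: (line) =>
      /`[^`]*\b(?:select|insert|update|delete)\b[^`]*\$\{/i.test(line) ||
      /['"][^'"]*\b(?:select|insert|update|delete)\b[^'"]*['"]\s*\+\s*[A-Za-z_$]/i.test(line),
  },
  {
    id: 'dynamic-code',
    severity: 'critical',
    message: 'eval/new Function/timer-with-string executes arbitrary code',
    test: (line) =>
      /\beval\s*\(/.test(line) ||
      /\bnew\s+Function\s*\(/.test(line) ||
      /\bset(?:Timeout|Interval)\s*\(\s*['"`]/.test(line),
  },
  {
    id: 'cors-wildcard',
    severity: 'high',
    message: 'CORS wildcard (*) allows any origin to access your API',
    test: (line) => /\borigin\s*:\s*['"`]\*['"`]/.test(line),
  },
  {
    id: 'localstorage-secret',
    severity: 'high',
    message: 'Sensitive data stored in localStorage (vulnerable to XSS)',
    // Heuristic: the storage key names something secret-looking.
    test: (line) =>
      /\blocalStorage\.setItem\s*\(\s*['"`][^'"`]*(?:token|secret|password|card|ssn)[^'"`]*['"`]/i.test(line),
  },
  {
    id: 'inner-html',
    severity: 'high',
    message: 'innerHTML with dynamic content is vulnerable to XSS',
    // Flag innerHTML unless the right-hand side is one plain string literal.
    test: (line) => {
      const m = /\.innerHTML\s*=\s*(.+)$/.exec(line);
      if (!m) return /\bdangerouslySetInnerHTML\b/.test(line);
      const rhs = m[1].trim().replace(/;$/, '');
      return !/^(['"])[^'"$]*\1$/.test(rhs) && !/^`[^`$]*`$/.test(rhs);
    },
  },
  {
    id: 'weak-random',
    severity: 'high',
    message: 'Math.random() is not cryptographically secure',
    // Heuristic "security context": the same line names a secret-like value.
    test: (line) =>
      /\bMath\.random\s*\(/.test(line) &&
      /token|secret|nonce|session|password|otp|csrf|salt/i.test(line),
  },
];

// Scan source text; findings come out ordered by line, then by check order.
function scanSource(source) {
  const findings = [];
  source.split('\n').forEach((line, index) => {
    if (line.trim().startsWith('//')) return; // skip comment-only lines
    for (const check of CHECKS) {
      if (check.test(line)) {
        findings.push({ line: index + 1, id: check.id, severity: check.severity, message: check.message });
      }
    }
  });
  return findings;
}

// Constructed sample: each anti-pattern next to a safe counterpart.
const SAMPLE = [
  "const q = `SELECT * FROM users WHERE id = '${userId}'`;",
  "const q2 = 'SELECT * FROM users WHERE id = ' + userId;",
  "const ok = 'SELECT * FROM users WHERE id = $1';",
  'const result = eval(userInput);',
  "setTimeout('doThing()', 100);",
  'setTimeout(doThing, 100);',
  "app.use(cors({ origin: '*' }));",
  "localStorage.setItem('authToken', token);",
  "localStorage.setItem('theme', 'dark');",
  'element.innerHTML = userProvidedHTML;',
  "element.innerHTML = '<hr>';",
  'element.textContent = userProvidedText;',
  'const sessionToken = Math.random().toString(36).slice(2);',
  'const dieRoll = Math.floor(Math.random() * 6) + 1;',
].join('\n');

for (const f of scanSource(SAMPLE)) {
  console.log(`${f.line}: [${f.severity}] ${f.id}: ${f.message}`);
}
```

Running it flags the eight unsafe lines and leaves the six safe counterparts alone; the two heuristics (secret-looking localStorage keys, Math.random() beside a secret-like name) are where a text scanner trades false negatives for fewer false positives, which is why a production rule needs type and data-flow information rather than regexes.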

Configuration

This rule is enabled by default. To disable it:

.vibertestrc.json:

```json
{
  "rules": {
    "security-antipatterns": {
      "enabled": false
    }
  }
}
```