Some tools carry taxonomy that fires threat mappings but have no `[[security.sinks]]`, so `brief threat-model` says "this is dangerous" while `brief sinks` says nothing to grep for.

- `node/adonisjs.toml` — carries `function:data-mapping`, `function:templating`, `function:authentication`, `layer:backend`. Bundles Lucid ORM (`Database.rawQuery`, `query().whereRaw`), Edge templates (`{{{ }}}` triple-stash, `@!section` raw), and auth (`auth.use().login`). Same shape as Django/Laravel which both got sinks in Seed sinks for web frameworks and ORMs #27.
- `node/astro.toml` — `function:templating`, does SSR. `set:html` directive bypasses escaping, `Astro.redirect`.
- `node/qwik.toml` — `function:templating`. `dangerouslySetInnerHTML` equivalent.
- `node/solidjs.toml` — `function:templating`. `innerHTML` prop, `Dynamic` component with caller-controlled tag.
- `node/ember.toml` — `function:templating`. `{{{triple-stash}}}` in Handlebars templates, `htmlSafe`.
- `node/eleventy.toml` — `function:templating`. SSG so build-time only, but supports multiple template engines whose unescaped forms apply.
- `node/gatsby.toml` — `function:templating`. `dangerouslySetInnerHTML` (it's React underneath), GraphQL query injection if queries built from URL params.

The SSGs (Eleventy, Gatsby) are lower priority since they're build-time and the attacker would need to control source files. Astro and Qwik do server rendering so they're closer to the backend frameworks.

`go/chi.toml` also carries `layer:backend` + `role:library` but it's a bare router with no response helpers — sinks come from `net/http` which is already on `go/language.toml`. Probably correct to leave it empty.