# All (Node.js) Security

Security vulnerabilities and detection rules for all frameworks. 3 rules across 3 CWE categories.

- Total rules: 3
- CWE categories: 3

## CWEs

- **CWE-117**: Improper Output Neutralization for Logs
- **CWE-640**: Weak Password Recovery Mechanism for Forgotten Password
- **CWE-1024**: Comparison Using Wrong Factors

## Rules

- **Log Injection** [MEDIUM]: Detects user input flowing to logging functions without sanitization, which allows log forgery via newline injection.
- **Type Coercion Security Bugs** [MEDIUM]: Detects unsafe use of loose equality operators (`==`, `!=`) and type coercion patterns that can lead to security vulnerabilities. JavaScript's type coercion can cause unexpected behavior in security-critical code.

  Common security issues from type coercion:

  1. Authentication bypass: `password == null` matches both `null` AND `undefined`
  2. Authorization bypass: `role == "admin"` can be bypassed with `role = true`
  3. Input validation bypass: `value == 0` matches `""`, `[]`, `false`, `"0"`
  4. SQL/NoSQL injection: `params == {}` doesn't check for actual object properties

  Type coercion rules in JavaScript:

  - `null == undefined` (true)
  - `0 == "" == false == []` (all true)
  - `"0" == 0` (true)
  - `" \t\n" == 0` (true)
  - But: `"0" != false` (because string vs boolean)

  Security implications are severe when used in:

  - Authentication/authorization checks
  - Input validation
  - Null/undefined checks
  - Role/permission comparisons

- **Weak Password Reset Token** [HIGH]: Detects predictable random number generation (`Math.random`) used for password reset tokens.
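The following is an added example, not part of the rule catalogue above, illustrating the Type Coercion Security Bugs rule: each loose (`==`) check is paired with the strict form that closes the gap, and the function names and request bodies are constructed for this illustration.

```javascript
// Added example (not part of the rule catalogue): how loose equality turns
// missing or malformed input into a passing security check, beside the
// strict-equality / explicit-type checks that close each gap.
// All inputs below are constructed sample values.

// Vulnerable: a "no password set" check that also fires when the field is
// simply absent from the request body, because undefined == null is true.
function passwordIsUnsetLoose(body) {
  return body.password == null;
}
// Hardened: only an explicit null counts as "unset"; a missing field is an
// error the caller must handle separately.
function passwordIsUnsetStrict(body) {
  return body.password === null;
}

// Vulnerable: a numeric "free tier" check; "", [], false, "0" and whitespace
// strings all coerce to 0 and pass.
function isFreeTierLoose(quantity) {
  return quantity == 0;
}
// Hardened: require a real finite number before comparing.
function isFreeTierStrict(quantity) {
  return typeof quantity === "number" && Number.isFinite(quantity) && quantity === 0;
}

// Vulnerable: an array such as ["admin"] coerces to the string "admin" and
// passes a loose role check (JSON bodies can carry arrays where strings are expected).
function isAdminLoose(role) {
  return role == "admin";
}
// Hardened: the role must be a string and must match exactly.
function isAdminStrict(role) {
  return typeof role === "string" && role === "admin";
}

// Review helper: show the loose/strict divergence for one untrusted value.
function coercionGap(value) {
  return {
    looseZero: value == 0,
    strictZero: value === 0,
    looseNull: value == null,
    strictNull: value === null,
  };
}
```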