Articles

A deep dive into PostgreSQL filesystem exploits. Learn how to engineer static analysis guards to prevent unauthorized database-level file access.

A for-loop with an INSERT inside turned a 100ms bulk write into 50 seconds — 500x slower at 1,000 rows. pg/no-batch-insert-loop (CWE-1049) catches the N+1 pattern in CI, before it ships.

Control a connection's search_path and every unqualified query silently resolves to your schema. The obscure-but-lethal PostgreSQL attack, why SET can't be parameterized, the real fixes, and the CWE-426 ESLint rule that catches it.

Express ships nothing by default — no security headers, no rate limit, no CSRF, no body-size cap — and a route regex can DoS the event loop. 10 CWE-mapped ESLint rules that catch the middleware you forgot, in CI.

A NestJS controller with no @UseGuards is wide open; a handler with no ValidationPipe takes raw input; an entity returned directly leaks the password hash. 6 CWE-mapped ESLint rules that catch the decorators you forgot, in CI.

SSRF to the metadata endpoint, Action:'*' IAM, secrets in env vars, stack traces in responses — AWS Lambda mistakes that pass review and become account takeovers. 14 CWE-mapped ESLint rules that catch them in CI.

JWT-in-localStorage, innerHTML XSS, postMessage('*'), mixed content, permissive CORS — browser-side bugs a backend pentest and a type-checker never see. 45 CWE-mapped ESLint rules that catch them in CI.

alg:none token forgery, RS256↔HS256 confusion, weak/hardcoded secrets, missing exp/iss/aud — the JWT auth mistakes that hand attackers a valid session. 13 CWE-mapped ESLint rules that catch them in CI.

Weak crypto (MD5/SHA-1/ECB), command injection via exec(), Zip Slip path traversal, Math.random() tokens — Node.js built-in footguns that pass tests and ship as CVEs. 34 CWE-mapped ESLint rules that catch them in CI.

A reproducible performance benchmark: eslint-plugin-import vs eslint-plugin-import-next across 1K/5K/10K files. The no-cycle rule goes from 148s to 2.7s at 5,000 files (54.9x measured) — because O(n²) graph traversal became O(n).

Prompt injection, tool over-permissioning, AI output that reaches eval/SQL/innerHTML, secrets in prompts — the Vercel AI SDK puts every one a single property away. 19 ESLint rules that catch them in CI, before deploy.

pool.query('BEGIN') runs on a different pooled client than the UPDATE that follows it — so your 'transaction' isn't atomic and corrupts data under load. The race condition (CWE-362), the dedicated-client fix, and the pg ESLint rule that catches every BEGIN/COMMIT on a pool.