AWS CloudFormation Linter

Found `self` identifier where `Self` was expectedRS-E1001 Found invalid regexRS-E1002 Found empty range expressionRS-E1005 Found explicit self-assignmentRS-W1013 Called `unwrap` on `option_env!` macroRS-W1016 Found builtin-type shadowRS-W1028 Found possibly mistyped suffixRS-E1009 Found similar pattern and replacement in `str::replace`RS-W1094 Found potentially incorrect use of `map`RS-W1089 Unnecessary iteration to determine length of collectionRS-W1093 Possibly missing comma in array expressionRS-W1121 Found non UTF-8 literal in `str::from_utf8_unchecked`RS-W1122 Found use of deprecated functionRS-W1128 Found assertion on boolean constantRS-W1021 Unneeded wildcard patternRS-C1004 Usage of `print!` macro with newlineRS-C1005 Found unneeded field patternRS-C1010 This match statement can be collapsed into an if-let statementRS-W1006 This match statement can be collapsed into an if-else statementRS-W1007 Found if block with identical else blockRS-W1008 Found consecutive if expressions with the same conditionRS-W1009 Found useless if blockRS-W1010 Found `map` with identity functionRS-W1018 Found unnecessary `fold`RS-W1022 Usage of `fs::create_dir`RS-W1032 Extending string with another using `chars`RS-W1095 Found incorrect usage of `#[inline]` attributeRS-E1006 Found occurrence of `.bytes().count()`RS-P1001 Found occurrence of `.skip(..).next()`RS-W1036 Array-expression or type initialized with zero lengthRS-W1096 Found usage of `split` to check for presence of patternRS-W1097 Found redundant unsafe operation: `libc::strlen`RS-W1098 Found manual implementation of a `char::is_ascii_*` methodRS-W1099 Found obfuscated if-else expressionRS-W1120 Syntax ErrorRS-E1000 File or directory created with insecure permissionsRS-A1001 Audit required: Sensitive cookie without `HttpOnly` attributeRS-A1003 Audit required: Sensitive cookie without `secure` attributeRS-A1002 Found occurrence of `.step_by(0)`RS-E1003 Iterating over `Option` typeRS-E1004 Found erasing operationRS-E1007 Detected non-octal Unix permissionsRS-E1013 Found non-binding `let` on a synchronization lockRS-E1014 Attempting to hash a unit valueRS-E1017 Setting global write permission on fileRS-S1016 Attempting to `transmute` a `ptr` to a `ref`RS-E1018 Attempting to `transmute` a `ref` to a `ptr`RS-E1019 Attempting to `transmute` a `ptr` to a `ptr` when `ref` transmute is saferRS-E1020 Audit required: Found vulnerable content security policy header in HTTP responseRS-A1011 Found `.clone()` call on a double referenceRS-W1100 Manual implementation of `Error::type_id`RS-S1001 Found string literal in `env` functionsRS-W1015 Detected conversion between differently sized raw slicesRS-S1013 Insufficient RSA key sizeRS-S1005 Missing regex anchorRS-S1008 Hardcoded temporary file or directory detectedRS-S1003 Found usage of cryptographically insecure algorithmRS-S1004 Found comparison with `NaN`RS-E1012 Found potentially incorrect use of bitwise XORRS-S1007 Potentially unsafe usage of `std::fs::remove_dir_all`RS-S1002 Detected conversion of `*const` to `*mut`RS-S1011 Detected conversion of raw slice to `ptr`RS-S1012 Called `mem::forget` or `mem::drop` on a referenceRS-E1010 Called `mem::forget` or `mem::drop` on a Copy typeRS-E1011 Audit required: Use of `VecDeque::make_contiguous`RS-A1005 Audit required: Exposure of sensitive headersRS-A1004 Audit required: Use of `Vec::from_iter`RS-A1006 Detected invisible unicode characterRS-S1010 Comparing unit valuesRS-E1016 Found potentially incomplete ASCII rangeRS-W1086 Found manual approximation of known floating constantRS-W1207 Found binary operation with identical left and right hand sidesRS-E1008 Passing unit value as argument to functionRS-E1015 Found single-character string literal patternRS-P1100 Bind to all interfacesRS-S1006 Unused `.enumerate()` or `.zip(..)` itemsRS-W1039 Found usage of `crate` in macro definitionRS-W1084 Found inaccurate duration calculationRS-W1087 Needless iteration over collection that allows indexingRS-W1091 Using ordered iteration methods on arbitrarily ordered iteratorRS-W1081 Found redundant use of `mem::replace`RS-W1113 Redirect to destination from possibly tainted sourceRS-S1009 Usage of DoS vulnerable version of `regex` crateRS-S1015 Comparing function pointer to `null`RS-W1115 Found redundant use of `mem::replace`RS-W1112 Found redundant use of `mem::replace`RS-W1114 Called `mem::forget` or `mem::drop` on a non-Drop typeRS-E1021 Found I/O operation with unhandled return valueRS-E1023 Potential path traversal vulnerability due to `actix::NamedFile::open(..)`RS-S1014 Found isize/usize enumeration with overflowing valueRS-W1075 Insertion of pointer to non-owned reference counted value into vectorRS-W1106 Audit required: Found `X-XSS-Protection` header in HTTP responseRS-A1010 Cast from function pointer to non-pointer typeRS-W1124 Found transmute between a type `T` and `*T` or `&T`RS-E1024 Audit required: Function call in `default()` that returns `Self`RS-A1008 Found explicitly ignored future valueRS-E1035 Audit required: Calling `extend()` on `HashMap`RS-A1009 Audit required: Use of large `enum` variantRS-A1007 Found transmute between an integer and a `bool`RS-E1025 Found transmute between an integer and `NonZero` typeRS-E1026 Found transmute between integer literal and `fn` ptrRS-E1027 Found transmute between a literal and a `*T` ptrRS-E1028 Transmute from `float` or `char` to reference or pointerRS-E1029 Transmute from integer type to `char`RS-E1030 Found transmute between a numeric type and array or sliceRS-E1031 Found transmute between tuple and array or sliceRS-E1032 Found `print!` in implementation of `Display`RS-E1034 Using `std::mem::size_of_val()` on reference of type rather than type itselfRS-W1123 Function with cyclomatic complexity higher than thresholdRS-R1000 Found duplicate underscore argumentsRS-W1014 Found error-prone cast to `u8`RS-W1080 Comparing with `""` or `[]` when `.is_empty()` could be usedRS-W1102 Found redundant wildcard patternsRS-W1213 Found occurrence of `.filter(..).next()`RS-W1023 Unnecessary parenthesesRS-C1001 Unnecessary braces in `use` statementRS-C1002 Found redundant patternRS-W1000 Found unnecessary boolean comparisonRS-W1001 Potentially unsafe usage of `Arc::get_mut`RS-S1000 Use of `FIXME`/`XXX`/`TODO`RS-D1000 Unnecessary double parenthesesRS-C1000 Found enum variants with similar prefixes or suffixesRS-C1003 Empty format string in macro callRS-C1006 Found hexadecimal literal with mixed-case letter digitsRS-C1007 Found block expression in `if` conditionRS-C1008 Matching over booleanRS-C1011 Found zero-prefixed literalRS-C1012 Found `dbg!` macroRS-C1013 Found `#[must_use]` on a unit-returning functionRS-W1011 Found empty loop expressionRS-P1000 Found double unary negationRS-W1002 Found exclusive range where 1 is added to the upper boundRS-W1003 Found inclusive range where 1 is subtracted from the upper boundRS-W1004 Found trivial or undefined modulus operationRS-W1005 Zipping iterator with a range when `enumerate()` would doRS-W1012 Found no-op macro callRS-W1017 Found `filter_map` with identity functionRS-W1019 Found `flat_map` with identity functionRS-W1020 Found boolean assert comparisonRS-W1024 Dereference of an address is a no-opRS-W1025 Found redundant field name in initializerRS-W1026 Found trivial regexRS-W1027 Found redundant pattern matchingRS-W1029 Usage of `expect` followed by a function callRS-W1030 Usage of `unwrap_or` followed by a function callRS-W1031 Found iterator or string search followed by `is_some` or `is_none`RS-W1033 Found occurrence of `Arc<RwLock<HashMap<K, V>>>`RS-P1003 Found manual implementation of `Seek::rewind`RS-W1046 Found occurrence of `Rc::new("..")`RS-W1062 Found usage of `FileType::is_file`RS-A1000 Found manual implementation of `find_map`RS-W1210 Found `todo!` macroRS-W1065 Found unnecessary chain of `map` and `unwrap_or`RS-W1072 Found occurrence of `.bytes().nth(..)`RS-P1002 Adding single-character string literalRS-P1004 Found call to `.trim()` followed by `.split_whitespace()`RS-P1005 Unnecessary `collect()` on iterable to `Vec`RS-P1006 Found collapsible `.replace(..)` method callsRS-P1007 Found redundant static lifetimeRS-W1034 Found occurrence of `.inspect(..).for_each(..)`RS-W1035 Found wildcard in an or-patternRS-W1037 Found usage of `.is_digit(..)` with known radixRS-W1038 Found occurrence of `.skip_while(..).next()`RS-W1040 Found character comparison using `.chars().last()`RS-W1041 Found character comparison using `.chars().next()`RS-W1042 Found occurrence of `.to_digit(..).is_some()`RS-W1043 Found redundant conversion from `Result::Ok` to `Option`RS-W1044 Found manual implementation of `Instant::elapsed`RS-W1045 Found potentially ambiguous use of `.splitn(..)`RS-W1047 Found occurrence of `.chars().filter(..)`RS-W1049 Found occurrence of `&Box<T>` or `&mut Box<T>`RS-W1050 Found occurrence of `Default::default()`RS-W1051 Found use of `as` to convert literalsRS-W1052 Found occurrence of `.nth(0)`RS-W1053 Found suspicious loop over a fallibleRS-W1054 Found manual implementation of `Result::is_ok`RS-W1055 Found occurrence of `Arc<RefCell>` or `Arc<Cell<T>>`RS-W1056 Found occurrence of `Arc<Box<T>>`RS-W1057 Found occurrence of `Box::new("..")`RS-W1058 Found occurrence of `Box<&str>`RS-W1059 Found occurrence of `Box<String>`RS-W1060 Found occurrence of `Box<Vec<T>>`RS-W1061 Found occurrence of `Rc<&str>`RS-W1063 Found occurrence of `Rc<String>`RS-W1064 Found manual implementation of `.split_once(..)`RS-W1066 Found possibly misused `.splitn(..)`RS-W1067 Found redundant conversion from `Result::Err` to `Option`RS-W1071 Found `fold` over `Option`RS-W1085 Found manual implementation of `slice::last`RS-W1088 Found unnecessary `.ok()` in pattern matchRS-W1090 Manual implementation of `unwrap_or`RS-W1092 Found `unwrap_or_else(..)` where `unwrap_or_default()` would sufficeRS-W1104 Found occurrence of `vec.resize(0, ..)`RS-W1107 Construction of Iterator from single-element collectionRS-W1200 Invoking `.map_or()` with identity closureRS-W1201 Found unnecessary closureRS-W1202 Using `.join(..)` with empty stringRS-W1203 Redundant `map(..).filter_map(..)` chainRS-W1204 Manual implementation of `try_from_each`RS-W1205 Found explicit closure for cloning elementsRS-W1206 Found usage of `.repeat(1)`RS-W1208 Found redundant `if-else`RS-W1209 Redundant `and_then` over `map`RS-W1211 Found redundant call to `.count_ones()`RS-W1212 Found manual implementation of `cycle`RS-W1215 Found `bool::then` returning a literalRS-W1216 Found potentially buggy split of string into linesRS-W1217 Found redundant `take_while` with `map` callRS-W1214 Found manual implementation of `Seek::stream_position`RS-W1082 Found needless `Option::take`RS-W1083 Found use of `.clone()` in assignmentRS-W1070 Found usage of `Box::new(T::default())`RS-P1008 Consider using `.clamp(min, max)`, instead of `.max(min).min(max)` or `.min(max).max(min)`RS-W1069 Found comparison with `None`RS-W1108 Found manual implementation of `stream_position(..)`RS-W1109 Found implementation of `default()` outside `Default` traitRS-E1022 Found manual implementation of `std::ptr::null()`RS-W1078 Found useless lint attributeRS-W1074 Found pointer comparison with `ptr::null()`RS-C1014 Found nested `format!` macro in a formatting macroRS-W1068 Found const declaration of atomic typeRS-W1076 Found `while` with constant conditionRS-W1077 Empty call to `new()`RS-W1079 Found `ref` keyword with `&` referenceRS-W1105 Found call to `clone()` on type that implements CopyRS-W1110 Found trivial implementation of `default()`RS-W1111 Found redundant let-bindingRS-W1218 Found redundant `match` over `std::cmp::Ordering`RS-W1219 Found redundant `lock()` on `std::io::stdin()`RS-W1220 Found empty tuple struct or tuple variantRS-W1125 Found usage of `then_some(..).unwrap_or(..)`RS-C1015 Undocumented public item in source codeRS-D1001 Unnecessary `OnceCell` wrapper around `Mutex`RS-W1135 Found manual implementation of `retain()`RS-P1009 Found manual implementation of `T::BITS`RS-W1132 Found manual implementation of `vec.first()`RS-W1116 Found `print!` in implementation of `Debug`RS-W1133 Found redundant transmute between the type `T` and `T`RS-W1117 Found redundant type annotationRS-C1016 Found use of `std::ffi::c_void` ptr in `from_raw`RS-W1118 Found manual implementation of `std::ptr::eq` on referencesRS-W1119 Found transmute from floating point type to integer typeRS-W1126 Found transmute from integer type to floating point typeRS-W1127 Found explicitly ignored unit valueRS-W1129 Found unnecessary destructure in assignmentRS-W1130 Found cast of `abs()` to unsigned integer typeRS-W1131 Found manual implementation of `eq()` on `OsString`RS-W1134

RS-A1011

Audit required: Found vulnerable content security policy header in HTTP responseRS-A1011

Critical

Security

owasp-top-10, a7

The CONTENT_SECURITY_POLICY header is used to restrict the sources from which a web page can load certain types of content. Setting the header to accept any source by using default-src '*' or script-src '*' creates major vulnerabilities in the application, as it allows the execution of scripts from any source, including malicious ones. This issue can lead to cross-site scripting (XSS) attacks, which could result in sensitive user data being stolen or manipulated.

To fix this issue, it is recommended to use a more restrictive policy, limiting the sources from which scripts can be loaded. For example, use default-src 'self' to only allow scripts to be loaded from the same origin, or script-src 'self' to only allow scripts from the same origin to be executed. Additionally, it is recommended to remove the wildcard character (*) from the policy, as it provides too much leeway for attackers to exploit the system.

Bad practice

use actix_web::{HttpResponse, HttpResponseBuilder};

fn handle_request() -> HttpResponseBuilder {
    HttpResponse::ok().append_header((CONTENT_SECURITY_POLICY, "default-src '*'; script-src '*'"))
}

Recommended

use actix_web::{HttpResponse, HttpResponseBuilder};

fn handle_request() -> HttpResponseBuilder {
    HttpResponse::ok().append_header((CONTENT_SECURITY_POLICY, "default-src 'self'; script-src 'self'"))
}

References