JavaScript has been consistently among the most popular programming languages of the past decade. However, its dynamic, weakly typed, and asynchronous nature makes it hard for developers without in-depth knowledge of the language to write maintainable code. Consequently, many JavaScript applications contain code smells that hinder program comprehension, maintenance, and debugging. Given the widespread use of JavaScript, code security is also an important concern. While JavaScript code smells and their detection techniques have been studied in the past, work on security smells for JavaScript is scarce. Security code smells are coding patterns that indicate potential vulnerabilities or security weaknesses; identifying them helps developers focus on the parts of a code base where additional security measures may be needed. We present a set of 24 JavaScript security code smells, map each of them to the weakness category defined by the Common Weakness Enumeration (CWE) that it points to, describe possible refactorings, and explain our detection mechanism. We implement our security code smell detection on top of an existing open source tool that was proposed to detect general code smells in JavaScript.
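To make the idea of a security code smell concrete, the following is an added illustration, not the paper's tool or its catalogue of 24 smells. It scans constructed JavaScript source lines for three well-known smells, attaches the CWE each one points to, and carries the refactoring a reviewer would suggest. The smell names, the regular expressions, the sample input, and the helper names (`scanSource`, `summarizeByCwe`) are all assumptions made for this example; a real detector such as the one the abstract describes works on an abstract syntax tree rather than on regular expressions, which are used here only to keep the example self-contained.

```javascript
// Added example: a minimal, line-oriented security-smell scanner.
// Not the paper's tool. Patterns, names and sample input are constructed.
const SMELLS = [
  {
    name: "eval-with-dynamic-input",
    // eval( followed by anything other than a string literal
    pattern: /\beval\s*\(\s*(?!['"`])/,
    cwe: "CWE-95", // Eval Injection
    refactoring:
      "Parse data with JSON.parse or dispatch through an allow-list map instead of evaluating strings.",
  },
  {
    name: "function-constructor",
    pattern: /\bnew\s+Function\s*\(/,
    cwe: "CWE-95", // Eval Injection
    refactoring: "Replace the string-built function with a regular function or closure.",
  },
  {
    name: "innerHTML-assignment",
    // assignment (=) but not comparison (== / ===)
    pattern: /\.innerHTML\s*=[^=]/,
    cwe: "CWE-79", // Cross-site Scripting
    refactoring: "Assign untrusted text through textContent, or build DOM nodes explicitly.",
  },
];

// Scan source text line by line and return one finding per (line, smell) hit.
function scanSource(source) {
  const findings = [];
  source.split("\n").forEach((text, index) => {
    const line = text.trim();
    if (line.startsWith("//")) return; // ignore comment-only lines
    for (const smell of SMELLS) {
      if (smell.pattern.test(line)) {
        findings.push({
          line: index + 1,
          smell: smell.name,
          cwe: smell.cwe,
          refactoring: smell.refactoring,
          text: line,
        });
      }
    }
  });
  return findings;
}

// Count findings per CWE so a team can see which weakness class dominates.
function summarizeByCwe(findings) {
  const counts = {};
  for (const finding of findings) {
    counts[finding.cwe] = (counts[finding.cwe] || 0) + 1;
  }
  return counts;
}

// Constructed sample input (not code from any real project). Lines 2, 5 and 6
// are the non-smelly counterparts that the patterns must not flag.
const SAMPLE_LINES = [
  "const cfg = eval(req.query.cfg);",          // line 1: dynamic eval
  'const ok = eval("1 + 1");',                  // line 2: literal argument
  'const fn = new Function("a", "return a");',  // line 3: Function constructor
  "el.innerHTML = userComment;",                // line 4: untrusted HTML sink
  "el.textContent = userComment;",              // line 5: safe alternative
  'el.innerHTML === "";',                       // line 6: comparison, not assignment
];
const SAMPLE = SAMPLE_LINES.join("\n");

const findings = scanSource(SAMPLE);
for (const f of findings) {
  console.log(`line ${f.line}: ${f.smell} [${f.cwe}] -> ${f.refactoring}`);
}
console.log(summarizeByCwe(findings));
```

Running the block reports lines 1, 3 and 4 and leaves the three benign lines alone; the summary shows two CWE-95 hits and one CWE-79 hit. The negative lookahead on `eval(` and the `[^=]` guard on `innerHTML` are the kind of precision rules a smell detector needs so that the benign forms do not drown the real findings.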