Security
hashids-with-flask-secret
The Flask secret key is used as salt in HashIDs. The HashID mechanism is not secure. By observing sufficient HashIDs, the salt used to construct them can be recovered. This means the Flask secret key can be obtained by attackers, through the HashIDs.
Likelihood: LOW
Confidence: HIGH
CWE:
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP:
- A02:2021 – Cryptographic Failures
response-contains-unsanitized-input
Flask response reflects unsanitized user input. This could lead to a cross-site scripting vulnerability (https://owasp.org/www-community/attacks/xss/) in which an attacker causes arbitrary code to be executed in the user’s browser. To prevent this, sanitize the user input, e.g. by rendering the response in a Jinja2 template (see considerations in https://flask.palletsprojects.com/en/1.0.x/security/).
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP:
- A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection
insecure-deserialization
Detected the use of an insecure deserialization library in a Flask route. These libraries are prone to code execution vulnerabilities. Ensure user data does not enter this function. To fix this, try to avoid serializing whole objects. Consider instead using a serializer such as JSON.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-502: Deserialization of Untrusted Data
OWASP:
- A08:2017 - Insecure Deserialization
- A08:2021 - Software and Data Integrity Failures
dangerous-template-string
Found a template created with string formatting. This is susceptible to server-side template injection and cross-site scripting attacks.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-96: Improper Neutralization of Directives in Statically Saved Code (‘Static Code Injection’)
OWASP:
- A03:2021 - Injection
avoid_send_file_without_path_sanitization
Detected a user-controlled filename that could flow to the flask.send_file() function. This could lead to an attacker reading arbitrary files from the system, leaking private information. Make sure to properly sanitize the filename or use flask.send_from_directory.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-73: External Control of File Name or Path
OWASP:
- A04:2021 - Insecure Design
flask-api-method-string-format
Method CLASS provides user arg REQMETHOD
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-134: Use of Externally-Controlled Format String
unescaped-template-extension
Flask does not automatically escape Jinja templates unless they have .html, .htm, .xml, or .xhtml extensions. This could lead to XSS attacks. Use .html, .htm, .xml, or .xhtml for your template extensions. See https://flask.palletsprojects.com/en/1.1.x/templating/#jinja-setup for more information.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP:
- A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection
open-redirect
Data from request is passed to redirect(). This is an open redirect and could be exploited. Consider using ‘url_for()’ to generate links to known locations. If you must use a URL to unknown pages, consider using ‘urlparse()’ or similar and checking if the ‘netloc’ property is the same as your site’s host name. See the references for more information.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’)
OWASP:
- A01:2021 - Broken Access Control