Security

The Flask secret key is used as salt in HashIDs. The HashID mechanism is not secure. By observing sufficient HashIDs, the salt used to construct them can be recovered. This means the Flask secret key can be obtained by attackers, through the HashIDs.
Likelihood: LOW
Confidence: HIGH
CWE:
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP:
- A02:2021 – Cryptographic Failures

Flask response reflects unsanitized user input. This could lead to a cross-site scripting vulnerability (https://owasp.org/www-community/attacks/xss/) in which an attacker causes arbitrary code to be executed in the user’s browser. To prevent, please sanitize the user input, e.g. by rendering the response in a Jinja2 template (see considerations in https://flask.palletsprojects.com/en/1.0.x/security/).
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP:
- A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection

Detected the use of an insecure deserialization library in a Flask route. These libraries are prone to code execution vulnerabilities. Ensure user data does not enter this function. To fix this, try to avoid serializing whole objects. Consider instead using a serializer such as JSON.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-502: Deserialization of Untrusted Data
OWASP:
- A08:2017 - Insecure Deserialization
- A08:2021 - Software and Data Integrity Failures

Found a template created with string formatting. This is susceptible to server-side template injection and cross-site scripting attacks.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-96: Improper Neutralization of Directives in Statically Saved Code (‘Static Code Injection’)
OWASP:
- A03:2021 - Injection

Detected a user-controlled filename that could flow to flask.send_file() function. This could lead to an attacker reading arbitrary file from the system, leaking private information. Make sure to properly sanitize filename or use flask.send_from_directory
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-73: External Control of File Name or Path
OWASP:
- A04:2021 - Insecure Design

Method $METHOD in API controller$CLASS provides user arg $ARG to requests method$REQMETHOD
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-134: Use of Externally-Controlled Format String

Flask does not automatically escape Jinja templates unless they have .html, .htm, .xml, or .xhtml extensions. This could lead to XSS attacks. Use .html, .htm, .xml, or .xhtml for your template extensions. See https://flask.palletsprojects.com/en/1.1.x/templating/#jinja-setup for more information.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP:
- A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection

Data from request is passed to redirect(). This is an open redirect and could be exploited. Consider using ‘url_for()’ to generate links to known locations. If you must use a URL to unknown pages, consider using ‘urlparse()’ or similar and checking if the ‘netloc’ property is the same as your site’s host name. See the references for more information.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’)
OWASP:
- A01:2021 - Broken Access Control