Security

Audit

debug-enabled

Detected Flask app with debug=True. Do not deploy to production with this flag enabled as it will leak sensitive information. Instead, consider using Flask configuration variables or setting ‘debug’ using system environment variables.
Likelihood: HIGH
Confidence: HIGH
CWE:
- CWE-489: Active Debug Code
OWASP:
- A06:2017 - Security Misconfiguration

secure-set-cookie

Found a Flask cookie with insecurely configured properties. By default the secure, httponly and samesite properties are configured insecurely. Cookies should be handled securely by setting secure=True, httponly=True, and samesite='Lax' in response.set_cookie(…). If these parameters are not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker. Include the secure=True, httponly=True, samesite='Lax' arguments or set these to be true in the Flask configuration.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-614: Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
OWASP:
- A05:2021 - Security Misconfiguration
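An added example, not CodeAnt's or Flask's own code, showing the Set-Cookie header Flask emits with its default set_cookie() arguments beside the hardened form, plus an audit function for the attributes this rule checks. It uses only the standard library so it runs without Flask; build_set_cookie and audit_set_cookie are names assumed for the example.

```python
# Added example (not CodeAnt's or Flask's code): render a Set-Cookie header with
# the stdlib and audit it for the attributes the secure-set-cookie rule expects.
# Flask's response.set_cookie() produces an equivalent header, so the same audit
# applies to a real response. Names build_set_cookie/audit_set_cookie are assumed.
from http.cookies import SimpleCookie


def build_set_cookie(name, value, secure=False, httponly=False, samesite=None):
    """Render one Set-Cookie header value. The defaults mirror Flask's
    set_cookie() defaults (secure=False, httponly=False, samesite=None)."""
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["secure"] = secure        # flag attribute: emitted only when truthy
    morsel["httponly"] = httponly    # flag attribute: emitted only when truthy
    if samesite is not None:
        morsel["samesite"] = samesite
    return morsel.OutputString()


def audit_set_cookie(header):
    """Return the list of problems found in one Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in parts[1:]:                      # parts[0] is name=value
        key, _, val = part.partition("=")
        attrs[key.lower()] = val.strip().lower()
    problems = []
    if "secure" not in attrs:
        problems.append("missing Secure: cookie is sent over plain HTTP")
    if "httponly" not in attrs:
        problems.append("missing HttpOnly: cookie is readable from JavaScript")
    if attrs.get("samesite") not in ("lax", "strict"):
        problems.append("SameSite not Lax/Strict: cookie is attached to cross-site requests")
    return problems


# Constructed sample cookies: the default (insecure) form and the hardened form.
INSECURE = build_set_cookie("session", "abc123")
HARDENED = build_set_cookie("session", "abc123", secure=True, httponly=True, samesite="Lax")

if __name__ == "__main__":
    for label, header in (("default", INSECURE), ("hardened", HARDENED)):
        print(label, "->", header, audit_set_cookie(header) or "OK")
```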

directly-returned-format-string

Detected Flask route directly returning a formatted string. This is subject to cross-site scripting if user input can reach the string. Consider using the template engine instead and rendering pages with ‘render_template()’.
Likelihood: HIGH
Confidence: MEDIUM
CWE:
- CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP:
- A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection

avoid_hardcoded_config_TESTING

Hardcoded variable TESTING detected. Use environment variables or config files instead.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-489: Active Debug Code
OWASP:
- A05:2021 - Security Misconfiguration

avoid_hardcoded_config_SECRET_KEY

Hardcoded variable SECRET_KEY detected. Use environment variables or config files instead.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-489: Active Debug Code
OWASP:
- A05:2021 - Security Misconfiguration

avoid_hardcoded_config_ENV

Hardcoded variable ENV detected. Set this by using the FLASK_ENV environment variable.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-489: Active Debug Code
OWASP:
- A05:2021 - Security Misconfiguration

avoid_hardcoded_config_DEBUG

Hardcoded variable DEBUG detected. Set this by using the FLASK_DEBUG environment variable.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-489: Active Debug Code
OWASP:
- A05:2021 - Security Misconfiguration
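An added example, not CodeAnt's or Flask's own code, covering the four avoid_hardcoded_config_* rules above (TESTING, SECRET_KEY, ENV, DEBUG): it derives those values from the process environment with fail-closed defaults instead of literals in source. config_from_env, ConfigError and the FLASK_TESTING variable name are assumptions of the example; the environment mapping is passed in so it runs stand-alone.

```python
# Added example (not CodeAnt's or Flask's code): build the config values the
# avoid_hardcoded_config_* rules cover from environment variables. Names
# config_from_env, ConfigError and FLASK_TESTING are assumptions of this example.
import os

_TRUE = {"1", "true", "yes", "on"}
_FALSE = {"0", "false", "no", "off", ""}


class ConfigError(ValueError):
    """Raised when the environment cannot yield a safe configuration."""


def _flag(environ, name):
    """Parse FLASK_DEBUG-style booleans; an unknown value is an error, not True."""
    raw = environ.get(name, "").strip().lower()
    if raw in _TRUE:
        return True
    if raw in _FALSE:
        return False
    raise ConfigError(f"{name}={raw!r} is not a boolean")


def config_from_env(environ=None):
    """Return a Flask-style config dict. DEBUG and TESTING default to off,
    SECRET_KEY must be present and non-trivial, and DEBUG is refused outside
    a development ENV so a debug build cannot reach production by accident."""
    environ = os.environ if environ is None else environ
    cfg = {
        "ENV": environ.get("FLASK_ENV", "production"),
        "DEBUG": _flag(environ, "FLASK_DEBUG"),
        "TESTING": _flag(environ, "FLASK_TESTING"),
        "SECRET_KEY": environ.get("SECRET_KEY", ""),
    }
    if len(cfg["SECRET_KEY"]) < 32:
        raise ConfigError("SECRET_KEY missing or shorter than 32 characters")
    if cfg["ENV"] == "production" and cfg["DEBUG"]:
        raise ConfigError("DEBUG must not be enabled when ENV is production")
    return cfg


# Constructed environments for the example; a real deployment injects these
# through the container or orchestrator, never through source code.
PROD_ENV = {"SECRET_KEY": "k" * 48}
DEV_ENV = {"FLASK_ENV": "development", "FLASK_DEBUG": "1", "SECRET_KEY": "k" * 48}

if __name__ == "__main__":
    print(config_from_env(PROD_ENV))
    print(config_from_env(DEV_ENV))
```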

avoid_app_run_with_bad_host

Running a Flask app with host 0.0.0.0 binds it to every network interface and could expose the server publicly.
Likelihood: HIGH
Confidence: HIGH
CWE:
- CWE-668: Exposure of Resource to Wrong Sphere
OWASP:
- A01:2021 - Broken Access Control

flask-wtf-csrf-disabled

Setting ‘WTF_CSRF_ENABLED’ to ‘False’ explicitly disables CSRF protection.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-352: Cross-Site Request Forgery (CSRF)
OWASP:
- A01:2021 - Broken Access Control

render-template-string

Found a template created with string formatting. This is susceptible to server-side template injection and cross-site scripting attacks.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-96: Improper Neutralization of Directives in Statically Saved Code (‘Static Code Injection’)
OWASP:
- A03:2021 - Injection

avoid_using_app_run_directly

A top-level app.run(…) call is ignored by Flask. Consider putting app.run(…) behind a guard, such as inside a function.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-668: Exposure of Resource to Wrong Sphere
OWASP:
- A01:2021 - Broken Access Control

host-header-injection-python

flask.request.host is used to construct an HTTP request. This can lead to host header injection issues. Vulnerabilities that generally occur due to this issue are authentication bypasses, password reset issues, Server-Side Request Forgery (SSRF), and many more. It is recommended to validate the URL before passing it to a request library or using it in application logic such as authentication or password resets.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-20: Improper Input Validation