BETA Shoulder está en beta — Los hallazgos a veces pueden ser incorrectos. Tu feedback da forma a lo que arreglamos a continuación. Compartir comentarios
Shoulder.dev

Inteligencia de Amenazas para Desarrolladores
🔒

Missing Authentication for Critical Function

🛡️ 6 reglas detectan esto

Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

As data traverses trust boundaries, the data should be validated before being processed. When authentication is not applied to critical functions, attackers can invoke these functions without proving their identity.

Prevalencia
Alta
Frecuentemente explotada
Impacto
Alto
6 reglas de severidad alta
Prevención
Documentada
6 ejemplos de corrección
2 Prevención
2 Prevención

Cómo corregir esta vulnerabilidad

🐍 Python Ver todo Python detalles →
Django View Missing Authentication HIGH

Add @login_required or @permission_required decorator to all protected views

+7 -5 python 
- from django.http import JsonResponse
- from .models import Document
- 
- def delete_document(request, doc_id):
-     doc = Document.objects.get(id=doc_id)
+ from django.contrib.auth.decorators import login_required
+ from django.http import JsonResponse
+ from .models import Document
+ 
+ @login_required
+ def delete_document(request, doc_id):
+     doc = Document.objects.get(id=doc_id, owner=request.user)
      doc.delete()
      return JsonResponse({'status': 'deleted'})
FastAPI Endpoint Missing Authentication HIGH

Add authentication using FastAPI Depends() dependency injection

+10 -6 python 
- from fastapi import FastAPI
- 
- app = FastAPI()
- 
- @app.delete("/users/{user_id}")
- async def delete_user(user_id: int):
+ from fastapi import FastAPI, Depends
+ from myapp.auth import get_current_user
+ 
+ app = FastAPI()
+ 
+ @app.delete("/users/{user_id}")
+ async def delete_user(
+     user_id: int,
+     current_user: User = Depends(get_current_user)
+ ):
      await User.filter(id=user_id).delete()
      return {"deleted": user_id}
🐹 Go Ver todo Go detalles →
Echo Missing JWT Middleware HIGH

Add Echo JWT middleware to protect API endpoints

+13 -5 go 
  package main
  
- import "github.com/labstack/echo/v4"
- 
- func main() {
-     e := echo.New()
-     e.POST("/api/transfer", transferHandler)
+ import (
+     "os"
+     "github.com/labstack/echo/v4"
+     echojwt "github.com/labstack/echo-jwt/v4"
+ )
+ 
+ func main() {
+     e := echo.New()
+     api := e.Group("/api")
+     api.Use(echojwt.WithConfig(echojwt.Config{
+         SigningKey: []byte(os.Getenv("JWT_SECRET")),
+     }))
+     api.POST("/transfer", transferHandler)
      e.Start(":8080")
  }
Fiber Missing JWT Middleware HIGH

Add Fiber JWT middleware to protect API endpoints

+13 -5 go 
  package main
  
- import "github.com/gofiber/fiber/v2"
- 
- func main() {
-     app := fiber.New()
-     app.Post("/api/transfer", transferHandler)
+ import (
+     "os"
+     "github.com/gofiber/fiber/v2"
+     jwtware "github.com/gofiber/contrib/jwt"
+ )
+ 
+ func main() {
+     app := fiber.New()
+     api := app.Group("/api")
+     api.Use(jwtware.New(jwtware.Config{
+         SigningKey: jwtware.SigningKey{Key: []byte(os.Getenv("JWT_SECRET"))},
+     }))
+     api.Post("/transfer", transferHandler)
      app.Listen(":3000")
  }
Gin Missing JWT Middleware HIGH

Add JWT authentication middleware to protect API endpoints

+15 -5 go 
  package main
  
- import "github.com/gin-gonic/gin"
- 
- func main() {
-     r := gin.Default()
-     r.POST("/api/transfer", transferHandler)
+ import (
+     "os"
+     "github.com/gin-gonic/gin"
+     jwt "github.com/appleboy/gin-jwt/v2"
+ )
+ 
+ func main() {
+     r := gin.Default()
+     auth, _ := jwt.New(&jwt.GinJWTMiddleware{
+         Realm: "api",
+         Key:   []byte(os.Getenv("JWT_SECRET")),
+     })
+     api := r.Group("/api")
+     api.Use(auth.MiddlewareFunc())
+     api.POST("/transfer", transferHandler)
      r.Run(":8080")
  }
🟨 JavaScript Ver todo JavaScript detalles →
NestJS Endpoint Missing Authentication Guard HIGH

Add @UseGuards decorator with authentication guard at controller or method level

+5 -3 javascript 
- import { Controller, Get, Post, Body, Param } from '@nestjs/common';
- 
- @Controller('users')
+ import { Controller, Get, Post, Body, Param, UseGuards } from '@nestjs/common';
+ import { JwtAuthGuard } from '../auth/jwt-auth.guard';
+ 
+ @Controller('users')
+ @UseGuards(JwtAuthGuard)
  export class UsersController {
    @Get(':id')
    findOne(@Param('id') id: string) {
      return this.usersService.findOne(id);
    }
  
    @Post()
    create(@Body() dto: CreateUserDto) {
      return this.usersService.create(dto);
    }
  }
4 Señales de Alerta
4 Señales de Alerta

Qué buscar en las revisiones de código

Estos patrones indican vulnerabilidades potenciales de Missing Authentication for Critical Function. Búscalos durante las revisiones de código y auditorías de seguridad.

🟠
View handles sensitive operations without authentication decorator django-missing-authentication
🟠
Django views that should require authentication but lack @login_required, @permission_required, or o django-missing-authentication
🟠
Endpoint performs sensitive operations without Depends(get_current_user) or similar auth fastapi-missing-authentication
🟠
FastAPI endpoints that perform sensitive operations without authentication via Depends() dependency fastapi-missing-authentication
🟠
Gin application missing JWT authentication middleware go-gin-missing-jwt
🟠
NestJS endpoint has no @UseGuards() decorator for authentication nestjs-missing-auth-guard
🔍

Escanea tu base de código para Missing Authentication for Critical Function

Shoulder CLI encuentra patrones vulnerables en toda tu base de código.

npx shoulder trust Ver todas las reglas