BÊTA Shoulder est en bêta — Les résultats peuvent parfois être incorrects. Vos retours façonnent ce que nous corrigeons ensuite. Donner mon avis
Shoulder.dev

Renseignement sur les Menaces pour Développeurs
🔒

Missing Authentication for Critical Function

🛡️ 6 règles détectent ceci

Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

As data traverses trust boundaries, the data should be validated before being processed. When authentication is not applied to critical functions, attackers can invoke these functions without proving their identity.

Prévalence
Élevée
Fréquemment exploitée
Impact
Élevé
6 règles de sévérité élevée
Prévention
Documentée
6 exemples de correctifs
2 Prévention
2 Prévention

Comment corriger cette vulnérabilité

🐍 Python Tout voir Python détails →
Django View Missing Authentication HIGH

Add @login_required or @permission_required decorator to all protected views

+7 -5 python 
- from django.http import JsonResponse
- from .models import Document
- 
- def delete_document(request, doc_id):
-     doc = Document.objects.get(id=doc_id)
+ from django.contrib.auth.decorators import login_required
+ from django.http import JsonResponse
+ from .models import Document
+ 
+ @login_required
+ def delete_document(request, doc_id):
+     doc = Document.objects.get(id=doc_id, owner=request.user)
      doc.delete()
      return JsonResponse({'status': 'deleted'})
FastAPI Endpoint Missing Authentication HIGH

Add authentication using FastAPI Depends() dependency injection

+10 -6 python 
- from fastapi import FastAPI
- 
- app = FastAPI()
- 
- @app.delete("/users/{user_id}")
- async def delete_user(user_id: int):
+ from fastapi import FastAPI, Depends
+ from myapp.auth import get_current_user
+ 
+ app = FastAPI()
+ 
+ @app.delete("/users/{user_id}")
+ async def delete_user(
+     user_id: int,
+     current_user: User = Depends(get_current_user)
+ ):
      await User.filter(id=user_id).delete()
      return {"deleted": user_id}
🐹 Go Tout voir Go détails →
Echo Missing JWT Middleware HIGH

Add Echo JWT middleware to protect API endpoints

+13 -5 go 
  package main
  
- import "github.com/labstack/echo/v4"
- 
- func main() {
-     e := echo.New()
-     e.POST("/api/transfer", transferHandler)
+ import (
+     "os"
+     "github.com/labstack/echo/v4"
+     echojwt "github.com/labstack/echo-jwt/v4"
+ )
+ 
+ func main() {
+     e := echo.New()
+     api := e.Group("/api")
+     api.Use(echojwt.WithConfig(echojwt.Config{
+         SigningKey: []byte(os.Getenv("JWT_SECRET")),
+     }))
+     api.POST("/transfer", transferHandler)
      e.Start(":8080")
  }
Fiber Missing JWT Middleware HIGH

Add Fiber JWT middleware to protect API endpoints

+13 -5 go 
  package main
  
- import "github.com/gofiber/fiber/v2"
- 
- func main() {
-     app := fiber.New()
-     app.Post("/api/transfer", transferHandler)
+ import (
+     "os"
+     "github.com/gofiber/fiber/v2"
+     jwtware "github.com/gofiber/contrib/jwt"
+ )
+ 
+ func main() {
+     app := fiber.New()
+     api := app.Group("/api")
+     api.Use(jwtware.New(jwtware.Config{
+         SigningKey: jwtware.SigningKey{Key: []byte(os.Getenv("JWT_SECRET"))},
+     }))
+     api.Post("/transfer", transferHandler)
      app.Listen(":3000")
  }
Gin Missing JWT Middleware HIGH

Add JWT authentication middleware to protect API endpoints

+15 -5 go 
  package main
  
- import "github.com/gin-gonic/gin"
- 
- func main() {
-     r := gin.Default()
-     r.POST("/api/transfer", transferHandler)
+ import (
+     "os"
+     "github.com/gin-gonic/gin"
+     jwt "github.com/appleboy/gin-jwt/v2"
+ )
+ 
+ func main() {
+     r := gin.Default()
+     auth, _ := jwt.New(&jwt.GinJWTMiddleware{
+         Realm: "api",
+         Key:   []byte(os.Getenv("JWT_SECRET")),
+     })
+     api := r.Group("/api")
+     api.Use(auth.MiddlewareFunc())
+     api.POST("/transfer", transferHandler)
      r.Run(":8080")
  }
🟨 JavaScript Tout voir JavaScript détails →
NestJS Endpoint Missing Authentication Guard HIGH

Add @UseGuards decorator with authentication guard at controller or method level

+5 -3 javascript 
- import { Controller, Get, Post, Body, Param } from '@nestjs/common';
- 
- @Controller('users')
+ import { Controller, Get, Post, Body, Param, UseGuards } from '@nestjs/common';
+ import { JwtAuthGuard } from '../auth/jwt-auth.guard';
+ 
+ @Controller('users')
+ @UseGuards(JwtAuthGuard)
  export class UsersController {
    @Get(':id')
    findOne(@Param('id') id: string) {
      return this.usersService.findOne(id);
    }
  
    @Post()
    create(@Body() dto: CreateUserDto) {
      return this.usersService.create(dto);
    }
  }
4 Signes d'Alerte
4 Signes d'Alerte

Ce qu'il faut surveiller lors des revues de code

Ces patterns indiquent des vulnérabilités potentielles Missing Authentication for Critical Function. Recherchez-les lors des revues de code et des audits de sécurité.

🟠
View handles sensitive operations without authentication decorator django-missing-authentication
🟠
Django views that should require authentication but lack @login_required, @permission_required, or o django-missing-authentication
🟠
Endpoint performs sensitive operations without Depends(get_current_user) or similar auth fastapi-missing-authentication
🟠
FastAPI endpoints that perform sensitive operations without authentication via Depends() dependency fastapi-missing-authentication
🟠
Gin application missing JWT authentication middleware go-gin-missing-jwt
🟠
NestJS endpoint has no @UseGuards() decorator for authentication nestjs-missing-auth-guard
🔍

Scannez votre base de code pour Missing Authentication for Critical Function

Shoulder CLI trouve les motifs vulnérables dans toute votre base de code.

npx shoulder trust Parcourir toutes les règles