बीटा Shoulder बीटा में है — परिणाम कभी-कभी गलत हो सकते हैं। आपकी प्रतिक्रिया तय करती है कि हम आगे क्या ठीक करें। प्रतिक्रिया साझा करें
Shoulder.dev

डेवलपर सुरक्षा प्लेटफ़ॉर्म
🔒

Missing Authentication for Critical Function

🛡️ 6 नियम इसे पहचानते हैं

Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

As data traverses trust boundaries, the data should be validated before being processed. When authentication is not applied to critical functions, attackers can invoke these functions without proving their identity.

व्यापकता
उच्च
बार-बार शोषित
प्रभाव
उच्च
6 उच्च गंभीरता वाले नियम
रोकथाम
प्रलेखित
6 फिक्स उदाहरण
2 रोकथाम
2 रोकथाम

इस भेद्यता को कैसे ठीक करें

🐍 Python सब देखें Python विवरण →
Django View Missing Authentication HIGH

Add @login_required or @permission_required decorator to all protected views

+7 -5 python 
- from django.http import JsonResponse
- from .models import Document
- 
- def delete_document(request, doc_id):
-     doc = Document.objects.get(id=doc_id)
+ from django.contrib.auth.decorators import login_required
+ from django.http import JsonResponse
+ from .models import Document
+ 
+ @login_required
+ def delete_document(request, doc_id):
+     doc = Document.objects.get(id=doc_id, owner=request.user)
      doc.delete()
      return JsonResponse({'status': 'deleted'})
FastAPI Endpoint Missing Authentication HIGH

Add authentication using FastAPI Depends() dependency injection

+10 -6 python 
- from fastapi import FastAPI
- 
- app = FastAPI()
- 
- @app.delete("/users/{user_id}")
- async def delete_user(user_id: int):
+ from fastapi import FastAPI, Depends
+ from myapp.auth import get_current_user
+ 
+ app = FastAPI()
+ 
+ @app.delete("/users/{user_id}")
+ async def delete_user(
+     user_id: int,
+     current_user: User = Depends(get_current_user)
+ ):
      await User.filter(id=user_id).delete()
      return {"deleted": user_id}
🐹 Go सब देखें Go विवरण →
Echo Missing JWT Middleware HIGH

Add Echo JWT middleware to protect API endpoints

+13 -5 go 
  package main
  
- import "github.com/labstack/echo/v4"
- 
- func main() {
-     e := echo.New()
-     e.POST("/api/transfer", transferHandler)
+ import (
+     "os"
+     "github.com/labstack/echo/v4"
+     echojwt "github.com/labstack/echo-jwt/v4"
+ )
+ 
+ func main() {
+     e := echo.New()
+     api := e.Group("/api")
+     api.Use(echojwt.WithConfig(echojwt.Config{
+         SigningKey: []byte(os.Getenv("JWT_SECRET")),
+     }))
+     api.POST("/transfer", transferHandler)
      e.Start(":8080")
  }
Fiber Missing JWT Middleware HIGH

Add Fiber JWT middleware to protect API endpoints

+13 -5 go 
  package main
  
- import "github.com/gofiber/fiber/v2"
- 
- func main() {
-     app := fiber.New()
-     app.Post("/api/transfer", transferHandler)
+ import (
+     "os"
+     "github.com/gofiber/fiber/v2"
+     jwtware "github.com/gofiber/contrib/jwt"
+ )
+ 
+ func main() {
+     app := fiber.New()
+     api := app.Group("/api")
+     api.Use(jwtware.New(jwtware.Config{
+         SigningKey: jwtware.SigningKey{Key: []byte(os.Getenv("JWT_SECRET"))},
+     }))
+     api.Post("/transfer", transferHandler)
      app.Listen(":3000")
  }
Gin Missing JWT Middleware HIGH

Add JWT authentication middleware to protect API endpoints

+15 -5 go 
  package main
  
- import "github.com/gin-gonic/gin"
- 
- func main() {
-     r := gin.Default()
-     r.POST("/api/transfer", transferHandler)
+ import (
+     "os"
+     "github.com/gin-gonic/gin"
+     jwt "github.com/appleboy/gin-jwt/v2"
+ )
+ 
+ func main() {
+     r := gin.Default()
+     auth, _ := jwt.New(&jwt.GinJWTMiddleware{
+         Realm: "api",
+         Key:   []byte(os.Getenv("JWT_SECRET")),
+     })
+     api := r.Group("/api")
+     api.Use(auth.MiddlewareFunc())
+     api.POST("/transfer", transferHandler)
      r.Run(":8080")
  }
🟨 JavaScript सब देखें JavaScript विवरण →
NestJS Endpoint Missing Authentication Guard HIGH

Add @UseGuards decorator with authentication guard at controller or method level

+5 -3 javascript 
- import { Controller, Get, Post, Body, Param } from '@nestjs/common';
- 
- @Controller('users')
+ import { Controller, Get, Post, Body, Param, UseGuards } from '@nestjs/common';
+ import { JwtAuthGuard } from '../auth/jwt-auth.guard';
+ 
+ @Controller('users')
+ @UseGuards(JwtAuthGuard)
  export class UsersController {
    @Get(':id')
    findOne(@Param('id') id: string) {
      return this.usersService.findOne(id);
    }
  
    @Post()
    create(@Body() dto: CreateUserDto) {
      return this.usersService.create(dto);
    }
  }
3 पहचान
3 पहचान

अपने कोड में भेद्यताएँ खोजें

Missing Authentication for Critical Function पैटर्न के लिए अपने कोडबेस को स्कैन करने के लिए Shoulder का उपयोग करें। 6 नियम.

टर्मिनल
# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=306

# Or scan entire project
npx @shoulderdev/cli trust .

पहचान नियम (6)

4 चेतावनी संकेत
4 चेतावनी संकेत

कोड समीक्षा में किन बातों पर ध्यान दें

ये पैटर्न संभावित Missing Authentication for Critical Function भेद्यताओं का संकेत देते हैं। कोड समीक्षा और सुरक्षा ऑडिट के दौरान इन्हें देखें।

🟠
View handles sensitive operations without authentication decorator django-missing-authentication
🟠
Django views that should require authentication but lack @login_required, @permission_required, or o django-missing-authentication
🟠
Endpoint performs sensitive operations without Depends(get_current_user) or similar auth fastapi-missing-authentication
🟠
FastAPI endpoints that perform sensitive operations without authentication via Depends() dependency fastapi-missing-authentication
🟠
Gin application missing JWT authentication middleware go-gin-missing-jwt
🟠
NestJS endpoint has no @UseGuards() decorator for authentication nestjs-missing-auth-guard
🔍

अपने कोडबेस को इसके लिए स्कैन करें: Missing Authentication for Critical Function

Shoulder CLI आपके पूरे कोडबेस में भेद्य पैटर्न खोजता है।

npx shoulder trust सभी नियम देखें