Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
As data traverses trust boundaries, the data should be validated before being processed. When authentication is not applied to critical functions, attackers can invoke these functions without proving their identity.
普及度
高
頻繁に悪用される
影響度
ハイ
6 件の重大度ハイのルール
予防
文書化済み
6 件の修正例
2 予防
2 予防
この脆弱性の修正方法
Python
すべて表示 Python 詳細 →
Django View Missing Authentication
HIGH
Add @login_required or @permission_required decorator to all protected views
- from django.http import JsonResponse - from .models import Document - - def delete_document(request, doc_id): - doc = Document.objects.get(id=doc_id) + from django.contrib.auth.decorators import login_required + from django.http import JsonResponse + from .models import Document + + @login_required + def delete_document(request, doc_id): + doc = Document.objects.get(id=doc_id, owner=request.user) doc.delete() return JsonResponse({'status': 'deleted'})
FastAPI Endpoint Missing Authentication
HIGH
Add authentication using FastAPI Depends() dependency injection
- from fastapi import FastAPI - - app = FastAPI() - - @app.delete("/users/{user_id}") - async def delete_user(user_id: int): + from fastapi import FastAPI, Depends + from myapp.auth import get_current_user + + app = FastAPI() + + @app.delete("/users/{user_id}") + async def delete_user( + user_id: int, + current_user: User = Depends(get_current_user) + ): await User.filter(id=user_id).delete() return {"deleted": user_id}
Echo Missing JWT Middleware
HIGH
Add Echo JWT middleware to protect API endpoints
package main - import "github.com/labstack/echo/v4" - - func main() { - e := echo.New() - e.POST("/api/transfer", transferHandler) + import ( + "os" + "github.com/labstack/echo/v4" + echojwt "github.com/labstack/echo-jwt/v4" + ) + + func main() { + e := echo.New() + api := e.Group("/api") + api.Use(echojwt.WithConfig(echojwt.Config{ + SigningKey: []byte(os.Getenv("JWT_SECRET")), + })) + api.POST("/transfer", transferHandler) e.Start(":8080") }
Fiber Missing JWT Middleware
HIGH
Add Fiber JWT middleware to protect API endpoints
package main - import "github.com/gofiber/fiber/v2" - - func main() { - app := fiber.New() - app.Post("/api/transfer", transferHandler) + import ( + "os" + "github.com/gofiber/fiber/v2" + jwtware "github.com/gofiber/contrib/jwt" + ) + + func main() { + app := fiber.New() + api := app.Group("/api") + api.Use(jwtware.New(jwtware.Config{ + SigningKey: jwtware.SigningKey{Key: []byte(os.Getenv("JWT_SECRET"))}, + })) + api.Post("/transfer", transferHandler) app.Listen(":3000") }
Gin Missing JWT Middleware
HIGH
Add JWT authentication middleware to protect API endpoints
package main - import "github.com/gin-gonic/gin" - - func main() { - r := gin.Default() - r.POST("/api/transfer", transferHandler) + import ( + "os" + "github.com/gin-gonic/gin" + jwt "github.com/appleboy/gin-jwt/v2" + ) + + func main() { + r := gin.Default() + auth, _ := jwt.New(&jwt.GinJWTMiddleware{ + Realm: "api", + Key: []byte(os.Getenv("JWT_SECRET")), + }) + api := r.Group("/api") + api.Use(auth.MiddlewareFunc()) + api.POST("/transfer", transferHandler) r.Run(":8080") }
JavaScript
すべて表示 JavaScript 詳細 →
NestJS Endpoint Missing Authentication Guard
HIGH
Add @UseGuards decorator with authentication guard at controller or method level
- import { Controller, Get, Post, Body, Param } from '@nestjs/common'; - - @Controller('users') + import { Controller, Get, Post, Body, Param, UseGuards } from '@nestjs/common'; + import { JwtAuthGuard } from '../auth/jwt-auth.guard'; + + @Controller('users') + @UseGuards(JwtAuthGuard) export class UsersController { @Get(':id') findOne(@Param('id') id: string) { return this.usersService.findOne(id); } @Post() create(@Body() dto: CreateUserDto) { return this.usersService.create(dto); } }
3 検出
3 検出
コードの脆弱性を見つける
Shoulderを使用してコードのMissing Authentication for Critical Functionパターンをスキャンしましょう。 6 ルール.
# Scan with Shoulder CLI npx @shoulderdev/cli trust --cwe=306 # Or scan entire project npx @shoulderdev/cli trust .
検出ルール (6)
🐹
Go
3 rules
🐍
Python
2 rules
Django View Missing Authentication
HIGH
Detects Django views that should require authentication but lack
@login_required, @permission_required, or other authentication decorators.
FastAPI Endpoint Missing Authentication
HIGH
Detects FastAPI endpoints that perform sensitive operations without
authentication via Depends() dependency injection.
4 警告サイン
4 警告サイン
コードレビューで注目すべき点
これらのパターンはMissing Authentication for Critical Functionの潜在的な脆弱性を示しています。コードレビューとセキュリティ監査中に探してください。
View handles sensitive operations without authentication decorator
django-missing-authentication
Django views that should require authentication but lack
@login_required, @permission_required, or o
django-missing-authentication
Endpoint performs sensitive operations without Depends(get_current_user) or similar auth
fastapi-missing-authentication
FastAPI endpoints that perform sensitive operations without
authentication via Depends() dependency
fastapi-missing-authentication
Gin application missing JWT authentication middleware
go-gin-missing-jwt
NestJS endpoint has no @UseGuards() decorator for authentication
nestjs-missing-auth-guard
コードベースをスキャン: Missing Authentication for Critical Function
Shoulder CLI はコードベース全体から脆弱なパターンを見つけます。