BETA Shoulder jest w wersji beta — Wyniki mogą czasami być błędne. Twoja opinia kształtuje to, co naprawimy w następnej kolejności. Podziel się opinią
Shoulder.dev

Platforma Bezpieczenstwa dla Programistow
🔒

Missing Authentication for Critical Function

🛡️ 6 reguł wykrywa to

Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

As data traverses trust boundaries, the data should be validated before being processed. When authentication is not applied to critical functions, attackers can invoke these functions without proving their identity.

Rozpowszechnienie
Wysoka
Często wykorzystywana
Wplyw
Wysoki
6 reguł o wysokim poziomie
Zapobieganie
Udokumentowane
6 przykładów poprawek
2 Zapobieganie
2 Zapobieganie

Jak naprawić tę podatność

🐍 Python Zobacz wszystko Python szczegóły →
Django View Missing Authentication HIGH

Add @login_required or @permission_required decorator to all protected views

+7 -5 python 
- from django.http import JsonResponse
- from .models import Document
- 
- def delete_document(request, doc_id):
-     doc = Document.objects.get(id=doc_id)
+ from django.contrib.auth.decorators import login_required
+ from django.http import JsonResponse
+ from .models import Document
+ 
+ @login_required
+ def delete_document(request, doc_id):
+     doc = Document.objects.get(id=doc_id, owner=request.user)
      doc.delete()
      return JsonResponse({'status': 'deleted'})
FastAPI Endpoint Missing Authentication HIGH

Add authentication using FastAPI Depends() dependency injection

+10 -6 python 
- from fastapi import FastAPI
- 
- app = FastAPI()
- 
- @app.delete("/users/{user_id}")
- async def delete_user(user_id: int):
+ from fastapi import FastAPI, Depends
+ from myapp.auth import get_current_user
+ 
+ app = FastAPI()
+ 
+ @app.delete("/users/{user_id}")
+ async def delete_user(
+     user_id: int,
+     current_user: User = Depends(get_current_user)
+ ):
      await User.filter(id=user_id).delete()
      return {"deleted": user_id}
🐹 Go Zobacz wszystko Go szczegóły →
Echo Missing JWT Middleware HIGH

Add Echo JWT middleware to protect API endpoints

+13 -5 go 
  package main
  
- import "github.com/labstack/echo/v4"
- 
- func main() {
-     e := echo.New()
-     e.POST("/api/transfer", transferHandler)
+ import (
+     "os"
+     "github.com/labstack/echo/v4"
+     echojwt "github.com/labstack/echo-jwt/v4"
+ )
+ 
+ func main() {
+     e := echo.New()
+     api := e.Group("/api")
+     api.Use(echojwt.WithConfig(echojwt.Config{
+         SigningKey: []byte(os.Getenv("JWT_SECRET")),
+     }))
+     api.POST("/transfer", transferHandler)
      e.Start(":8080")
  }
Fiber Missing JWT Middleware HIGH

Add Fiber JWT middleware to protect API endpoints

+13 -5 go 
  package main
  
- import "github.com/gofiber/fiber/v2"
- 
- func main() {
-     app := fiber.New()
-     app.Post("/api/transfer", transferHandler)
+ import (
+     "os"
+     "github.com/gofiber/fiber/v2"
+     jwtware "github.com/gofiber/contrib/jwt"
+ )
+ 
+ func main() {
+     app := fiber.New()
+     api := app.Group("/api")
+     api.Use(jwtware.New(jwtware.Config{
+         SigningKey: jwtware.SigningKey{Key: []byte(os.Getenv("JWT_SECRET"))},
+     }))
+     api.Post("/transfer", transferHandler)
      app.Listen(":3000")
  }
Gin Missing JWT Middleware HIGH

Add JWT authentication middleware to protect API endpoints

+15 -5 go 
  package main
  
- import "github.com/gin-gonic/gin"
- 
- func main() {
-     r := gin.Default()
-     r.POST("/api/transfer", transferHandler)
+ import (
+     "os"
+     "github.com/gin-gonic/gin"
+     jwt "github.com/appleboy/gin-jwt/v2"
+ )
+ 
+ func main() {
+     r := gin.Default()
+     auth, _ := jwt.New(&jwt.GinJWTMiddleware{
+         Realm: "api",
+         Key:   []byte(os.Getenv("JWT_SECRET")),
+     })
+     api := r.Group("/api")
+     api.Use(auth.MiddlewareFunc())
+     api.POST("/transfer", transferHandler)
      r.Run(":8080")
  }
🟨 JavaScript Zobacz wszystko JavaScript szczegóły →
NestJS Endpoint Missing Authentication Guard HIGH

Add @UseGuards decorator with authentication guard at controller or method level

+5 -3 javascript 
- import { Controller, Get, Post, Body, Param } from '@nestjs/common';
- 
- @Controller('users')
+ import { Controller, Get, Post, Body, Param, UseGuards } from '@nestjs/common';
+ import { JwtAuthGuard } from '../auth/jwt-auth.guard';
+ 
+ @Controller('users')
+ @UseGuards(JwtAuthGuard)
  export class UsersController {
    @Get(':id')
    findOne(@Param('id') id: string) {
      return this.usersService.findOne(id);
    }
  
    @Post()
    create(@Body() dto: CreateUserDto) {
      return this.usersService.create(dto);
    }
  }
4 Sygnaly Ostrzegawcze
4 Sygnaly Ostrzegawcze

Na co zwracac uwage podczas przegladu kodu

Te wzorce wskazuja na potencjalne podatnosci Missing Authentication for Critical Function. Szukaj ich podczas przegladow kodu i audytow bezpieczenstwa.

🟠
View handles sensitive operations without authentication decorator django-missing-authentication
🟠
Django views that should require authentication but lack @login_required, @permission_required, or o django-missing-authentication
🟠
Endpoint performs sensitive operations without Depends(get_current_user) or similar auth fastapi-missing-authentication
🟠
FastAPI endpoints that perform sensitive operations without authentication via Depends() dependency fastapi-missing-authentication
🟠
Gin application missing JWT authentication middleware go-gin-missing-jwt
🟠
NestJS endpoint has no @UseGuards() decorator for authentication nestjs-missing-auth-guard
🔍

Przeskanuj swój kod w poszukiwaniu Missing Authentication for Critical Function

Shoulder CLI znajduje podatne wzorce w całym Twoim kodzie.

npx shoulder trust Przeglądaj wszystkie reguły