BETA O Shoulder está em beta — Os resultados às vezes podem estar incorretos. Seu feedback molda o que corrigimos a seguir. Compartilhar feedback
Shoulder.dev

Inteligência de Ameaças para Desenvolvedores
🔒

Missing Authentication for Critical Function

🛡️ 6 regras detectam isto

Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

As data traverses trust boundaries, the data should be validated before being processed. When authentication is not applied to critical functions, attackers can invoke these functions without proving their identity.

Prevalência
Alta
Frequentemente explorada
Impacto
Alto
6 regras de severidade alta
Prevenção
Documentada
6 exemplos de correção
2 Prevenção
2 Prevenção

Como corrigir esta vulnerabilidade

🐍 Python Ver tudo Python detalhes →
Django View Missing Authentication HIGH

Add @login_required or @permission_required decorator to all protected views

+7 -5 python 
- from django.http import JsonResponse
- from .models import Document
- 
- def delete_document(request, doc_id):
-     doc = Document.objects.get(id=doc_id)
+ from django.contrib.auth.decorators import login_required
+ from django.http import JsonResponse
+ from .models import Document
+ 
+ @login_required
+ def delete_document(request, doc_id):
+     doc = Document.objects.get(id=doc_id, owner=request.user)
      doc.delete()
      return JsonResponse({'status': 'deleted'})
FastAPI Endpoint Missing Authentication HIGH

Add authentication using FastAPI Depends() dependency injection

+10 -6 python 
- from fastapi import FastAPI
- 
- app = FastAPI()
- 
- @app.delete("/users/{user_id}")
- async def delete_user(user_id: int):
+ from fastapi import FastAPI, Depends
+ from myapp.auth import get_current_user
+ 
+ app = FastAPI()
+ 
+ @app.delete("/users/{user_id}")
+ async def delete_user(
+     user_id: int,
+     current_user: User = Depends(get_current_user)
+ ):
      await User.filter(id=user_id).delete()
      return {"deleted": user_id}
🐹 Go Ver tudo Go detalhes →
Echo Missing JWT Middleware HIGH

Add Echo JWT middleware to protect API endpoints

+13 -5 go 
  package main
  
- import "github.com/labstack/echo/v4"
- 
- func main() {
-     e := echo.New()
-     e.POST("/api/transfer", transferHandler)
+ import (
+     "os"
+     "github.com/labstack/echo/v4"
+     echojwt "github.com/labstack/echo-jwt/v4"
+ )
+ 
+ func main() {
+     e := echo.New()
+     api := e.Group("/api")
+     api.Use(echojwt.WithConfig(echojwt.Config{
+         SigningKey: []byte(os.Getenv("JWT_SECRET")),
+     }))
+     api.POST("/transfer", transferHandler)
      e.Start(":8080")
  }
Fiber Missing JWT Middleware HIGH

Add Fiber JWT middleware to protect API endpoints

+13 -5 go 
  package main
  
- import "github.com/gofiber/fiber/v2"
- 
- func main() {
-     app := fiber.New()
-     app.Post("/api/transfer", transferHandler)
+ import (
+     "os"
+     "github.com/gofiber/fiber/v2"
+     jwtware "github.com/gofiber/contrib/jwt"
+ )
+ 
+ func main() {
+     app := fiber.New()
+     api := app.Group("/api")
+     api.Use(jwtware.New(jwtware.Config{
+         SigningKey: jwtware.SigningKey{Key: []byte(os.Getenv("JWT_SECRET"))},
+     }))
+     api.Post("/transfer", transferHandler)
      app.Listen(":3000")
  }
Gin Missing JWT Middleware HIGH

Add JWT authentication middleware to protect API endpoints

+15 -5 go 
  package main
  
- import "github.com/gin-gonic/gin"
- 
- func main() {
-     r := gin.Default()
-     r.POST("/api/transfer", transferHandler)
+ import (
+     "os"
+     "github.com/gin-gonic/gin"
+     jwt "github.com/appleboy/gin-jwt/v2"
+ )
+ 
+ func main() {
+     r := gin.Default()
+     auth, _ := jwt.New(&jwt.GinJWTMiddleware{
+         Realm: "api",
+         Key:   []byte(os.Getenv("JWT_SECRET")),
+     })
+     api := r.Group("/api")
+     api.Use(auth.MiddlewareFunc())
+     api.POST("/transfer", transferHandler)
      r.Run(":8080")
  }
🟨 JavaScript Ver tudo JavaScript detalhes →
NestJS Endpoint Missing Authentication Guard HIGH

Add @UseGuards decorator with authentication guard at controller or method level

+5 -3 javascript 
- import { Controller, Get, Post, Body, Param } from '@nestjs/common';
- 
- @Controller('users')
+ import { Controller, Get, Post, Body, Param, UseGuards } from '@nestjs/common';
+ import { JwtAuthGuard } from '../auth/jwt-auth.guard';
+ 
+ @Controller('users')
+ @UseGuards(JwtAuthGuard)
  export class UsersController {
    @Get(':id')
    findOne(@Param('id') id: string) {
      return this.usersService.findOne(id);
    }
  
    @Post()
    create(@Body() dto: CreateUserDto) {
      return this.usersService.create(dto);
    }
  }
4 Sinais de Alerta
4 Sinais de Alerta

O que observar nas revisões de código

Estes padrões indicam vulnerabilidades potenciais de Missing Authentication for Critical Function. Procure-os durante revisões de código e auditorias de segurança.

🟠
View handles sensitive operations without authentication decorator django-missing-authentication
🟠
Django views that should require authentication but lack @login_required, @permission_required, or o django-missing-authentication
🟠
Endpoint performs sensitive operations without Depends(get_current_user) or similar auth fastapi-missing-authentication
🟠
FastAPI endpoints that perform sensitive operations without authentication via Depends() dependency fastapi-missing-authentication
🟠
Gin application missing JWT authentication middleware go-gin-missing-jwt
🟠
NestJS endpoint has no @UseGuards() decorator for authentication nestjs-missing-auth-guard
🔍

Escaneie seu código para Missing Authentication for Critical Function

O Shoulder CLI encontra padrões vulneráveis em todo o seu código.

npx shoulder trust Ver todas as regras