Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Every request that crosses a trust boundary (for example, from the network into the application) must establish who is calling before a critical function runs. When authentication is not enforced on such functions, an attacker can invoke them without proving any identity. Authentication on its own is also not sufficient for functions that act on a specific resource: the authenticated identity must then be authorized for that resource (ownership or role), otherwise any logged-in user can act on another user's data.
如何修复此漏洞
Add the @login_required (or @permission_required) decorator to every view that changes state or exposes per-user data, and scope the query to the authenticated user (as the patch does with owner=request.user) so that logging in alone is not enough to reach another user's objects
- from django.http import JsonResponse - from .models import Document - - def delete_document(request, doc_id): - doc = Document.objects.get(id=doc_id) + from django.contrib.auth.decorators import login_required + from django.http import JsonResponse + from .models import Document + + @login_required + def delete_document(request, doc_id): + doc = Document.objects.get(id=doc_id, owner=request.user) doc.delete() return JsonResponse({'status': 'deleted'})
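Review bot: `Document.objects.get(id=doc_id, owner=request.user)` raises `Document.DoesNotExist` when the id is unknown or belongs to another user, which surfaces as a 500 rather than a 404; use `doc = get_object_or_404(Document, id=doc_id, owner=request.user)` (from `django.shortcuts`) so the ownership filter fails closed cleanly. The view is also still reachable by GET, so a deletion can be triggered by a plain link or image tag; add `@require_http_methods(["POST", "DELETE"])` beneath `@login_required` so that Django's CSRF protection applies. Note that `@login_required` answers unauthenticated callers with a redirect to the login page, which a JSON client will not follow usefully; for an API endpoint a 401/403 response is usually preferable.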
Add authentication using FastAPI Depends() dependency injection
- from fastapi import FastAPI - - app = FastAPI() - - @app.delete("/users/{user_id}") - async def delete_user(user_id: int): + from fastapi import FastAPI, Depends + from myapp.auth import get_current_user + + app = FastAPI() + + @app.delete("/users/{user_id}") + async def delete_user( + user_id: int, + current_user: User = Depends(get_current_user) + ): await User.filter(id=user_id).delete() return {"deleted": user_id}
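Review bot: The added `current_user` dependency is never used, so any authenticated caller can still delete any `user_id` — the patch adds authentication but no authorization. Before the delete, compare the caller to the target, e.g. `if current_user.id != user_id and not getattr(current_user, "is_admin", False): raise HTTPException(status_code=403)`, with `HTTPException` imported from `fastapi`. `User` is referenced in the annotation but not imported anywhere in the hunk; presumably it comes from the same models module as `get_current_user`, but as written the snippet does not run.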
Add Echo JWT middleware to protect API endpoints
package main - import "github.com/labstack/echo/v4" - - func main() { - e := echo.New() - e.POST("/api/transfer", transferHandler) + import ( + "os" + "github.com/labstack/echo/v4" + echojwt "github.com/labstack/echo-jwt/v4" + ) + + func main() { + e := echo.New() + api := e.Group("/api") + api.Use(echojwt.WithConfig(echojwt.Config{ + SigningKey: []byte(os.Getenv("JWT_SECRET")), + })) + api.POST("/transfer", transferHandler) e.Start(":8080") }
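Review bot: `SigningKey: []byte(os.Getenv("JWT_SECRET"))` silently becomes an empty key when the variable is unset, and an empty `[]byte` is non-nil, so the middleware's missing-key check (which, as far as I can tell, only fires on a nil key) does not trip; a token signed with an empty HS256 secret would then verify. Read the secret once and fail fast before building the config: `secret := os.Getenv("JWT_SECRET"); if secret == "" { log.Fatal("JWT_SECRET must be set") }`, then pass `[]byte(secret)`. The middleware only proves that a valid token was presented; `transferHandler` (outside the hunk) still has to take the source account from the token claims rather than from the request body, or any authenticated user can move funds between arbitrary accounts.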
Add Fiber JWT middleware to protect API endpoints
package main - import "github.com/gofiber/fiber/v2" - - func main() { - app := fiber.New() - app.Post("/api/transfer", transferHandler) + import ( + "os" + "github.com/gofiber/fiber/v2" + jwtware "github.com/gofiber/contrib/jwt" + ) + + func main() { + app := fiber.New() + api := app.Group("/api") + api.Use(jwtware.New(jwtware.Config{ + SigningKey: jwtware.SigningKey{Key: []byte(os.Getenv("JWT_SECRET"))}, + })) + api.Post("/transfer", transferHandler) app.Listen(":3000") }
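Review bot: `jwtware.SigningKey{Key: []byte(os.Getenv("JWT_SECRET"))}` has the same unset-variable problem as the Echo example: an empty string converts to a non-nil zero-length key that passes the library's nil check (presumably) and leaves every `/api` route protected by an empty secret. Guard it at startup, `secret := os.Getenv("JWT_SECRET"); if secret == "" { log.Fatal("JWT_SECRET must be set") }`, before `jwtware.New`. The default signing method is HS256 unless `SigningMethod` is set; confirm that matches how the tokens are minted, and have `transferHandler` derive the acting user from `c.Locals("user")` rather than from request fields.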
Add JWT authentication middleware to protect API endpoints
package main - import "github.com/gin-gonic/gin" - - func main() { - r := gin.Default() - r.POST("/api/transfer", transferHandler) + import ( + "os" + "github.com/gin-gonic/gin" + jwt "github.com/appleboy/gin-jwt/v2" + ) + + func main() { + r := gin.Default() + auth, _ := jwt.New(&jwt.GinJWTMiddleware{ + Realm: "api", + Key: []byte(os.Getenv("JWT_SECRET")), + }) + api := r.Group("/api") + api.Use(auth.MiddlewareFunc()) + api.POST("/transfer", transferHandler) r.Run(":8080") }
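Review bot: `auth, _ := jwt.New(...)` discards the constructor's error, so a misconfigured middleware yields a nil or unvalidated `auth` that panics either at `auth.MiddlewareFunc()` or on the first request, depending on the library version. Handle it: `auth, err := jwt.New(&jwt.GinJWTMiddleware{...}); if err != nil { log.Fatalf("jwt middleware: %v", err) }`. The empty-key concern applies here too — an unset `JWT_SECRET` gives `Key: []byte("")`, which is non-nil and so presumably passes gin-jwt's missing-key check — so check the variable before building the config. gin-jwt's default `Authorizator` accepts every valid token, so this still only authenticates; per-user authorization (which account the caller may debit) belongs in `transferHandler`, which is outside the hunk.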
Add @UseGuards decorator with authentication guard at controller or method level
- import { Controller, Get, Post, Body, Param } from '@nestjs/common'; - - @Controller('users') + import { Controller, Get, Post, Body, Param, UseGuards } from '@nestjs/common'; + import { JwtAuthGuard } from '../auth/jwt-auth.guard'; + + @Controller('users') + @UseGuards(JwtAuthGuard) export class UsersController { @Get(':id') findOne(@Param('id') id: string) { return this.usersService.findOne(id); } @Post() create(@Body() dto: CreateUserDto) { return this.usersService.create(dto); } }
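Review bot: The guard authenticates, but `findOne` still returns whatever `id` the caller asks for, so any logged-in user can read any other user's record; `this.usersService.findOne(id)` needs an ownership or role check against the authenticated principal, e.g. inject `@Req() req` and compare `req.user.id` to `id`, or add a roles guard. Placing `@UseGuards(JwtAuthGuard)` on the controller also gates `create()`, which will lock out self-registration if that is what this endpoint is; either move the guard to `findOne` or mark `create` with a public-route decorator that your guard honours. A guard registered globally via `APP_GUARD` with an explicit opt-out decorator is the safer default-deny than remembering to decorate each controller. The controller also uses `this.usersService` without a constructor injecting it; presumably that was elided from the snippet.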