python-flask-meetup

Grayson Hardaway

Author

unknown

Download Count*

LGPL Commons Clause

License

Python Meetup Check Ruleset

Run Locally

Rules (9)

python.requests.security.no-auth-over-http.no-auth-over-http

returntocorp

python

Authentication detected over HTTP. HTTP does not provide any encryption or protection for these authentication credentials. This may expose these credentials to unauthorized parties. Use 'https://' instead.

python.boto3.security.hardcoded-token.hardcoded-token

returntocorp

python

A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).

python.flask.security.audit.render-template-string.render-template-string

returntocorp

python

Found a template created with string formatting. This is susceptible to server-side template injection and cross-site scripting attacks.

python.flask.security.audit.app-run-param-config.avoid_app_run_with_bad_host

returntocorp

python

Running flask app with host 0.0.0.0 could expose the server publicly.

python.flask.security.audit.app-run-security-config.avoid_using_app_run_directly

returntocorp

python

top-level app.run(...) is ignored by flask. Consider putting app.run(...) behind a guard, like inside a function

python.flask.security.unescaped-template-extension.unescaped-template-extension

returntocorp

python

Flask does not automatically escape Jinja templates unless they have .html, .htm, .xml, or .xhtml extensions. This could lead to XSS attacks. Use .html, .htm, .xml, or .xhtml for your template extensions. See https://flask.palletsprojects.com/en/1.1.x/templating/#jinja-setup for more information.

python.flask.security.unsanitized-input.response-contains-unsanitized-input

returntocorp

python

Flask response reflects unsanitized user input. This could lead to a cross-site scripting vulnerability (https://owasp.org/www-community/attacks/xss/) in which an attacker causes arbitrary code to be executed in the user's browser. To prevent, please sanitize the user input, e.g. by rendering the response in a Jinja2 template (see considerations in https://flask.palletsprojects.com/en/1.0.x/security/).

python.flask.security.audit.secure-set-cookie.secure-set-cookie

returntocorp

python

Found a Flask cookie without secure, httponly, or samesite correctly set. Flask cookies should be handled securely by setting secure=True, httponly=True, and samesite='Lax' in response.set_cookie(...). If these parameters are not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker. Include the 'secure=True', 'httponly=True', samesite='Lax' arguments or set these to be true in the Flask configuration.

python.requests.best-practice.use-timeout.use-timeout

returntocorp

python

Detected a 'requests' call without a timeout set. By default, 'requests' calls wait until the connection is closed. This means a 'requests' call without a timeout will hang the program if a response is never received. Consider setting a timeout for all 'requests'.