missing-jwt-token

python-flask · Security · Informational


No tags

No CWE or CVE

Ensure that when the flask_jwt_extended library is used in a flask app, it's being used to authenticate requests.

Ast Rule: function definition


missing-jwt-token

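// Reports a Flask view that is registered as a route but carries none of the
// decorators imported from flask_jwt_extended, and attaches a fix that inserts
// one. The rule only fires when the file has a
// `from flask_jwt_extended import ...` statement; a bare
// `import flask_jwt_extended` is not considered.
//
// NOTE(review): the page lists without-decorator.py with "Expected test
// result: no error", yet that fixture has `@app.route` and no
// flask_jwt_extended decorator, which is exactly the shape reported below —
// the fixture's expectation looks inverted; confirm in the playground.
//
// node     - Python function-definition AST node (this is an "Ast Rule:
//            function definition" rule); only its decorators and the file's
//            imports (node.context.imports) are inspected
// filename - unused
// code     - unused
function visit(node, filename, code) {
	// Names that may be offered as a fix. The fix is written in call form,
	// `@name()`, so only decorators that take that form belong here. Other
	// names importable from the library (for example create_access_token or
	// get_jwt_identity) are helpers, not decorators, and must never be
	// suggested as one.
	const FIXABLE_DECORATORS = ["jwt_required"];

	// Every name brought in with `from flask_jwt_extended import a, b, ...`.
	const jwtImports = node.context.imports
		.filter(i => i.astType === "fromstatement" && i.pkg && i.pkg.value === "flask_jwt_extended")
		.flatMap(i => i.elements.filter(e => e.name && e.name.value).map(e => e.name.value));

	// Library not imported in this file: nothing to enforce.
	if (jwtImports.length === 0) {
		return;
	}

	const decoratorNames = (node.decorators || [])
		.filter(d => d.name && d.name.value)
		.map(d => d.name.value);

	// `@app.route(...)` registers a view; blueprint routes (`@bp.route(...)`)
	// register views the same way, so any `<object>.route` decorator counts.
	// NOTE(review): the Flask 2 shortcuts `@app.get/post/...` are not
	// recognised, so views registered that way are not checked.
	const isRoute = decoratorNames.some(name => name.endsWith(".route"));

	// Any decorator whose name was imported from flask_jwt_extended is taken
	// as the guard (jwt_required, or the older *_required variants).
	const hasJwtDecorator = decoratorNames.some(name => jwtImports.includes(name));

	if (!isRoute || hasJwtDecorator) {
		return;
	}

	let error = buildError(node.name.start.line, node.name.start.col,
		node.name.end.line, node.name.end.col,
		"flask_jwt_extended imported - you may want to add a decorator",
		"CRITICAL", "SECURITY");

	// One fix per imported guard decorator, inserted as its own line in front
	// of the function. The `- 1` on the column is kept from the original rule;
	// presumably it places the insert before the function's first decorator —
	// confirm against the playground.
	jwtImports
		.filter(name => FIXABLE_DECORATORS.includes(name))
		.forEach(name => {
			const edit = buildEditAdd(node.start.line, node.start.col - 1, `@${name}()\n`);
			error = error.addFix(buildFix(`add decorator ${name}`, [edit]));
		});

	addError(error);
}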

with-decorator.py

Expected test result: no error

from flask_jwt_extended import jwt_required


@app.route("/sendmail", methods=["POST"])
@jwt_required()
async def send_mail():
    """Render the posted JSON into the mail template, attach it as a PDF and send it.

    Fixture for the missing-jwt-token rule: the route carries a decorator
    imported from flask_jwt_extended, so the rule must not report it.
    """
    payload = json.loads(request.data)
    rendered = render_template("mail-view.html", data=payload)
    # The second argument (False) presumably asks pdfkit for the PDF in memory
    # instead of writing it to a path — confirm against the pdfkit API.
    report = pdfkit.from_string(rendered, False)
    msg = Message(
        subject="Flask-Mailing module",
        recipients=["recepient-mail@domain.com"],
        body="Message body",
        subtype="html",
    )
    msg.attach("report.pdf", report)
    await mail.send_message(msg)
    return jsonify({"message": "success"}), 200

without-decorator.py

Expected test result: no error

from flask_jwt_extended import jwt_required

@app.route("/sendmail", methods=["POST"])
async def send_mail():
    """Render the posted JSON into the mail template, attach it as a PDF and send it.

    Fixture for the missing-jwt-token rule: the file imports
    flask_jwt_extended, but this route carries none of its decorators — the
    shape the rule's `isRoute && !useJwtDecorator` branch matches.
    """
    body_data = json.loads(request.data)
    html = render_template("mail-view.html", data=body_data)
    # The second argument (False) presumably asks pdfkit for the PDF in memory
    # instead of writing it to a path — confirm against the pdfkit API.
    pdf_bytes = pdfkit.from_string(html, False)
    outgoing = Message(
        subject="Flask-Mailing module",
        recipients=["recepient-mail@domain.com"],
        body="Message body",
        subtype="html",
    )
    outgoing.attach("report.pdf", pdf_bytes)
    await mail.send_message(outgoing)
    return jsonify({"message": "success"}), 200