[Security] Fix 5 vulnerabilities: Hardcoded SECRET_KEY, IDOR, Open Redirect (CWE-798, CWE-639, CWE-601)#2
Open
saaa99999999 wants to merge 1 commit into
Open
Conversation
- CWE-798: Remove hardcoded SECRET_KEY fallback, require env var - CWE-639: Add bookerId ownership check to /cancelbooking (IDOR fix) - CWE-601: Fix open redirect bypass in /login (http:/evil.com) Reported by security review. See advisory at https://github.com/saaa99999999/room-booking-app/security/advisories
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Security Audit Report — room-booking-app
Manual code audit discovered 5 security vulnerabilities (1 Critical, 2 High, 2 Medium).
CRITICAL-1: CWE-798 Hardcoded Flask SECRET_KEY Fallback (CVSS 9.8)
Location: config.py:4
Data Flow:
config.py:4 SECRET_KEY = os.environ.get('SECRET_KEY') or 'you-will-never-guess'
-> Flask session signing uses this key -> Session forgery via flask-unsign
The fallback value 'you-will-never-guess' is a publicly known static string. When SECRET_KEY env var is unset, all Flask sessions are signed with this key.
PoC:
Fix: Remove fallback; raise RuntimeError if SECRET_KEY not set.
HIGH-1: CWE-639 IDOR — Meeting Cancellation Without Ownership Check (CVSS 8.1)
Location: app/routes.py:233-249
Data Flow:
routes.py:233 form.ids.data (user-supplied meeting ID) -> routes.py:249 db.session.delete(meeting)
-> No ownership check -> Any user can cancel any meeting
PoC:
Fix: Add bookerId=current_user.id filter to the meeting query.
HIGH-2: CWE-601 Open Redirect in Login (CVSS 6.1)
Location: app/routes.py:26-29
Data Flow:
routes.py:26 request.args.get('next') -> routes.py:27 url_parse(next_page).netloc check (bypassable)
-> routes.py:29 redirect(next_page)
PoC:
Fix: Validate URL scheme and netloc, only allow relative paths.
MEDIUM: CWE-287 Role Check via Username String + Missing dependency manifest
Changes
CVE Request
Advisory: https://github.com/saaa99999999/room-booking-app/security/advisories
CVE IDs pending — GitHub CNA review (1-5 business days).