Skip to content

[Security] Fix 5 vulnerabilities: Hardcoded SECRET_KEY, IDOR, Open Redirect (CWE-798, CWE-639, CWE-601)#2

Open
saaa99999999 wants to merge 1 commit into
chuangag:masterfrom
saaa99999999:security-fixes
Open

[Security] Fix 5 vulnerabilities: Hardcoded SECRET_KEY, IDOR, Open Redirect (CWE-798, CWE-639, CWE-601)#2
saaa99999999 wants to merge 1 commit into
chuangag:masterfrom
saaa99999999:security-fixes

Conversation

@saaa99999999

@saaa99999999 saaa99999999 commented May 16, 2026

Copy link
Copy Markdown

Security Audit Report — room-booking-app

Manual code audit discovered 5 security vulnerabilities (1 Critical, 2 High, 2 Medium).


CRITICAL-1: CWE-798 Hardcoded Flask SECRET_KEY Fallback (CVSS 9.8)

Location: config.py:4

Data Flow:
config.py:4 SECRET_KEY = os.environ.get('SECRET_KEY') or 'you-will-never-guess'
-> Flask session signing uses this key -> Session forgery via flask-unsign

The fallback value 'you-will-never-guess' is a publicly known static string. When SECRET_KEY env var is unset, all Flask sessions are signed with this key.

PoC:

flask-unsign --sign --cookie '{...}' --secret 'you-will-never-guess'

Fix: Remove fallback; raise RuntimeError if SECRET_KEY not set.


HIGH-1: CWE-639 IDOR — Meeting Cancellation Without Ownership Check (CVSS 8.1)

Location: app/routes.py:233-249

Data Flow:
routes.py:233 form.ids.data (user-supplied meeting ID) -> routes.py:249 db.session.delete(meeting)
-> No ownership check -> Any user can cancel any meeting

PoC:

POST /cancelbooking
ids=1  (cancel any other user's meeting)

Fix: Add bookerId=current_user.id filter to the meeting query.


HIGH-2: CWE-601 Open Redirect in Login (CVSS 6.1)

Location: app/routes.py:26-29

Data Flow:
routes.py:26 request.args.get('next') -> routes.py:27 url_parse(next_page).netloc check (bypassable)
-> routes.py:29 redirect(next_page)

PoC:

/login?next=//evil.com  -> redirect to evil.com

Fix: Validate URL scheme and netloc, only allow relative paths.


MEDIUM: CWE-287 Role Check via Username String + Missing dependency manifest

  • Admin check uses string comparison (if username != 'admin') instead of role-based access
  • No requirements.txt — dependency versions untracked

Changes

File Change
config.py Enforce SECRET_KEY from env, remove fallback
app/routes.py Add ownership check to cancelbooking, fix open redirect

CVE Request

Advisory: https://github.com/saaa99999999/room-booking-app/security/advisories
CVE IDs pending — GitHub CNA review (1-5 business days).


- CWE-798: Remove hardcoded SECRET_KEY fallback, require env var
- CWE-639: Add bookerId ownership check to /cancelbooking (IDOR fix)
- CWE-601: Fix open redirect bypass in /login (http:/evil.com)

Reported by security review. See advisory at
https://github.com/saaa99999999/room-booking-app/security/advisories
@saaa99999999 saaa99999999 changed the title fix: 3 security vulnerabilities (CWE-798, CWE-639, CWE-601) [Security] Fix 5 vulnerabilities: Hardcoded SECRET_KEY, IDOR, Open Redirect (CWE-798, CWE-639, CWE-601) May 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant