Flask
Security rules for Flask web framework
Run All Flask Rules
pathfinder scan --ruleset python/flask --project .

Rules
Flask Debug Mode Enabled
HIGH: Detects Flask applications started with debug=True, which enables the interactive Werkzeug debugger. The debugger console executes arbitrary Python on the server, so it must never run in production.
Flask Bound to All Interfaces
MEDIUM: Detects Flask applications binding the development server to 0.0.0.0, which exposes it on every network interface instead of localhost only; combined with debug mode this exposes the debugger console to the network.
Flask CORS Wildcard Origin
MEDIUM: Detects Flask-CORS configured with origins="*", which lets any origin read cross-origin responses from the application. Use an explicit allowlist of trusted origins instead.
Flask url_for with _external=True
LOW: Detects url_for() called with _external=True. The absolute URL is built from the request's Host header, which the client controls, so a forged Host can make password-reset or verification links point at an attacker-controlled host. Configure SERVER_NAME, validate the Host header (Flask 3.1 and later provide the TRUSTED_HOSTS setting for this), or pin it at the reverse proxy.
Flask render_template_string Usage
MEDIUM: Detects any use of render_template_string(), which compiles a Jinja2 template from a Python string. A fixed template string is safe to render; a string assembled at runtime from request data is the classic Server-Side Template Injection (SSTI) sink, so every call site should be checked for how the template string is built.
Flask Cookie Without Secure Flags
MEDIUM: Detects set_cookie() calls with secure=False or httponly=False, which expose session and authentication cookies to theft over plaintext HTTP or to JavaScript access. Werkzeug's set_cookie() defaults both flags to False, so a call that simply omits them is just as exposed: set secure=True, httponly=True and a samesite value explicitly, and use SESSION_COOKIE_SECURE (default False) and SESSION_COOKIE_HTTPONLY (default True) for Flask's own session cookie.
Flask Command Injection via subprocess
CRITICAL: User input from Flask request parameters flows to a subprocess function with shell=True or as a single command string, so shell metacharacters in the input become part of the command. Pass the command as a list of arguments without shell=True, and validate the value against the format you expect.
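Worked example for this rule, added here and not part of the pathfinder ruleset or of Flask: the flagged pattern beside the hardened form. `echo` stands in for a real tool such as `ping` so it runs offline, and the hostname pattern is an assumption about what the feature needs (DNS names and IPv4 literals only). The input string is constructed for the demo and assumes a POSIX `sh` for the shell=True case.

```python
import re
import subprocess

# Constructed input: a hostname with a shell-metacharacter payload appended.
INJECTED_HOST = "127.0.0.1; echo INJECTED"

# Assumed format: dotted labels of letters, digits and hyphens (covers DNS names
# and IPv4 literals); deliberately strict because it is an allowlist.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def is_valid_hostname(host: str) -> bool:
    return bool(HOSTNAME_RE.match(host))


def run_vulnerable(host: str) -> str:
    """What the rule flags: request data interpolated into a shell command string.
    The shell splits on ';' and runs the second command."""
    result = subprocess.run(f"echo {host}", shell=True, capture_output=True, text=True)
    return result.stdout


def run_list_without_validation(host: str) -> str:
    """A list argv with no shell already defeats the injection: the whole payload
    reaches echo as one literal argument. Still not ideal, since garbage input
    reaches the tool."""
    result = subprocess.run(["echo", host], capture_output=True, text=True)
    return result.stdout


def run_safe(host: str) -> str:
    """Hardened form: validate the value, then pass argv as a list with no shell."""
    if not is_valid_hostname(host):
        raise ValueError(f"invalid hostname: {host!r}")
    result = subprocess.run(["echo", host], capture_output=True, text=True)
    return result.stdout
```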
Flask SQL Injection via Tainted String
CRITICAL: Finds user input reaching raw SQL query strings (string formatting, concatenation or f-strings) in Flask apps. Use parameterized queries so the database driver keeps data separate from SQL syntax.
Flask Code Injection via eval()
CRITICAL: User input from Flask request parameters flows to eval(). Replace it with ast.literal_eval() when only Python literals are expected, or json.loads() for structured input; neither evaluates expressions, attribute access or calls.
Flask Code Injection via exec()
CRITICAL: User input from Flask request parameters flows to exec() or compile(). There is no safe sanitizer for exec(); redesign the feature so that dynamic code execution is not needed.
Flask SSRF via requests Library
HIGH: User input from Flask request parameters flows into the URL of an outbound HTTP request made with the requests library, allowing Server-Side Request Forgery against internal services and cloud metadata endpoints. Validate the URL and allowlist target hosts before making the request.
Flask Path Traversal via open()
HIGH: User input from Flask request parameters flows to open() or io.open() without path sanitization, so ../ sequences or absolute paths can read or write files outside the intended directory. Use werkzeug.utils.secure_filename() for uploaded file names and verify that the resolved path (os.path.realpath) stays inside the intended directory.
Flask CSV Injection
MEDIUM: User input from Flask request parameters flows to csv.writer.writerow() or writerows() without formula-character sanitization. A cell beginning with =, +, -, @ (or a tab or carriage return) is evaluated as a formula when the export is opened in a spreadsheet application. Prefix such cells with a single quote or strip the leading character.
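Worked example for this rule, added here and not part of the ruleset: a cell sanitizer applied before csv.writer, with constructed rows in which the display-name column came from a request parameter. It only touches strings, so numeric columns should be written as numbers rather than as strings like "-3", which the sanitizer would otherwise quote.

```python
import csv
import io

# Leading characters spreadsheet applications treat as the start of a formula
# (tab and carriage return included, following OWASP's CSV injection guidance).
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Prefix formula-looking strings with a quote so they are displayed as text.
    Non-string values (int, float) pass through untouched."""
    if isinstance(value, str) and value.startswith(FORMULA_PREFIXES):
        return "'" + value
    return value


def export_rows(rows) -> str:
    """Write rows to CSV text with every cell neutralized first."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample: the second column is user-supplied.
SAMPLE_ROWS = [
    ["alice", "Alice", -3],
    ["mallory", '=HYPERLINK("http://evil.example","click me")', 42],
]
```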
Flask NaN Injection via float()
LOW: User input from Flask request parameters flows to float(), which also accepts the strings "nan", "inf" and overflowing literals such as "1e999" and returns non-finite values. NaN compares false to everything, so an ordinary range check passes it silently; reject non-finite values with math.isfinite() (equivalent to checking math.isnan() and math.isinf()).
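Worked example for this rule, added here and not from the ruleset: a parser that rejects non-finite floats, next to the bounds check that looks correct but lets "nan" through because both comparisons are false. Function names and ranges are assumptions for the demo.

```python
import math


def parse_finite_float(raw) -> float:
    """Parse a request parameter as a float, rejecting NaN and +/-Inf."""
    try:
        value = float(raw)
    except (TypeError, ValueError):
        raise ValueError(f"not a number: {raw!r}")
    if not math.isfinite(value):       # same as math.isnan(value) or math.isinf(value)
        raise ValueError(f"non-finite value rejected: {raw!r}")
    return value


def amount_in_range_naive(raw, low=0.0, high=100.0) -> bool:
    """The check the rule is about: for NaN, value < low and value > high are both
    False, so the NaN is accepted as if it were in range."""
    value = float(raw)
    return not (value < low or value > high)


def amount_in_range(raw, low=0.0, high=100.0) -> bool:
    """Hardened form: non-finite input raises before the comparison is made."""
    value = parse_finite_float(raw)
    return low <= value <= high


def classify(raw) -> str:
    """Small driver returning 'accepted' or 'rejected' for a raw parameter."""
    try:
        parse_finite_float(raw)
        return "accepted"
    except ValueError:
        return "rejected"
```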
Flask SSRF via Tainted URL Host
HIGH: User input from Flask request parameters is used to construct the host component of an outbound HTTP request URL, so the request can be pointed at any host the server can reach. Validate the host against an explicit allowlist before making the request; a denylist of internal IP ranges is not enough because of DNS rebinding and alternative IP encodings.
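Worked example for the two SSRF rules above, added here and not part of the ruleset or of the requests library: an allowlist check over the parsed URL (scheme, userinfo, host, port) and a helper that joins a user-supplied path onto a fixed base and re-checks the result, since urljoin happily follows a scheme-relative "//host" into another origin. The allowed hosts and base URL are assumptions for the demo; no network request is made.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

# Assumed allowlist of hosts this service may call, and the fixed outbound base.
ALLOWED_HOSTS = frozenset({"api.example.com", "cdn.example.com"})
OUTBOUND_BASE = "https://api.example.com/v1/"


def is_allowed_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only for http(s) URLs whose host is on the allowlist."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False                      # file://, gopher://, and scheme-relative "//host"
    if parts.username is not None or parts.password is not None:
        return False                      # "http://api.example.com@evil.example/"
    host = parts.hostname                 # lower-cased, IPv6 brackets stripped
    if not host:
        return False
    try:
        if parts.port not in (None, 80, 443):
            return False                  # keep requests off non-standard ports
    except ValueError:
        return False                      # malformed port
    try:
        ipaddress.ip_address(host)
        return False                      # IP literals never match a hostname allowlist
    except ValueError:
        pass
    return host in allowed_hosts


def resolve_outbound(user_path: str) -> str:
    """Join a request-supplied path onto the fixed base and verify the result still
    points at an allowed host. urljoin("https://api.example.com/v1/", "//evil.example/")
    yields "https://evil.example/", which is why the result is checked, not the input."""
    url = urljoin(OUTBOUND_BASE, user_path)
    if not is_allowed_url(url):
        raise ValueError(f"outbound target not allowed: {url}")
    return url
```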
Flask Open Redirect
MEDIUM: User input from Flask request parameters flows to redirect() without validation, so the application can be used to send users to an attacker's site, typically in phishing. Accept only application-relative paths (rejecting //host and backslash variants), compare the host of any absolute URL against an allowlist, or generate the target with url_for() so it is always application-internal.
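Worked example for this rule, added here and not from the ruleset: a redirect-target check that accepts application-relative paths or absolute URLs on the request's own host and rejects scheme-relative, backslash, userinfo and non-http forms, plus a wrapper that falls back to "/" when the target fails. It assumes the request host is passed in (in a view that would be request.host); the function names are for the demo.

```python
from urllib.parse import urlsplit


def is_safe_redirect_target(target: str, request_host: str) -> bool:
    """Accept only paths on this application or absolute URLs on the same host."""
    if not target:
        return False
    # Browsers treat backslashes as slashes, so "/\evil.example" would parse here as
    # a path but in the browser as a host. Normalise before parsing.
    parts = urlsplit(target.replace("\\", "/"))
    if parts.scheme:
        if parts.scheme not in ("http", "https"):
            return False                                  # javascript:, data:, ...
        if parts.hostname is None or parts.username is not None:
            return False                                  # "http:/evil", userinfo tricks
        return parts.netloc.lower() == request_host.lower()
    return not parts.netloc                               # rejects "//evil.example/x"


def safe_redirect_target(target: str, request_host: str, fallback: str = "/") -> str:
    """Return the target if it passes the check, otherwise a trusted fallback path."""
    return target if is_safe_redirect_target(target, request_host) else fallback
```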
Flask Server-Side Template Injection (SSTI)
CRITICAL: User input from Flask request parameters flows into the template source passed to render_template_string(), allowing an attacker to evaluate Jinja2 expressions, and through them Python objects such as the app config, on the server. Pass user data as template variables ({{ name }}) and never concatenate or format it into the template string itself.
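Worked example for this rule and for the render_template_string() rule above, added here and not from the ruleset: the same greeting rendered with the request value concatenated into the template source, and with a fixed template plus a template variable. It requires Flask to be installed and uses an application context so the functions run outside a request; the route and helper are assumptions for the demo.

```python
from flask import Flask, render_template_string, request

app = Flask(__name__)


def render_greeting_vulnerable(name: str) -> str:
    """What the rule flags: the request value becomes part of the template source,
    so "{{ 7 * 7 }}" is evaluated and "{{ config }}" exposes the app configuration."""
    with app.app_context():
        return render_template_string("Hello, " + name)


def render_greeting_safe(name: str) -> str:
    """Hardened form: fixed template, user data passed as a variable. Autoescaping is
    on for render_template_string, so HTML in the value is escaped as well."""
    with app.app_context():
        return render_template_string("Hello, {{ name }}", name=name)


@app.route("/greet")
def greet():
    return render_greeting_safe(request.args.get("name", "world"))


def greet_via_client(name: str) -> str:
    """Drive the route through Flask's test client (demo helper)."""
    with app.test_client() as client:
        return client.get("/greet", query_string={"name": name}).get_data(as_text=True)
```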
Flask Insecure Static File Serve
MEDIUM: Detects use of send_file() and send_from_directory(), which serve files from the server's file system. send_file() with a user-controlled path is a path traversal sink. send_from_directory() joins the file name to the directory with safe_join() and returns 404 for paths that escape it, so it is the safer choice, but the directory argument must not come from user input and the file name still deserves validation.
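Worked example for this rule and for the open() path traversal rule above, added here and not from the ruleset or from Werkzeug (whose own equivalent is werkzeug.security.safe_join): a resolver that anchors the user-supplied name under a base directory with os.path.realpath and os.path.commonpath, run against a constructed temporary tree that includes a symlink pointing outside the served directory. The fixture, probe helper and names are assumptions for the demo; it assumes a POSIX file system.

```python
import os
import tempfile


def resolve_under(base_dir: str, user_path: str) -> str:
    """Return the real path of user_path inside base_dir, or raise if it escapes."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    # realpath collapses ".." and follows symlinks, so a link inside base that points
    # outside is caught too. commonpath avoids the "/srv/public2" prefix bug that a
    # plain startswith("/srv/public") check would have. An absolute user_path replaces
    # base in os.path.join and therefore fails the same check.
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"refusing path outside {base}: {user_path!r}")
    return candidate


def read_public_file(base_dir: str, user_path: str) -> bytes:
    """The open() call guarded by the resolver; the same guard applies to send_file()."""
    with open(resolve_under(base_dir, user_path), "rb") as fh:
        return fh.read()


def make_demo_tree():
    """Constructed fixture: <root>/public/notes.txt is servable, <root>/secret.txt is
    not, and public/link.txt is a symlink to the secret."""
    root = tempfile.mkdtemp()
    public = os.path.join(root, "public")
    os.mkdir(public)
    with open(os.path.join(public, "notes.txt"), "w") as fh:
        fh.write("public notes")
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("secret")
    os.symlink(os.path.join(root, "secret.txt"), os.path.join(public, "link.txt"))
    return root, public


def run_demo() -> dict:
    """Map each probe path to 'ok' (served) or 'blocked' (rejected by the resolver)."""
    _root, public = make_demo_tree()
    probes = ["notes.txt", "../secret.txt", "link.txt", "/etc/passwd", "a/../../secret.txt"]
    results = {}
    for p in probes:
        try:
            read_public_file(public, p)
            results[p] = "ok"
        except PermissionError:
            results[p] = "blocked"
    return results
```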
Flask Hashids with Secret Key as Salt
MEDIUM: Detects Hashids initialized with app.secret_key as the salt. Hashids is an obfuscation scheme, not encryption, and its salt can be recovered from observed outputs, so using Flask's secret key as the salt leaks the key that signs session cookies. Use a separate random salt that is not reused for anything else.
Flask Direct Use of Jinja2
MEDIUM: Detects direct use of jinja2.Environment or jinja2.Template. A bare Environment has autoescaping disabled by default, so this bypasses the autoescaping Flask configures for its own environment and can lead to XSS. Render through app.jinja_env, or pass autoescape=True (or select_autoescape()) when a separate environment is genuinely needed.
Flask Explicit Unescape with Markup
MEDIUM: Detects use of Markup() or markupsafe.Markup(), which marks a string as safe HTML and so bypasses Jinja2's autoescaping; applied to user-controlled content it introduces XSS. Reserve Markup() for trusted literal markup and build mixed content with Markup.format() or markupsafe.escape(), which escape the interpolated values.
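Worked example for the two rules above, added here and not from the ruleset: the same template rendered through a bare jinja2.Environment, through one with autoescaping enabled, and with Markup() wrongly applied to the user value, followed by the correct way to combine trusted markup with user data. It requires jinja2 and markupsafe (both Flask dependencies); the input string is constructed.

```python
from jinja2 import Environment
from markupsafe import Markup, escape

# Constructed user input, e.g. a comment field taken from a request parameter.
USER_INPUT = "<script>alert(1)</script>"
TEMPLATE = "<p>{{ comment }}</p>"


def render_bare_environment(comment: str) -> str:
    """What the Direct Use of Jinja2 rule flags: Environment() defaults to autoescape=False,
    so the script tag is emitted verbatim."""
    return Environment().from_string(TEMPLATE).render(comment=comment)


def render_autoescaped(comment: str) -> str:
    """A separate environment with escaping on, matching what Flask configures for
    HTML templates."""
    return Environment(autoescape=True).from_string(TEMPLATE).render(comment=comment)


def render_with_markup_on_user_input(comment: str) -> str:
    """What the Markup rule flags: Markup() declares the value safe, so even an
    autoescaping environment emits it unescaped."""
    env = Environment(autoescape=True)
    return env.from_string(TEMPLATE).render(comment=Markup(comment))


def build_snippet_with_format(comment: str) -> str:
    """Correct use: Markup wraps only the trusted literal; format() escapes its arguments."""
    return str(Markup("<p>{}</p>").format(comment))


def build_snippet_with_escape(comment: str) -> str:
    """Equivalent using escape(); concatenating Markup with a plain str also escapes it."""
    return str(Markup("<p>") + escape(comment) + Markup("</p>"))
```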