Bento Checks

Documentation for r2c's custom checks. These checks are integrated into our program analysis tool, Bento.

You can get these along with other great open source checks by installing Bento!

$ pip3 install bento-cli

See Bento's README for more details.

List of Checks



This check locates calls to flask.send_file() that will raise a runtime error. flask.send_file() raises a ValueError when a file object from open(filename, mode) is passed as the first argument without either the mimetype or the attachment_filename keyword argument: with no filename to inspect, Flask cannot guess the MIME type of the response. (Flask 2.0 renamed attachment_filename to download_name.)


This check detects calls to response.set_cookie() that do not set all of secure, httponly, and samesite. Without Secure the cookie is also sent over cleartext HTTP, without HttpOnly it is readable from JavaScript via document.cookie, and without SameSite the browser attaches it to cross-site requests, which is what CSRF relies on. This follows the guidance in the Flask documentation.
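The two Flask checks above can be expressed as one small AST pass over the source. The following is an added example, not Bento's implementation: it parses a constructed sample module and flags send_file(open(...)) calls that carry neither mimetype nor attachment_filename, and set_cookie() calls missing any of the three flags. Callee names are matched textually (flask.send_file, send_file, anything.set_cookie), so import aliases such as `from flask import send_file as sf` are not tracked; the sample source and the function names are assumptions for this example.

```python
import ast

# Keyword arguments set_cookie() must carry for the check to pass.
COOKIE_FLAGS = ("secure", "httponly", "samesite")

# Constructed sample module (not from any real project): each pattern appears
# once in its flagged form and once in an acceptable form.
SAMPLE_SOURCE = '''
import flask
from flask import send_file, make_response

@app.route("/report")
def report():
    # ValueError at runtime: file object, no mimetype or attachment_filename
    return flask.send_file(open("report.pdf", "rb"))

@app.route("/report-ok")
def report_ok():
    return send_file(open("report.pdf", "rb"), mimetype="application/pdf")

@app.route("/login")
def login():
    resp = make_response("ok")
    resp.set_cookie("session", "abc")                 # no flags at all
    resp.set_cookie("csrftoken", "xyz", secure=True)  # still missing two
    resp.set_cookie("sid", "123", secure=True, httponly=True, samesite="Lax")
    return resp
'''


def _call_name(call):
    """Dotted name of the callee: 'flask.send_file', 'resp.set_cookie', 'open'."""
    func = call.func
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


def check_flask_calls(source):
    """Return (lineno, message) findings, sorted by line."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        kws = {kw.arg for kw in node.keywords if kw.arg is not None}

        # send_file(open(...)) with neither mimetype nor attachment_filename
        if (name in ("send_file", "flask.send_file") and node.args
                and isinstance(node.args[0], ast.Call)
                and _call_name(node.args[0]) == "open"
                and not kws & {"mimetype", "attachment_filename"}):
            findings.append((node.lineno, "send_file(open(...)) without "
                             "mimetype or attachment_filename raises ValueError"))

        # set_cookie() missing any of the hardening flags
        if name.endswith(".set_cookie"):
            missing = [flag for flag in COOKIE_FLAGS if flag not in kws]
            if missing:
                findings.append((node.lineno,
                                 "set_cookie missing " + ", ".join(missing)))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, message in check_flask_calls(SAMPLE_SOURCE):
        print(f"sample.py:{lineno}: {message}")
```

Running the block reports lines 8, 17 and 18 of the sample; the hardened calls on lines 12 and 19 are silent. A production check would additionally resolve imports and track the variable a make_response() result is bound to, which this example deliberately leaves out.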


Flask only autoescapes Jinja templates whose file names end in .html, .htm, .xml, or .xhtml. A template with any other extension (for example .txt or .jinja) is rendered with autoescaping off, so any user-controlled value inserted into it is an XSS risk. This check alerts you when a template name does not have one of these extensions; either rename the template or wrap its contents in an {% autoescape true %} block.


flask.jsonify() is the Flask helper for returning JSON from a route: it serializes the data and sets the Content-Type of the response to application/json. Returning the string from json.dumps() instead yields a response with Flask's default text/html mimetype, which is wrong for API clients and lets a browser interpret reflected data as HTML. This check catches json.dumps() results returned from Flask routes and recommends flask.jsonify() instead.


This check recommends using a Blueprint when there are too many route handlers in a single file. Blueprints encourage modularity, can greatly simplify how large applications are organized, and give Flask extensions a central place to register operations on applications.


JSON Web Tokens (JWTs) are used for authentication in web services. Flask packages such as flask_jwt, flask_jwt_extended, and flask_jwt_simple provide a framework for issuing access tokens and verifying them before a request reaches a Flask route, usually through a decorator such as jwt_required. This check catches routes where the authentication decorator may be missing and recommends adding it so that API data is not served to unauthenticated callers.
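One way to implement such a check, as an added example that is not Bento's code: walk the module, find functions carrying a route() decorator, and report those with no JWT decorator in the list. It also reports a JWT decorator written above @app.route, because Flask's route() registers the function it receives, so a decorator applied afterwards wraps a function that is never served. The decorator name set, the public_paths allowlist and the sample application are assumptions for this example.

```python
import ast

# Decorator names treated as JWT protection. Assumed for this example; adjust
# to the package in use (flask_jwt, flask_jwt_extended, flask_jwt_simple).
JWT_DECORATORS = {"jwt_required", "fresh_jwt_required"}

# Constructed sample application (not from any real project).
SAMPLE_SOURCE = '''
from flask import Flask, jsonify
from flask_jwt_extended import jwt_required

app = Flask(__name__)

@app.route("/login", methods=["POST"])
def login():
    return jsonify(access_token="...")

@app.route("/api/me")
@jwt_required
def me():
    return jsonify(user="alice")

@app.route("/api/admin")
@jwt_required()
def admin():
    return jsonify(ok=True)

@app.route("/api/orders")
def orders():                       # protected data, no decorator
    return jsonify(orders=[])

@jwt_required
@app.route("/api/reports")
def reports():                      # decorator above route(): not applied
    return jsonify(reports=[])
'''


def _decorator_name(dec):
    """'@jwt_required', '@jwt_required()', '@ext.jwt_required()' -> 'jwt_required';
    '@app.route(...)' -> 'route'."""
    if isinstance(dec, ast.Call):
        dec = dec.func
    if isinstance(dec, ast.Attribute):
        return dec.attr
    if isinstance(dec, ast.Name):
        return dec.id
    return ""


def _route_path(dec):
    """First string argument of route(...), for readable findings."""
    if (isinstance(dec, ast.Call) and dec.args
            and isinstance(dec.args[0], ast.Constant)
            and isinstance(dec.args[0].value, str)):
        return dec.args[0].value
    return "?"


def check_jwt_routes(source, public_paths=()):
    """Return (lineno, function name, message) for routes lacking JWT protection.

    Routes whose path is listed in public_paths (login, health checks) are
    skipped. A JWT decorator is only counted when it sits below route().
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        names = [_decorator_name(d) for d in node.decorator_list]
        if "route" not in names:
            continue
        route_idx = names.index("route")
        path = _route_path(node.decorator_list[route_idx])
        if path in public_paths:
            continue
        jwt_idx = [i for i, n in enumerate(names) if n in JWT_DECORATORS]
        if not jwt_idx:
            findings.append((node.lineno, node.name,
                             f"route {path} has no JWT decorator"))
        elif all(i < route_idx for i in jwt_idx):
            findings.append((node.lineno, node.name,
                             f"route {path}: JWT decorator is above route() "
                             "and does not protect the registered view"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, func, message in check_jwt_routes(SAMPLE_SOURCE, public_paths=("/login",)):
        print(f"app.py:{lineno} {func}(): {message}")
```

With /login allowlisted, the sample yields two findings: orders() has no decorator, and reports() has one in the wrong position. Without an allowlist the login route is reported as well, which is the safer default for an unfamiliar codebase.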



This check discourages hardcoded values for the ENV, DEBUG, TESTING, and SECRET_KEY settings in Flask (for example app.config['SECRET_KEY'] = '...' or app.run(debug=True)). A SECRET_KEY checked into source lets anyone who can read the repository forge session cookies, and a hardcoded DEBUG=True ships the interactive Werkzeug debugger, which allows arbitrary code execution from the browser, to production. Load these values from the environment or from a config file kept outside the codebase instead.



This check detects when the auth keyword argument is used with an http:// URL. HTTP Basic authentication only base64-encodes the username and password, so over plain HTTP they travel in cleartext and can be read by anyone on the network path. Use https:// URLs for authenticated requests.


This check finds URLs passed to requests API methods that have no URL scheme (e.g., https://); requests raises a requests.exceptions.MissingSchema exception at runtime for such URLs.


This check finds requests method calls without a timeout. Without one, requests waits indefinitely for the remote server to respond, which can hang a worker thread or process. Note that the timeout value bounds the connect and read phases, not the total time of the whole download.
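The three requests checks above (auth over http://, missing scheme, missing timeout) share one inspection of the call, shown here as an added example rather than Bento's code. It recognizes module-level calls written as requests.<method>(...) only, takes the URL from the url= keyword or the positional slot (second argument for requests.request), and judges the scheme with urllib.parse, so dynamically built URLs are skipped rather than guessed. The sample client and the placeholder hosts are constructed for this example.

```python
import ast
from urllib.parse import urlparse

# Module-level requests helpers the check inspects.
REQUEST_METHODS = {"get", "post", "put", "patch", "delete", "head", "options", "request"}

# Constructed sample (not from any real project); hosts are placeholders.
SAMPLE_SOURCE = '''
import requests

def fetch():
    requests.get("api.example.com/v1/items")                                # no scheme, no timeout
    requests.get("http://api.example.com/v1/items", auth=("u", "p"), timeout=5)  # Basic auth in clear
    requests.post(url="https://api.example.com/v1/items", json={}, timeout=(3, 10))  # fine
    requests.request("GET", "https://api.example.com/health")               # no timeout
'''


def _url_arg(call, method):
    """The url argument node: url= keyword, else positional 0 (1 for request())."""
    for kw in call.keywords:
        if kw.arg == "url":
            return kw.value
    idx = 1 if method == "request" else 0
    return call.args[idx] if len(call.args) > idx else None


def check_requests_calls(source):
    """Return (lineno, code) findings for requests.<method>(...) calls."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and isinstance(node.func.value, ast.Name)
                and node.func.value.id == "requests"
                and node.func.attr in REQUEST_METHODS):
            continue
        kws = {kw.arg for kw in node.keywords}
        url_node = _url_arg(node, node.func.attr)
        # Only string literals can be judged statically; dynamic URLs are skipped.
        if isinstance(url_node, ast.Constant) and isinstance(url_node.value, str):
            scheme = urlparse(url_node.value).scheme.lower()
            if not scheme:
                findings.append((node.lineno, "missing-schema"))   # MissingSchema at runtime
            elif scheme == "http" and "auth" in kws:
                findings.append((node.lineno, "auth-over-http"))   # credentials in cleartext
        if "timeout" not in kws:
            findings.append((node.lineno, "no-timeout"))           # may block indefinitely
    return sorted(findings)


if __name__ == "__main__":
    for lineno, code in check_requests_calls(SAMPLE_SOURCE):
        print(f"client.py:{lineno}: {code}")
```

Calls made through a requests.Session object are not covered; extending the matcher to names bound from requests.Session() is the natural next step.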



This check looks for hardcoded AWS access keys (aws_access_key_id and aws_secret_access_key) passed to boto3 API calls. Credentials in source end up in version control and build logs; prefer the default credential chain (environment variables, the shared credentials file, or an IAM role) and let boto3 find them.



This check looks for non-literal URLs passed to click.launch(), which opens its argument in the user's default browser or viewer application. If the value comes from user input or another untrusted source, it could direct the browser to a malicious site or open an arbitrary local file.


This check makes sure that the parameters declared with @click.option (and @click.argument) match the parameters of the decorated function. click derives each parameter name from the first option name with two leading dashes (--dry-run becomes dry_run) and passes the values as keyword arguments, so a mismatch only surfaces at runtime as a TypeError when the command is invoked.
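One way to implement this check, as an added example (not Bento's code): click_param_name() reproduces the naming rule click applies to a declaration list, and check_click_params() compares those names with the decorated function's signature on a constructed sample, accounting for @click.pass_context (which supplies the first parameter) and expose_value=False (which suppresses a parameter entirely). Only decorators written as click.X or bare X are recognized; the sample source and function names are assumptions for this example.

```python
import ast

# Constructed sample (not from any real project).
SAMPLE_SOURCE = '''
import click

@click.command()
@click.option("--dry-run", "-n", is_flag=True)
@click.option("--user", "user_name", default="root")
@click.option("--verbose", "-v", is_flag=True)
@click.argument("path")
def sync(dry_run, user_name, path):      # no 'verbose' parameter: TypeError when invoked
    pass

@click.command()
@click.pass_context
@click.option("--output", "-o")
@click.option("--version", is_flag=True, expose_value=False, is_eager=True)
def build(ctx, output):                  # consistent
    pass

@click.command()
@click.option("--count", type=int)
def run(count, retries):                 # 'retries' has no option and no default
    pass
'''


def _split_opt(opt):
    """Split '--dry-run' into ('--', 'dry-run') and '-n' into ('-', 'n')."""
    first = opt[:1]
    if first.isalnum():
        return "", opt
    if opt[1:2] == first:
        return opt[:2], opt[2:]
    return first, opt[1:]


def click_param_name(decls, expose_value=True):
    """Reproduce how click names a parameter from its declarations.

    A plain identifier declaration is used as-is; otherwise the declaration
    with the longest dash prefix wins (first one on ties), dashes become
    underscores and the result is lower-cased. With expose_value=False the
    parameter is never passed to the function, so there is no name to match.
    """
    if not expose_value:
        return None
    explicit = [d for d in decls if d.isidentifier()]
    if explicit:
        return explicit[0]
    candidates = []
    for decl in decls:
        split_char = ";" if decl.startswith("/") else "/"
        first = decl.split(split_char, 1)[0].rstrip()   # drop the '/--no-flag' secondary form
        if first:
            candidates.append(_split_opt(first))
    if not candidates:
        return None
    candidates.sort(key=lambda c: -len(c[0]))           # stable sort: '--' names first
    return candidates[0][1].replace("-", "_").lower()


def _click_kind(dec):
    """'option', 'argument', 'pass_context', ... for @click.X / @X, else None."""
    target = dec.func if isinstance(dec, ast.Call) else dec
    if (isinstance(target, ast.Attribute) and isinstance(target.value, ast.Name)
            and target.value.id == "click"):
        return target.attr
    if isinstance(target, ast.Name):
        return target.id
    return None


def check_click_params(source):
    """Return (function, code, name); code is 'unexpected-option' or 'missing-option'."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.FunctionDef):
            continue
        option_names, injected, uses_click = set(), 0, False
        for dec in node.decorator_list:
            kind = _click_kind(dec)
            if kind in ("pass_context", "pass_obj"):
                injected += 1                            # first parameter comes from click
                uses_click = True
            elif kind in ("option", "argument") and isinstance(dec, ast.Call):
                uses_click = True
                decls = [a.value for a in dec.args
                         if isinstance(a, ast.Constant) and isinstance(a.value, str)]
                expose = True
                for kw in dec.keywords:
                    if kw.arg == "expose_value" and isinstance(kw.value, ast.Constant):
                        expose = bool(kw.value.value)
                name = click_param_name(decls, expose)
                if name:
                    option_names.add(name)
        if not uses_click:
            continue
        args = node.args
        positional = [a.arg for a in args.posonlyargs + args.args][injected:]
        required = set(positional[:len(positional) - len(args.defaults)])
        required |= {a.arg for a, d in zip(args.kwonlyargs, args.kw_defaults) if d is None}
        accepted = set(positional) | {a.arg for a in args.kwonlyargs}
        if args.kwarg is None:                           # **kwargs would absorb extras
            for name in sorted(option_names - accepted):
                findings.append((node.name, "unexpected-option", name))
        for name in sorted(required - option_names):
            findings.append((node.name, "missing-option", name))
    return sorted(findings)
```

On the sample, sync() is reported for the verbose option it cannot accept and run() for the retries parameter nothing supplies; build() passes because ctx is injected by pass_context and --version is not exposed.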