Bento Checks

Documentation for r2c's custom checks. These checks are integrated into our program analysis tool, Bento.

You can get these along with other great open source checks by installing Bento!

$ pip3 install bento-cli

See Bento's README for more details.

List of Checks

flake8-flask

r2c-flask-send-file-open

This check locates calls to flask.send_file() that will throw a runtime error. flask.send_file() throws a ValueError when open([filename], [mode]) is passed as the first argument without either the mimetype or the attachment_filename keyword argument.

r2c-flask-secure-set-cookie

This check detects calls to response.set_cookie that do not have secure, httponly, and samesite set. This follows the guidance in the Flask documentation.
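As an added illustration of what this check looks for (example code written for this page, not Bento's own implementation), the following static check walks a module's AST, finds every .set_cookie(...) call, and reports any of secure, httponly or samesite that is absent or explicitly disabled. The embedded source is a constructed sample: the first handler shows the weak call, the second the corrected call, the third a call where secure is set but to False.

```python
from __future__ import annotations

import ast

REQUIRED_COOKIE_FLAGS = ("secure", "httponly", "samesite")

# Constructed sample module (not from any real project).
SAMPLE_SOURCE = '''
from flask import Flask, make_response

app = Flask(__name__)

@app.route("/login")
def login():
    resp = make_response("ok")
    resp.set_cookie("session", "abc123")
    return resp

@app.route("/login2")
def login2():
    resp = make_response("ok")
    resp.set_cookie("session", "abc123", secure=True, httponly=True, samesite="Lax")
    return resp

@app.route("/login3")
def login3():
    resp = make_response("ok")
    resp.set_cookie("session", "abc123", secure=False, httponly=True, samesite="Strict")
    return resp
'''


def find_insecure_set_cookie(source: str) -> list[tuple[int, list[str]]]:
    """Return (line number, missing flags) for every set_cookie call that omits
    secure, httponly or samesite, or sets one of them to False/None."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute) and func.attr == "set_cookie"):
            continue
        if any(kw.arg is None for kw in node.keywords):
            # **kwargs splat: the flags may arrive dynamically, so don't guess.
            continue
        set_flags = set()
        for kw in node.keywords:
            disabled = isinstance(kw.value, ast.Constant) and kw.value.value in (False, None)
            if kw.arg in REQUIRED_COOKIE_FLAGS and not disabled:
                set_flags.add(kw.arg)
        missing = [flag for flag in REQUIRED_COOKIE_FLAGS if flag not in set_flags]
        if missing:
            findings.append((node.lineno, missing))
    return findings


if __name__ == "__main__":
    for lineno, missing in find_insecure_set_cookie(SAMPLE_SOURCE):
        print(f"line {lineno}: set_cookie is missing {', '.join(missing)}")
```

Running the module prints one line for the first handler (all three flags missing) and one for the third (secure disabled); the corrected handler produces no finding. A linter that only tests for the presence of the keyword would miss the third case, which is why the check also inspects constant values.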

r2c-flask-unescaped-file-extension

Flask will not autoescape Jinja templates that do not use .html, .htm, .xml, or .xhtml as extensions. This check alerts you when a template file name does not use one of these extensions.
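The following added example (written for this page, not Bento's code) shows the same rule as a static check: it finds render_template(...) calls whose first argument is a string literal and flags file names outside Flask's autoescaped extension list. The comparison is case-sensitive on purpose, since Flask's own extension test is. Non-literal template names are skipped because the check cannot decide them statically; the sample module is constructed for this example.

```python
from __future__ import annotations

import ast

# Extensions Flask autoescapes (the list given on this page).
AUTOESCAPED_EXTENSIONS = (".html", ".htm", ".xml", ".xhtml")

# Constructed sample module (not from any real project).
SAMPLE_SOURCE = '''
from flask import render_template

def index(user):
    return render_template("index.html", user=user)

def profile(user):
    return render_template("profile.txt", user=user)

def dynamic(name, user):
    return render_template(name, user=user)
'''


def _call_name(func: ast.expr) -> str | None:
    """Return the bare callee name for render_template or flask.render_template."""
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return None


def find_unescaped_templates(source: str) -> list[tuple[int, str]]:
    """Return (line number, template name) for render_template calls whose
    literal template name will not be autoescaped by Flask."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or _call_name(node.func) != "render_template":
            continue
        if not node.args:
            continue
        first = node.args[0]
        if not (isinstance(first, ast.Constant) and isinstance(first.value, str)):
            continue  # variable or expression: undecidable here, leave it alone
        if not first.value.endswith(AUTOESCAPED_EXTENSIONS):
            findings.append((node.lineno, first.value))
    return findings


if __name__ == "__main__":
    for lineno, name in find_unescaped_templates(SAMPLE_SOURCE):
        print(f"line {lineno}: template {name!r} is not autoescaped by Flask")
```

Only profile.txt is reported; index.html passes and the dynamic name is skipped. Templates with a non-autoescaped extension that interpolate user data need explicit escaping in the template itself.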

r2c-flask-use-jsonify

flask.jsonify() is a Flask helper method which handles the correct settings for returning JSON from Flask routes. This check catches uses of json.dumps() returned from Flask routes and encourages flask.jsonify() instead.

r2c-flask-use-blueprint-for-modularity

This check recommends using Blueprint when there are too many route handlers in a single file. Blueprint encourages modularity, can greatly simplify how large applications are organised, and provides a central means for Flask extensions to register operations on applications.

r2c-flask-missing-jwt-token

JSON Web Tokens (JWTs) are used for authentication in web services. Flask packages such as flask_jwt, flask_jwt_extended, and flask_jwt_simple provide a framework for assigning access tokens and verifying tokens for access to Flask routes. This check catches cases where the authentication decorators may be missing from certain routes and recommends their usage for API data security.

sgrep-flask

avoid-hardcoded-config

This check discourages hardcoded usages of ENV, DEBUG, TESTING, and SECRET_KEY variables in Flask.

flake8-requests

r2c-requests-no-auth-over-http

This check detects when the auth keyword argument is used over http://, which could expose credentials.

r2c-requests-use-scheme

This check finds URLs passed to requests API methods that do not have a URL scheme (e.g., https://); without one, a MissingSchema exception will be thrown at runtime.

r2c-requests-use-timeout

This check finds requests methods without a timeout. Without a timeout, requests will hang forever.
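The three flake8-requests checks above (no auth over http://, missing URL scheme, missing timeout) can be demonstrated with one static audit. The example below is added for this page and is not Bento's implementation; it inspects requests.<method>(...) calls, reads the URL when it is a string literal (positional, or url=), and reports each rule that applies. The sample module is constructed; the host names in it are placeholders.

```python
from __future__ import annotations

import ast
import re

REQUESTS_METHODS = {"get", "post", "put", "patch", "delete", "head", "options", "request"}
# A URL scheme per RFC 3986: letter, then letters/digits/+/-/. , followed by "://".
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*)://")

# Constructed sample module (not from any real project).
SAMPLE_SOURCE = '''
import requests

def a():
    return requests.get("api.example.com/items")

def b():
    return requests.get("http://api.example.com/items", auth=("user", "pw"), timeout=5)

def c():
    return requests.post("https://api.example.com/items", json={"x": 1})

def d():
    return requests.get("https://api.example.com/items", auth=("user", "pw"), timeout=(3, 10))
'''


def audit_requests_calls(source: str) -> list[tuple[int, str, str]]:
    """Return (line number, rule id, message) for every requests.* call that
    lacks a URL scheme, sends auth= over plain http, or sets no timeout."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                and func.value.id == "requests" and func.attr in REQUESTS_METHODS):
            continue
        keywords = {kw.arg for kw in node.keywords if kw.arg is not None}
        has_splat = any(kw.arg is None for kw in node.keywords)

        # requests.request(method, url, ...) takes the URL second; the rest take it first.
        url_index = 1 if func.attr == "request" else 0
        if len(node.args) > url_index:
            url_node = node.args[url_index]
        else:
            url_node = next((kw.value for kw in node.keywords if kw.arg == "url"), None)
        url = url_node.value if isinstance(url_node, ast.Constant) and isinstance(url_node.value, str) else None

        if url is not None:
            match = SCHEME_RE.match(url)
            if match is None:
                findings.append((node.lineno, "use-scheme", f"{url!r} has no URL scheme; requests will raise MissingSchema"))
            elif match.group(1).lower() == "http" and "auth" in keywords:
                findings.append((node.lineno, "no-auth-over-http", f"auth= credentials would be sent in clear text to {url!r}"))

        if "timeout" not in keywords and not has_splat:
            findings.append((node.lineno, "use-timeout", "no timeout= set; the call can hang indefinitely"))
    return findings


if __name__ == "__main__":
    for lineno, rule, message in audit_requests_calls(SAMPLE_SOURCE):
        print(f"line {lineno} [{rule}]: {message}")
```

Function a() trips two rules (no scheme and no timeout), b() trips only the http auth rule because it does set a timeout, c() only the timeout rule, and d() is clean. A call that forwards **kwargs is not reported for the timeout rule, since the timeout may be supplied by the caller.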

flake8-boto3

r2c-boto3-hardcoded-access-token

This check looks for hardcoded AWS access tokens used in boto3 API calls.
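As an added example of the two signals such a check can use (written for this page, not Bento's code), the module below reports credential keyword arguments passed to boto3 client/resource/Session calls as string literals, and separately reports any string literal in the file that has the shape of an AWS access key ID (20 characters beginning with AKIA or ASIA), which also catches keys assigned to a variable before use. The key pair in the constructed sample is the placeholder pair used in AWS documentation, not a live credential.

```python
from __future__ import annotations

import ast
import re

# Long-term (AKIA) and temporary (ASIA) AWS access key IDs are 20 characters long.
ACCESS_KEY_ID_RE = re.compile(r"^(AKIA|ASIA)[A-Z0-9]{16}$")
CREDENTIAL_KWARGS = ("aws_access_key_id", "aws_secret_access_key", "aws_session_token")
BOTO3_FACTORIES = ("client", "resource", "Session")

# Constructed sample module; the key pair is AWS's documented example placeholder.
SAMPLE_SOURCE = '''
import os
import boto3

# hardcoded credentials (AWS documentation placeholder values)
s3_bad = boto3.client(
    "s3",
    aws_access_key_id="AKIAIOSFODNN7EXAMPLE",
    aws_secret_access_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
)

s3_ok = boto3.client(
    "s3",
    aws_access_key_id=os.environ["AWS_ACCESS_KEY_ID"],
    aws_secret_access_key=os.environ["AWS_SECRET_ACCESS_KEY"],
)

session = boto3.Session(profile_name="dev")  # credentials resolved by the SDK chain
'''


def find_hardcoded_aws_credentials(source: str) -> list[tuple[int, str, str]]:
    """Return sorted (line number, rule id, detail) findings."""
    tree = ast.parse(source)
    findings = []
    for node in ast.walk(tree):
        # Rule 1: credential kwargs given as string literals to boto3 factories.
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) \
                and node.func.attr in BOTO3_FACTORIES:
            for kw in node.keywords:
                if kw.arg in CREDENTIAL_KWARGS and isinstance(kw.value, ast.Constant) \
                        and isinstance(kw.value.value, str):
                    findings.append((node.lineno, "hardcoded-credential-kwarg", kw.arg))
        # Rule 2: any string literal shaped like an access key ID, wherever it sits.
        if isinstance(node, ast.Constant) and isinstance(node.value, str) \
                and ACCESS_KEY_ID_RE.match(node.value):
            findings.append((node.lineno, "access-key-id-literal", node.value))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, rule, detail in find_hardcoded_aws_credentials(SAMPLE_SOURCE):
        print(f"line {lineno} [{rule}]: {detail}")
```

The environment-variable and profile-based calls produce no findings; boto3 resolves credentials from the environment, shared config, or an attached role, so application code should not carry them at all.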

flake8-click

r2c-click-launch-uses-literal

This check looks for non-literal URLs in click.launch(), which could direct a browser to a malicious site.

r2c-click-option-function-argument-check

This check makes sure that parameters match in @click.option and the function definition.
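The following added example (written for this page, not Bento's code) shows how such a check can derive the expected parameter name from each @click.option declaration and compare it with the decorated function's signature. The option_param_name helper approximates Click's own rule: a declaration without a leading dash is used verbatim as the parameter name, otherwise the first long (--) option is taken, otherwise the short one, with dashes turned into underscores and the result lowercased. The sample command is constructed; its second option deliberately names the parameter "who" while the function declares "name".

```python
from __future__ import annotations

import ast

# Constructed sample module (not from any real project).
SAMPLE_SOURCE = '''
import click

@click.command()
@click.option("--count", default=1)
@click.option("-n", "--name", "who")
@click.option("--dry-run", is_flag=True)
def hello(count, name, dry_run):
    click.echo(f"{count} {name} {dry_run}")
'''


def option_param_name(decls: list[str]) -> str:
    """Approximate Click's derivation of the Python parameter name from the
    option declarations (identifier wins, else first --long, else -short)."""
    identifiers = [d for d in decls if not d.startswith("-")]
    if identifiers:
        return identifiers[0]
    longs = [d for d in decls if d.startswith("--")]
    chosen = longs[0] if longs else decls[0]
    return chosen.lstrip("-").replace("-", "_").lower()


def _is_click_option(deco: ast.expr) -> bool:
    if not isinstance(deco, ast.Call):
        return False
    func = deco.func
    return (isinstance(func, ast.Attribute) and func.attr == "option") or \
           (isinstance(func, ast.Name) and func.id == "option")


def check_click_options(source: str) -> list[tuple[int, str, str]]:
    """Return (decorator line, function name, expected parameter) for every
    @click.option whose derived parameter name is absent from the signature."""
    problems = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.FunctionDef):
            continue
        params = {a.arg for a in node.args.args + node.args.kwonlyargs}
        for deco in node.decorator_list:
            if not _is_click_option(deco):
                continue
            decls = [a.value for a in deco.args
                     if isinstance(a, ast.Constant) and isinstance(a.value, str)]
            if not decls:
                continue
            expected = option_param_name(decls)
            if expected not in params:
                problems.append((deco.lineno, node.name, expected))
    return problems


if __name__ == "__main__":
    for lineno, func, expected in check_click_options(SAMPLE_SOURCE):
        print(f"line {lineno}: @click.option will pass {expected!r}, "
              f"but {func}() has no such parameter")
```

For the sample, only the "-n", "--name", "who" option is reported: Click would call hello(count=..., who=..., dry_run=...) and fail with an unexpected keyword argument at runtime, which is exactly the mismatch the check surfaces before the command is ever run.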