Bento includes specialty checks for Python web apps and open source checks for Python, Docker, and shell files. Checks are developed by r2c’s program analysis team and fine-tuned based on their behavior across thousands of open source projects using the r2c platform.
Follow best practices for cookie security
Properly secure Flask routes when using JWT
Avoid hardcoded use of config variables in Flask
Use jsonify instead of json.dumps
Alerts if using a Jinja template that is not automatically escaped by Flask
Avoid unwanted complexity when building large Flask apps
Ensure use of proper args when handling files
Avoid using NULL on string-based fields such as CharField and TextField.
Use DecimalField instead of FloatField for currency
For string fields, null=True must also be set to avoid unique constraint violations
Use JsonResponse instead of json.dumps
Open URL redirect vulnerabilities may lead to phishing or XSS
A count() call is more efficient
Avoid using raw SQL queries in Django
Prevent XSS by detecting when a variable is used in an anchor tag
Ensure links opened in new tabs follow security best practices
Ensure links opened in new tabs follow security best practices
Detect missing CSRF protection in HTML forms used in Jinja templates
Ensure attribute values are quoted when using Jinja template variables
Prevent browsers from switching into quirks mode by ensuring HTML doctype declaration
Ensure correct character encoding interpretation to help prevent XSS attacks
Ensure proper content-type declaration to help prevent XSS attacks
Finds Requests methods without a timeout
Finds URLs passed to Requests that don’t have a URL scheme
Detects when the auth parameter is used over http, potentially exposing credentials
Detect hardcoded AWS access tokens used in Boto 3
Detects non-literal URLs in `click.launch()`, which could direct a browser to a malicious site
Ensures parameters match in @click.option and the function definition