Bento includes specialty checks for Python web apps and open source checks for Python, Docker, and shell files. Checks are developed by r2c’s program analysis team and fine-tuned based on their behavior across thousands of open source projects using the r2c platform.
Avoid hardcoded use of config variables in Flask
Properly secure Flask routes when using JWT
Follow best practices for cookie security
Ensure proper arguments are used when handling files
Alerts when a Jinja template is rendered that Flask does not automatically escape (Flask enables autoescaping only for templates whose name ends in .html, .htm, .xml, or .xhtml; any other template renders user-supplied data unescaped unless it opts in)
Avoid unwanted complexity when building large Flask apps
Use jsonify instead of json.dumps
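As an added illustration of the autoescaping check above (example code written for this page, not Bento's or r2c's own implementation): a small AST-based checker that flags render_template calls whose template name has an extension Flask will not autoescape. The sample application source it runs over is constructed for the example.

```python
import ast

# Template extensions for which Flask enables Jinja autoescaping
# (Flask's select_jinja_autoescape). .svg joined this set in Flask 2.2;
# anything else, e.g. .txt or .jinja2, renders without escaping.
AUTOESCAPED_EXTENSIONS = (".html", ".htm", ".xml", ".xhtml", ".svg")


def _call_name(call: ast.Call):
    """Return the bare function name of a call: f(...) or module.f(...)."""
    func = call.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def find_unescaped_templates(source: str):
    """Return (line, template_name) for each render_template call whose
    first argument is a string literal that Flask will not autoescape."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or _call_name(node) != "render_template":
            continue
        if not node.args:
            continue
        first = node.args[0]
        if not (isinstance(first, ast.Constant) and isinstance(first.value, str)):
            continue  # dynamic template name: cannot be decided statically
        if not first.value.lower().endswith(AUTOESCAPED_EXTENSIONS):
            findings.append((node.lineno, first.value))
    return findings


# Constructed sample application source (not taken from any real project).
SAMPLE = '''
from flask import render_template

def page(name):
    return render_template("index.html", name=name)

def feed(items):
    return render_template("feed.txt", items=items)

def mail(user):
    return render_template("welcome.jinja2", user=user)
'''

if __name__ == "__main__":
    for line, name in find_unescaped_templates(SAMPLE):
        print(f"line {line}: {name!r} is rendered without autoescaping")
```

The two flagged templates are fixed either by renaming them to an autoescaped extension or by wrapping their markup in a `{% autoescape true %}` ... `{% endautoescape %}` block; a dynamic template name (a variable rather than a literal) is skipped here because it cannot be judged statically.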
Avoid NULL on string-based fields such as CharField and TextField; Django's convention is to store the empty string for "no data", so that it has a single representation
Open URL redirect vulnerabilities may lead to phishing or XSS
When a string field has both unique=True and blank=True, null=True must also be set, or saving more than one object with a blank value violates the unique constraint
Use DecimalField instead of FloatField for currency
Use JsonResponse instead of json.dumps
Use QuerySet.count() instead of len(queryset) when only the number of rows is needed; count() issues a SELECT COUNT(*) rather than loading every row
Avoid using raw SQL queries in Django
Prevent XSS by detecting when a variable is used in an anchor tag
Ensure links opened in new tabs follow security best practices
Detect missing CSRF protection in HTML forms used in Jinja templates
Prevent browsers from switching into quirks mode by ensuring HTML doctype declaration
Ensure correct character encoding interpretation to help prevent XSS attacks
Ensure proper content-type declaration to help prevent XSS attacks
Ensure attribute values are quoted when using Jinja template variables
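As an added example covering the template checks listed above (anchor href from a variable, target="_blank" without rel="noopener", missing CSRF token in a POST form, missing doctype, unquoted attribute values), here is a small regex-based template linter. It is example code written for this page, not Bento's implementation, and the template it runs over is constructed; the finding messages and the `csrf_token` marker it looks for are assumptions of the example.

```python
import re

# Opening <a> or <form> tag together with its attribute text.
TAG_RE = re.compile(r"<(a|form)\b([^>]*)>", re.IGNORECASE | re.DOTALL)
# attr=value pairs; the value may be double-quoted, single-quoted or bare.
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""")
# attr={{ var }} with no quotes around the Jinja expression.
UNQUOTED_VAR_RE = re.compile(r"[\w-]+\s*=\s*\{\{")
# A whole form element: opening-tag attributes and body.
FORM_RE = re.compile(r"<form\b([^>]*)>(.*?)</form>", re.IGNORECASE | re.DOTALL)


def _line_of(text, offset):
    return text.count("\n", 0, offset) + 1


def _attrs(attr_text):
    return {k.lower(): v.strip("\"'") for k, v in ATTR_RE.findall(attr_text)}


def lint_template(text):
    """Return sorted (line, message) findings for a Jinja/HTML template."""
    findings = []
    if not text.lstrip().lower().startswith("<!doctype"):
        findings.append((1, "missing doctype; browsers may fall back to quirks mode"))
    for m in UNQUOTED_VAR_RE.finditer(text):
        findings.append((_line_of(text, m.start()), "unquoted attribute value from template variable"))
    for m in TAG_RE.finditer(text):
        if m.group(1).lower() != "a":
            continue
        attrs = _attrs(m.group(2))
        line = _line_of(text, m.start())
        # href taken straight from a variable allows javascript: URLs.
        if attrs.get("href", "").lstrip().startswith("{{"):
            findings.append((line, "template variable used directly as href"))
        # New-tab links without noopener hand the opener window to the target page.
        if attrs.get("target", "").lower() == "_blank":
            if "noopener" not in attrs.get("rel", "").lower().split():
                findings.append((line, "target=_blank without rel=noopener"))
    for m in FORM_RE.finditer(text):
        attrs = _attrs(m.group(1))
        if attrs.get("method", "get").lower() == "post" and "csrf_token" not in m.group(2):
            findings.append((_line_of(text, m.start()), "POST form without csrf_token"))
    return sorted(findings)


# Constructed sample template (not from any real project).
SAMPLE = """<!DOCTYPE html>
<a href="{{ link }}">site</a>
<a href="/docs" target="_blank">docs</a>
<a href="/safe" target="_blank" rel="noopener noreferrer">safe</a>
<div class={{ cls }}>x</div>
<form method="post" action="/update">
  <input name="email">
</form>
<form method="post" action="/ok">
  <input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
</form>
"""

if __name__ == "__main__":
    for line, message in lint_template(SAMPLE):
        print(f"line {line}: {message}")
```

The linter is deliberately line-oriented and regex-based, which is enough for these tag-level checks but will not follow Jinja control flow (a `csrf_token` emitted by an included sub-template, for instance, is not seen); a real checker parses the template instead.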
Detects when the auth parameter is passed to a Requests call over plain http://, which sends the credentials in cleartext
Finds URLs passed to Requests that lack a URL scheme (Requests raises MissingSchema rather than guessing one)
Finds Requests methods called without a timeout; Requests has no default timeout, so such a call can block indefinitely on an unresponsive server
Detects hardcoded AWS access keys passed to Boto3
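As an added example for the three Requests checks above (example code written for this page, not Bento's implementation): an AST-based checker that flags calls to `requests.<method>(...)` with no `timeout=`, with a literal URL that has no scheme, and with `auth=` over a literal `http://` URL. The sample source it runs over and the finding messages are constructed for the example.

```python
import ast

# requests functions that perform an HTTP call; request() takes the
# method first and the URL second, the others take the URL first.
REQUEST_FUNCS = {"get", "post", "put", "patch", "delete", "head", "options", "request"}


def _url_arg(call: ast.Call):
    """Return the AST node of the URL argument of a requests call, or None."""
    url_index = 1 if call.func.attr == "request" else 0
    if len(call.args) > url_index:
        return call.args[url_index]
    for kw in call.keywords:
        if kw.arg == "url":
            return kw.value
    return None


def lint_requests_calls(source: str):
    """Return sorted (line, message) findings for requests.<method>(...) calls."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not isinstance(node.func, ast.Attribute):
            continue
        base = node.func.value
        if not (isinstance(base, ast.Name) and base.id == "requests"):
            continue
        if node.func.attr not in REQUEST_FUNCS:
            continue
        # A **kwargs splat could carry timeout or auth, so treat it as unknown.
        if any(kw.arg is None for kw in node.keywords):
            continue
        kwargs = {kw.arg for kw in node.keywords}
        if "timeout" not in kwargs:
            findings.append((node.lineno, "no timeout: call can block indefinitely"))
        url = _url_arg(node)
        if isinstance(url, ast.Constant) and isinstance(url.value, str):
            if "://" not in url.value:
                findings.append((node.lineno, "URL has no scheme (requests raises MissingSchema)"))
            elif url.value.lower().startswith("http://") and "auth" in kwargs:
                findings.append((node.lineno, "auth= over plain http: credentials sent in cleartext"))
    return sorted(findings)


# Constructed sample source (not taken from any real project).
SAMPLE = '''
import requests

def ok():
    return requests.get("https://example.test/api", timeout=5)

def no_timeout():
    return requests.get("https://example.test/api")

def no_scheme():
    return requests.post("example.test/login", data={}, timeout=5)

def cleartext_auth(user, password):
    return requests.get("http://example.test/secret", auth=(user, password), timeout=5)
'''

if __name__ == "__main__":
    for line, message in lint_requests_calls(SAMPLE):
        print(f"line {line}: {message}")
```

Only the module-level `requests.<method>` form is matched; calls on a `requests.Session` object, `from requests import get`, and URLs built at runtime are outside what this example inspects.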
Detects non-literal URLs in `click.launch()`, which could direct a browser to a malicious site
Ensures parameters match in @click.option and the function definition