[Security] Fix 6 vulnerabilities: Gmail Credentials, Default Admin, Auth Bypass, Open Redirect (CWE-798, CWE-1392, CWE-862, CWE-601)

[saaa99999999]

Security Audit Report — FlaskBlog

Manual code audit discovered 6 security vulnerabilities (3 Critical, 1 High, 2 Medium).

---

CRITICAL-1: CWE-798 Real Gmail SMTP Credentials Hardcoded (CVSS 9.8)

Location: app/settings.py:137-138

Data Flow:
settings.py:137 SMTP_MAIL = os.environ.get("SMTP_MAIL", "flaskblogdogukanurker@gmail.com")
settings.py:138 SMTP_PASSWORD = os.environ.get("SMTP_PASSWORD", "icovdnrxcgfdswal")
-> signup.py:107 server.login() uses these credentials
-> password_reset.py:127 server.login() uses these credentials

Impact: A real Gmail app password is visible in the public repository. Anyone can send emails as flaskblogdogukanurker@gmail.com, including password reset emails to hijack any account.

Fix: Remove hardcoded fallback; require env vars.

---

CRITICAL-2: CWE-1392 Default Admin Account admin/admin (CVSS 9.8)

Location: app/settings.py:143-144

Data Flow:
settings.py:143 DEFAULT_ADMIN_USERNAME = "admin"
settings.py:144 DEFAULT_ADMIN_PASSWORD = "admin"
-> database.py:25-55 _create_default_admin() inserts admin with sha512_crypt hash
-> Full system admin access

PoC:

POST /login/redirect=&
username=admin&password=admin

Fix: Require DEFAULT_ADMIN_PASSWORD env var; refuse startup if not set.

---

CRITICAL-3: CWE-862 Missing Authorization Check Order (CVSS 9.8)

Location: app/routes/admin_panel_users.py:28-43

Data Flow:
admin_panel_users.py:28-41 POST action handler executes BEFORE admin check at line 43
-> Any authenticated user can change roles or delete users
-> Self-escalation to admin

PoC:

POST /admin/users
user_role_change_button=1&username=<attacker_username>

Fix: Move admin role check BEFORE the POST action handling block.

---

HIGH-4: CWE-601 Open Redirect with Zero Validation (CVSS 6.1)

Location: app/routes/login.py:21-40

The login route accepts a direct URL parameter, only does replace('&', '/'), and redirects with no validation.

PoC:

/login/redirect=https:&&evil.com -> https://evil.com

---

MEDIUM: CWE-307 Weak Password Reset (4-digit code) + CWE-204 User Enumeration

• Password reset uses 4-digit code (only 9000 possibilities), no rate limiting
• Login/reset endpoints return different messages for "not found" vs "wrong password"

CVE Request

Advisory: https://github.com/saaa99999999/FlaskBlog/security/advisories
CVE IDs pending — GitHub CNA review (1-5 business days).

---

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR hardens security across three areas: adds authorization enforcement at the admin route to block non-admin access, prevents open redirects in the login flow by validating redirect parameters, and removes hardcoded SMTP credentials while making admin password configuration mandatory rather than optional.

Changes

Security Hardening across Auth and Config

Layer / File(s)	Summary
Admin route authorization check app/routes/admin_panel_users.py	Early authorization guard redirects non-admin users to / with an error log before any POST actions or template rendering.
Open redirect prevention in login app/routes/login.py	Imports urlparse and validates the direct redirect parameter to block absolute URLs and non-internal paths, defaulting to / when unsafe or missing.
Configuration security hardening app/settings.py	Removes hardcoded SMTP credentials (now empty-string defaults) and enforces DEFAULT_ADMIN_PASSWORD as mandatory via runtime check when DEFAULT_ADMIN is enabled, raising RuntimeError if missing.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 Security strengthens with every guard,
No open doors or hardcoded card,
Admins checked, redirects tamed,
Configs crisp, credentials unnamed—
A safer burrow awaits, well-framed!

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Description check	⚠️ Warning	The description does not follow the required template structure with 'Fixes #' issue reference and 'Proposed Changes' section; it instead provides a full security audit report format.	Reformat to match the template: add 'Fixes #' with issue numbers and 'Proposed Changes' section with bulleted list of changes, or move detailed audit to separate security advisory document.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Title check	✅ Passed	The title accurately describes the four main security vulnerabilities being fixed (CWE-798, CWE-1392, CWE-862, CWE-601) and matches the changes implemented across the modified files.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

app/routes/admin_panel_users.py (1)

20-23: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Session auth key should follow the repository contract (userName).

This route authenticates via session["username"], but the guideline requires session["userName"] for auth state checks. Aligning this avoids inconsistent auth/session behavior across routes. As per coding guidelines, "Session-based authentication must check session["userName"] for user authentication state".

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@app/routes/admin_panel_users.py` around lines 20 - 23, The route is using
session["username"] but the project contract requires session["userName"];
update the auth check and usages accordingly in this handler: change the
conditional to check "userName" in session, update the Log.info call to
reference session["userName"], and fetch the DB user with
User.query.filter_by(username=session["userName"]).first() so the log, auth
check, and User lookup all use the canonical session key (userName).

🧹 Nitpick comments (1)

app/routes/admin_panel_users.py (1)

49-81: ⚡ Quick win

Remove now-redundant role check after the early admin guard.

Since Line 28-33 already redirects non-admin users, if user.role == "admin" at Line 49 is always true here and the else branch is dead flow. Flatten this block to reduce branching and duplicated unauthorized logging.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@app/routes/admin_panel_users.py` around lines 49 - 81, Remove the redundant
admin role check and dead else branch: the handler already guards non-admins
earlier, so eliminate the outer "if user.role == 'admin'" block and its else
logging/redirect; directly call paginate_query(User.query), build the users list
(using u.user_id, u.username, u.email, u.password, u.profile_picture, u.role,
u.points, u.time_stamp, u.is_verified), Log.info the render message, and return
render_template("admin_panel_users.html", users=users, page=page,
total_pages=total_pages) inline.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@app/routes/admin_panel_users.py`:
- Around line 20-23: The route is using session["username"] but the project
contract requires session["userName"]; update the auth check and usages
accordingly in this handler: change the conditional to check "userName" in
session, update the Log.info call to reference session["userName"], and fetch
the DB user with User.query.filter_by(username=session["userName"]).first() so
the log, auth check, and User lookup all use the canonical session key
(userName).

---

Nitpick comments:
In `@app/routes/admin_panel_users.py`:
- Around line 49-81: Remove the redundant admin role check and dead else branch:
the handler already guards non-admins earlier, so eliminate the outer "if
user.role == 'admin'" block and its else logging/redirect; directly call
paginate_query(User.query), build the users list (using u.user_id, u.username,
u.email, u.password, u.profile_picture, u.role, u.points, u.time_stamp,
u.is_verified), Log.info the render message, and return
render_template("admin_panel_users.html", users=users, page=page,
total_pages=total_pages) inline.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 3cf1acd7-b74e-41f4-b9f3-fa04fbae9533

📥 Commits

Reviewing files that changed from the base of the PR and between fe7a05a and 924d56c.

📒 Files selected for processing (3)

• app/routes/admin_panel_users.py
• app/routes/login.py
• app/settings.py