{"title":"Flask Session Forgery via Hardcoded SECRET_KEY","language":"Python","severity":"Critical","cwe":"CWE-798","source_lines":[5],"flow_lines":[5,8,9,24],"sink_lines":[8,9,24],"vulnerable_code":"from flask import Flask, session, request, jsonify\nfrom functools import wraps\n\niot_hub = Flask(__name__)\niot_hub.secret_key = 'iot-device-mgmt-2024'\n\ndef requires_device_auth(f):\n    @wraps(f)\n    def decorated(*args, **kwargs):\n        if not session.get('device_id') or not session.get('is_provisioned'):\n            return jsonify({'error': 'Device not authenticated'}), 401\n        return f(*args, **kwargs)\n    return decorated\n\n@iot_hub.route('/provision', methods=['POST'])\ndef provision_device():\n    device_mac = request.json.get('mac_address')\n    device_type = request.json.get('type')\n    session['device_id'] = device_mac\n    session['is_provisioned'] = True\n    session['device_role'] = 'standard'\n    return jsonify({'status': 'provisioned', 'device': device_mac})\n\n@iot_hub.route('/firmware/update', methods=['POST'])\n@requires_device_auth\ndef push_firmware():\n    if session.get('device_role') == 'admin':\n        firmware_url = request.json.get('firmware_url')\n        return jsonify({'status': 'updating', 'url': firmware_url})\n    return jsonify({'error': 'Insufficient privileges'}), 403","explanation":"The Flask application uses a hardcoded SECRET_KEY ('iot-device-mgmt-2024') which allows attackers to forge session cookies. Since authentication and authorization rely solely on session data (device_id, is_provisioned, device_role), an attacker can craft a malicious session cookie with device_role='admin' to bypass privilege checks and access administrative firmware update functions.","remediation":"The fix replaces the hardcoded SECRET_KEY with a value sourced from an environment variable (FLASK_SECRET_KEY), falling back to a cryptographically secure random 32-byte key generated by os.urandom(). This prevents attackers from knowing the secret key and forging session cookies to escalate privileges from 'standard' to 'admin' device role.","secure_code":"import os\nfrom flask import Flask, session, request, jsonify\nfrom functools import wraps\n\niot_hub = Flask(__name__)\niot_hub.secret_key = os.environ.get('FLASK_SECRET_KEY') or os.urandom(32)\n\ndef requires_device_auth(f):\n    @wraps(f)\n    def decorated(*args, **kwargs):\n        if not session.get('device_id') or not session.get('is_provisioned'):\n            return jsonify({'error': 'Device not authenticated'}), 401\n        return f(*args, **kwargs)\n    return decorated\n\n@iot_hub.route('/provision', methods=['POST'])\ndef provision_device():\n    device_mac = request.json.get('mac_address')\n    device_type = request.json.get('type')\n    session['device_id'] = device_mac\n    session['is_provisioned'] = True\n    session['device_role'] = 'standard'\n    return jsonify({'status': 'provisioned', 'device': device_mac})\n\n@iot_hub.route('/firmware/update', methods=['POST'])\n@requires_device_auth\ndef push_firmware():\n    if session.get('device_role') == 'admin':\n        firmware_url = request.json.get('firmware_url')\n        return jsonify({'status': 'updating', 'url': firmware_url})\n    return jsonify({'error': 'Insufficient privileges'}), 403"}