Metastatic.Analysis.BusinessLogic.MissingAuthentication
(Metastatic v0.10.4)
Detects critical functions without authentication checks (CWE-306).
This analyzer identifies endpoints or functions that perform sensitive operations but lack apparent authentication verification.
Cross-Language Applicability
Missing authentication is a universal access control vulnerability:
- Elixir/Phoenix: Controller action without `plug :authenticate`
- Python/Django: View without `@login_required` decorator
- JavaScript/Express: Route without auth middleware
- Ruby/Rails: Controller without `before_action :authenticate_user!`
- Java/Spring: Endpoint without `@PreAuthorize` or security config
- C#/ASP.NET: Action without `[Authorize]` attribute
- Go: Handler without auth middleware in chain
Problem
When critical functions lack authentication:
- Anonymous users can access protected resources
- Sensitive operations can be performed without identity verification
- Data is exposed to unauthorized parties
- System integrity is compromised
Detection Strategy
Detects patterns where:
- Functions named as critical actions (admin, delete, update, etc.)
- Functions in controller/handler modules
- No authentication check is apparent in the function or module context
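The following is an added illustration, not code from the Metastatic project: a small Python script that applies the detection strategy above (critical action names, controller module, no apparent authentication check) to constructed Phoenix controller sources. It also shows the Elixir/Phoenix pattern from the cross-language list, a controller action with and without a `plug :authenticate`-style check. The controller names, the `authenticate_user` plug name and the list of critical words are assumptions made for the example; Metastatic's own matching rules are not reproduced here.

```python
import re

# Constructed sample: a controller with a critical action and no authentication plug.
VULNERABLE_CONTROLLER = """
defmodule MyAppWeb.AdminController do
  use MyAppWeb, :controller

  def delete_user(conn, %{"id" => id}) do
    Accounts.delete_user!(id)
    json(conn, %{status: "deleted"})
  end
end
"""

# Constructed sample: the same controller protected by a module-level auth plug.
PROTECTED_CONTROLLER = """
defmodule MyAppWeb.AdminController do
  use MyAppWeb, :controller

  plug :authenticate_user

  def delete_user(conn, %{"id" => id}) do
    Accounts.delete_user!(id)
    json(conn, %{status: "deleted"})
  end
end
"""

# Constructed sample: the auth plug is guarded so it covers only some actions.
PARTIALLY_PROTECTED_CONTROLLER = """
defmodule MyAppWeb.AdminController do
  use MyAppWeb, :controller

  plug :authenticate_user when action in [:delete_user]

  def delete_user(conn, %{"id" => id}), do: json(conn, %{id: id})
  def update_settings(conn, params), do: json(conn, params)
  def index(conn, _params), do: json(conn, %{ok: true})
end
"""

# Assumed vocabulary of "critical" action names (illustrative, not Metastatic's list).
CRITICAL_ACTION_WORDS = ("admin", "delete", "destroy", "update", "create", "approve", "transfer")

MODULE_RE = re.compile(r"defmodule\s+([\w.]+)\s+do")
# A controller action is a public function whose first parameter is `conn`.
ACTION_RE = re.compile(r"^\s*def\s+(?P<name>\w+)\s*\(\s*conn\b", re.MULTILINE)
# A plug line, optionally restricted with `when action in [...]`.
PLUG_RE = re.compile(
    r"^\s*plug\s+(?P<name>[\w:.]+)(?:\s+when\s+action\s+in\s+\[(?P<actions>[^\]]*)\])?",
    re.MULTILINE,
)


def auth_covered_actions(source):
    """Return (covers_all, covered_actions) for authentication plugs in the module."""
    covers_all = False
    covered = set()
    for m in PLUG_RE.finditer(source):
        if "auth" not in m.group("name").lower():
            continue  # not an authentication plug by name
        actions = m.group("actions")
        if actions is None:
            covers_all = True  # unguarded plug applies to every action
        else:
            covered.update(a.strip().lstrip(":") for a in actions.split(",") if a.strip())
    return covers_all, covered


def find_missing_authentication(source):
    """Return critical action names in a controller/handler module with no apparent auth check."""
    mod = MODULE_RE.search(source)
    if not mod or not mod.group(1).endswith(("Controller", "Handler")):
        return []  # only controller/handler modules are in scope
    covers_all, covered = auth_covered_actions(source)
    if covers_all:
        return []
    findings = []
    for m in ACTION_RE.finditer(source):
        name = m.group("name")
        if any(w in name.lower() for w in CRITICAL_ACTION_WORDS) and name not in covered:
            findings.append(name)
    return findings


if __name__ == "__main__":
    for label, src in [("vulnerable", VULNERABLE_CONTROLLER),
                       ("protected", PROTECTED_CONTROLLER),
                       ("partial", PARTIALLY_PROTECTED_CONTROLLER)]:
        print(label, find_missing_authentication(src))
```

The guarded-plug case is the one worth noticing: a `plug ... when action in [...]` line makes the module look protected at a glance, yet any critical action left out of the list (here `update_settings`) still runs without an authentication check.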