{"slug": "ainascan-found-two-security-bugs-in-a-real-open-source-app-here-is-what-happened", "title": "AINAScan Found Two Security Bugs in a Real Open-Source App — Here Is What Happened", "summary": "AINAScan, an AI-powered static analysis tool, discovered two security vulnerabilities in FlaskBlog, a popular open-source Flask application. The first was an IDOR vulnerability allowing unauthorized access to user resources, and the second involved exposing sensitive data like bcrypt hashes through unfiltered query results passed to templates. The tool's data flow analysis flagged cases where sensitive fields were included in queries without explicit filtering, prompting the maintainer to bundle fixes.", "body_md": "Last week, I ran [AINAScan](https://github.com/moonsehwan/aina-scan) — our AI-powered static analysis tool — against [FlaskBlog](https://github.com/DogukanUrker/FlaskBlog), a popular open-source Flask project. It found two security issues back-to-back. Here's the breakdown.\n\nThe bigger finding was a classic IDOR (Insecure Direct Object Reference) vulnerability. A user could directly reference another user's resource by ID without any authorization check. This is [issue #254](https://github.com/DogukanUrker/FlaskBlog/issues/254).\n\nThe second finding — [issue #258](https://github.com/DogukanUrker/FlaskBlog/issues/258) — is subtler. In , the search results query fetches the full user row including the field, and that tuple gets passed directly into the template context:\n\nThe template currently only renders and . So no hash is displayed *right now*. But the data is there — one accidental in the template (during a future edit) would expose bcrypt hashes to every visitor.\n\nMost developers don't think twice about or selecting all columns for convenience. 
But every field you expose to the template layer is attack surface that can leak — through:\n\n**Principle of Least Privilege applies to data too.** Only pass what the template actually needs.\n\nAINAScan traces data flow from the query result tuple through to the template render call. It flags cases where sensitive field names (like , , ) appear in a query but the result is passed to a render function without explicit field filtering.\n\nNo execution needed — pure static AST + data flow analysis.\n\nThe maintainer acknowledged the finding and is bundling the fix with the IDOR patch in v3. Issue #258 was closed as a duplicate of #254.\n\nBefore every call, ask: *do I actually need all these fields?* If your ORM returns a model object or a raw tuple with 10+ columns, consider projecting down to only what the view needs.\n\n**AINAScan** is open-source and free to try. Drop your repo URL and see what it finds: [github.com/moonsehwan/aina-scan](https://github.com/moonsehwan/aina-scan)\n\n*Do you explicitly filter query results before passing to templates, or do you SELECT * and let the template decide what to show?*", "url": "https://wpnews.pro/news/ainascan-found-two-security-bugs-in-a-real-open-source-app-here-is-what-happened", "canonical_source": "https://dev.to/ainascan/ainascan-found-two-security-bugs-in-a-real-open-source-app-here-is-what-happened-8ng", "published_at": "2026-06-26 23:14:59+00:00", "updated_at": "2026-06-27 00:03:56.568154+00:00", "lang": "en", "topics": ["ai-tools", "developer-tools", "ai-safety"], "entities": ["AINAScan", "FlaskBlog", "DogukanUrker"], "alternates": {"html": "https://wpnews.pro/news/ainascan-found-two-security-bugs-in-a-real-open-source-app-here-is-what-happened", "markdown": "https://wpnews.pro/news/ainascan-found-two-security-bugs-in-a-real-open-source-app-here-is-what-happened.md", "text": "https://wpnews.pro/news/ainascan-found-two-security-bugs-in-a-real-open-source-app-here-is-what-happened.txt", "jsonld": 
"https://wpnews.pro/news/ainascan-found-two-security-bugs-in-a-real-open-source-app-here-is-what-happened.jsonld"}}
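
The post describes two things worth seeing in code: a view that hands a full user row (hash included) to the template, and the data-flow rule AINAScan applies to catch it. The block below is an added example written for this page; it is not AINAScan's implementation and the three view functions are constructed stand-ins, not FlaskBlog's source. It uses only Python's standard `ast` module: query literals reach `execute()`, rows flow through `fetch*()` calls and plain assignments, and a `render_template()` keyword argument that still carries unprojected rows from a `SELECT *` or a sensitive column is reported. The `SENSITIVE_COLUMNS` list, the `FETCH_METHODS` set and all function names are assumptions of this example. Re-shaping the rows (a comprehension or any other expression) before rendering breaks the chain, which is exactly the "explicit field filtering" the tool looks for.

```python
"""Toy data-flow check: follow SQL query rows from execute()/fetch*() through
plain assignments to render_template(), and flag renders that receive rows of a
query selecting '*' or a sensitive column without projecting them first.
Standard library only; written for this page, not AINAScan's code."""
import ast
import re
from typing import Optional

# Assumption: illustrative list of column names treated as sensitive.
SENSITIVE_COLUMNS = {"password", "password_hash", "passwd", "secret", "token", "ssn"}
FETCH_METHODS = {"fetchall", "fetchone", "fetchmany"}  # DB-API cursor methods


def query_exposes_sensitive(sql: str) -> bool:
    """True when the SELECT list is '*' or names a sensitive column (aliases allowed)."""
    m = re.match(r"\s*select\s+(.*?)\s+from\b", sql, re.IGNORECASE | re.DOTALL)
    if not m:
        return False  # not a SELECT, or no FROM clause: nothing to judge
    select_list = m.group(1).strip()
    if select_list == "*":
        return True
    names = set()
    for part in select_list.split(","):
        tokens = part.strip().split()
        if tokens:  # "u.password AS pw" -> "password"
            names.add(tokens[0].split(".")[-1].strip('`"[]').lower())
    return bool(names & SENSITIVE_COLUMNS)


def sql_origin(node: ast.AST, taint: dict) -> Optional[str]:
    """Return the query text whose rows this expression carries, or None."""
    if isinstance(node, ast.Name):
        return taint.get(node.id)
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        if node.func.attr == "execute" and node.args:
            first = node.args[0]
            if isinstance(first, ast.Constant) and isinstance(first.value, str):
                return first.value
        if node.func.attr in FETCH_METHODS:
            return sql_origin(node.func.value, taint)
    return None  # comprehension, dict(), slicing etc. count as projection


def find_unfiltered_renders(source: str) -> list:
    """Report render_template() keyword args that receive unprojected sensitive rows."""
    findings = []
    tree = ast.parse(source)
    for func in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        taint = {}  # variable name -> SQL text its rows came from
        assigns = sorted((n for n in ast.walk(func) if isinstance(n, ast.Assign)),
                         key=lambda n: n.lineno)
        for a in assigns:  # straight-line order is enough for view functions
            if len(a.targets) == 1 and isinstance(a.targets[0], ast.Name):
                sql = sql_origin(a.value, taint)
                if sql:
                    taint[a.targets[0].id] = sql
                else:
                    taint.pop(a.targets[0].id, None)  # re-assigned from something else
        for call in (n for n in ast.walk(func) if isinstance(n, ast.Call)):
            if isinstance(call.func, ast.Name) and call.func.id == "render_template":
                for kw in call.keywords:
                    sql = sql_origin(kw.value, taint) if kw.arg else None
                    if sql and query_exposes_sensitive(sql):
                        findings.append({"view": func.name, "line": call.lineno,
                                         "context_key": kw.arg,
                                         "query": " ".join(sql.split())})
    return findings


# Constructed sample views (not FlaskBlog's code): one search endpoint, three ways.
VULNERABLE_VIEW = '''
from flask import render_template, request
def search():
    q = request.args.get("q", "")
    cur = db.execute("SELECT userName, email, password, profilePicture FROM users WHERE userName LIKE ?", ("%" + q + "%",))
    users = cur.fetchall()  # full rows, password hash included
    return render_template("search.html", users=users)
'''

HARDENED_SQL_VIEW = '''
def search():
    q = request.args.get("q", "")
    cur = db.execute("SELECT userName, profilePicture FROM users WHERE userName LIKE ?", ("%" + q + "%",))
    return render_template("search.html", users=cur.fetchall())
'''

PROJECTED_VIEW = '''
def search():
    rows = db.execute("SELECT * FROM users").fetchall()
    users = [{"name": r[0], "avatar": r[3]} for r in rows]  # explicit projection
    return render_template("search.html", users=users)
'''

if __name__ == "__main__":
    for name, src in [("vulnerable", VULNERABLE_VIEW), ("hardened_sql", HARDENED_SQL_VIEW),
                      ("projected", PROJECTED_VIEW)]:
        print(name, find_unfiltered_renders(src))
```

Running the module prints one finding for the vulnerable view (`users` at the render call, carrying the query that selects `password`) and none for the other two. The check is deliberately narrow: it only knows string-literal queries passed to `.execute()`, DB-API fetch methods, and keyword arguments to `render_template()`, so ORM model objects, `**context` unpacking and queries built at runtime fall outside it.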