VNX-635 – Weaknesses in OWASP Top Ten (Security TODO/FIXME)
Overview
Comments such as # TODO: add authentication, // FIXME: validate input before use, or # HACK: skip security check for now document known security deficiencies that were deferred rather than resolved. Unlike an ordinary TODO, each one is an explicit, written admission that a specific security control is missing, incomplete, or deliberately bypassed in the code that ships.
Severity: Low | CWE: CWE-635 – Weaknesses Originally Used by NVD
Why This Matters
Security TODOs are often never revisited. Under deadline pressure, "temporary" bypasses become permanent, and the comment ends up being the only record that a control is missing. Anyone who obtains the source (through leaks, public repositories, or source and source maps shipped with the application) can grep for these markers and use them as a roadmap to exploitable weaknesses, cutting their research time considerably.
What Gets Flagged
# FLAGGED: Security check deferred
# TODO: add authentication check here
def admin_panel():
    return render_admin()
# FLAGGED: Known security bypass
# FIXME: remove this bypass before going to prod
if DEBUG_MODE or user_id:
    grant_access()
// FLAGGED: Validation skipped
// TODO: validate user input
const query = `SELECT * FROM users WHERE id = ${userId}`;
// FLAGGED: HACK comment on security-related code
// HACK: skip CSRF check for API clients
if (!isAPIClient) { validateCSRF(); }
Remediation
Resolve security TODOs before deployment. If deferral is unavoidable, track each one as a formal security issue in your issue tracker with an appropriate priority and an owner, and reference that issue in the comment so the deferral is auditable and does not silently become permanent:
# BEFORE (deferred):
# TODO: add rate limiting — see issue #234
process_login(username, password)
# AFTER (resolved):
check_rate_limit(request.ip) # issue #234 resolved
process_login(username, password)
Use pre-commit hooks or CI checks to block merging code that contains security-related TODO/FIXME/HACK comments into the main branch; if your policy permits tracked deferrals, have the check require an issue reference rather than let an untracked comment through.
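As an added example (not part of the original rule page and not any scanner's own implementation), the following Python script can be wired in as a pre-commit hook or CI step: it finds TODO/FIXME/HACK/XXX comments whose text mentions security vocabulary, records whether each one cites a tracked issue (the "see issue #234" convention used above), and returns a non-zero exit status to block the commit or merge. The keyword list, the issue-reference patterns, the function names, and the embedded sample source are assumptions constructed for illustration.

```python
import re
import sys
from dataclasses import dataclass

# Deferred-work markers in Python (#) and C-style (//, /*) comments.
MARKER_RE = re.compile(r"(?:#|//|/\*)\s*(TODO|FIXME|HACK|XXX)\b[:\s-]*(.*)", re.IGNORECASE)

# Vocabulary that turns an ordinary TODO into a security TODO.
# Assumption: an illustrative list; tune it for your code base.
SECURITY_TERMS = (
    "auth", "permission", "privilege", "csrf", "xss", "inject", "validat",
    "sanitiz", "escap", "bypass", "rate limit", "rate-limit", "crypt",
    "password", "secret", "token", "security", "tls", "ssl",
)

# Issue references accepted as evidence the deferral is tracked: "#234" or "SEC-42".
ISSUE_REF_RE = re.compile(r"#\d+|\b[A-Z][A-Z0-9]+-\d+\b")


@dataclass
class Finding:
    path: str
    line: int
    marker: str
    text: str
    tracked: bool


def security_todos(source, path="<stdin>"):
    """Return every security-related deferred-work comment found in `source`."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = MARKER_RE.search(line)
        if not m:
            continue
        marker, text = m.group(1).upper(), m.group(2).strip()
        lowered = text.lower()
        if not any(term in lowered for term in SECURITY_TERMS):
            continue  # an ordinary TODO, not this rule's concern
        tracked = ISSUE_REF_RE.search(text) is not None
        findings.append(Finding(path, lineno, marker, text, tracked))
    return findings


def gate(findings, allow_tracked=False):
    """Exit status for the hook: 1 blocks the commit/merge, 0 lets it through.

    With allow_tracked=True, comments that cite an issue are reported but do not
    block, which implements a 'resolve it or formally track it' policy.
    """
    blocking = [f for f in findings if not (allow_tracked and f.tracked)]
    return 1 if blocking else 0


# Constructed sample: the flagged snippets from above, one tracked deferral, one harmless TODO.
SAMPLE = """\
# TODO: add authentication check here
def admin_panel():
    return render_admin()
# FIXME: remove this bypass before going to prod
if DEBUG_MODE or user_id:
    grant_access()
// TODO: validate user input
const query = `SELECT * FROM users WHERE id = ${userId}`;
// HACK: skip CSRF check for API clients
if (!isAPIClient) { validateCSRF(); }
# TODO: add rate limiting, see issue #234
process_login(username, password)
# TODO: rename this helper for clarity
"""


def main(argv):
    """Usage: security_todo_check.py [--allow-tracked] FILE...   (no files: scan SAMPLE)."""
    allow_tracked = "--allow-tracked" in argv
    paths = [a for a in argv if not a.startswith("--")]
    findings = []
    if paths:
        for path in paths:
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(security_todos(fh.read(), path))
    else:
        findings = security_todos(SAMPLE, "sample.txt")
    for f in findings:
        status = "tracked" if f.tracked else "UNTRACKED"
        print(f"{f.path}:{f.line}: {f.marker} ({status}): {f.text}")
    return gate(findings, allow_tracked)


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with no arguments to scan the embedded sample: the four snippets from "What Gets Flagged" are reported as UNTRACKED, the rate-limiting comment is reported as tracked because it cites #234, and the "rename this helper" TODO is ignored. In a pre-commit hook, pass the staged files as arguments; in CI, pass the files touched by the merge request and add --allow-tracked only if your policy accepts tracked deferrals.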