php.laravel.security.laravel-active-debug-code.laravel-active-debug-code

profile photo of semgrepsemgrep
Author
unknown
Download Count*

Found an instance setting the APP_DEBUG environment variable to true. In your production environment, this should always be false. Otherwise, you risk exposing sensitive configuration values to potential attackers. Instead, set this to false.

Run Locally

Run in CI

Defintion

rules:
  - id: laravel-active-debug-code
    patterns:
      - pattern-either:
          - pattern: |
              putenv("APP_DEBUG=true")
          - pattern: |
              config(['app.debug' => 'true'])
          - pattern: |
              $_ENV["APP_DEBUG"] = 'true'
    message: Found an instance setting the APP_DEBUG environment variable to true.
      In your production environment, this should always be false. Otherwise,
      you risk exposing sensitive configuration values to potential attackers.
      Instead, set this to false.
    languages:
      - php
    severity: ERROR
    metadata:
      category: security
      cwe:
        - "CWE-489: Active Debug Code"
      owasp:
        - A05:2021 - Security Misconfiguration
      technology:
        - php
        - laravel
      references:
        - https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md
        - https://laravel.com/docs/9.x/configuration
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Active Debug Code

Examples

laravel-active-debug-code.php

<?php
    // ruleid: laravel-active-debug-code 
    config(['app.debug' => 'true']);

    // ruleid: laravel-active-debug-code 
    putenv("APP_DEBUG=true");

    // ruleid: laravel-active-debug-code 
    $_ENV['APP_DEBUG'] = 'true';

    // ok: laravel-active-debug-code
    config(['app.debug' => 'false']);

    // ok: laravel-active-debug-code
    putenv("APP_DEBUG=false");

    // ok: laravel-active-debug-code 
    $_ENV['APP_DEBUG'] = 'false';

    // this is ok because it retrieves the value from the env file instead of setting it directly.
    // ok: laravel-active-debug-code
    $value = config('app.debug', 'true');
?>