php.laravel.security.laravel-active-debug-code.laravel-active-debug-code

Found an instance setting the APP_DEBUG environment variable to true. In your production environment, this should always be false. Otherwise, you risk exposing sensitive configuration values to potential attackers. Instead, set this to false.
Definition
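rules:
  - id: laravel-active-debug-code
    # Flags code that switches Laravel's debug mode on in place. With debug
    # enabled the framework's error output can expose configuration values,
    # so any hard-coded "on" value is treated as a misconfiguration.
    patterns:
      - pattern-either:
          - pattern: |
              putenv("APP_DEBUG=true")
          - pattern: |
              config(['app.debug' => 'true'])
          # The PHP boolean is a distinct literal from the string 'true' to
          # the matcher, so it needs its own pattern to be caught.
          - pattern: |
              config(['app.debug' => true])
          - pattern: |
              $_ENV["APP_DEBUG"] = 'true'
    message: Found an instance setting the APP_DEBUG environment variable to true.
      In your production environment, this should always be false. Otherwise,
      you risk exposing sensitive configuration values to potential attackers.
      Instead, set this to false.
    languages:
      - php
    severity: ERROR
    metadata:
      category: security
      cwe:
        - "CWE-489: Active Debug Code"
      owasp:
        - A05:2021 - Security Misconfiguration
      technology:
        - php
        - laravel
      references:
        - https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md
        - https://laravel.com/docs/9.x/configuration
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]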
Examples
laravel-active-debug-code.php
<?php
// Semgrep test fixture for laravel-active-debug-code. The `// ruleid:` and
// `// ok:` lines are harness annotations: each must directly precede the
// statement it describes, so statement order and form are load-bearing.

// Hard-coding debug mode on; each form below matches one of the rule's patterns.
// ruleid: laravel-active-debug-code
config(['app.debug' => 'true']);
// ruleid: laravel-active-debug-code
putenv("APP_DEBUG=true");
// ruleid: laravel-active-debug-code
$_ENV['APP_DEBUG'] = 'true';
// Explicitly disabling debug is the intended production setting.
// ok: laravel-active-debug-code
config(['app.debug' => 'false']);
// ok: laravel-active-debug-code
putenv("APP_DEBUG=false");
// ok: laravel-active-debug-code
$_ENV['APP_DEBUG'] = 'false';
// Reading the configured value does not set it, so the rule does not flag it;
// here 'true' is only the fallback default used when app.debug is unset.
// NOTE(review): that fallback still turns debug on if app.debug is missing,
// so a production-safe default would be 'false' — outside this rule's scope.
// ok: laravel-active-debug-code
$value = config('app.debug', 'true');
?>