python.flask.security.audit.app-run-security-config.avoid_using_app_run_directly
Author: semgrep
Download Count*: 80,402
top-level app.run(...) is ignored by flask. Consider putting app.run(...) behind a guard, like inside a function
Definition
rules:
  - id: avoid_using_app_run_directly
    patterns:
      - pattern-not-inside: |
          if __name__ == '__main__':
              ...
      - pattern-not-inside: |
          def $X(...):
              ...
      - pattern: app.run(...)
    message: top-level app.run(...) is ignored by flask. Consider putting
      app.run(...) behind a guard, like inside a function
    metadata:
      cwe:
        - "CWE-668: Exposure of Resource to Wrong Sphere"
      owasp:
        - A01:2021 - Broken Access Control
      category: security
      technology:
        - flask
      references:
        - https://owasp.org/Top10/A01_2021-Broken_Access_Control
      subcategory:
        - vuln
      likelihood: LOW
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Other
    languages:
      - python
    severity: WARNING
Examples
app-run-security-config.py
from flask import Flask

app = Flask(__name__)

# ok:avoid_using_app_run_directly
# app.run(...) inside a function body matches the second pattern-not-inside and is not flagged
def hello():
    app.run()

# ruleid:avoid_using_app_run_directly
app.run()

# ruleid:avoid_using_app_run_directly
app.run(debug=True)

# ok:avoid_using_app_run_directly
# guarded by the __main__ check, so it is not flagged
if __name__ == '__main__':
    app.run()
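To make the rule's matching logic concrete, the following is an added example (not Semgrep's code and not part of the registry page): a small stdlib-only checker that reproduces the three pattern clauses above with Python's `ast` module, then runs it over a constructed sample file laid out like the test file. A call is reported only when it is `app.run(...)` and it is not nested inside a function definition or an `if __name__ == '__main__':` block; the `SAMPLE` source, `find_unguarded_app_run` and its helpers are all assumptions introduced here for illustration.

```python
import ast

# Constructed sample in the same layout as the rule's test file (not the page's own file).
SAMPLE = '''
from flask import Flask
app = Flask(__name__)

def hello():
    app.run()

app.run()

app.run(debug=True)

if __name__ == '__main__':
    app.run()
'''


def _is_main_guard(node):
    """True for an `if __name__ == '__main__':` statement (either operand order)."""
    if not isinstance(node, ast.If):
        return False
    test = node.test
    if not (isinstance(test, ast.Compare) and len(test.ops) == 1
            and isinstance(test.ops[0], ast.Eq)):
        return False
    names = set()
    for side in (test.left, test.comparators[0]):
        if isinstance(side, ast.Name):
            names.add(side.id)
        elif isinstance(side, ast.Constant):
            names.add(side.value)
    return names == {"__name__", "__main__"}


def _is_app_run(call):
    """True for a call whose callee is exactly `app.run` (mirrors `pattern: app.run(...)`)."""
    func = call.func
    return (isinstance(func, ast.Attribute) and func.attr == "run"
            and isinstance(func.value, ast.Name) and func.value.id == "app")


def find_unguarded_app_run(source):
    """Return the line numbers of app.run(...) calls that sit neither inside a
    function body nor inside an `if __name__ == '__main__':` block, i.e. the
    calls the Semgrep rule above would report."""
    findings = []

    def visit(node, guarded):
        for child in ast.iter_child_nodes(node):
            # Entering a def or a __main__ guard satisfies a pattern-not-inside clause
            # for everything underneath it.
            child_guarded = (guarded
                             or isinstance(child, (ast.FunctionDef, ast.AsyncFunctionDef))
                             or _is_main_guard(child))
            if isinstance(child, ast.Call) and _is_app_run(child) and not guarded:
                findings.append(child.lineno)
            visit(child, child_guarded)

    visit(ast.parse(source), False)
    return findings


if __name__ == "__main__":
    for lineno in find_unguarded_app_run(SAMPLE):
        print(f"line {lineno}: top-level app.run(...) is ignored by flask; put it behind a guard")
```

Running it against `SAMPLE` reports lines 8 and 10 (the bare `app.run()` and `app.run(debug=True)`), while the call inside `hello()` and the one under the `__main__` guard are skipped, which is the same split the test file's `ruleid` annotations describe. Like the Semgrep rule, the checker does not treat a class body as a guard, so an `app.run(...)` placed directly in a class body would still be reported.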
Short Link: https://sg.run/vz5b