python.flask.security.audit.debug-enabled.debug-enabled

Author: semgrep

Detected Flask app with debug=True. Do not deploy to production with this flag enabled as it will leak sensitive information. Instead, consider using Flask configuration variables or setting 'debug' using system environment variables.


Definition

rules:
  - id: debug-enabled
    patterns:
      - pattern-inside: |
          import flask
          ...
      - pattern: $APP.run(..., debug=True, ...)
    message: Detected Flask app with debug=True. Do not deploy to production with
      this flag enabled as it will leak sensitive information. Instead, consider
      using Flask configuration variables or setting 'debug' using system
      environment variables.
    metadata:
      cwe:
        - "CWE-489: Active Debug Code"
      owasp: A06:2017 - Security Misconfiguration
      references:
        - https://labs.detectify.com/2015/10/02/how-patreon-got-hacked-publicly-exposed-werkzeug-debugger/
      category: security
      technology:
        - flask
      subcategory:
        - vuln
      likelihood: HIGH
      impact: MEDIUM
      confidence: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Active Debug Code
    severity: WARNING
    languages:
      - python

Examples

debug-enabled.py

import os

from flask import Flask, jsonify

app = Flask(__name__)

@app.route('/')
def index():
    return jsonify({"response": "ok"})

def main():
    # ok:debug-enabled
    app.run()

def env():
    # ok:debug-enabled
    # Accepted by the rule because debug is not a literal True. Note that the
    # value is a string: any non-empty DEBUG, including "0", is truthy.
    app.run("0.0.0.0", debug=os.environ.get("DEBUG", False))

if __name__ == "__main__":
    # ruleid:debug-enabled
    app.run("0.0.0.0", debug=True)
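The rule's suggested fix, taking the flag from the environment, has a pitfall the test file's `env()` case shows: environment values are strings, and Flask treats any truthy value as debug on, so DEBUG=0 still starts the Werkzeug debugger. The following is an added example, not part of the Semgrep rule or its test file; `parse_bool_env`, `is_loopback` and `resolve_debug` are names chosen here, and `FLASK_DEBUG` is the variable the `flask` CLI itself reads. It parses the flag strictly and refuses the debugger on a non-loopback bind such as the `0.0.0.0` in the flagged example.

```python
import ipaddress
from typing import Mapping, Optional

# Accepted spellings of an explicit on/off switch. Anything else is an error,
# so a typo such as FLASK_DEBUG=ture cannot silently flip the flag either way.
_TRUE = {"1", "true", "yes", "on"}
_FALSE = {"0", "false", "no", "off", ""}


def parse_bool_env(value: Optional[str], default: bool = False) -> bool:
    """Strictly parse an environment string into a bool (unset -> default)."""
    if value is None:
        return default
    normalized = value.strip().lower()
    if normalized in _TRUE:
        return True
    if normalized in _FALSE:
        return False
    raise ValueError(f"unrecognised boolean value: {value!r}")


def is_loopback(host: str) -> bool:
    """True only for localhost / 127.0.0.0/8 / ::1 style bind addresses."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # hostnames other than localhost are not trusted
        return False


def resolve_debug(environ: Mapping[str, str], host: str = "127.0.0.1") -> bool:
    """Decide whether the debugger may run: flag must parse true AND the
    server must be bound to a loopback address, never to 0.0.0.0."""
    wanted = parse_bool_env(environ.get("FLASK_DEBUG"))
    return wanted and is_loopback(host)


def naive_debug(environ: Mapping[str, str]) -> bool:
    """The pattern from the rule's 'ok' case, for comparison: "0" is truthy."""
    return bool(environ.get("DEBUG", False))


if __name__ == "__main__":
    import os
    from flask import Flask  # imported here so the parsing above needs no Flask

    app = Flask(__name__)
    host = os.environ.get("FLASK_RUN_HOST", "127.0.0.1")
    app.run(host, debug=resolve_debug(os.environ, host))
```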