python.flask.security.audit.debug-enabled.debug-enabled
Community Favorite
Author: semgrep
Download Count: 48,169
Detected Flask app with debug=True. Do not deploy to production with this flag enabled as it will leak sensitive information. Instead, consider using Flask configuration variables or setting 'debug' using system environment variables.
Definition
rules:
- id: debug-enabled
  patterns:
  - pattern-inside: |
      import flask
      ...
  - pattern: $APP.run(..., debug=True, ...)
  message: Detected Flask app with debug=True. Do not deploy to production with
    this flag enabled as it will leak sensitive information. Instead, consider
    using Flask configuration variables or setting 'debug' using system
    environment variables.
  metadata:
    cwe:
    - "CWE-489: Active Debug Code"
    owasp: A06:2017 - Security Misconfiguration
    references:
    - https://labs.detectify.com/2015/10/02/how-patreon-got-hacked-publicly-exposed-werkzeug-debugger/
    category: security
    technology:
    - flask
    subcategory:
    - vuln
    likelihood: HIGH
    impact: MEDIUM
    confidence: HIGH
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    vulnerability_class:
    - Active Debug Code
  severity: WARNING
  languages:
  - python
Examples
debug-enabled.py
import os
import flask
from flask import Flask

app = Flask(__name__)

@app.route('/')
def index():
    return flask.jsonify({"response": "ok"})

def main():
    # No debug argument at all: the rule does not match.
    # ok:debug-enabled
    app.run()

def env():
    # The value is computed at runtime rather than the literal True, so the rule
    # does not match. Flask coerces it with bool(), so any non-empty string,
    # including "false", still turns the debugger on.
    # ok:debug-enabled
    app.run("0.0.0.0", debug=os.environ.get("DEBUG", False))

if __name__ == "__main__":
    # ruleid:debug-enabled
    app.run("0.0.0.0", debug=True)
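To show what the rule's two patterns amount to, here is an added example (not part of the Semgrep registry or the rule itself) that re-implements the check with Python's ast module over a constructed copy of the test file, and pairs it with a safer way to derive debug from the environment. Treating `from flask import ...` as satisfying the `import flask` clause, and the function names, are assumptions.

```python
import ast

# Constructed sample (not the registry's test file) mirroring the page's
# debug-enabled.py: one flagged call and two that the rule leaves alone.
SAMPLE = """import os
import flask
from flask import Flask
app = Flask(__name__)
def main():
    app.run()
def env():
    app.run("0.0.0.0", debug=os.environ.get("DEBUG", False))
if __name__ == "__main__":
    app.run("0.0.0.0", debug=True)
"""


def imports_flask(tree):
    # Approximates `pattern-inside: import flask ...`; treating the
    # `from flask import ...` form as a flask import too is an assumption.
    for node in ast.walk(tree):
        if isinstance(node, ast.Import) and any(a.name == "flask" for a in node.names):
            return True
        if isinstance(node, ast.ImportFrom) and node.module == "flask":
            return True
    return False


def find_debug_true(source):
    """Line numbers of `$APP.run(..., debug=True, ...)` calls in a module that
    imports flask. Only the literal True counts; a value computed at runtime
    such as os.environ.get(...) is not reported, matching the rule."""
    tree = ast.parse(source)
    if not imports_flask(tree):
        return []
    hits = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "run"):
            continue
        for kw in node.keywords:
            if (kw.arg == "debug" and isinstance(kw.value, ast.Constant)
                    and kw.value.value is True):
                hits.append(node.lineno)
    return hits


def debug_from_env(value):
    """Safer replacement for debug=os.environ.get("DEBUG", False): only explicit
    true-like strings enable debug (bool("false") is True, so the raw string would not)."""
    return str(value).strip().lower() in ("1", "true", "yes", "on")
```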
Short Link: https://sg.run/dKrd