python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_DEBUG

Community Favorite
Author: semgrep
Downloads: 80,216

Hardcoded variable DEBUG detected. Set this by using the FLASK_DEBUG environment variable.

Definition

rules:
  - id: avoid_hardcoded_config_DEBUG
    message: Hardcoded variable `DEBUG` detected. Set this by using FLASK_DEBUG
      environment variable
    severity: WARNING
    metadata:
      likelihood: LOW
      impact: LOW
      confidence: LOW
      category: security
      cwe:
        - "CWE-489: Active Debug Code"
      owasp:
        - A05:2021 - Security Misconfiguration
      references:
        - https://bento.dev/checks/flask/avoid-hardcoded-config/
        - https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values
        - https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features
      subcategory:
        - audit
      technology:
        - flask
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Active Debug Code
    languages:
      - python
    pattern-either:
      - pattern: $M.update(DEBUG=True)
      - pattern: $M.update(DEBUG=False)
      - pattern: $M.config['DEBUG'] = True
      - pattern: $M.config['DEBUG'] = False

Examples

hardcoded-config.py

import os
import flask
app = flask.Flask(__name__)

# ruleid: avoid_hardcoded_config_TESTING
app.config["TESTING"] = True
# ruleid: avoid_hardcoded_config_TESTING
app.config["TESTING"] = False
# ruleid: avoid_hardcoded_config_TESTING
app.config.update(TESTING=True)

# ruleid: avoid_hardcoded_config_SECRET_KEY
app.config.update(SECRET_KEY="aaaa")
# ruleid: avoid_hardcoded_config_SECRET_KEY
app.config["SECRET_KEY"] = '_5#y2L"F4Q8z\n\xec]/'

# ruleid: avoid_hardcoded_config_ENV
app.config["ENV"] = "development"
# ruleid: avoid_hardcoded_config_ENV
app.config["ENV"] = "production"

# ruleid: avoid_hardcoded_config_DEBUG
app.config["DEBUG"] = True
# ruleid: avoid_hardcoded_config_DEBUG
app.config["DEBUG"] = False

# ok: avoid_hardcoded_config_TESTING
app.config["TESTING"] = os.getenv("TESTING")
# ok: avoid_hardcoded_config_TESTING
app.config["TESTING"] = "aa"

# ok: avoid_hardcoded_config_SECRET_KEY
app.config.update(SECRET_KEY=os.getenv("SECRET_KEY"))
# ok: avoid_hardcoded_config_SECRET_KEY
app.config.update(SECRET_KEY=os.environ["SECRET_KEY"])

# ok: avoid_hardcoded_config_ENV
app.config["ENV"] = os.environ["development"]

# ok: avoid_hardcoded_config_DEBUG
app.config["DEBUG"] = os.environ["DEBUG"] or True
# ok: avoid_hardcoded_config_DEBUG
app.config["DEBUG"] = os.environ["DEBUG"] or False
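To make the two pattern shapes in the rule concrete, the following is an added example (not part of the Semgrep rule or its test file) that approximates them with Python's own ast module: it flags `$M.config['DEBUG'] = True|False` and `$M.update(DEBUG=True|False)` while letting the `os.environ`-based assignments from the example file pass, because their value is an expression rather than a bare boolean literal. The SAMPLE source is constructed here; it assumes Python 3.9+ (where `Subscript.slice` is the key expression itself).

```python
import ast

# Constructed sample mirroring the DEBUG cases of the rule's test file (not the original file).
SAMPLE = '''
import os, flask
app = flask.Flask(__name__)
app.config["DEBUG"] = True                          # hardcoded literal: flagged
app.config.update(DEBUG=False)                      # hardcoded literal: flagged
app.config["DEBUG"] = os.environ["DEBUG"] or True   # not a bare literal: passes the rule
app.config["TESTING"] = True                        # different key: outside this rule's scope
'''


def _is_bool_literal(node):
    # True/False parse to ast.Constant carrying a bool value.
    return isinstance(node, ast.Constant) and isinstance(node.value, bool)


class HardcodedDebugFinder(ast.NodeVisitor):
    """Collects (lineno, shape) for assignments matching the rule's two pattern shapes."""

    def __init__(self):
        self.findings = []

    def visit_Assign(self, node):
        # Shape 1: $M.config['DEBUG'] = True|False  (Semgrep treats '...' and "..." alike)
        for target in node.targets:
            if (isinstance(target, ast.Subscript)
                    and isinstance(target.value, ast.Attribute)
                    and target.value.attr == "config"
                    and isinstance(target.slice, ast.Constant)
                    and target.slice.value == "DEBUG"
                    and _is_bool_literal(node.value)):
                self.findings.append((node.lineno, "subscript"))
        self.generic_visit(node)

    def visit_Call(self, node):
        # Shape 2: $M.update(DEBUG=True|False); like the rule, any receiver $M qualifies.
        if isinstance(node.func, ast.Attribute) and node.func.attr == "update":
            for kw in node.keywords:
                if kw.arg == "DEBUG" and _is_bool_literal(kw.value):
                    self.findings.append((node.lineno, "update"))
        self.generic_visit(node)


def find_hardcoded_debug(source):
    """Return [(lineno, shape), ...] for every hardcoded DEBUG setting in `source`."""
    finder = HardcodedDebugFinder()
    finder.visit(ast.parse(source))
    return finder.findings


if __name__ == "__main__":
    for lineno, shape in find_hardcoded_debug(SAMPLE):
        print(f"line {lineno}: hardcoded DEBUG via {shape} pattern")
```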