python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_ENV
Community Favorite
Author: semgrep
Download Count*: 80,216
License: Commons Clause License Condition v1.0 [LGPL-2.1-only]
Hardcoded variable ENV detected. Set this by using FLASK_ENV environment variable.
Definition
rules:
  - id: avoid_hardcoded_config_ENV
    message: Hardcoded variable `ENV` detected. Set this by using FLASK_ENV
      environment variable
    severity: WARNING
    metadata:
      likelihood: LOW
      impact: LOW
      confidence: LOW
      category: security
      cwe:
        - "CWE-489: Active Debug Code"
      owasp:
        - A05:2021 - Security Misconfiguration
      references:
        - https://bento.dev/checks/flask/avoid-hardcoded-config/
        - https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values
        - https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features
      subcategory:
        - audit
      technology:
        - flask
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Active Debug Code
    languages:
      - python
    pattern-either:
      - pattern: $M.update(ENV="=~/^development|production$/")
      - pattern: $M.config['ENV'] = "=~/^development|production$/"
Examples
hardcoded-config.py
# Semgrep test file shared by the four avoid_hardcoded_config_* rules
# (TESTING, SECRET_KEY, ENV, DEBUG). A "# ruleid:" line must be flagged by the
# named rule; a "# ok:" line must not be. The ok cases read the value at
# runtime (os.getenv / os.environ) instead of baking a literal into the source.
import os
import flask

app = flask.Flask(__name__)

# ruleid: avoid_hardcoded_config_TESTING
app.config["TESTING"] = True
# ruleid: avoid_hardcoded_config_TESTING
app.config["TESTING"] = False
# ruleid: avoid_hardcoded_config_TESTING
app.config.update(TESTING=True)
# ruleid: avoid_hardcoded_config_SECRET_KEY
app.config.update(SECRET_KEY="aaaa")
# ruleid: avoid_hardcoded_config_SECRET_KEY
app.config["SECRET_KEY"] = '_5#y2L"F4Q8z\n\xec]/'
# ruleid: avoid_hardcoded_config_ENV
app.config["ENV"] = "development"
# ruleid: avoid_hardcoded_config_ENV
app.config["ENV"] = "production"
# ruleid: avoid_hardcoded_config_DEBUG
app.config["DEBUG"] = True
# ruleid: avoid_hardcoded_config_DEBUG
app.config["DEBUG"] = False

# ok: avoid_hardcoded_config_TESTING
app.config["TESTING"] = os.getenv("TESTING")
# ok: avoid_hardcoded_config_TESTING
app.config["TESTING"] = "aa"
# ok: avoid_hardcoded_config_SECRET_KEY
app.config.update(SECRET_KEY=os.getenv("SECRET_KEY"))
# ok: avoid_hardcoded_config_SECRET_KEY
app.config.update(SECRET_KEY=os.environ["SECRET_KEY"])
# ok: avoid_hardcoded_config_ENV
app.config["ENV"] = os.environ["development"]
# ok: avoid_hardcoded_config_DEBUG
app.config["DEBUG"] = os.environ["DEBUG"] or True
# ok: avoid_hardcoded_config_DEBUG
app.config["DEBUG"] = os.environ["DEBUG"] or False
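As an added example (not part of the Semgrep rule, its test file, or Flask itself), the remediation the rule message asks for: derive ENV, together with the DEBUG and SECRET_KEY settings the sibling rules cover, from the process environment instead of a literal in the source. The precedence mirrors the FLASK_ENV / FLASK_DEBUG handling documented for Flask 1.1 (assumed from the referenced docs); the names `settings_from_environ` and `configure` are my own, and the sample environments are constructed.

```python
"""Environment-driven Flask settings (added example, not Semgrep's or Flask's code).

Flask 1.x reads ENV from FLASK_ENV when the app object is created, and a
development ENV turns DEBUG on by default. Assigning ENV in code afterwards is
too late for `flask run` and for extensions that already consulted it, and it
bakes one deployment's mode, possibly with the interactive debugger, into every
deployment. The function below derives the values from a mapping instead:
  ENV   = FLASK_ENV, defaulting to "production"
  DEBUG = FLASK_DEBUG if set (anything but 0/false/no is true),
          otherwise true only when ENV == "development"
SECRET_KEY is mandatory outside development, so a production process with a
missing key refuses to start rather than serving unsigned session cookies.
"""
import os
from typing import Mapping

ALLOWED_ENVS = ("development", "production")
FALSY = ("0", "false", "no")


def settings_from_environ(environ: Mapping[str, str]) -> dict:
    """Build the Flask config values that must never be hardcoded.

    `environ` is passed in explicitly (normally os.environ) so the logic can be
    exercised against a constructed mapping.
    """
    env = environ.get("FLASK_ENV") or "production"
    if env not in ALLOWED_ENVS:
        raise ValueError(f"FLASK_ENV must be one of {ALLOWED_ENVS}, got {env!r}")

    debug_raw = environ.get("FLASK_DEBUG")
    if debug_raw is None or debug_raw.strip() == "":
        debug = env == "development"          # Flask's own default
    else:
        debug = debug_raw.strip().lower() not in FALSY

    secret_key = environ.get("SECRET_KEY")
    if not secret_key and env == "production":
        raise RuntimeError("SECRET_KEY must be set when FLASK_ENV=production")

    return {"ENV": env, "DEBUG": debug, "SECRET_KEY": secret_key}


def configure(app, environ: Mapping[str, str] = os.environ):
    """Apply the derived settings to a Flask app via config.update(mapping).

    A mapping built at runtime, not literal keyword arguments, is the form the
    rule's `# ok:` cases accept. `app` only needs a dict-like `.config`.
    """
    app.config.update(settings_from_environ(environ))
    return app


if __name__ == "__main__":
    # Constructed sample environments, not real deployments.
    print(settings_from_environ({"FLASK_ENV": "development"}))
    print(settings_from_environ({"SECRET_KEY": "k", "FLASK_DEBUG": "0"}))
```

Calling `configure(app)` at startup replaces all four flagged assignments with one `config.update` of runtime-derived values; with FLASK_ENV unset and no SECRET_KEY the process fails on startup instead of running production traffic with DEBUG guessed from source.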
Short Link: https://sg.run/7oXW