Flask app is run in debug mode¶

ID: py/flask-debug
Kind: problem
Security severity: 7.5
Severity: error
Precision: high
Tags:
   - security
   - external/cwe/cwe-215
   - external/cwe/cwe-489
Query suites:
   - python-code-scanning.qls
   - python-security-extended.qls
   - python-security-and-quality.qls

Click to see the query in the CodeQL repository

Running a Flask application with debug mode enabled may allow an attacker to gain access through the Werkzeug debugger.

Recommendation¶

Ensure that Flask applications that are run in a production environment have debugging disabled.

Example¶

Running the following code starts a Flask webserver that has debugging enabled. By visiting /crash, it is possible to gain access to the debugger, and run arbitrary code through the interactive debugger.

from flask import Flask

app = Flask(__name__)

@app.route('/crash')
def main():
    raise Exception()

app.run(debug=True)

References¶

Flask Quickstart Documentation: Debug Mode.
Werkzeug Documentation: Debugging Applications.
Common Weakness Enumeration: CWE-215.
Common Weakness Enumeration: CWE-489.

© GitHub, Inc.
Terms
Privacy

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.

Alternative Proxies:

Alternative Proxy