B201: flask_debug_true

B201: Test for use of flask app with debug set to true

Running Flask applications in debug mode results in the Werkzeug debugger being enabled. This includes a feature that allows arbitrary code execution. Documentation for both Flask [1] and Werkzeug [2] strongly suggests that debug mode should never be enabled on production systems.

Operating a production server with debug mode enabled was the probable cause of the Patreon breach in 2015 [3].

Example:
    >> Issue: A Flask app appears to be run with debug=True, which exposes
    the Werkzeug debugger and allows the execution of arbitrary code.
       Severity: High   Confidence: High
       Location: examples/flask_debug.py:10
       9 #bad
       10    app.run(debug=True)
       11
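As an added illustration (not part of the Bandit documentation or of the Bandit code base), the following Python script places the flagged pattern next to a hardened form and implements a small syntactic check over the AST that reports the same finding. The `find_flask_debug_true` function, the `_imports_flask` helper and the two sample sources are constructed for this example; gating the report on a `flask` import is this example's own choice to cut false positives, not a description of the plugin's internals.

```python
"""Added example: a minimal AST check for `app.run(debug=True)` in Flask code.

Not Bandit's implementation; written to show the pattern B201 reports and
how a syntactic check can locate it.
"""
import ast

# Constructed sample: the pattern B201 flags.
VULNERABLE_SRC = '''
from flask import Flask
app = Flask(__name__)

@app.route("/")
def index():
    return "hello"

if __name__ == "__main__":
    app.run(debug=True)  # Werkzeug debugger reachable by anyone who can hit the port
'''

# Constructed sample: debug mode is never hard-coded into the application.
# For local development, use the CLI instead (`flask --debug run`).
HARDENED_SRC = '''
from flask import Flask
app = Flask(__name__)

@app.route("/")
def index():
    return "hello"

if __name__ == "__main__":
    app.run()
'''

# Constructed sample: `.run(debug=True)` on something that is not Flask.
NON_FLASK_SRC = '''
import subprocess_like_lib as runner
runner.run(debug=True)
'''

ISSUE_TEXT = ("A Flask app appears to be run with debug=True, which exposes "
              "the Werkzeug debugger and allows the execution of arbitrary code.")


def _imports_flask(tree: ast.AST) -> bool:
    """True if the module imports `flask` (or a submodule) in any form."""
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            if any(alias.name.split(".")[0] == "flask" for alias in node.names):
                return True
        elif isinstance(node, ast.ImportFrom):
            if node.module and node.module.split(".")[0] == "flask":
                return True
    return False


def find_flask_debug_true(source: str, filename: str = "<string>"):
    """Return [(lineno, message), ...] for every `<expr>.run(debug=True)` call.

    Purely syntactic: it matches a call whose callee is an attribute named
    `run` and which passes the literal keyword `debug=True`. It does not
    prove the receiver is a Flask app, and it will not see `debug=1`, a
    positional `True`, a variable, or debug mode enabled through the
    FLASK_DEBUG environment variable or `flask --debug run`.
    """
    tree = ast.parse(source, filename=filename)
    if not _imports_flask(tree):
        return []
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute) and func.attr == "run"):
            continue
        for kw in node.keywords:
            if (kw.arg == "debug"
                    and isinstance(kw.value, ast.Constant)
                    and kw.value.value is True):
                findings.append((node.lineno, ISSUE_TEXT))
    return findings


if __name__ == "__main__":
    for name, src in [("vulnerable", VULNERABLE_SRC),
                      ("hardened", HARDENED_SRC),
                      ("non-flask", NON_FLASK_SRC)]:
        hits = find_flask_debug_true(src, filename=name)
        print(f"{name}: {len(hits)} finding(s)")
        for lineno, msg in hits:
            print(f"  line {lineno}: {msg}")
```

Because the check is syntactic, it should be treated as one layer: a deployment that enables debug mode through `FLASK_DEBUG` or the development CLI will pass it, so production startup should also verify at runtime that `app.debug` is false (for example, refusing to start otherwise) rather than relying on a linter alone.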

New in version 0.15.0.