# Active Debug Code (CWE-489)

The product is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or information leaks.

**Stack:** Python

- Prevalence: Élevée Fréquemment exploitée
- Impact: Critique 1 règles de sévérité critique
- Prevention: Documentée 6 exemples de correctifs

**OWASP:** Security Misconfiguration (A05:2021-Security Misconfiguration) - #5

## Description

Debug code is often written to allow easier testing and debugging. This code is not intended to be shipped to production but is sometimes inadvertently left in the product. Debug code often exposes information about the product's internal structure or creates additional attack surface.

## Prevention

Stratégies de prévention pour Active Debug Code basées sur 2 règles de détection Shoulder.

### Python

Load DEBUG from environment variables, defaulting to False in production

Load Flask debug mode from environment variables, defaulting to False

## Warning Signs

- [HIGH] Flask applications running with debug mode enabled
- [CRITICAL] Django applications with DEBUG = True in settings

## Consequences

- Lecture des données de l'application
- Contourner le mécanisme de protection
- Exécuter du code non autorisé

## Mitigations

- Supprimez le code de débogage avant de déployer le produit en production
- Utilisez des configurations de build qui excluent automatiquement le code de débogage des builds de production
- Auditez le code à la recherche de points de terminaison de débogage et de portes dérobées avant la mise en production

## Detection

- Total rules: 6
- Critical: 1
- Languages: python, go, javascript, typescript

## Rules by Language

### Python (2 rules)

- **Django Debug Mode in Production** [CRITICAL]: Detects Django applications with DEBUG = True in settings. Debug mode exposes
sensitive information including settings, environment variables, SQL queries,
and stack traces. This must NEVER be enabled in production.
  - Remediation: Load DEBUG from environment variables, defaulting to False.

```python
import os

DEBUG = os.getenv('DJANGO_DEBUG', 'False').lower() == 'true'
ALLOWED_HOSTS = ['example.com', 'www.example.com']
```

Learn more: https://shoulder.dev/learn/python/cwe-489/debug-mode
- **Flask Debug Mode in Production** [HIGH]: Detects Flask applications running with debug mode enabled. Debug mode exposes
sensitive information, allows code execution through the interactive debugger,
and should NEVER be enabled in production.
  - Remediation: Load debug mode from environment variables, defaulting to False.

```python
import os
from flask import Flask

app = Flask(__name__)

if __name__ == '__main__':
    debug = os.getenv('FLASK_DEBUG', 'False').lower() == 'true'
    app.run(debug=debug)
```

Learn more: https://shoulder.dev/learn/python/cwe-489/debug-mode