Active Debug Code
The product is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or information leaks.
Debug code is often written to allow easier testing and debugging. This code is not intended to be shipped to production but is sometimes inadvertently left in the product. Debug code often exposes information about the product's internal structure or creates additional attack surface.
この脆弱性の修正方法
6 件の Shoulder 検出ルールに基づく Active Debug Code の予防策。
Load DEBUG from environment variables, defaulting to False in production
# settings.py - DEBUG = True - ALLOWED_HOSTS = ['*'] + import os + + DEBUG = os.getenv('DJANGO_DEBUG', 'False').lower() == 'true' + ALLOWED_HOSTS = os.getenv('ALLOWED_HOSTS', '').split(',')
Load Flask debug mode from environment variables, defaulting to False
- from flask import Flask - - app = Flask(__name__) - - if __name__ == '__main__': - app.run(debug=True) + import os + from flask import Flask + + app = Flask(__name__) + + if __name__ == '__main__': + debug = os.getenv('FLASK_DEBUG', 'False').lower() == 'true' + app.run(debug=debug)
Disable Echo debug mode in production to prevent stack trace exposure
package main - import "github.com/labstack/echo/v4" - - func main() { - e := echo.New() - e.Debug = true + import ( + "os" + "github.com/labstack/echo/v4" + ) + + func main() { + e := echo.New() + e.Debug = os.Getenv("ECHO_DEBUG") == "true" e.GET("/api/users", getUsers) e.Start(":8080") }
Disable Fiber debug output and route printing in production
package main import "github.com/gofiber/fiber/v2" func main() { app := fiber.New(fiber.Config{ - EnablePrintRoutes: true, - EnableStackTrace: true, + DisableStartupMessage: true, + EnablePrintRoutes: false, + Prefork: true, }) app.Get("/api/users", getUsers) app.Listen(":8080") }
Set Gin to release mode in production to suppress debug output
package main - import "github.com/gin-gonic/gin" - - func main() { - gin.SetMode(gin.DebugMode) + import ( + "os" + "github.com/gin-gonic/gin" + ) + + func main() { + if os.Getenv("GIN_MODE") == "" { + gin.SetMode(gin.ReleaseMode) + } r := gin.Default() r.GET("/api/users", getUsers) r.Run(":8080") }
Use environment variables for debug configuration instead of hardcoded flags
- const DEBUG = true; - app.use(morgan('dev')); + const DEBUG = process.env.DEBUG === 'true'; + const isProduction = process.env.NODE_ENV === 'production'; + + if (!isProduction) { + app.use(morgan('dev')); + }
コードの脆弱性を見つける
Shoulderを使用してコードのActive Debug Codeパターンをスキャンしましょう。 6 ルール.
# Scan with Shoulder CLI npx @shoulderdev/cli trust --cwe=489 # Or scan entire project npx @shoulderdev/cli trust .
検出ルール (6)
コードレビューで注目すべき点
これらのパターンはActive Debug Codeの潜在的な脆弱性を示しています。コードレビューとセキュリティ監査中に探してください。