# Active Debug Code (CWE-489)

The product is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or information leaks.

**Stack:** JavaScript

- Prevalence: 高 頻繁に悪用される
- Impact: クリティカル 1 件の重大度クリティカルなルール
- Prevention: 文書化済み 6 件の修正例

**OWASP:** Security Misconfiguration (A05:2021-Security Misconfiguration) - #5

## Description

Debug code is often written to allow easier testing and debugging. This code is not intended to be shipped to production but is sometimes inadvertently left in the product. Debug code often exposes information about the product's internal structure or creates additional attack surface.

## Prevention

1 件の Shoulder 検出ルールに基づく Active Debug Code の予防策。

### JavaScript

Use environment variables for debug configuration instead of hardcoded flags

## Warning Signs

- [MEDIUM] Debug flag at line ... is hardcoded to true
- [MEDIUM] hardcoded debug flags that expose sensitive information or enable debugging features in production

## Consequences

- アプリケーションデータの読み取り
- 保護メカニズムの回避
- 未承認コードの実行

## Mitigations

- 本番デプロイ前にデバッグコードを削除する
- 本番ビルドからデバッグコードを自動的に除外するビルド構成を使用する
- リリース前にデバッグエンドポイントやバックドアがないかコードを監査する

## Detection

- Total rules: 6
- Critical: 1
- Languages: python, go, javascript, typescript

## Rules by Language

### Javascript (1 rules)

- **Debug Mode Enabled in Production** [MEDIUM]: Detects hardcoded debug flags that expose sensitive information or enable debugging features in production.
  - Remediation: Use environment variables for debug/development mode configuration.

### Typescript (1 rules)

- **Debug Mode Enabled in Production** [MEDIUM]: Detects hardcoded debug flags that expose sensitive information or enable debugging features in production.
  - Remediation: Use environment variables for debug/development mode configuration.