# Active Debug Code (CWE-489)

The product is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or information leaks.

- Prevalence: High (frequently exploited)
- Impact: Critical (1 critical-severity rule)
- Prevention: Documented (6 fix examples)

**OWASP:** Security Misconfiguration (A05:2021-Security Misconfiguration) - #5

## Description

Debug code is often written to allow easier testing and debugging. This code is not intended to be shipped to production but is sometimes inadvertently left in the product. Debug code often exposes information about the product's internal structure or creates additional attack surface.

## Prevention

Active Debug Code prevention strategies based on 6 Shoulder detection rules.

### Python

- Load DEBUG from environment variables, defaulting to False in production
- Load Flask debug mode from environment variables, defaulting to False

### Go

- Disable Echo debug mode in production to prevent stack trace exposure
- Disable Fiber debug output and route printing in production
- Set Gin to release mode in production to suppress debug output

### JavaScript

- Use environment variables for debug configuration instead of hardcoded flags

## Warning Signs

- [HIGH] Flask applications running with debug mode enabled
- [MEDIUM] Debug flag at line ... is hardcoded to true
- [MEDIUM] Hardcoded debug flags that expose sensitive information or enable debugging features in production
- [CRITICAL] Django applications with DEBUG = True in settings

## Consequences

- Read application data
- Bypass protection mechanisms
- Execute unauthorized code

## Mitigations

- Remove debugging code before deploying to production
- Use a build configuration that automatically excludes debug code from production builds
- Audit code for debug endpoints and backdoors before release

## Detection

- Total rules: 6
- Critical: 1
- Languages: python, go, javascript, typescript

## Rules by Language

### Go (3 rules)

- **Echo Debug Mode in Production** [MEDIUM]: Echo debug mode exposes stack traces and verbose errors in production.
  - Remediation: Disable debug mode in production.
    ```go
    e := echo.New()
    e.Debug = false // keep stack traces and verbose errors out of responses
    ```

  Learn more: https://shoulder.dev/learn/go/cwe-489/debug-mode

- **Fiber Debug Mode in Production** [MEDIUM]: Fiber debug configuration exposes route structure and stack traces.
  - Remediation: Use production configuration to disable debug output.

    ```go
    app := fiber.New(fiber.Config{
        DisableStartupMessage: true,  // no banner with listen address and PID
        EnablePrintRoutes:     false, // do not dump the route table at startup
    })
    ```

  Learn more: https://shoulder.dev/learn/go/cwe-489/debug-mode

- **Gin Debug Mode in Production** [MEDIUM]: Gin debug mode exposes routing info and verbose errors in production.
  - Remediation: Set release mode before creating the router.

    ```go
    gin.SetMode(gin.ReleaseMode) // must run before gin.Default()/gin.New()
    r := gin.Default()
    ```

  Learn more: https://shoulder.dev/learn/go/cwe-489/debug-mode

### Python (2 rules)

- **Django Debug Mode in Production** [CRITICAL]: Detects Django applications with DEBUG = True in settings. Debug mode exposes sensitive information including settings, environment variables, SQL queries, and stack traces. This must NEVER be enabled in production.
  - Remediation: Load DEBUG from environment variables, defaulting to False.

    ```python
    import os

    # Only the literal string "true" (any case) enables debug; unset means False.
    DEBUG = os.getenv('DJANGO_DEBUG', 'False').lower() == 'true'
    ALLOWED_HOSTS = ['example.com', 'www.example.com']
    ```

  Learn more: https://shoulder.dev/learn/python/cwe-489/debug-mode

- **Flask Debug Mode in Production** [HIGH]: Detects Flask applications running with debug mode enabled. Debug mode exposes sensitive information, allows code execution through the interactive debugger, and should NEVER be enabled in production.
  - Remediation: Load debug mode from environment variables, defaulting to False.
    ```python
    import os
    from flask import Flask

    app = Flask(__name__)

    if __name__ == '__main__':
        # Debug (and the interactive debugger) stays off unless explicitly requested.
        debug = os.getenv('FLASK_DEBUG', 'False').lower() == 'true'
        app.run(debug=debug)
    ```

  Learn more: https://shoulder.dev/learn/python/cwe-489/debug-mode

### JavaScript (1 rule)

- **Debug Mode Enabled in Production** [MEDIUM]: Detects hardcoded debug flags that expose sensitive information or enable debugging features in production.
  - Remediation: Use environment variables for debug/development mode configuration.

### TypeScript (1 rule)

- **Debug Mode Enabled in Production** [MEDIUM]: Detects hardcoded debug flags that expose sensitive information or enable debugging features in production.
  - Remediation: Use environment variables for debug/development mode configuration.
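The two Python rules above (Django `DEBUG = True`, Flask `app.run(debug=True)`) can be checked with a small AST-based scan. This is an added illustration, not Shoulder's own rule engine; the sample settings and entry-point sources are constructed here, and the function name `find_debug_findings` is an assumption.

```python
import ast

# Constructed sample inputs (not from the page): a Django settings module and a
# Flask entry point, each in its hardcoded "before" form and its env-based "after" form.
DJANGO_BAD = "DEBUG = True\nALLOWED_HOSTS = ['*']\n"
DJANGO_OK = ("import os\n"
             "DEBUG = os.getenv('DJANGO_DEBUG', 'False').lower() == 'true'\n")
FLASK_BAD = "from flask import Flask\napp = Flask(__name__)\napp.run(debug=True)\n"
FLASK_OK = ("import os\nfrom flask import Flask\napp = Flask(__name__)\n"
            "debug = os.getenv('FLASK_DEBUG', 'False').lower() == 'true'\n"
            "app.run(debug=debug)\n")


def find_debug_findings(source):
    """Return (severity, line, message) tuples for hardcoded debug settings.

    Mirrors the page's two Python rules: Django ``DEBUG = True`` (CRITICAL) and
    Flask ``app.run(debug=True)`` (HIGH). A value computed at runtime, such as
    the os.getenv() comparison, is not an ast.Constant and is therefore not flagged.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        # Django rule: an assignment of the literal True to a name called DEBUG.
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if (isinstance(target, ast.Name) and target.id == "DEBUG"
                        and isinstance(node.value, ast.Constant)
                        and node.value.value is True):
                    findings.append(("CRITICAL", node.lineno,
                                     "Django DEBUG = True hardcoded in settings"))
        # Flask rule: a .run(...) call carrying the literal keyword debug=True.
        elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "run"):
            for kw in node.keywords:
                if (kw.arg == "debug" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    findings.append(("HIGH", node.lineno,
                                     "Flask app.run(debug=True) hardcoded"))
    return findings


if __name__ == "__main__":
    for name, src in [("DJANGO_BAD", DJANGO_BAD), ("DJANGO_OK", DJANGO_OK),
                      ("FLASK_BAD", FLASK_BAD), ("FLASK_OK", FLASK_OK)]:
        print(name, find_debug_findings(src))
```

Run it over a real `settings.py` or app entry point by passing the file contents to `find_debug_findings`; the env-based remediation forms from the rules above produce no findings because the value is no longer a literal.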