
Active Debug Code

🛡️ 6 rules detect this

The product is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or information leaks.

Debug code is often written to allow easier testing and debugging. This code is not intended to be shipped to production but is sometimes inadvertently left in the product. Debug code often exposes information about the product's internal structure or creates additional attack surface.

Prevalence: High (frequently exploited)
Impact: Critical (1 rule at critical level)
Prevention: Documented (6 fix examples)

2 Prevention

How to fix this vulnerability

Prevention strategies for Active Debug Code, based on Shoulder's 6 detection rules.

Django Debug Mode in Production CRITICAL

Load DEBUG from environment variables, defaulting to False in production

+4 -2 python
  # settings.py
- DEBUG = True
- ALLOWED_HOSTS = ['*']
+ import os
+ 
+ DEBUG = os.getenv('DJANGO_DEBUG', 'False').lower() == 'true'
+ ALLOWED_HOSTS = os.getenv('ALLOWED_HOSTS', '').split(',')
  
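Review bot: `ALLOWED_HOSTS = os.getenv('ALLOWED_HOSTS', '').split(',')` yields `['']` when the variable is unset (and a trailing comma adds the same empty entry), which is not an empty list and does not name any host. Filter the split result, e.g. `ALLOWED_HOSTS = [h.strip() for h in os.getenv('ALLOWED_HOSTS', '').split(',') if h.strip()]`, and add a comment that the wildcard `'*'` removed here must not be reintroduced through the variable. The `DJANGO_DEBUG` check is fine as written: only the literal `true` enables debug mode, so `1` or an unset variable fails closed, which is worth stating in a comment so nobody "fixes" it.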
Flask Debug Mode in Production HIGH

Load Flask debug mode from environment variables, defaulting to False

+8 -6 python
- from flask import Flask
- 
- app = Flask(__name__)
- 
- if __name__ == '__main__':
-     app.run(debug=True)
+ import os
+ from flask import Flask
+ 
+ app = Flask(__name__)
+ 
+ if __name__ == '__main__':
+     debug = os.getenv('FLASK_DEBUG', 'False').lower() == 'true'
+     app.run(debug=debug)
  
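Review bot: the hunk deletes and re-adds `from flask import Flask` and `app = Flask(__name__)` unchanged; only `import os` and the two `debug` lines actually change, so the diff should be narrowed to those. Beyond that, the fix still starts the app through `app.run()`, which is Flask's built-in development server; reading the flag from `FLASK_DEBUG` stops the interactive debugger from being on by default, but a production deployment should serve the app under a WSGI server and keep `app.run()` for local use only. A comment saying so next to the `if __name__ == '__main__':` block would prevent the fix from being read as production-ready on its own.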
Echo Debug Mode in Production MEDIUM

Disable Echo debug mode in production to prevent stack trace exposure

+8 -5 go
  package main
  
- import "github.com/labstack/echo/v4"
- 
- func main() {
-     e := echo.New()
-     e.Debug = true
+ import (
+     "os"
+     "github.com/labstack/echo/v4"
+ )
+ 
+ func main() {
+     e := echo.New()
+     e.Debug = os.Getenv("ECHO_DEBUG") == "true"
      e.GET("/api/users", getUsers)
      e.Start(":8080")
  }
  
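Review bot: the error returned by `e.Start(":8080")` is discarded, so a failure to bind the port goes unnoticed; use Echo's idiom `e.Logger.Fatal(e.Start(":8080"))` or check the returned error. Also add a comment on `e.Debug = os.Getenv("ECHO_DEBUG") == "true"` that only the literal `true` enables debug mode, since `1` or `TRUE` silently leaves it off (the safe direction, but surprising to an operator).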
Fiber Debug Mode in Production MEDIUM

Disable Fiber debug output and route printing in production

+3 -2 go
  package main
  
  import "github.com/gofiber/fiber/v2"
  
  func main() {
      app := fiber.New(fiber.Config{
-         EnablePrintRoutes: true,
-         EnableStackTrace:  true,
+         DisableStartupMessage: true,
+         EnablePrintRoutes:     false,
+         Prefork:               true,
      })
      app.Get("/api/users", getUsers)
      app.Listen(":8080")
  }
  
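Review bot: `Prefork: true` is unrelated to the stated fix ("Disable Fiber debug output and route printing"); it changes the server's process model by forking child processes, which is a deployment decision in its own right and should be a separate change. Drop it from this hunk so the change is only `DisableStartupMessage: true` and `EnablePrintRoutes: false`, and since `EnableStackTrace: true` is removed without a replacement line, add a comment that stack traces must stay off in production.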
Gin Debug Mode in Production MEDIUM

Set Gin to release mode in production to suppress debug output

+9 -4 go
  package main
  
- import "github.com/gin-gonic/gin"
- 
- func main() {
-     gin.SetMode(gin.DebugMode)
+ import (
+     "os"
+     "github.com/gin-gonic/gin"
+ )
+ 
+ func main() {
+     if os.Getenv("GIN_MODE") == "" {
+         gin.SetMode(gin.ReleaseMode)
+     }
      r := gin.Default()
      r.GET("/api/users", getUsers)
      r.Run(":8080")
  }
  
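Review bot: the `if os.Getenv("GIN_MODE") == ""` guard needs a comment explaining its intent: Gin reads `GIN_MODE` itself, so the guard keeps release mode as the default when the variable is unset while still letting the environment select another mode explicitly. Without that comment a reader may "simplify" it to an unconditional `gin.SetMode(gin.ReleaseMode)` and silently override the environment. Also `r.Run(":8080")` discards its error; use `log.Fatal(r.Run(":8080"))` or check the returned error.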
Debug Mode Enabled in Production MEDIUM

Use environment variables for debug configuration instead of hardcoded flags

+6 -2 javascript
- const DEBUG = true;
- app.use(morgan('dev'));
+ const DEBUG = process.env.DEBUG === 'true';
+ const isProduction = process.env.NODE_ENV === 'production';
+ 
+ if (!isProduction) {
+   app.use(morgan('dev'));
+ }
  
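Review bot: `DEBUG` is declared but not used anywhere in the hunk; the `morgan` logger is gated on `NODE_ENV` instead, so there are now two independent switches (`DEBUG` and `NODE_ENV`) for one concern. Either gate the logger on `DEBUG` as well or drop the constant if nothing else reads it. Note also that `process.env.DEBUG` is the variable the widely used `debug` npm package reads for namespace patterns such as `app:*`; a value like that never satisfies `=== 'true'`, so a differently named variable (for example `APP_DEBUG`) avoids the collision.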
4 Warning Signs

What to look for during code review

These patterns indicate potential Active Debug Code vulnerabilities. Look for them during code reviews and security audits.

🟠 Flask applications running with debug mode enabled (rule: flask-debug-mode-production)
🟡 Debug flag at line ... is hardcoded to true (rule: javascript-debug-mode-production)
🟡 Hardcoded debug flags that expose sensitive information or enable debugging features in production (rule: javascript-debug-mode-production)
🔴 Django applications with DEBUG = True in settings (rule: django-debug-mode-production)
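The warning signs above are all of the form "a debug switch is hardcoded to true rather than read from the environment". The following added example (my own code, not Shoulder's rules or CLI) shows the minimal detection logic behind such a check, run over constructed sample files: one regex per sign, comment lines skipped, and environment-driven forms like `os.getenv(...)` or `process.env.DEBUG === 'true'` deliberately not matched. The `flask-`, `javascript-` and `django-debug-mode-production` ids are the ones listed on this page; the `gin-`, `echo-` and `fiber-` ids are hypothetical names chosen here to cover the Go fixes shown earlier.

```python
"""Toy scanner for hardcoded debug flags (added example; not Shoulder's own rules)."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    text: str


# One regex per warning sign. The flask/javascript/django ids are the ones the
# page lists; the gin/echo/fiber ids are hypothetical names chosen here.
RULES = {
    "django-debug-mode-production": re.compile(r"^\s*DEBUG\s*=\s*True\b"),
    "flask-debug-mode-production": re.compile(r"\.run\([^)]*\bdebug\s*=\s*True\b"),
    "javascript-debug-mode-production": re.compile(r"\b(?:const|let|var)\s+DEBUG\s*=\s*true\b"),
    "gin-debug-mode-production": re.compile(r"gin\.SetMode\(\s*gin\.DebugMode\s*\)"),
    "echo-debug-mode-production": re.compile(r"\.Debug\s*=\s*true\b"),
    "fiber-debug-mode-production": re.compile(r"\bEnablePrintRoutes\s*:\s*true\b"),
}


def _is_comment(line: str) -> bool:
    """Skip whole-line comments so commented-out flags are not reported."""
    stripped = line.lstrip()
    return stripped.startswith("#") or stripped.startswith("//")


def find_active_debug(source: str) -> List[Finding]:
    """Return every line that hardcodes a debug switch to true.

    Values read from the environment (os.getenv, process.env, os.Getenv)
    never match because each regex requires the literal true/True.
    """
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if _is_comment(line):
            continue
        for rule, pattern in RULES.items():
            if pattern.search(line):
                findings.append(Finding(rule, lineno, line.strip()))
    return findings


def scan_files(files: Dict[str, str]) -> Dict[str, List[Finding]]:
    """Scan an in-memory {filename: source} mapping."""
    return {name: find_active_debug(src) for name, src in files.items()}


# Constructed sample sources: two hardcoded flags, one commented-out flag,
# and the environment-driven forms used by the fixes on this page.
SAMPLES = {
    "settings.py": "SECRET_KEY = 'dev'\nDEBUG = True\nALLOWED_HOSTS = ['*']\n",
    "app.py": (
        "from flask import Flask\n"
        "app = Flask(__name__)\n"
        "if __name__ == '__main__':\n"
        "    app.run(debug=True)\n"
    ),
    "server.js": (
        "// const DEBUG = true;\n"
        "const DEBUG = process.env.DEBUG === 'true';\n"
    ),
    "main.go": (
        "func main() {\n"
        "\tgin.SetMode(gin.DebugMode)\n"
        "\te.Debug = os.Getenv(\"ECHO_DEBUG\") == \"true\"\n"
        "}\n"
    ),
}


if __name__ == "__main__":
    for name, findings in scan_files(SAMPLES).items():
        for f in findings:
            print(f"{name}:{f.line}: {f.rule}: {f.text}")
```

Running the block reports `settings.py:2`, `app.py:4` and `main.go:2`; `server.js` is clean because its only literal `true` sits in a comment and the live line reads the flag from the environment. A real scanner would parse the source instead of matching lines, but the property worth checking in review is the same one this encodes: the switch must come from configuration, never from a literal in the code.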
Scan your code for Active Debug Code

Shoulder CLI finds vulnerable patterns across your entire codebase.