# Active Debug Code (CWE-489) The product is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or information leaks. **Stack:** Python - Prevalence: Wysoka Często wykorzystywana - Impact: Krytyczny 1 reguł o krytycznym poziomie - Prevention: Udokumentowane 6 przykładów poprawek **OWASP:** Security Misconfiguration (A05:2021-Security Misconfiguration) - #5 ## Description Debug code is often written to allow easier testing and debugging. This code is not intended to be shipped to production but is sometimes inadvertently left in the product. Debug code often exposes information about the product's internal structure or creates additional attack surface. ## Prevention Strategie zapobiegania dla Active Debug Code oparte na 2 regułach detekcji Shoulder. ### Python Load DEBUG from environment variables, defaulting to False in production Load Flask debug mode from environment variables, defaulting to False ## Warning Signs - [HIGH] Flask applications running with debug mode enabled - [CRITICAL] Django applications with DEBUG = True in settings ## Consequences - Odczyt danych aplikacji - Obejście mechanizmu ochrony - Wykonanie nieautoryzowanego kodu ## Mitigations - Usuń kod debugujący przed wdrożeniem produktu na produkcję - Stosuj konfiguracje build, które automatycznie wykluczają kod debugowy z buildów produkcyjnych - Przed wydaniem audytuj kod pod kątem endpointów debugowych i tylnych furtek ## Detection - Total rules: 6 - Critical: 1 - Languages: python, go, javascript, typescript ## Rules by Language ### Python (2 rules) - **Django Debug Mode in Production** [CRITICAL]: Detects Django applications with DEBUG = True in settings. Debug mode exposes sensitive information including settings, environment variables, SQL queries, and stack traces. This must NEVER be enabled in production. - Remediation: Load DEBUG from environment variables, defaulting to False. ```python import os DEBUG = os.getenv('DJANGO_DEBUG', 'False').lower() == 'true' ALLOWED_HOSTS = ['example.com', 'www.example.com'] ``` Learn more: https://shoulder.dev/learn/python/cwe-489/debug-mode - **Flask Debug Mode in Production** [HIGH]: Detects Flask applications running with debug mode enabled. Debug mode exposes sensitive information, allows code execution through the interactive debugger, and should NEVER be enabled in production. - Remediation: Load debug mode from environment variables, defaulting to False. ```python import os from flask import Flask app = Flask(__name__) if __name__ == '__main__': debug = os.getenv('FLASK_DEBUG', 'False').lower() == 'true' app.run(debug=debug) ``` Learn more: https://shoulder.dev/learn/python/cwe-489/debug-mode