BETA O Shoulder está em beta — Os resultados às vezes podem estar incorretos. Seu feedback molda o que corrigimos a seguir. Compartilhar feedback
🐛

Active Debug Code

🛡️ 6 regras detectam isto

Active Debug Code

The product is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or information leaks.

Debug code is often written to allow easier testing and debugging. This code is not intended to be shipped to production but is sometimes inadvertently left in the product. Debug code often exposes information about the product's internal structure or creates additional attack surface.

Prevalência
Alta
Frequentemente explorada
Impacto
Crítico
1 regras de severidade crítica
Prevenção
Documentada
6 exemplos de correção
2 Prevenção
2 Prevenção

Como corrigir esta vulnerabilidade

Estratégias de prevenção para Active Debug Code baseadas em 6 regras de detecção do Shoulder.

Django Debug Mode in Production CRITICAL

Load DEBUG from environment variables, defaulting to False in production

+4 -2 python
  # settings.py
- DEBUG = True
- ALLOWED_HOSTS = ['*']
+ import os
+ 
+ DEBUG = os.getenv('DJANGO_DEBUG', 'False').lower() == 'true'
+ ALLOWED_HOSTS = os.getenv('ALLOWED_HOSTS', '').split(',')
  
Flask Debug Mode in Production HIGH

Load Flask debug mode from environment variables, defaulting to False

+8 -6 python
- from flask import Flask
- 
- app = Flask(__name__)
- 
- if __name__ == '__main__':
-     app.run(debug=True)
+ import os
+ from flask import Flask
+ 
+ app = Flask(__name__)
+ 
+ if __name__ == '__main__':
+     debug = os.getenv('FLASK_DEBUG', 'False').lower() == 'true'
+     app.run(debug=debug)
  
Echo Debug Mode in Production MEDIUM

Disable Echo debug mode in production to prevent stack trace exposure

+8 -5 go
  package main
  
- import "github.com/labstack/echo/v4"
- 
- func main() {
-     e := echo.New()
-     e.Debug = true
+ import (
+     "os"
+     "github.com/labstack/echo/v4"
+ )
+ 
+ func main() {
+     e := echo.New()
+     e.Debug = os.Getenv("ECHO_DEBUG") == "true"
      e.GET("/api/users", getUsers)
      e.Start(":8080")
  }
  
Fiber Debug Mode in Production MEDIUM

Disable Fiber debug output and route printing in production

+3 -2 go
  package main
  
  import "github.com/gofiber/fiber/v2"
  
  func main() {
      app := fiber.New(fiber.Config{
-         EnablePrintRoutes: true,
-         EnableStackTrace:  true,
+         DisableStartupMessage: true,
+         EnablePrintRoutes:     false,
+         Prefork:               true,
      })
      app.Get("/api/users", getUsers)
      app.Listen(":8080")
  }
  
Gin Debug Mode in Production MEDIUM

Set Gin to release mode in production to suppress debug output

+9 -4 go
  package main
  
- import "github.com/gin-gonic/gin"
- 
- func main() {
-     gin.SetMode(gin.DebugMode)
+ import (
+     "os"
+     "github.com/gin-gonic/gin"
+ )
+ 
+ func main() {
+     if os.Getenv("GIN_MODE") == "" {
+         gin.SetMode(gin.ReleaseMode)
+     }
      r := gin.Default()
      r.GET("/api/users", getUsers)
      r.Run(":8080")
  }
  
Debug Mode Enabled in Production MEDIUM

Use environment variables for debug configuration instead of hardcoded flags

+6 -2 javascript
- const DEBUG = true;
- app.use(morgan('dev'));
+ const DEBUG = process.env.DEBUG === 'true';
+ const isProduction = process.env.NODE_ENV === 'production';
+ 
+ if (!isProduction) {
+   app.use(morgan('dev'));
+ }
  
3 Detecção
3 Detecção
4 Sinais de Alerta
4 Sinais de Alerta

O que observar nas revisões de código

Estes padrões indicam vulnerabilidades potenciais de Active Debug Code. Procure-os durante revisões de código e auditorias de segurança.

🟠
Flask applications running with debug mode enabled flask-debug-mode-production
🟡
Debug flag at line ... is hardcoded to true javascript-debug-mode-production
🟡
hardcoded debug flags that expose sensitive information or enable debugging features in production javascript-debug-mode-production
🔴
Django applications with DEBUG = True in settings django-debug-mode-production
🔍

Escaneie seu código para Active Debug Code

O Shoulder CLI encontra padrões vulneráveis em todo o seu código.