测试版 Shoulder 目前处于测试阶段 — 结果有时可能不正确。您的反馈塑造我们接下来要修复的内容。 分享反馈
Shoulder.dev

开发者威胁情报
🐛

Active Debug Code

🛡️ 6 条规则检测到此问题

Active Debug Code

The product is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or information leaks.

Debug code is often written to allow easier testing and debugging. This code is not intended to be shipped to production but is sometimes inadvertently left in the product. Debug code often exposes information about the product's internal structure or creates additional attack surface.

普遍性
频繁被利用
影响
关键
1 条严重级别为关键的规则
预防
已记录
6 个修复示例
2 预防
2 预防

如何修复此漏洞

基于 6 条 Shoulder 检测规则的 Active Debug Code 预防策略。

🐍 Python 查看全部 Python 详情 →
Django Debug Mode in Production CRITICAL

Load DEBUG from environment variables, defaulting to False in production

+4 -2 python 
  # settings.py
- DEBUG = True
- ALLOWED_HOSTS = ['*']
+ import os
+ 
+ DEBUG = os.getenv('DJANGO_DEBUG', 'False').lower() == 'true'
+ ALLOWED_HOSTS = os.getenv('ALLOWED_HOSTS', '').split(',')
Flask Debug Mode in Production HIGH

Load Flask debug mode from environment variables, defaulting to False

+8 -6 python 
- from flask import Flask
- 
- app = Flask(__name__)
- 
- if __name__ == '__main__':
-     app.run(debug=True)
+ import os
+ from flask import Flask
+ 
+ app = Flask(__name__)
+ 
+ if __name__ == '__main__':
+     debug = os.getenv('FLASK_DEBUG', 'False').lower() == 'true'
+     app.run(debug=debug)
🐹 Go 查看全部 Go 详情 →
Echo Debug Mode in Production MEDIUM

Disable Echo debug mode in production to prevent stack trace exposure

+8 -5 go 
  package main
  
- import "github.com/labstack/echo/v4"
- 
- func main() {
-     e := echo.New()
-     e.Debug = true
+ import (
+     "os"
+     "github.com/labstack/echo/v4"
+ )
+ 
+ func main() {
+     e := echo.New()
+     e.Debug = os.Getenv("ECHO_DEBUG") == "true"
      e.GET("/api/users", getUsers)
      e.Start(":8080")
  }
Fiber Debug Mode in Production MEDIUM

Disable Fiber debug output and route printing in production

+3 -2 go 
  package main
  
  import "github.com/gofiber/fiber/v2"
  
  func main() {
      app := fiber.New(fiber.Config{
-         EnablePrintRoutes: true,
-         EnableStackTrace:  true,
+         DisableStartupMessage: true,
+         EnablePrintRoutes:     false,
+         Prefork:               true,
      })
      app.Get("/api/users", getUsers)
      app.Listen(":8080")
  }
Gin Debug Mode in Production MEDIUM

Set Gin to release mode in production to suppress debug output

+9 -4 go 
  package main
  
- import "github.com/gin-gonic/gin"
- 
- func main() {
-     gin.SetMode(gin.DebugMode)
+ import (
+     "os"
+     "github.com/gin-gonic/gin"
+ )
+ 
+ func main() {
+     if os.Getenv("GIN_MODE") == "" {
+         gin.SetMode(gin.ReleaseMode)
+     }
      r := gin.Default()
      r.GET("/api/users", getUsers)
      r.Run(":8080")
  }
🟨 JavaScript 查看全部 JavaScript 详情 →
Debug Mode Enabled in Production MEDIUM

Use environment variables for debug configuration instead of hardcoded flags

+6 -2 javascript 
- const DEBUG = true;
- app.use(morgan('dev'));
+ const DEBUG = process.env.DEBUG === 'true';
+ const isProduction = process.env.NODE_ENV === 'production';
+ 
+ if (!isProduction) {
+   app.use(morgan('dev'));
+ }
4 警告信号
4 警告信号

代码审查中需要关注的内容

这些模式表明潜在的Active Debug Code漏洞。在代码审查和安全审计中注意查找。

🟠
Flask applications running with debug mode enabled flask-debug-mode-production
🟡
Debug flag at line ... is hardcoded to true javascript-debug-mode-production
🟡
hardcoded debug flags that expose sensitive information or enable debugging features in production javascript-debug-mode-production
🔴
Django applications with DEBUG = True in settings django-debug-mode-production
🔍

扫描你的代码库: Active Debug Code

Shoulder CLI 在整个代码库中找到易受攻击的模式。

npx shoulder trust 浏览所有规则