# Active Debug Code (CWE-489)

The product is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or information leaks.

**Stack:** JavaScript

- Prevalence: High (frequently exploited)
- Impact: Critical (1 rule rated at the critical severity level)
- Prevention: 6 fix examples recorded

**OWASP:** Security Misconfiguration (A05:2021-Security Misconfiguration) - #5

## Description

Debug code is often written to allow easier testing and debugging. This code is not intended to be shipped to production but is sometimes inadvertently left in the product. Debug code often exposes information about the product's internal structure or creates additional attack surface.

## Prevention

Active Debug Code prevention strategy, based on 1 Shoulder detection rule.

### JavaScript

Use environment variables for debug configuration instead of hardcoded flags.

## Warning Signs

- [MEDIUM] Debug flag at line ... is hardcoded to true
- [MEDIUM] Hardcoded debug flags that expose sensitive information or enable debugging features in production

## Consequences

- Read application data
- Bypass protection mechanisms
- Execute unauthorized code

## Mitigations

- Remove debug code before deploying the product to production
- Use build configurations that automatically exclude debug code from production builds
- Audit code for debug endpoints and backdoors before release

## Detection

- Total rules: 6
- Critical: 1
- Languages: python, go, javascript, typescript

## Rules by Language

### Javascript (1 rule)

- **Debug Mode Enabled in Production** [MEDIUM]: Detects hardcoded debug flags that expose sensitive information or enable debugging features in production.
  - Remediation: Use environment variables for debug/development mode configuration.

### Typescript (1 rule)

- **Debug Mode Enabled in Production** [MEDIUM]: Detects hardcoded debug flags that expose sensitive information or enable debugging features in production.
  - Remediation: Use environment variables for debug/development mode configuration.