Code Injection in Flask App Config
PY507
code_injection
CWE-94
⚠️ Error
Professional Plan
Using the Flask app with debug mode set to True in a production environment is considered bad for several reasons:
- Security Risk: Debug mode provides detailed error pages with stack traces and environment variable information when exceptions occur. This information can reveal sensitive data and application internals to potential attackers.
- Performance Issues: Debug mode may affect the performance of your Flask app. It's designed for development, not optimized for production traffic.
- Automatic Reloading: Flask's debug mode includes a feature that automatically reloads the application when it detects a code change. This is helpful during development but can be disruptive and unpredictable in a production environment.
- Exposes Development Tools: Debug mode can enable interactive debugging tools (like the Werkzeug debugger), which can be a major security vulnerability if exposed publicly.
- Lack of Logging: Relying on debug mode means you might not have proper logging set up, which is essential for monitoring and troubleshooting production applications.
Example
from flask import Flask
app = Flask(__name__)
app.run(debug=True)
Remediation
To avoid this vulnerability, either set the keyword argument debug to False or avoid passing a debug keyword whenever the intended code is for production use.
from flask import Flask
app = Flask(__name__)
app.run(debug=False)
False Positives
In the case of a false positive the rule can be suppressed. Simply add a trailing or preceding comment line with either the rule ID (PY507) or the rule category name (code_injection).
Using rule ID:
from flask import Flask
app = Flask(__name__)
# suppress: PY507
app.run(debug=True)
Using category name:
from flask import Flask
app = Flask(__name__)
# suppress: code_injection
app.run(debug=True)
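The following is an added example, not the analyzer's own implementation: a minimal AST-based check that reproduces what this page describes for PY507 (flag `.run(debug=True)` calls, honor a `# suppress:` comment naming either the rule ID or the category). It assumes "preceding" means the line above and "trailing" means the end of the same line or the line below, and it only recognizes a literal `True`, not a value passed through a variable or environment lookup.

```python
import ast

RULE_ID = "PY507"
CATEGORY = "code_injection"
SUPPRESS_PREFIX = "# suppress:"


def _names_in_suppress(text: str) -> set[str]:
    """Parse '# suppress: PY507, code_injection' into the set of names it lists."""
    idx = text.find(SUPPRESS_PREFIX)
    if idx < 0:
        return set()
    return {n.strip() for n in text[idx + len(SUPPRESS_PREFIX):].split(",")}


def _is_suppressed(lines: list[str], lineno: int) -> bool:
    """lineno is 1-indexed; check the line above, the line itself and the line below."""
    for idx in (lineno - 2, lineno - 1, lineno):
        if 0 <= idx < len(lines):
            names = _names_in_suppress(lines[idx])
            if RULE_ID in names or CATEGORY in names:
                return True
    return False


def _debug_is_literal_true(call: ast.Call) -> bool:
    # Only a literal `debug=True` is matched; non-literal values are not tracked.
    return any(kw.arg == "debug" and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in call.keywords)


def find_debug_run(source: str) -> list[int]:
    """Return 1-indexed line numbers of unsuppressed `<obj>.run(debug=True)` calls."""
    lines = source.splitlines()
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "run" and _debug_is_literal_true(node)
                and not _is_suppressed(lines, node.lineno)):
            findings.append(node.lineno)
    return findings


# Constructed inputs mirroring the page's vulnerable, remediated and suppressed snippets.
VULNERABLE = "from flask import Flask\napp = Flask(__name__)\napp.run(debug=True)\n"
REMEDIATED = "from flask import Flask\napp = Flask(__name__)\napp.run(debug=False)\n"
SUPPRESSED = "from flask import Flask\napp = Flask(__name__)\n# suppress: PY507\napp.run(debug=True)\n"

if __name__ == "__main__":
    print(find_debug_run(VULNERABLE), find_debug_run(REMEDIATED), find_debug_run(SUPPRESSED))
```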