Information Exposure via FastAPI Debug Mode

📐 PY524
🏷️ information_exposure
ℹ️ CWE-215
⛔️ Error
🔒 Professional Plan

Running FastAPI with debug=True poses several security risks:

  1. Detailed error messages: FastAPI forwards the flag to Starlette, whose error middleware then answers any unhandled exception with the full Python traceback (HTML for browser clients, plain text for everything else) instead of a bare "Internal Server Error". The traceback reveals absolute file paths, the source lines around each frame, the package versions implied by site-packages paths, and whatever text the exception message carries, which is frequently a connection string, a query, or a token.
  2. Auto-reload: debug=True does not itself turn on reloading, which is a server option such as uvicorn's --reload, but the two are routinely enabled together during development. Left on in production, the server restarts whenever a watched file changes, so a file written into the application directory is picked up and executed without a deploy.
  3. Increased attack surface: the traceback page is effectively an unauthenticated endpoint that any client can reach by sending input that makes a handler raise. Each distinct failure maps a little more of the code base and its environment, turning ordinary input-validation gaps into reconnaissance.
  4. Performance overhead: collecting frames and source context for every unhandled exception costs more than returning a fixed body, and because the attacker chooses how often handlers fail, that extra work is under their control.

Example

from fastapi import FastAPI

# debug=True is forwarded to Starlette's error middleware: unhandled
# exceptions are returned to the client as full tracebacks.
app = FastAPI(debug=True)

@app.get("/")
async def read_root():
    return {"Hello": "World"}

@app.get("/items/{item_id}")
async def read_item(item_id: int, q: str = None):
    return {"item_id": item_id, "q": q}

if __name__ == "__main__":
    import uvicorn
    uvicorn.run(app, host="127.0.0.1", port=8000)

Remediation

To avoid this vulnerability, never enable debug mode in production. Rather than hard-coding the flag, derive it from configuration that defaults to off, so a production deployment cannot switch it on by accident. Keep secrets out of exception messages and logs, since an unhandled exception's message is exactly what the debug page (and your log pipeline) reproduce. Finally, restrict network access to development instances with access controls and firewall rules, because a development server with debug enabled is often reachable more widely than intended.

from fastapi import FastAPI

# debug defaults to False: unhandled exceptions produce a plain
# "Internal Server Error" response with no traceback.
app = FastAPI()

@app.get("/")
async def read_root():
    return {"Hello": "World"}

@app.get("/items/{item_id}")
async def read_item(item_id: int, q: str = None):
    return {"item_id": item_id, "q": q}

if __name__ == "__main__":
    import uvicorn
    uvicorn.run(app, host="127.0.0.1", port=8000)

False Positives

In the case of a false positive the rule can be suppressed. Simply add a trailing or preceding comment line with either the rule ID (PY524) or rule category name (information_exposure).

from fastapi import FastAPI

# suppress: PY524
app = FastAPI(debug=True)

@app.get("/")
async def read_root():
    return {"Hello": "World"}

@app.get("/items/{item_id}")
async def read_item(item_id: int, q: str = None):
    return {"item_id": item_id, "q": q}

if __name__ == "__main__":
    import uvicorn
    uvicorn.run(app, host="127.0.0.1", port=8000)

See also