Information Exposure via FastAPI Debug Mode

PY524
information_exposure
CWE-215
⛔️ Error
🔒 Professional Plan

Running FastAPI in debug mode poses several security risks:

  1. Detailed Error Messages: In debug mode, unhandled exceptions return the full traceback to the client in the HTTP 500 response, which can reveal sensitive information about your application, such as file paths, environment variables, or secret keys.
  2. Auto-reload: While useful in development, this feature can inadvertently expose code changes or sensitive data if the server is not properly secured.
  3. Increased Attack Surface: Debug mode may expose endpoints or features that are not intended for production, making the application more vulnerable to attacks.
  4. Performance Overhead: Debug mode can lead to increased resource usage, making the application slower and potentially exposing performance-related vulnerabilities.

Example

from fastapi import FastAPI

# Vulnerable: debug=True turns on Starlette's debug middleware, which
# sends full tracebacks to the client on unhandled errors.
app = FastAPI(debug=True)

@app.get("/")
async def read_root():
    return {"Hello": "World"}

@app.get("/items/{item_id}")
async def read_item(item_id: int, q: str = None):
    return {"item_id": item_id, "q": q}

if __name__ == "__main__":
    import uvicorn
    uvicorn.run(app, host="127.0.0.1", port=8000)

Remediation

To avoid this vulnerability, never enable debug mode in production environments. Also ensure that sensitive information is stored securely and not exposed through logs or error messages. Finally, implement proper access controls and firewall rules to restrict who can access the development environment.

from fastapi import FastAPI

# Fixed: debug defaults to False, so unhandled errors return a generic
# 500 response instead of a traceback.
app = FastAPI()

@app.get("/")
async def read_root():
    return {"Hello": "World"}

@app.get("/items/{item_id}")
async def read_item(item_id: int, q: str = None):
    return {"item_id": item_id, "q": q}

if __name__ == "__main__":
    import uvicorn
    uvicorn.run(app, host="127.0.0.1", port=8000)
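Hard-coding debug=False is the simplest fix, but teams often want debug output in local development. The following added example (not code from the rule page) shows a fail-closed way to derive the flag from the environment: debug is off unless it is explicitly requested outside production, and a debug request in production is refused at startup rather than silently honoured. The variable names APP_ENV and APP_DEBUG are assumptions for this example.

```python
import os
from typing import Mapping

# Constructed example: environment-driven debug flag for FastAPI(debug=...).
# APP_ENV and APP_DEBUG are assumed variable names, not a FastAPI convention.
TRUTHY = {"1", "true", "yes", "on"}


def resolve_debug(env: Mapping[str, str]) -> bool:
    """Return the value to pass as FastAPI(debug=...).

    Fail closed: with no configuration at all the result is False, and the
    environment is treated as production unless APP_ENV says otherwise.
    """
    environment = env.get("APP_ENV", "production").strip().lower()
    requested = env.get("APP_DEBUG", "").strip().lower() in TRUTHY
    if environment == "production":
        if requested:
            # A debug request in production is a misconfiguration; refuse to
            # start instead of shipping tracebacks to clients.
            raise RuntimeError("APP_DEBUG is set but APP_ENV=production; refusing to start")
        return False
    return requested


def create_app():
    """Build the application; FastAPI is imported here so the helper above
    can be tested without the framework installed."""
    from fastapi import FastAPI

    app = FastAPI(debug=resolve_debug(os.environ))

    @app.get("/")
    async def read_root():
        return {"Hello": "World"}

    return app


if __name__ == "__main__":
    import uvicorn

    uvicorn.run(create_app(), host="127.0.0.1", port=8000)
```

With this pattern a container that forgets to set APP_ENV still runs with debug off, and a deployment that sets APP_DEBUG=1 against a production environment fails its health check at startup, where the mistake is visible, rather than in an error response to a user.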

False Positives

In the case of a false positive the rule can be suppressed. Simply add a trailing or preceding comment line with either the rule ID (PY524) or rule category name (information_exposure).

from fastapi import FastAPI

# suppress: PY524
app = FastAPI(debug=True)

@app.get("/")
async def read_root():
    return {"Hello": "World"}

@app.get("/items/{item_id}")
async def read_item(item_id: int, q: str = None):
    return {"item_id": item_id, "q": q}

if __name__ == "__main__":
    import uvicorn
    uvicorn.run(app, host="127.0.0.1", port=8000)
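To make concrete what a rule like this has to do, here is an added example of a minimal AST-based check for the same pattern, including the suppression behaviour described above. It is illustrative code written for this page, not the scanner's own implementation: it resolves `from fastapi import FastAPI` (with aliases) and `fastapi.FastAPI`, flags calls that pass the literal `debug=True`, and skips a finding when a trailing or preceding comment names the rule ID or category. The sample sources it scans are constructed inline.

```python
import ast
import io
import tokenize
from typing import List, Set, Tuple

RULE_ID = "PY524"
RULE_CATEGORY = "information_exposure"


def _suppressed_lines(source: str) -> Set[int]:
    """Line numbers covered by a `suppress:` comment naming this rule.

    A comment covers its own line (trailing form) and the next line
    (preceding form), matching the documented suppression syntax.
    """
    suppressed: Set[int] = set()
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type == tokenize.COMMENT and "suppress:" in tok.string:
            names = tok.string.split("suppress:", 1)[1]
            tags = {t.strip() for t in names.replace(",", " ").split()}
            if RULE_ID in tags or RULE_CATEGORY in tags:
                suppressed.update({tok.start[0], tok.start[0] + 1})
    return suppressed


def _is_fastapi_ctor(call: ast.Call, local_names: Set[str]) -> bool:
    """True for `FastAPI(...)` (or an import alias) and `fastapi.FastAPI(...)`."""
    func = call.func
    if isinstance(func, ast.Name):
        return func.id in local_names
    if isinstance(func, ast.Attribute):
        return (func.attr == "FastAPI" and isinstance(func.value, ast.Name)
                and func.value.id == "fastapi")
    return False


def find_debug_mode(source: str) -> List[Tuple[int, str]]:
    """Return (line, message) findings for FastAPI(debug=True) not suppressed."""
    tree = ast.parse(source)
    # Collect the local names FastAPI is imported under, so `as App` is caught.
    local_names: Set[str] = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module == "fastapi":
            for alias in node.names:
                if alias.name == "FastAPI":
                    local_names.add(alias.asname or alias.name)
    suppressed = _suppressed_lines(source)
    findings: List[Tuple[int, str]] = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and _is_fastapi_ctor(node, local_names)):
            continue
        for kw in node.keywords:
            # Only the literal True is flagged; a variable such as settings.debug
            # cannot be judged statically and is left alone.
            if (kw.arg == "debug" and isinstance(kw.value, ast.Constant)
                    and kw.value.value is True and node.lineno not in suppressed):
                findings.append((node.lineno, f"{RULE_ID}: FastAPI debug mode enabled"))
    return findings


# Constructed sample sources for the check.
VULNERABLE = "from fastapi import FastAPI\napp = FastAPI(debug=True)\n"
SUPPRESSED = "from fastapi import FastAPI\n\n# suppress: PY524\napp = FastAPI(debug=True)\n"
ALIASED_TRAILING = ("from fastapi import FastAPI as App\n"
                    "app = App(debug=True)  # suppress: information_exposure\n")
CLEAN = "from fastapi import FastAPI\napp = FastAPI()\n"

if __name__ == "__main__":
    for label, src in [("vulnerable", VULNERABLE), ("suppressed", SUPPRESSED),
                       ("aliased", ALIASED_TRAILING), ("clean", CLEAN)]:
        print(label, find_debug_mode(src))
```

The check deliberately flags only the literal `True`; a value computed at runtime cannot be judged statically, which is also why the environment-driven configuration pattern keeps the hard-coded literal out of the source.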
