Information Exposure via FastAPI Debug Mode
PY524
information_exposure
CWE-215
⛔️ Error
🔒 Professional Plan
Running FastAPI with debug enabled (`FastAPI(debug=True)` or `app.debug = True`) poses several security risks:
- Detailed Error Messages: With debug on, any unhandled exception is returned to the client as a full Python traceback (HTML or plain text, depending on the request's Accept header) instead of a generic "Internal Server Error". The traceback reveals absolute file paths, module and function names, the source lines around the failure and the layout of installed libraries, together with any secret that happens to sit in that code or be interpolated into the failing expression.
- Auto-reload: Restarting on file change is a development-server feature (for example uvicorn's reload option) that is usually switched on together with debug mode. A reloading server watches the working tree and executes whatever lands in it; it is meant for a trusted local environment, not an internet-facing host, and if it is reachable it exposes code changes and local data as they happen.
- Increased Attack Surface: Every traceback is free reconnaissance. It tells an attacker which framework and library versions are in use, how a request is routed and validated, and exactly where their input reached the code, which makes follow-on attacks far easier to target. Debug settings also tend to travel with other development-only conveniences that were never meant to reach production.
- Performance Overhead: Formatting and rendering a traceback on every failed request costs more than returning a fixed 500 response, so a client that can trigger errors cheaply can drive up CPU use and make the service easier to exhaust.
Example
from fastapi import FastAPI

# debug=True makes Starlette's error middleware return the full traceback
# of any unhandled exception to the client instead of a generic 500.
app = FastAPI(debug=True)


@app.get("/")
async def read_root():
    return {"Hello": "World"}


@app.get("/items/{item_id}")
async def read_item(item_id: int, q: str | None = None):
    return {"item_id": item_id, "q": q}


if __name__ == "__main__":
    import uvicorn

    uvicorn.run(app, host="127.0.0.1", port=8000)
Remediation
To avoid this vulnerability, never enable debug mode in production. Leave debug at its default of False, or drive it from deployment configuration that defaults to off and cannot be switched on in a production environment; do not hard-code debug=True in the application module. Unhandled exceptions then produce a generic 500 response while the full traceback still goes to the server log, so keep secrets out of logs and error messages and load them from a secrets manager or the environment rather than from source. Finally, put access controls and firewall rules in front of any environment where debug mode is legitimately enabled, so that only developers can reach it.
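The following is an added example, not code from the rule page or from FastAPI itself, that puts the remediation above into practice and also makes the leak described in the risk list observable. The debug flag is derived from two hypothetical environment variables, APP_ENV and APP_DEBUG (names chosen for this example), with a strict boolean parser: a naive `bool(os.environ["APP_DEBUG"])` would treat the string "False" as true. Debug is refused outright whenever the environment is production, whatever APP_DEBUG says. The `error_body` helper uses FastAPI's TestClient to hit a route that raises and returns the 500 body, so you can see the traceback appear and disappear with the flag. FastAPI is imported inside the factory on purpose, so the configuration logic can be unit-tested without the web stack installed.

```python
"""Added example: keep FastAPI's debug flag out of production.

APP_ENV and APP_DEBUG are hypothetical variable names used only here.
"""
from __future__ import annotations

import importlib.util
import os

_TRUE = {"1", "true", "yes", "on"}
_FALSE = {"0", "false", "no", "off", ""}


def parse_bool(raw: str | None) -> bool:
    """Strictly parse a boolean from an environment string.

    bool("False") is True in Python, so a naive truthiness test on an
    environment variable would enable debug mode from the string
    "False". Only explicit true/false spellings are accepted; anything
    else is a configuration error and raises.
    """
    if raw is None:
        return False
    value = raw.strip().lower()
    if value in _TRUE:
        return True
    if value in _FALSE:
        return False
    raise ValueError(f"not a boolean: {raw!r}")


def debug_enabled(env: dict[str, str]) -> bool:
    """Decide whether debug tracebacks may be enabled.

    Debug is opt-in (APP_DEBUG defaults to false) and APP_ENV defaults
    to production, where debug is refused regardless of APP_DEBUG.
    """
    if env.get("APP_ENV", "production").strip().lower() == "production":
        return False
    return parse_bool(env.get("APP_DEBUG"))


def test_stack_available() -> bool:
    """True if fastapi and httpx (needed by TestClient) are importable."""
    return all(importlib.util.find_spec(m) is not None for m in ("fastapi", "httpx"))


def create_app(env: dict[str, str]):
    """Application factory; FastAPI is imported here so the configuration
    logic above stays testable without the web stack installed."""
    from fastapi import FastAPI

    app = FastAPI(debug=debug_enabled(env))

    @app.get("/")
    async def read_root():
        return {"Hello": "World"}

    @app.get("/boom")
    async def boom():
        # Unhandled exception: what the client sees depends on app.debug.
        raise RuntimeError("simulated failure")

    return app


def error_body(env: dict[str, str]) -> str:
    """Request /boom and return the 500 response body.

    With debug on, the body is the full Python traceback; with debug off
    it is the fixed string "Internal Server Error" and the traceback only
    reaches the server log.
    """
    from fastapi.testclient import TestClient

    client = TestClient(create_app(env), raise_server_exceptions=False)
    return client.get("/boom").text


if __name__ == "__main__":
    import uvicorn

    uvicorn.run(create_app(dict(os.environ)), host="127.0.0.1", port=8000)
```

Run it with `APP_ENV=development APP_DEBUG=1` and request `/boom` to see the traceback; with APP_ENV unset or set to production the same request returns only "Internal Server Error". Because `parse_bool` raises on unrecognised values, a typo such as `APP_DEBUG=ture` fails at startup rather than silently picking a side.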
from fastapi import FastAPI

# debug defaults to False: an unhandled exception yields a generic
# "Internal Server Error" response and the traceback goes to the server log.
app = FastAPI()


@app.get("/")
async def read_root():
    return {"Hello": "World"}


@app.get("/items/{item_id}")
async def read_item(item_id: int, q: str | None = None):
    return {"item_id": item_id, "q": q}


if __name__ == "__main__":
    import uvicorn

    uvicorn.run(app, host="127.0.0.1", port=8000)
False Positives
In the case of a false positive the rule can be suppressed. Simply add a trailing or preceding comment line with either the rule ID (PY524) or the rule category name (information_exposure). Suppress the finding only when debug mode is guaranteed to stay off in production, for example in a file that is used exclusively by a development harness; suppressing it does not make a debug-enabled deployment safe.
Using rule ID:
from fastapi import FastAPI

# suppress: PY524
app = FastAPI(debug=True)


@app.get("/")
async def read_root():
    return {"Hello": "World"}


@app.get("/items/{item_id}")
async def read_item(item_id: int, q: str | None = None):
    return {"item_id": item_id, "q": q}


if __name__ == "__main__":
    import uvicorn

    uvicorn.run(app, host="127.0.0.1", port=8000)
Using category name:
from fastapi import FastAPI

# suppress: information_exposure
app = FastAPI(debug=True)


@app.get("/")
async def read_root():
    return {"Hello": "World"}


@app.get("/items/{item_id}")
async def read_item(item_id: int, q: str | None = None):
    return {"item_id": item_id, "q": q}


if __name__ == "__main__":
    import uvicorn

    uvicorn.run(app, host="127.0.0.1", port=8000)