Information Exposure via FastAPI Debug Mode

PY524

information_exposure

CWE-215

⛔️ Error

🔒 Professional Plan

---

Running FastAPI in debug mode poses several security risks:

1. Detailed Error Messages: Debug mode exposes detailed error traces, which can reveal sensitive information about your application, such as file paths, environment variables, or secret keys.
2. Auto-reload: While useful in development, this feature can inadvertently expose code changes or sensitive data if the server is not properly secured.
3. Increased Attack Surface: Debug mode may expose endpoints or features that are not intended for production, making the application more vulnerable to attacks.
4. Performance Overhead: Debug mode can lead to increased resource usage, making the application slower and potentially exposing performance-related vulnerabilities.

Example

---

Error

from fastapi import FastAPI

app = FastAPI(debug=True)

@app.get("/")
async def read_root():
    return {"Hello": "World"}

@app.get("/items/{item_id}")
async def read_item(item_id: int, q: str = None):
    return {"item_id": item_id, "q": q}

if __name__ == "__main__":
    import uvicorn
    uvicorn.run(app, host="127.0.0.1", port=8000)

Remediation

---

fix

To avoid this vulnerability, never enable debug mode in production environments. Also ensure that sensitive information is stored securely and not exposed through logs or error messages. Finally, implement proper access controls and firewall rules to restrict who can access the development environment.

from fastapi import FastAPI

app = FastAPI()

@app.get("/")
async def read_root():
    return {"Hello": "World"}

@app.get("/items/{item_id}")
async def read_item(item_id: int, q: str = None):
    return {"item_id": item_id, "q": q}

if __name__ == "__main__":
    import uvicorn
    uvicorn.run(app, host="127.0.0.1", port=8000)

False Positives

---

In the case of a false positive the rule can be suppressed. Simply add a trailing or preceding comment line with either the rule ID (PY524) or rule category name (information_exposure).

Using rule ID

fix

from fastapi import FastAPI

# suppress: PY524
app = FastAPI(debug=True)

@app.get("/")
async def read_root():
    return {"Hello": "World"}

@app.get("/items/{item_id}")
async def read_item(item_id: int, q: str = None):
    return {"item_id": item_id, "q": q}

if __name__ == "__main__":
    import uvicorn
    uvicorn.run(app, host="127.0.0.1", port=8000)

Using category name

fix

from fastapi import FastAPI

# suppress: information_exposure
app = FastAPI(debug=True)

@app.get("/")
async def read_root():
    return {"Hello": "World"}

@app.get("/items/{item_id}")
async def read_item(item_id: int, q: str = None):
    return {"item_id": item_id, "q": q}

if __name__ == "__main__":
    import uvicorn
    uvicorn.run(app, host="127.0.0.1", port=8000)

See also

---

info

• FastAPI class - FastAPI
• CWE-215: Insertion of Sensitive Information Into Debugging Code