codeql/python/ql/src/Security/CWE-215/FlaskDebug.qhelp at sauyon/java-spring-stringutils · ByteDecoder/codeql · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
     <overview>
          <p>
              Running a Flask application with debug mode enabled may allow an
              attacker to gain access through the Werkzeug debugger.
          </p>

     </overview>
     <recommendation>

          <p>
               Ensure that Flask applications that are run in a production
               environment have debugging disabled.
          </p>

     </recommendation>
     <example>

          <p>
            Running the following code starts a Flask webserver that has
            debugging enabled. By visiting <code>/crash</code>, it is possible
            to gain access to the debugger, and run arbitrary code through the
            interactive debugger.
          </p>

          <sample src="FlaskDebug.py" />

     </example>

     <references>
       <li>Flask Quickstart Documentation: <a href="http://flask.pocoo.org/docs/1.0/quickstart/#debug-mode">Debug Mode</a>.</li>
       <li>Werkzeug Documentation: <a href="http://werkzeug.pocoo.org/docs/0.14/debug/">Debugging Applications</a>.</li>
     </references>

</qhelp>