Flask app is run in debug mode¶

ID: py/flask-debug
Kind: problem
Security severity: 7.5
Severity: error
Precision: high
Tags:
   - security
   - external/cwe/cwe-215
   - external/cwe/cwe-489
Query suites:
   - python-code-scanning.qls
   - python-security-extended.qls
   - python-security-and-quality.qls

Click to see the query in the CodeQL repository

Running a Flask application with debug mode enabled may allow an attacker to gain access through the Werkzeug debugger.

Recommendation¶

Ensure that Flask applications that are run in a production environment have debugging disabled.

Example¶

Running the following code starts a Flask webserver that has debugging enabled. By visiting /crash, it is possible to gain access to the debugger, and run arbitrary code through the interactive debugger.

from flask import Flask

app = Flask(__name__)

@app.route('/crash')
def main():
    raise Exception()

app.run(debug=True)

References¶

Flask Quickstart Documentation: Debug Mode.
Werkzeug Documentation: Debugging Applications.
Common Weakness Enumeration: CWE-215.
Common Weakness Enumeration: CWE-489.

© GitHub, Inc.
Terms
Privacy