Flask app is run in debug mode

ID: py/flask-debug
Kind: problem
Security severity: 7.5
Severity: error
Precision: high
Tags:
- security
- external/cwe/cwe-215
- external/cwe/cwe-489
Query suites:
- python-code-scanning.qls
- python-security-extended.qls
- python-security-and-quality.qls
Running a Flask application with debug mode enabled may allow an attacker to gain access through the Werkzeug debugger.
Recommendation
Ensure that Flask applications that are run in a production environment have debugging disabled.
Example

Running the following code starts a Flask web server that has debugging enabled. By visiting /crash, it is possible to gain access to the debugger and run arbitrary code through the interactive debugger.

```python
from flask import Flask

app = Flask(__name__)


@app.route('/crash')
def main():
    # Any unhandled exception brings up the interactive Werkzeug debugger
    raise Exception()


# debug=True enables the Werkzeug debugger; this is the setting the query flags
app.run(debug=True)
```
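The query above flags the `debug=True` argument at the `app.run(...)` call. The following is an added example, not part of the CodeQL query or the Flask project: a small stdlib-only checker built on Python's `ast` module that finds `.run(...)` calls with a truthy constant `debug` keyword, run over two constructed snippets. The first snippet is the vulnerable code from this page; the second is a hardened variant that follows the recommendation by defaulting debug to off and only enabling it when an operator sets an environment variable (the `FLASK_DEBUG == "1"` convention is an assumption of this example, not a Flask API guarantee).

```python
import ast

# Constructed sample 1: the vulnerable snippet from this page (debug hard-coded on).
VULN_SRC = '''
from flask import Flask
app = Flask(__name__)

@app.route('/crash')
def main():
    raise Exception()

app.run(debug=True)
'''

# Constructed sample 2: hardened variant. Debug defaults to off and is only
# switched on when an operator explicitly opts in through the environment.
SAFE_SRC = '''
import os
from flask import Flask
app = Flask(__name__)

if __name__ == "__main__":
    app.run(debug=os.environ.get("FLASK_DEBUG") == "1")
'''


def _is_truthy_constant(node):
    """True for literals such as True or 1 that Flask would treat as debug on."""
    return isinstance(node, ast.Constant) and bool(node.value)


def find_debug_run_calls(source):
    """Return a list of (line, receiver) for each `<receiver>.run(..., debug=<truthy literal>)`.

    Only literal keyword values are reported; a value computed at runtime
    (e.g. read from the environment) is not flagged by this simple check.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute) and func.attr == "run"):
            continue
        for kw in node.keywords:
            if kw.arg == "debug" and _is_truthy_constant(kw.value):
                findings.append((node.lineno, ast.unparse(func.value)))
    return findings


if __name__ == "__main__":
    for name, src in (("vulnerable", VULN_SRC), ("hardened", SAFE_SRC)):
        hits = find_debug_run_calls(src)
        for line, receiver in hits:
            print(f"{name}: line {line}: {receiver}.run() called with debug enabled")
        if not hits:
            print(f"{name}: no hard-coded debug=True found")
```

The checker deliberately reports only literal values, so it says nothing about the hardened snippet; a reviewer still has to confirm that the deployment environment does not set the opt-in variable in production. The CodeQL query tracks the value more thoroughly than this literal match, so treat this as an illustration of what is being looked for rather than a replacement for the query.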
References

Flask Quickstart Documentation: Debug Mode.
Werkzeug Documentation: Debugging Applications.
Common Weakness Enumeration: CWE-215.
Common Weakness Enumeration: CWE-489.