Home Explore Help
Sign In
sintez
/
py_task
2
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 609422c2ac
Branches Tags
py_task
/
venv
/
lib
/
python3.9
/
site-packages
/
bandit
/
plugins
/
app_debug.py

app_debug.py 2.2 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263 
  1. #
    2. 

  2. # Copyright 2015 Hewlett-Packard Development Company, L.P.
    3. 

  3. #
    4. 

  4. # SPDX-License-Identifier: Apache-2.0
    5. 

  5. r"""
    6. 

  6. ======================================================
    7. 

  7. B201: Test for use of flask app with debug set to true
    8. 

  8. ======================================================
    9. 

  9. 

  10. Running Flask applications in debug mode results in the Werkzeug debugger
    11. 

  11. being enabled. This includes a feature that allows arbitrary code execution.
    12. 

  12. Documentation for both Flask [1]_ and Werkzeug [2]_ strongly suggests that
    13. 

  13. debug mode should never be enabled on production systems.
    14. 

  14. 

  15. Operating a production server with debug mode enabled was the probable cause
    16. 

  16. of the Patreon breach in 2015 [3]_.
    17. 

  17. 

  18. :Example:
    19. 

  19. 

  20. .. code-block:: none
    21. 

  21. 

  22.     >> Issue: A Flask app appears to be run with debug=True, which exposes
    23. 

  23.     the Werkzeug debugger and allows the execution of arbitrary code.
    24. 

  24.        Severity: High   Confidence: High
    25. 

  25.        CWE: CWE-94 (https://cwe.mitre.org/data/definitions/94.html)
    26. 

  26.        Location: examples/flask_debug.py:10
    27. 

  27.     9 #bad
    28. 

  28.     10    app.run(debug=True)
    29. 

  29.     11
    30. 

  30. 

  31. .. seealso::
    32. 

  32. 

  33.  .. [1] https://flask.palletsprojects.com/en/1.1.x/quickstart/#debug-mode
    34. 

  34.  .. [2] https://werkzeug.palletsprojects.com/en/1.0.x/debug/
    35. 

  35.  .. [3] https://labs.detectify.com/2015/10/02/how-patreon-got-hacked-publicly-exposed-werkzeug-debugger/
    36. 

  36.  .. https://cwe.mitre.org/data/definitions/94.html
    37. 

  37. 

  38. .. versionadded:: 0.15.0
    39. 

  39. 

  40. .. versionchanged:: 1.7.3
    41. 

  41.     CWE information added
    42. 

  42. 

  43. """  # noqa: E501
    44. 

  44. import bandit
    45. 

  45. from bandit.core import issue
    46. 

  46. from bandit.core import test_properties as test
    47. 

  47. 

  48. 

  49. @test.test_id("B201")
    50. 

  50. @test.checks("Call")
    51. 

  51. def flask_debug_true(context):
    52. 

  52.     if context.is_module_imported_like("flask"):
    53. 

  53.         if context.call_function_name_qual.endswith(".run"):
    54. 

  54.             if context.check_call_arg_value("debug", "True"):
    55. 

  55.                 return bandit.Issue(
    56. 

  56.                     severity=bandit.HIGH,
    57. 

  57.                     confidence=bandit.MEDIUM,
    58. 

  58.                     cwe=issue.Cwe.CODE_INJECTION,
    59. 

  59.                     text="A Flask app appears to be run with debug=True, "
    60. 

  60.                     "which exposes the Werkzeug debugger and allows "
    61. 

  61.                     "the execution of arbitrary code.",
    62. 

  62.                     lineno=context.get_lineno_for_call_arg("debug"),
    63. 

  63.                 )
    64.