flask-debug-true (S201)

Added in v0.2.0 · Related issues · View source

Derived from the flake8-bandit linter.

What it does

Checks for uses of debug=True in Flask.

Enabling debug mode shows an interactive debugger in the browser if an error occurs, and allows running arbitrary Python code from the browser. This could leak sensitive information, or allow an attacker to run arbitrary code.

Example

from flask import Flask

app = Flask()

app.run(debug=True)

Use instead:

import os

from flask import Flask

app = Flask()

app.run(debug=os.environ["ENV"] == "dev")

References

Flask documentation: Debug Mode

flask-debug-true (S201)

What it does

Why is this bad?

Example

References