Twig No Use Debug
ID: php.twig_no_use_debug
Severity: high
Resource: Information Leak
Language: PHP
Tags: CWE:359, NIST.SP.800-53, OWASP:2021:A7, PCI-DSS:6.5.3, symfony, twig
Description
This rule checks for the use of Twig's debug mode (the dump() helper it provides) in Twig templates, which can expose sensitive data and lead to information leaks.
Rationale
Twig’s debug mode is typically used during development for enhanced templating error messages and debugging support.
However, enabling debug mode in a production environment can lead to information leaks: a dump() call renders the full contents of an object, such as a user entity, into the HTML sent to the browser, exposing sensitive internal data, application logic, and other details that help an attacker.
<table>
<tr>
<th>Username</th>
<th>Email</th>
</tr>
{% for user in users %}
{{ dump(user) }} <!-- FLAW -->
<tr>
<td>{{ user.user_name }}</td>
<td>{{ user.email }}</td>
</tr>
{% endfor %}
</table>
Remediation
By ensuring that debug mode and the dump() helper are not used in templates that reach production, you mitigate the risk of inadvertently exposing sensitive information.
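As an added illustration of the check this rule performs (example code written for this page, not the scanner's own rule implementation), the function below scans Twig template text for the debug helpers: the {{ dump(...) }} function from Twig's DebugExtension and the {% dump ... %} tag provided by Symfony's Twig bridge. Twig comments are blanked out first so a commented-out dump() is not reported; the sample template is constructed for the example.

```python
import re
from typing import List, Tuple

# Matches the two debug helpers: "{{ dump(" (function call) and "{% dump" (tag).
# This is a constructed pattern for the example, not the rule's real matcher.
DUMP_PATTERN = re.compile(r"\{\{-?\s*dump\s*\(|\{%-?\s*dump\b")
# Twig comments: {# ... #}, possibly spanning several lines.
COMMENT_PATTERN = re.compile(r"\{#.*?#\}", re.DOTALL)


def find_twig_debug_usage(template: str) -> List[Tuple[int, str]]:
    """Return (line_number, line_text) for every dump() call or dump tag.

    Comment bodies are replaced by spaces (newlines kept) so that line
    numbers of the findings still refer to the original template.
    """
    blanked = COMMENT_PATTERN.sub(
        lambda m: re.sub(r"[^\n]", " ", m.group(0)), template
    )
    original_lines = template.splitlines()
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(blanked.splitlines(), start=1):
        if DUMP_PATTERN.search(line):
            findings.append((lineno, original_lines[lineno - 1].strip()))
    return findings


# Constructed sample: the page's flawed table plus a commented-out dump()
# (must not be reported) and a Symfony-style dump tag (must be reported).
SAMPLE_TEMPLATE = """\
<table>
  <tr><th>Username</th><th>Email</th></tr>
  {% for user in users %}
    {{ dump(user) }}
    {# {{ dump(users) }} commented out, must not be reported #}
    <tr><td>{{ user.user_name }}</td><td>{{ user.email }}</td></tr>
  {% endfor %}
  {% dump app.request %}
</table>
"""

if __name__ == "__main__":
    for lineno, text in find_twig_debug_usage(SAMPLE_TEMPLATE):
        print(f"line {lineno}: Twig debug helper used: {text}")
```

Run against a templates directory in CI to fail the build before a dump() call ships to production.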
References
- CWE-359: Exposure of Private Personal Information to an Unauthorized Actor.