Flask Unsafe Configuration

ID

python.flask_unsafe_configuration

Severity

high

Resource

Misconfiguration

Language

Python

Tags

CWE:489, CWE:798, NIST.SP.800-53, OWASP:2021:A5, OWASP:2021:A7, PCI-DSS:6.5.6, flask

Description

Unsafe configurations in Flask can lead to security vulnerabilities.

Rationale

Some of the Flask configurations may lead to security vulnerabilities:

  • debug: When enabled, the built-in debugger and detailed error pages may expose sensitive information about the application and its environment.

  • secret_key: When the secret key is hardcoded in source, anyone who obtains the code (repository access, a leaked package, a backup) also obtains the key used to sign sessions and other signed data.

Here is a vulnerable code example for Flask:

from flask import Flask

app = Flask(__name__)
app.secret_key = 'the random string' # FLAW: secret key hardcoded in source

if __name__ == '__main__':
    app.run(debug=True) # FLAW: debug mode enabled

Remediation

The sanitized version of the previous example would look like this:

import os

from flask import Flask

app = Flask(__name__)
# Read the secret key from the environment instead of embedding it in source.
app.secret_key = os.environ.get('FLASK_SECRET_KEY')

if __name__ == '__main__':
    app.run()  # debug is off by default
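The remediation above still lets the process start with `secret_key = None` when the variable is unset, and it does nothing to stop `debug=True` from being reintroduced. The following is an added example, not part of the rule page or of Flask, showing a fail-fast variant: the key must be present, must not be a placeholder, and must meet a minimum length, and debug mode is only honoured for an explicitly local deployment. The helper names (`secret_key_problem`, `load_secret_key`, `debug_enabled`, `create_app`), the `APP_ENV` variable, the placeholder list and the 32-byte minimum are all assumptions for this example.

```python
import os
import secrets

# Assumption for this example: Flask itself does not enforce a minimum key length,
# but 32 random bytes is a reasonable floor for a session signing key.
MIN_SECRET_KEY_BYTES = 32

# Constructed list of placeholder values that sometimes reach production; treat as unset.
_PLACEHOLDER_KEYS = {"", "changeme", "secret", "dev", "the random string"}


def secret_key_problem(env):
    """Return a description of what is wrong with FLASK_SECRET_KEY in `env`, or None."""
    key = env.get("FLASK_SECRET_KEY")
    if key is None:
        return "FLASK_SECRET_KEY is not set"
    if key.strip().lower() in _PLACEHOLDER_KEYS:
        return "FLASK_SECRET_KEY is a placeholder value"
    if len(key.encode("utf-8")) < MIN_SECRET_KEY_BYTES:
        return f"FLASK_SECRET_KEY is shorter than {MIN_SECRET_KEY_BYTES} bytes"
    return None


def load_secret_key(env=None):
    """Return the validated secret key, or raise at startup instead of running without one.

    os.environ.get() alone would silently yield None and the app would start anyway.
    """
    env = os.environ if env is None else env
    problem = secret_key_problem(env)
    if problem:
        raise RuntimeError(problem)
    return env["FLASK_SECRET_KEY"]


def debug_enabled(env=None):
    """Honour FLASK_DEBUG=1 only when APP_ENV (an assumed variable) marks a local deployment."""
    env = os.environ if env is None else env
    return env.get("FLASK_DEBUG") == "1" and env.get("APP_ENV", "production") == "development"


def generate_secret_key():
    """Produce a fresh hex key to store in a secret manager and inject as FLASK_SECRET_KEY."""
    return secrets.token_hex(MIN_SECRET_KEY_BYTES)


def create_app(env=None):
    """Build the Flask app from validated settings.

    The import is local so the helpers above can be exercised without Flask installed.
    """
    from flask import Flask
    app = Flask(__name__)
    app.secret_key = load_secret_key(env)
    return app


if __name__ == "__main__":
    create_app().run(debug=debug_enabled())
```

Generating the key with `generate_secret_key()` once, storing it in the deployment's secret store, and injecting it as `FLASK_SECRET_KEY` keeps the value out of both source control and container images.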

Configuration

The detector has the following configurable parameters:

  • checkDebug: whether the debug configuration is checked.

  • checkHardcodedSecret: whether a hardcoded secret key is checked.
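To make the two parameters concrete, here is an added example (not the detector's own implementation, and not code from the rule page) of a small AST-based check that looks for the same two patterns in Python source, with `check_debug` and `check_hardcoded_secret` standing in for `checkDebug` and `checkHardcodedSecret`. It goes slightly beyond the page's single example by also recognising `app.config['SECRET_KEY'] = '...'` and `app.debug = True`. The function name `find_unsafe_flask_config` and the sample source are constructed for this example.

```python
import ast


def _is_secret_key_target(target):
    """True for `x.secret_key` or `x.config['SECRET_KEY']` on the left of an assignment."""
    if isinstance(target, ast.Attribute) and target.attr == "secret_key":
        return True
    if isinstance(target, ast.Subscript) and isinstance(target.value, ast.Attribute) \
            and target.value.attr == "config":
        index = target.slice
        # Python 3.8 wraps the index in ast.Index; 3.9+ gives the expression directly.
        if type(index).__name__ == "Index":
            index = index.value
        return isinstance(index, ast.Constant) and index.value == "SECRET_KEY"
    return False


def find_unsafe_flask_config(source, check_debug=True, check_hardcoded_secret=True):
    """Return sorted (line, finding) pairs for hardcoded secrets and enabled debug mode."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant):
            value = node.value.value
            for target in node.targets:
                # app.secret_key = 'literal'  /  app.config['SECRET_KEY'] = 'literal'
                if check_hardcoded_secret and isinstance(value, (str, bytes)) \
                        and _is_secret_key_target(target):
                    findings.append((node.lineno, "hardcoded secret key"))
                # app.debug = True
                if check_debug and value is True \
                        and isinstance(target, ast.Attribute) and target.attr == "debug":
                    findings.append((node.lineno, "debug mode enabled"))
        # app.run(debug=True)
        if check_debug and isinstance(node, ast.Call) \
                and isinstance(node.func, ast.Attribute) and node.func.attr == "run":
            for kw in node.keywords:
                if kw.arg == "debug" and isinstance(kw.value, ast.Constant) \
                        and kw.value.value is True:
                    findings.append((node.lineno, "debug mode enabled"))
    return sorted(findings)


# Constructed sample: the vulnerable example from the rule, minus its FLAW comments.
VULNERABLE_SOURCE = """from flask import Flask

app = Flask(__name__)
app.secret_key = 'the random string'

if __name__ == '__main__':
    app.run(debug=True)
"""

if __name__ == "__main__":
    for line, finding in find_unsafe_flask_config(VULNERABLE_SOURCE):
        print(f"line {line}: {finding}")
```

Keys read from the environment or loaded at runtime are not `ast.Constant` nodes, so the sanitized version from the Remediation section produces no findings; disabling either parameter suppresses the corresponding pattern.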

References