fix(security): disable debug by default, escape traceback XSS, gate OpenAPI docs#2024
fix(security): disable debug by default, escape traceback XSS, gate OpenAPI docs#2024namann5 wants to merge 3 commits into
Conversation
…penAPI docs Three related security fixes for information disclosure and XSS: 1. Changed debug default from True to False — production deployments no longer accidentally run with debug enabled (config.py:22) 2. HTML-escaped traceback.format_exc() before embedding in 500 response to prevent Reflected XSS via exception messages containing attacker-controlled content (main.py:293) 3. Gated /docs, /redoc, /openapi.json endpoints behind debug mode — API schema is no longer publicly exposed in production (main.py:171-173) Resolves: utksh1#2022
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: f94770a7fb
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
utksh1
left a comment
There was a problem hiding this comment.
The secure default is sensible, but this PR currently breaks the fresh-clone smoke check: start.sh starts the backend with debug disabled while CI polls /openapi.json, so the server is healthy but CI times out. Please update the development/startup path (or the health check) so it does not rely on a disabled documentation endpoint, and add focused tests for debug-on/debug-off docs and escaped traceback behavior.
|
@utksh1 Changes are done |
…ack tests Address admin review feedback on PR utksh1#2024: 1. start.sh: Export SECUSCAN_DEBUG=true so the dev server exposes /docs, /redoc, and /openapi.json — fixing the fresh-clone smoke check that was timing out polling /openapi.json. 2. test_config_settings.py: Add focused tests for debug-on/debug-off behavior: - test_docs_disabled_when_debug_false: /docs returns 404 in prod - test_openapi_disabled_when_debug_false: /openapi.json returns 404 - test_docs_enabled_when_debug_true: /docs works when debug on - test_traceback_not_leaked_in_production: exception messages don't leak in plain-text error responses
Summary
Fixes a Critical (CVSS ~8.1) vulnerability where debug mode defaults to enabled and the unhandled exception handler serves full Python tracebacks as raw, unescaped HTML — enabling Reflected XSS and full stack trace information disclosure in production.
Fixes: #2022
Changes
Root Cause
backend/secuscan/config.py:22—debug: bool = Truemeant production deployments could accidentally run with debug enabledbackend/secuscan/main.py:283—traceback.format_exc()was embedded directly into HTML with no escaping (<pre>{traceback.format_exc()}</pre>), allowing XSS if exception messages contain attacker-controlled content/docs,/redoc,/openapi.jsonwere publicly accessible, exposing the full API schemaFix
config.py:22debug: bool = Truetodebug: bool = False(secure-by-default)main.py:293html_mod.escape()aroundtraceback.format_exc()to prevent XSSmain.py:171-173docs_url,redoc_url,openapi_urlbehindsettings.debugmain.py:177-200/api/docs,/api/redoc,/api/openapi.json) behind debug modeSecurity Impact
debug=Trueby defaultdebug=Falseby default/docsalways accessible/docsonly in debug mode/openapi.jsonalways accessible/openapi.jsononly in debug modeConfiguration
Testing
test_settings_default_debugto assertFalsedefaulttest_request_id_middlewarealready handles both debug modesmain