Skip to content

fix(security): disable debug by default, escape traceback XSS, gate OpenAPI docs#2024

Open
namann5 wants to merge 3 commits into
utksh1:mainfrom
namann5:fix/debug-mode-xss-stack-trace-disclosure
Open

fix(security): disable debug by default, escape traceback XSS, gate OpenAPI docs#2024
namann5 wants to merge 3 commits into
utksh1:mainfrom
namann5:fix/debug-mode-xss-stack-trace-disclosure

Conversation

@namann5

@namann5 namann5 commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Summary

Fixes a Critical (CVSS ~8.1) vulnerability where debug mode defaults to enabled and the unhandled exception handler serves full Python tracebacks as raw, unescaped HTML — enabling Reflected XSS and full stack trace information disclosure in production.

Fixes: #2022

Changes

Root Cause

  1. backend/secuscan/config.py:22debug: bool = True meant production deployments could accidentally run with debug enabled
  2. backend/secuscan/main.py:283traceback.format_exc() was embedded directly into HTML with no escaping (<pre>{traceback.format_exc()}</pre>), allowing XSS if exception messages contain attacker-controlled content
  3. /docs, /redoc, /openapi.json were publicly accessible, exposing the full API schema

Fix

# File Change
1 config.py:22 Changed debug: bool = True to debug: bool = False (secure-by-default)
2 main.py:293 Added html_mod.escape() around traceback.format_exc() to prevent XSS
3 main.py:171-173 Gated docs_url, redoc_url, openapi_url behind settings.debug
4 main.py:177-200 Gated redirect endpoints (/api/docs, /api/redoc, /api/openapi.json) behind debug mode

Security Impact

Before After
debug=True by default debug=False by default
Raw traceback in HTML (XSS) HTML-escaped traceback
/docs always accessible /docs only in debug mode
/openapi.json always accessible /openapi.json only in debug mode

Configuration

# Production (default) — safe
# No configuration needed

# Development — enable debug features
SECUSCAN_DEBUG=true

Testing

  • 29/29 config unit tests pass
  • Updated test_settings_default_debug to assert False default
  • Existing test_request_id_middleware already handles both debug modes
  • No merge conflicts with main

…penAPI docs

Three related security fixes for information disclosure and XSS:

1. Changed debug default from True to False — production deployments
   no longer accidentally run with debug enabled (config.py:22)
2. HTML-escaped traceback.format_exc() before embedding in 500 response
   to prevent Reflected XSS via exception messages containing
   attacker-controlled content (main.py:293)
3. Gated /docs, /redoc, /openapi.json endpoints behind debug mode —
   API schema is no longer publicly exposed in production (main.py:171-173)

Resolves: utksh1#2022

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f94770a7fb

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread backend/secuscan/main.py
@utksh1 utksh1 added level:intermediate 35 pts difficulty label for moderate contributor PRs type:security Security work category bonus label type:bug Bug fix work category bonus label area:backend Backend API, database, or service work area:security Security-sensitive implementation or tests labels Jul 14, 2026

@utksh1 utksh1 left a comment

Copy link
Copy Markdown
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The secure default is sensible, but this PR currently breaks the fresh-clone smoke check: start.sh starts the backend with debug disabled while CI polls /openapi.json, so the server is healthy but CI times out. Please update the development/startup path (or the health check) so it does not rely on a disabled documentation endpoint, and add focused tests for debug-on/debug-off docs and escaped traceback behavior.

@namann5

namann5 commented Jul 15, 2026

Copy link
Copy Markdown
Contributor Author

@utksh1 Changes are done

…ack tests

Address admin review feedback on PR utksh1#2024:

1. start.sh: Export SECUSCAN_DEBUG=true so the dev server exposes
   /docs, /redoc, and /openapi.json — fixing the fresh-clone smoke
   check that was timing out polling /openapi.json.

2. test_config_settings.py: Add focused tests for debug-on/debug-off
   behavior:
   - test_docs_disabled_when_debug_false: /docs returns 404 in prod
   - test_openapi_disabled_when_debug_false: /openapi.json returns 404
   - test_docs_enabled_when_debug_true: /docs works when debug on
   - test_traceback_not_leaked_in_production: exception messages don't
     leak in plain-text error responses
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area:backend Backend API, database, or service work area:security Security-sensitive implementation or tests level:intermediate 35 pts difficulty label for moderate contributor PRs type:bug Bug fix work category bonus label type:security Security work category bonus label

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants