Skip to main content

Debugging enabled in production

Need

Disabling debugging mode in production

Context

  • Usage of Scala for building scalable and high-performance applications
  • Usage of play.api for building web applications in the Play Framework
  • Usage of java.io.File for file input/output operations in Java
  • Usage of java.lang.ClassLoader for dynamically loading classes at runtime
  • Usage of play.api.Logger for logging in a Play Framework application
  • Usage of play.api.Application for managing and configuring Play Framework applications
  • Usage of play.api.Mode for managing the execution mode of a Play Framework application

Description

Non compliant code

import play.api._

val app = new Application(new File("."), this.getClass.getClassLoader, None, Mode.Dev)

Logger.configure(app.environment)

val debugMode = app.configuration.getBoolean("play.http.router.debug").getOrElse(false)

if(debugMode) {
Logger.info("Debug Mode is ON")
}

This Scala code snippet is creating a new Play application with debugging mode enabled.

The Application class from the play.api package is used to create a new application instance. The parameters provided to the Application constructor are the application path (current directory in this case), the class loader, the optional GlobalSettings, and the Mode.

The Mode.Dev parameter is used to set the application mode to development. This mode enables detailed error pages, evolutions and more.

After creating the application, the Logger is configured with the application environment.

Then, the application configuration is checked to see if the debug mode is on. This is done by calling app.configuration.getBoolean("play.http.router.debug"). This function call returns an Option[Boolean]. If the debug mode configuration is not set, the getOrElse function will return false.

If the debug mode is on, a log message "Debug Mode is ON" is printed.

This code is vulnerable because it leaves the debug mode on when it should be off in a production environment. Debug mode can provide valuable information to an attacker, such as the internal workings of the application, the structure of the underlying database, and even sensitive user data.

Steps

  • Disable debug mode in production environment
  • Remove or comment out the code that logs the 'Debug Mode is ON' message

Compliant code

import play.api._

val app = new Application(new File("."), this.getClass.getClassLoader, None, Mode.Prod)

Logger.configure(app.environment)

val debugMode = app.configuration.getBoolean("play.http.router.debug").getOrElse(false)

// if(debugMode) {
// Logger.info("Debug Mode is ON")
// }

The above code is a Scala backend application that uses the Play framework. The vulnerability in the original code was that the debug mode was enabled in the production environment. This could lead to an information leak when an error is generated.

The fix for this vulnerability is to disable the debug mode in the production environment. This is done by changing Mode.Dev to Mode.Prod when creating the new Application instance. This ensures that the application runs in production mode.

Additionally, the code that logs the 'Debug Mode is ON' message has been commented out. This is because such messages should not be logged in a production environment as they can provide useful information to an attacker.

By making these changes, the vulnerability has been fixed and the application is now more secure.

References