CWE-489
Active Debug Code. [Bad-Coding-Practices, Improper-Adherence-To-Coding-Standards]
Required inputs: IR
Demonstrative Examples
Example 1
Debug code can be used to bypass authentication. For example, suppose an application has a login script that receives a username and a password. Assume also that a third, optional, parameter, called "debug", is interpreted by the script as requesting a switch to debug mode, and that when this parameter is given the username and password are not checked. In such a case, it is very simple to bypass the authentication process if the special behavior of the application regarding the debug parameter is known. In a case where the form is:
Example Language: HTML (Unsupported language for documentation only)
<FORM ACTION="/authenticate_login.cgi">
<INPUT TYPE=TEXT name=username>
<INPUT TYPE=PASSWORD name=password>
<INPUT TYPE=SUBMIT>
</FORM>
Then a conforming link will look like:
(informative)
http://TARGET/authenticate_login.cgi?username=...&password=...
An attacker can change this to:
(attack code)
http://TARGET/authenticate_login.cgi?username=&password=&debug=1
Which will grant the attacker access to the site, bypassing the authentication process.
Excerpts from CWE [https://cwe.mitre.org], Copyright (C) 2006-2026, the MITRE Corporation. See section 9.4. "3rd-Party Licenses" in the documentation for full details.

Possible Messages

| Key | Text | Severity | Disabled |
|---|---|---|---|
| debug_macro_use | Defined debug macro must not be used. | None | False |
Options
This rule shares the following common options: exclude_in_macros, exclude_messages_in_system_headers, excludes, extend_exclude_to_macro_invocations, includes, justification_checker, languages, post_processing, provider, report_at, severity
The following places define options that affect this rule: Stylechecks, Analysis-GlobalOptions
macros
macros : set[bauhaus.analysis.config.MacroName] = {'DEBUG', '_DEBUG', '__DEBUG'}
only_report_defined_uses
only_report_defined_uses : bool = True
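To make the `macros` and `only_report_defined_uses` options concrete, here is an added Python model of the check (example code, not Bauhaus's own implementation): it reports every use of a configured debug macro name and, when `only_report_defined_uses` is set, keeps only uses for which the macro is currently defined, either by an earlier `#define` in the unit or via an assumed `predefined` parameter standing in for a `-D` build flag. The sample translation unit is constructed and mirrors the CWE example above in C.

```python
import re
from dataclasses import dataclass

# Constructed sample translation unit (not from the page): a DEBUG-gated
# login bypass of the kind CWE-489 describes, plus a use of _DEBUG that is
# never defined in this unit.
SAMPLE_SOURCE = """\
#define DEBUG 1
#include <stdio.h>
int check_login(const char *user, const char *pw, int debug) {
#ifdef DEBUG
    if (debug) return 1;   /* skips the credential check */
#endif
#if defined(_DEBUG)
    fprintf(stderr, "user=%s pw=%s\\n", user, pw);
#endif
    return verify(user, pw);
}
"""

# Default value of the rule's `macros` option, taken from the page.
DEFAULT_MACROS = frozenset({"DEBUG", "_DEBUG", "__DEBUG"})


@dataclass
class Finding:
    key: str    # message key, as in the Possible Messages table
    line: int   # 1-based line in the translation unit
    macro: str
    text: str


def find_debug_macro_uses(source, macros=DEFAULT_MACROS,
                          only_report_defined_uses=True, predefined=frozenset()):
    """Line-based approximation of the rule. Any occurrence of a name from
    `macros` is a use, except on the #define/#undef line itself. With
    only_report_defined_uses, a use is reported only while the macro is
    defined (earlier #define here, or `predefined`, an assumed stand-in
    for -DDEBUG on the compiler command line)."""
    defined = set(predefined)
    name_re = re.compile(r"\b(" + "|".join(map(re.escape, sorted(macros))) + r")\b")
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        text = line.strip()
        directive = re.match(r"#\s*(define|undef)\s+(\w+)", text)
        if directive:
            verb, name = directive.groups()
            if name in macros:
                (defined.add if verb == "define" else defined.discard)(name)
            continue
        for use in name_re.finditer(text):
            if only_report_defined_uses and use.group(1) not in defined:
                continue
            findings.append(Finding("debug_macro_use", lineno, use.group(1), text))
    return findings
```

Run against the sample, the default configuration reports only the `#ifdef DEBUG` on line 4; setting `only_report_defined_uses=False`, or predefining `_DEBUG`, also reports the `#if defined(_DEBUG)` on line 7.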