fix: disable public Flask debug defaults#5474
Conversation
|
Welcome to RustChain! Thanks for your first pull request. Before we review, please make sure:
Bounty tiers: Micro (1-10 RTC) | Standard (20-50) | Major (75-100) | Critical (100-150) A maintainer will review your PR soon. Thanks for contributing! |
github-actions
Bot
added
BCOS-L1
ZacharyZhang-NY
left a comment
ZacharyZhang-NY
left a comment
There was a problem hiding this comment.
Validation performed on Windows Python 3.12:
python -m py_compile bridge/bridge_api.py contributor_registry.py explorer/app.py keeper_explorer.py security_test_payment_widget.py tests/test_public_flask_debug_defaults.pypassed. Existingkeeper_explorer.pyemitted the current invalid-escape SyntaxWarning, but compilation completed.python -m pytest tests/test_public_flask_debug_defaults.py -qpassed with1 passed, 1 warning in 0.07s.git diff --check origin/main...HEADpassed.- Static scan confirmed the affected public entrypoints now pass env-controlled debug values instead of literal
debug=Trueon0.0.0.0binds.
The change matches #4810's intent: debug mode is off by default for public-facing helper services, while local development can opt in per service through explicit environment flags. I did not find a blocking issue.
kekehanshujun
left a comment
kekehanshujun
left a comment
There was a problem hiding this comment.
LGTM. I verified the public Flask entrypoints covered by #4810 no longer pass a literal debug=True for 0.0.0.0 binds, and the new AST regression test catches that pattern.
Validation run on the PR diff:
python -m py_compile bridge/bridge_api.py contributor_registry.py explorer/app.py keeper_explorer.py security_test_payment_widget.py tests/test_public_flask_debug_defaults.pypython -m pytest tests/test_public_flask_debug_defaults.py -q --tb=short-> 1 passed, with the existingkeeper_explorer.pyinvalid-escape warninggit diff --check -- bridge/bridge_api.py contributor_registry.py explorer/app.py keeper_explorer.py security_test_payment_widget.py tests/test_public_flask_debug_defaults.py
No blocking issues found.
jaxint
left a comment
jaxint
left a comment
There was a problem hiding this comment.
LGTM! Thanks for contributing. Approved.
TJCurnutte
left a comment
TJCurnutte
left a comment
There was a problem hiding this comment.
Approved. I focused on the public Flask entrypoint debug defaults and the regression test that prevents reintroducing debug=True on 0.0.0.0 servers.
Validation I ran against head 92e7c9ed94e3ad9b4b9e41e05715f3f0a07da760:
git diff --check origin/main...HEAD -- bridge/bridge_api.py contributor_registry.py explorer/app.py keeper_explorer.py security_test_payment_widget.py tests/test_public_flask_debug_defaults.py
python3 -B -m py_compile bridge/bridge_api.py contributor_registry.py explorer/app.py keeper_explorer.py security_test_payment_widget.py tests/test_public_flask_debug_defaults.py
uv run --no-project --with pytest python -B -m pytest -q tests/test_public_flask_debug_defaults.py --noconftestThe focused pytest passed with 1 passed, 1 warning in 0.04s (keeper_explorer.py already has an invalid-escape deprecation warning unrelated to this change).
I also ran an AST probe over the modified entrypoints and confirmed the app.run(..., debug=...) arguments now route through opt-in helpers instead of a literal True: bridge/bridge_api.py uses _debug_enabled(), and contributor_registry.py, explorer/app.py, keeper_explorer.py, and security_test_payment_widget.py use debug_enabled().
That preserves a deliberate local-debug escape hatch through environment variables while making the public/default launch path fail closed.
ZacharyZhang-NY
left a comment
ZacharyZhang-NY
left a comment
There was a problem hiding this comment.
Reviewed PR #5474 at head 92e7c9e.
Validation performed:
- Checked issue #4810. The scoped security bug is public Flask entrypoints binding to
0.0.0.0while hard-codingdebug=Trueby default. - git fetch origin pull/5474/head:review-pr-5474 --force
- git diff --check origin/main...review-pr-5474 -- bridge/bridge_api.py contributor_registry.py explorer/app.py keeper_explorer.py security_test_payment_widget.py tests/test_public_flask_debug_defaults.py -> passed.
- python -m py_compile bridge/bridge_api.py contributor_registry.py explorer/app.py keeper_explorer.py security_test_payment_widget.py tests/test_public_flask_debug_defaults.py on an extracted PR-head tree -> passed.
- python -m pytest tests/test_public_flask_debug_defaults.py -q --confcutdir= -> 1 passed.
- Probed the five new debug helpers with lightweight dependency stubs: BRIDGE_API_DEBUG, CONTRIBUTOR_REGISTRY_DEBUG, RUSTCHAIN_EXPLORER_DEBUG, KEEPER_EXPLORER_DEBUG, and SECURITY_TEST_WIDGET_DEBUG all default to False and return True for
true.
The public Flask entrypoints now require explicit per-service env opt-in for debug mode, and the AST regression covers the listed public binds. Approving.
Code Review — Bounty #73PR: fix: disable public Flask debug defaults by @RYB-404
SummaryThis is a bug fix PR. Changes appear consistent with project patterns. Wallet: Reviewing under Bounty #73 — Code Review Bounty Program |
508704820
left a comment
508704820
left a comment
There was a problem hiding this comment.
Disable public Flask debug defaults. CRITICAL - public debug defaults expose interactive debugger and source code. This is the second Flask debug fix (also #5531). Verify ALL Flask app instances have debug disabled, not just the main one. Consider adding a CI assertion. - Xeophon (security review)
508704820
left a comment
508704820
left a comment
There was a problem hiding this comment.
Flask debug defaults fix. SECURITY: Critical hardening — debug=True on 0.0.0.0 exposes Werkzeug debugger, allows arbitrary code execution. The AST regression test is excellent prevention. Reviewed by: Xeophon (security specialist). Recommendation: MERGE — this is a real attack vector.
|
Security Review ✅ Flask debug mode gated behind explicit per-service env flags instead of defaulting to Werkzeug debug on 0.0.0.0. AST regression test ensures no hardcoded debug defaults. Same class as #5531 and #5488 but covers remaining services. Reviewed by Xeophon - Solana: Lt9nERv6VHsojw15LpFeiaabuphAggzfLF9sM9UXRrZ |
jaxint
left a comment
jaxint
left a comment
There was a problem hiding this comment.
LGTM! Great work on this PR. 🚀
…g-4810 # Conflicts: # bridge/bridge_api.py # explorer/app.py
PR Review — PR #5474Title: fix: disable public Flask debug defaults Author: RYB-404 What I reviewed
Observations
LGTM pending CI. Better approach than PR #5561 — the environment variable pattern allows controlled debug access without hardcoded defaults. Bounty: #2782 |
10 participants
Summary
main; the earlier linked PR fix: disable public flask debug by default #4926 is closed/unmerged and the hardcoded debug defaults are still present.0.0.0.0.debug=Truecannot be reintroduced for public binds.Changed entrypoints
bridge/bridge_api.py->BRIDGE_API_DEBUGcontributor_registry.py->CONTRIBUTOR_REGISTRY_DEBUGexplorer/app.py->RUSTCHAIN_EXPLORER_DEBUGkeeper_explorer.py->KEEPER_EXPLORER_DEBUGsecurity_test_payment_widget.py->SECURITY_TEST_WIDGET_DEBUGValidation
python -m py_compile bridge/bridge_api.py contributor_registry.py explorer/app.py keeper_explorer.py security_test_payment_widget.py tests/test_public_flask_debug_defaults.pyuv run --no-project --with pytest --with flask --with flask-cors --with requests python -m pytest tests/test_public_flask_debug_defaults.py -q-> 1 passedPayout address can be provided if/when this is accepted for the RTC bounty.