Hi,

I received a security review report for Doctor from Luke Hinds today. It makes sense, and we can change the Flask option easily, although we have to figure out how to enhance the sample inspector and monitor in the doctor tree.

---------------------------------------------------------------------------
Author: Luke Hinds <lhi...@redhat.com>

[Threat Review Summary]

Doctor is a fault management and maintenance project to develop and realize the consequent implementation for the OPNFV reference platform. The security posture of Doctor is very good. The overall finding is to ensure Flask does not run in debug mode outside of development environments.

[Secure Code Finding]

flask_debug_true: A Flask app appears to be run with debug=True, which exposes the Werkzeug debugger and allows the execution of arbitrary code.

Severity: HIGH

File: doctor/tests/consumer.py
37 args = get_args()
38 app.run(host="0.0.0.0", port=args.port, debug=True)

File: doctor/tests/inspector.py
75 args = get_args()
76 app.run(port=args.port, debug=True)

More info: http://docs.openstack.org/developer/bandit/plugins/flask_debug_true.html

Auditor Note: Please ensure that debug is set to False before running in production.
---------------------------------------------------------------------------

BR,
Ryota
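The finding above is the kind of thing a static scanner such as bandit catches by looking for a literal `debug=True` in a `.run(...)` call. The following is an added example, not code from the Doctor project or from the review report: a small AST-based check in the spirit of bandit's flask_debug_true plugin, run over constructed samples modelled on the two flagged snippets plus a hardened variant. The hardened variant (reading a `DOCTOR_DEBUG` environment variable, off by default) and the function names are assumptions for illustration, not the project's actual fix.

```python
import ast
from typing import Dict, List

# Constructed sample sources, modelled on the two findings in the report
# (consumer.py line 38 and inspector.py line 76). The "fixed" file is an
# assumed hardened form: debug defaults to off and is only enabled when an
# operator explicitly sets DOCTOR_DEBUG=1 in a development environment.
SAMPLES: Dict[str, str] = {
    "consumer.py": (
        "args = get_args()\n"
        'app.run(host="0.0.0.0", port=args.port, debug=True)\n'
    ),
    "inspector.py": (
        "args = get_args()\n"
        "app.run(port=args.port, debug=True)\n"
    ),
    "inspector_fixed.py": (
        "import os\n"
        "args = get_args()\n"
        "debug = os.environ.get('DOCTOR_DEBUG', '0') == '1'\n"
        "app.run(port=args.port, debug=debug)\n"
    ),
}


def find_flask_debug_true(source: str) -> List[int]:
    """Return the line numbers of every `<obj>.run(...)` call whose `debug`
    keyword is the literal True. This is a simplified reimplementation of
    the idea behind bandit's flask_debug_true check, not bandit itself."""
    hits: List[int] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute) and func.attr == "run"):
            continue
        for kw in node.keywords:
            # Only a literal True is flagged; a variable such as debug=debug
            # is left to runtime configuration and is not reported here.
            if (
                kw.arg == "debug"
                and isinstance(kw.value, ast.Constant)
                and kw.value.value is True
            ):
                hits.append(node.lineno)
    return hits


def scan(files: Dict[str, str]) -> Dict[str, List[int]]:
    """Scan a mapping of filename -> source text and report hits per file."""
    return {name: find_flask_debug_true(src) for name, src in files.items()}


def debug_from_env(environ: Dict[str, str], var: str = "DOCTOR_DEBUG") -> bool:
    """Secure default for the hardened form: debug is off unless the
    variable is explicitly set to '1'. (Assumed variable name.)"""
    return environ.get(var, "0") == "1"


if __name__ == "__main__":
    for name, lines in scan(SAMPLES).items():
        if lines:
            print(f"{name}: HIGH flask_debug_true at line(s) {lines}")
        else:
            print(f"{name}: ok")
```

Running the block prints a HIGH finding for the two constructed samples (at line 2 of each) and `ok` for the hardened one; the same check could run in CI so that a reintroduced `debug=True` fails the build before it reaches anything beyond a developer's machine.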