From e9cac5f8eec86e5a1eeaf80fadcf4256afb63c77 Mon Sep 17 00:00:00 2001
From: ChinhLee <76194645+chinhkrb113@users.noreply.github.com>
Date: Thu, 2 Apr 2026 21:20:56 +0700
Subject: [PATCH] fix(security): flask debug mode enabled by default, exposed on 0.0.0.0

DEBUG defaults to True (FLASK_DEBUG env var is 'True' unless overridden) and the server binds to 0.0.0.0. When debug mode is active, Flask enables the Werkzeug interactive debugger, which allows arbitrary Python code execution via the browser-accessible debugger console if an exception is triggered. Combined with the public bind address this creates a remote code execution vector on any deployment that forgets to set FLASK_DEBUG=False.

Affected files: config.py

Signed-off-by: ChinhLee <76194645+chinhkrb113@users.noreply.github.com>
---
 backend/app/config.py | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/backend/app/config.py b/backend/app/config.py
index 953dfa50a2..f527f02853 100644
--- a/backend/app/config.py
+++ b/backend/app/config.py
@@ -1,7 +1,4 @@
-"""
-配置管理
-统一从项目根目录的 .env 文件加载配置
-"""
+"""\n配置管理\n统一从项目根目录的 .env 文件加载配置\n"""
 import os
 from dotenv import load_dotenv
@@ -22,9 +19,9 @@ class Config:
     # Flask配置
     SECRET_KEY = os.environ.get('SECRET_KEY', 'mirofish-secret-key')
-    DEBUG = os.environ.get('FLASK_DEBUG', 'True').lower() == 'true'
+    DEBUG = os.environ.get('FLASK_DEBUG', 'False').lower() == 'true'
-    # JSON配置 - 禁用ASCII转义,让中文直接显示(而不是 \uXXXX 格式)
+    # JSON配置 - 禁用ASCII转义,让中文直接显示
     JSON_AS_ASCII = False
     # LLM配置(统一使用OpenAI格式)
@@ -71,5 +68,7 @@ def validate(cls):
             errors.append("LLM_API_KEY 未配置")
         if not cls.ZEP_API_KEY:
             errors.append("ZEP_API_KEY 未配置")
+        if cls.DEBUG:
+            import warnings
+            warnings.warn("Flask DEBUG mode is enabled. Do not use in production.", RuntimeWarning)
         return errors
-
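Review bot: The module docstring in the first hunk is collapsed into a single line with literal `\n` escapes, which is unrelated to the security fix and harder to read than the four-line form it replaces; the escapes produce the same text at runtime, so nothing is gained. The same applies to the trimmed `# JSON配置` comment in the second hunk. Both cosmetic edits should be dropped from this patch so the diff is only the DEBUG default and the validate() warning, which keeps the security change easy to audit and backport.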
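Review bot: The hard-coded fallback on the context line `SECRET_KEY = os.environ.get('SECRET_KEY', 'mirofish-secret-key')` is the same class of weakness as the DEBUG default this hunk fixes: any deployment that forgets to set SECRET_KEY signs sessions with a key that is public in the repository. Since validate() already collects configuration errors, consider adding `if cls.SECRET_KEY == 'mirofish-secret-key' and not cls.DEBUG: errors.append("SECRET_KEY 未配置")` so a production run with the default key is reported rather than silently accepted. The commit message also names the 0.0.0.0 bind address as part of the exposure, but this patch only touches config.py; presumably the host is set where the app is run, and that default should be reviewed in a follow-up.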
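Review bot: The added `import warnings` inside validate() should move to the module's import block next to `import os`; a function-local import of a stdlib module here only hides the dependency. A RuntimeWarning is also easy to miss in a server log and does not stop startup, so if the intent is to block production use with DEBUG on, appending to `errors` (as the surrounding checks do) would be more consistent than warning; if a warning is deliberate because DEBUG is legitimate in development, a comment such as `# DEBUG enables the Werkzeug debugger; warn so production operators notice` would make that choice explicit. validate() begins outside this hunk, so whether DEBUG is already checked earlier in the method is not visible here.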