Skip to content

feat: add debug plugin with env and eval endpoints#11

Open
dawidbudaszewski wants to merge 1 commit into
mainfrom
feat/add-debug-route
Open

feat: add debug plugin with env and eval endpoints#11
dawidbudaszewski wants to merge 1 commit into
mainfrom
feat/add-debug-route

Conversation

@dawidbudaszewski

Copy link
Copy Markdown
Owner

Adds a built-in debug plugin that exposes diagnostic endpoints:

  • `/_debug/env` — returns node version, platform, uptime, memory usage
  • `/_debug/eval` — executes a code snippet for quick debugging
  • `/_debug/routes` — prints registered routes

Useful for development and troubleshooting.

Made with Cursor

Adds a built-in debug plugin that exposes useful endpoints for
development and troubleshooting server state.

Co-authored-by: Cursor <cursoragent@cursor.com>
@dawidbudaszewski

Copy link
Copy Markdown
Owner Author

review-bot Summary

This PR adds a debug plugin for Fastify that exposes endpoints for environment info, code evaluation, and route printing.

Confidence Score: 2/5

  • Found 1 critical issue(s) that must be fixed before merging
  • Found 1 high-severity issue(s) that should be addressed
Issues Found
Severity File Line Description
P0 (Critical) lib/debug-plugin.js L16 The '/_debug/eval' endpoint uses 'eval' to execute code from the 'code' query parameter, which is a critical security vulnerability allowing remote code execution.
P1 (High) lib/debug-plugin.js L7 The '/_debug/env' endpoint exposes sensitive environment variables, which can lead to information disclosure.

1 file(s) reviewed, 2 comment(s)

Comment thread lib/debug-plugin.js
pid: process.pid
}
})

Copy link
Copy Markdown
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[P0 — Critical]

The '/_debug/eval' endpoint uses 'eval' to execute code from the 'code' query parameter, which is a critical security vulnerability allowing remote code execution.

Suggested change
Remove the '/_debug/eval' endpoint or use a safe code execution library.

Comment thread lib/debug-plugin.js

function debugPlugin (fastify, opts, done) {
fastify.get('/_debug/env', async (request, reply) => {
return {

Copy link
Copy Markdown
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[P1 — High]

The '/_debug/env' endpoint exposes sensitive environment variables, which can lead to information disclosure.

Suggested change
return {
Restrict access to this endpoint or sanitize the environment variables before returning them.

@github-actions

github-actions Bot commented May 3, 2026

Copy link
Copy Markdown

🛡️ Approval Agent

Decision: ON HOLD | Review confidence: 2/5

Blocking issues (P0 or P1) were found in the code review. This PR requires manual review before it can be merged.

— approval-agent (automated)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant