
fix: disable Flask debug entrypoints #5531

Closed

ZacharyZhang-NY wants to merge 1 commit into Scottcjn:main from ZacharyZhang-NY:fix/disable-flask-debug-entrypoints-zny

Conversation

@ZacharyZhang-NY

Summary

  • Disable Flask debug mode in the four public service entrypoints listed under Bug: keeper_explorer and contributor_registry run Flask in debug=True — enables RCE #5059.
  • Keep the faucet --debug flag as a deprecated compatibility no-op and force Flask debug mode off after config loading.
  • Update faucet docs so they no longer recommend starting the service with Flask debug mode.
  • Add a static regression test that fails if these entrypoints reintroduce debug=True or assign debug config to True.

Covered entrypoints

  • keeper_explorer.py
  • contributor_registry.py
  • bridge/bridge_api.py
  • faucet_service/faucet_service.py

Tests

  • rg -n "debug\\s*=\\s*True|\\['debug'\\]\\s*=\\s*True" keeper_explorer.py contributor_registry.py bridge/bridge_api.py faucet_service/faucet_service.py -> no matches
  • git diff --check -- keeper_explorer.py contributor_registry.py bridge/bridge_api.py faucet_service/faucet_service.py faucet_service/README.md faucet_service/IMPLEMENTATION_SUMMARY.md tests/test_flask_debug_disabled.py
  • python -B -m py_compile keeper_explorer.py contributor_registry.py bridge/bridge_api.py faucet_service/faucet_service.py tests/test_flask_debug_disabled.py
  • python -B -m pytest -q tests/test_flask_debug_disabled.py --noconftest -> 1 passed
  • python tools\bcos_spdx_check.py --base-ref origin/main -> BCOS SPDX check: OK

Note: py_compile still emits the existing keeper_explorer.py invalid escape SyntaxWarning from the unchanged HTML banner; the command exits 0.

Fixes #5059
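The static regression check the PR body describes, as an added example rather than the project's own tests/test_flask_debug_disabled.py (the function and sample names are assumptions). It walks the AST and reports every construct that turns the Werkzeug debugger on: a literal debug=True keyword on any call, a config key named debug assigned True (including Flask's own app.config['DEBUG']), and app.debug = True. It goes beyond a fixed ENTRYPOINTS allowlist with scan_tree(), which covers every .py file under a root, so an entrypoint that is missing from the list still fails the check. A dynamic value such as debug=args.debug is deliberately not flagged, since a static check cannot prove it either way; that case is what forcing the config value off at startup is for.

```python
"""Static regression check for Flask debug mode (added example, not the
project's test).  Requires Python 3.9+, where a subscript slice is the
constant itself."""
import ast
import pathlib
from typing import Dict, List, Tuple

Hit = Tuple[str, int, str]  # (filename, line number, kind)


def _is_true(node: ast.AST) -> bool:
    # Only a literal True counts; debug=DEBUG or debug=args.debug is dynamic.
    return isinstance(node, ast.Constant) and node.value is True


def _is_debug_key(node: ast.AST) -> bool:
    # config['debug'], config['server']['debug'] and app.config['DEBUG']
    return isinstance(node, ast.Constant) and str(node.value).lower() == "debug"


def find_debug_true(source: str, filename: str = "<string>") -> List[Hit]:
    """Return every location in `source` that enables Flask debug mode.

    kinds: 'run-kwarg'     any call carrying a literal debug=True keyword
           'config-assign' x[...]['debug'] = True or app.config['DEBUG'] = True
           'attr-assign'   app.debug = True
    """
    hits: List[Hit] = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if isinstance(node, ast.Call):
            for kw in node.keywords:
                if kw.arg == "debug" and _is_true(kw.value):
                    hits.append((filename, node.lineno, "run-kwarg"))
        elif isinstance(node, ast.Assign) and _is_true(node.value):
            for target in node.targets:
                if isinstance(target, ast.Subscript) and _is_debug_key(target.slice):
                    hits.append((filename, node.lineno, "config-assign"))
                elif isinstance(target, ast.Attribute) and target.attr == "debug":
                    hits.append((filename, node.lineno, "attr-assign"))
    return sorted(hits)


def check_sources(sources: Dict[str, str]) -> List[Hit]:
    """Aggregate hits over {filename: source}; an empty list means the check passes."""
    hits: List[Hit] = []
    for name, src in sources.items():
        hits.extend(find_debug_true(src, name))
    return hits


def scan_tree(root: str) -> List[Hit]:
    """Scan every .py file below `root` (repo-wide, not an allowlist of entrypoints)."""
    files = sorted(pathlib.Path(root).rglob("*.py"))
    return check_sources({str(p): p.read_text(encoding="utf-8", errors="replace")
                          for p in files})


# Constructed sample sources standing in for real entrypoints.
VULNERABLE_SRC = (
    "from flask import Flask\n"
    "app = Flask(__name__)\n"
    "if __name__ == '__main__':\n"
    "    app.run(host='0.0.0.0', port=5000, debug=True)\n"
)
CONFIG_SRC = (
    "config = {'server': {'debug': False}}\n"
    "if args.debug:\n"
    "    config['server']['debug'] = True\n"
    "app.config['DEBUG'] = True\n"
    "app.debug = True\n"
)
FIXED_SRC = (
    "config['server']['debug'] = False\n"
    "app.run(host='127.0.0.1', port=5000, debug=False)\n"
)


def regression_test() -> None:
    """What the pytest case does: fail with file:line for every hit."""
    hits = check_sources({"fixed.py": FIXED_SRC})
    assert not hits, "Flask debug mode enabled at: " + ", ".join(
        f"{f}:{ln} ({kind})" for f, ln, kind in hits)


if __name__ == "__main__":
    for f, ln, kind in check_sources({"vuln.py": VULNERABLE_SRC, "cfg.py": CONFIG_SRC}):
        print(f"{f}:{ln}: {kind}")
    regression_test()
```

Run scan_tree(".") from a CI job and fail the build on a non-empty result; that also covers the files a per-entrypoint list would miss.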

@github-actions
Contributor

Welcome to RustChain! Thanks for your first pull request.

Before we review, please make sure:

  • Non-doc PRs have a BCOS-L1 or BCOS-L2 label
  • Doc-only PRs are exempt from BCOS tier labels when they only touch docs/**, *.md, or common image/PDF files
  • New code files include an SPDX license header
  • You've tested your changes against the live node

Bounty tiers: Micro (1-10 RTC) | Standard (20-50) | Major (75-100) | Critical (100-150)

A maintainer will review your PR soon. Thanks for contributing!

github-actions bot added labels on May 17, 2026: documentation (Improvements or additions to documentation), BCOS-L1 (Beacon Certified Open Source tier BCOS-L1, required for non-doc PRs), tests (Test suite changes), size/M (PR: 51-200 lines)
@BossChaos
Contributor

Code Review

Reviewed fix: disable Flask debug entrypoints by @ZacharyZhang-NY.

This is a bug fix. The changes appear reasonable based on the diff.

Wallet: 0xdaE5d307339074A24F579dB48e7c639359D94904

Contributor

@HCIE2054 HCIE2054 left a comment


LGTM!


@2balmprune 2balmprune left a comment


Reviewed head 1d9e47f895f1a1d04477473bde1f9ee3a1559533 for the Flask debug-mode hardening.

The change disables debug mode at all four listed public entrypoints, preserves the faucet CLI flag as a compatibility no-op, updates the faucet docs so they no longer recommend debug startup, and adds a focused AST regression test for debug=True / debug-config assignments in those entrypoints. I also checked the faucet path where config is loaded from file or CLI: config['server']['debug'] = False is applied after overrides and before app.run(..., debug=debug), so a local config or deprecated --debug flag does not re-enable Flask debug mode.

Validation performed:

  • git diff --check origin/main...review-pr-5531 -- keeper_explorer.py contributor_registry.py bridge/bridge_api.py faucet_service/faucet_service.py faucet_service/README.md faucet_service/IMPLEMENTATION_SUMMARY.md tests/test_flask_debug_disabled.py
  • python -B -m py_compile keeper_explorer.py contributor_registry.py bridge/bridge_api.py faucet_service/faucet_service.py tests/test_flask_debug_disabled.py
  • Imported tests/test_flask_debug_disabled.py and executed test_public_flask_entrypoints_do_not_enable_debug_mode() directly, since pytest was not installed in this local interpreter.

No blocker found. Approved.

@Auren-Innovation

🔒 Code Review: PR #5531 - Disable Flask Debug Mode in Production Entrypoints

📋 Summary

This PR disables Flask debug mode across 4 public service entrypoints, fixing a critical security issue (#5059). Debug mode in production can expose sensitive information, enable code execution, and cause performance issues.

✅ Strengths

  1. Critical Security Fix: Disables debug mode in all 4 public entrypoints:

    • keeper_explorer.py
    • contributor_registry.py
    • bridge/bridge_api.py
    • faucet_service/faucet_service.py
  2. Comprehensive Documentation Updates:

    • Updated README.md to remove debug mode recommendations
    • Updated IMPLEMENTATION_SUMMARY.md
    • Added clear warnings about debug mode staying disabled
  3. Excellent Regression Testing:

    • Added test_flask_debug_disabled.py with static analysis
    • Uses AST parsing to detect any reintroduction of debug=True
    • Test will fail if debug mode is accidentally re-enabled
  4. Backward Compatibility:

    • Keeps --debug flag as deprecated no-op
    • Prevents breaking existing scripts while forcing debug off

💡 Suggestions for Improvement

  1. Security Monitoring (Optional):

    • Consider adding a startup log message: "Flask debug mode is disabled for security"
    • This makes it explicit in logs that security settings are active
  2. Configuration Validation (Low Priority):

    • Could add a check at startup to verify no environment variables override debug setting
    • Example: if os.environ.get('FLASK_DEBUG'): logging.warning("FLASK_DEBUG env var ignored for security")

🎯 Security Assessment

  • Vulnerability Type: Information disclosure, potential code execution
  • Severity: High (debug mode in production is critical)
  • Fix Quality: ✅ Excellent - comprehensive across all entrypoints
  • Test Coverage: ✅ Excellent - static analysis prevents regression

📊 Review Details

  • Files Changed: 7 (4 source, 2 docs, 1 test)
  • Lines Changed: +62, -23
  • Complexity: Medium
  • Risk Level: Low (security improvement)

🏆 Overall Assessment

Quality: Security-focused review
Recommended Reward: 20-25 RTC (Security bonus eligible)

Why Security Bonus?

  • Fixes critical production security misconfiguration
  • Prevents information disclosure and potential RCE
  • Includes regression test to prevent future issues
  • Covers multiple service entrypoints

✅ Verdict

APPROVE - This is an essential security fix. Flask debug mode should NEVER be enabled in production. The implementation is thorough, well-tested, and includes documentation updates.


Review #2 completed by Herr Amano for Rustchain Bounties Program
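The faucet startup ordering that the two reviews above describe (config file, then CLI overrides, then debug forced off before app.run), together with the FLASK_DEBUG warning suggested in the review, as an added example. This is not faucet_service/faucet_service.py; resolve_server_config, run_service and RecordingApp are assumed names, and RecordingApp is a test double used only so the block runs without Flask installed. The one Flask detail worth knowing here: app.run() with an explicit debug=False sets app.debug regardless of FLASK_DEBUG, but a bare app.run() with no debug argument inherits app.config['DEBUG'], which Flask seeds from that environment variable, so forcing the kwarg is what makes the environment override harmless.

```python
"""Faucet-style startup in which Flask debug mode cannot be re-enabled
(added example, not the project's faucet_service.py)."""
import argparse
import logging
from typing import Any, Dict, List, Mapping, Optional, Sequence, Tuple

log = logging.getLogger("faucet")

DEFAULTS: Dict[str, Any] = {"host": "127.0.0.1", "port": 5000, "debug": False}


def build_parser() -> argparse.ArgumentParser:
    p = argparse.ArgumentParser(prog="faucet_service")
    p.add_argument("--host")
    p.add_argument("--port", type=int)
    # Kept so existing start scripts keep working; it has no effect.
    p.add_argument("--debug", action="store_true",
                   help="Deprecated and ignored: Flask debug mode is always off")
    return p


def resolve_server_config(file_config: Optional[Mapping[str, Any]],
                          argv: Sequence[str],
                          environ: Mapping[str, str]) -> Tuple[Dict[str, Any], List[str]]:
    """Merge defaults <- config file <- CLI, then force debug off last.

    Returns (config, ignored); `ignored` names every override that tried to
    enable debug mode and was discarded, so the service can log them.
    """
    cfg = dict(DEFAULTS)
    cfg.update((file_config or {}).get("server", {}))
    args = build_parser().parse_args(list(argv))
    if args.host:
        cfg["host"] = args.host
    if args.port:
        cfg["port"] = args.port

    ignored: List[str] = []
    if cfg.get("debug"):
        ignored.append("config file server.debug=true")
    if args.debug:
        ignored.append("--debug flag (deprecated)")
    # Same truthiness rule Flask applies to FLASK_DEBUG.
    if environ.get("FLASK_DEBUG", "").lower() not in ("", "0", "false", "no"):
        ignored.append(f"FLASK_DEBUG={environ['FLASK_DEBUG']!r}")
    for reason in ignored:
        log.warning("Flask debug mode stays disabled; ignoring %s", reason)

    # Last write wins: nothing after this line may touch cfg["debug"].
    cfg["debug"] = False
    return cfg, ignored


def run_service(app: Any, cfg: Mapping[str, Any]) -> Dict[str, Any]:
    """Start the app with debugger and reloader explicitly off.

    debug=False (not None) makes Flask ignore FLASK_DEBUG for this run;
    use_debugger/use_reloader are forwarded to werkzeug.serving.run_simple.
    Returns the kwargs used so a caller (or test) can verify them.
    """
    kwargs = dict(host=cfg["host"], port=cfg["port"], debug=False,
                  use_debugger=False, use_reloader=False)
    log.info("Flask debug mode is disabled for security")
    app.run(**kwargs)
    return kwargs


class RecordingApp:
    """Test double: records app.run kwargs. Use a real flask.Flask in the service."""

    def __init__(self) -> None:
        self.run_kwargs: Dict[str, Any] = {}

    def run(self, **kwargs: Any) -> None:
        self.run_kwargs = kwargs


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Constructed inputs: every override path tries to turn debug on.
    conf, dropped = resolve_server_config({"server": {"debug": True, "port": 8080}},
                                          ["--debug", "--host", "0.0.0.0"],
                                          {"FLASK_DEBUG": "1"})
    run_service(RecordingApp(), conf)
    print(conf, dropped)
```

The Werkzeug development server behind app.run() is not hardened for public exposure even with the debugger off; a public faucet is better served behind a WSGI server such as gunicorn or waitress, with this config resolution kept for host and port.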

Contributor

@kekehanshujun kekehanshujun left a comment


I reviewed head 1d9e47f895f1a1d04477473bde1f9ee3a1559533.

The patch disables Flask debug mode in the four public service entrypoints listed in the PR, keeps the faucet --debug flag as a compatibility no-op, and updates the faucet docs so they no longer recommend starting the public service with Flask debug enabled. The added AST regression test is focused on the right failure mode: it catches both direct app.run(..., debug=True) usage and assignments that set a debug config key to True.

Validation run in a clean temporary worktree based on origin/main with the PR patch applied:

git diff --check --cached
passed

python -B -m py_compile keeper_explorer.py contributor_registry.py bridge/bridge_api.py faucet_service/faucet_service.py tests/test_flask_debug_disabled.py
passed

python -B -m pytest -q tests/test_flask_debug_disabled.py --noconftest
1 passed, 1 warning

python tools/bcos_spdx_check.py --base-ref origin/main
BCOS SPDX check: OK

The pytest warning is the existing keeper_explorer.py invalid escape warning from the unchanged HTML banner. I did not find a blocker.

Contributor

@jaxint jaxint left a comment


LGTM! Thanks for contributing. Approved.


@TJCurnutte TJCurnutte left a comment


Reviewed the Flask debug hardening path and this looks mergeable to me.

What I validated:

git diff --check origin/main...HEAD -- bridge/bridge_api.py contributor_registry.py faucet_service/IMPLEMENTATION_SUMMARY.md faucet_service/README.md faucet_service/faucet_service.py keeper_explorer.py tests/test_flask_debug_disabled.py
python3 -B -m py_compile bridge/bridge_api.py contributor_registry.py faucet_service/faucet_service.py keeper_explorer.py tests/test_flask_debug_disabled.py
PYTHONPATH=. uv run --no-project --with pytest --with flask --with pyyaml python -B -m pytest -q tests/test_flask_debug_disabled.py --noconftest

Proof from the disposable worktree at head 1d9e47f895f1a1d04477473bde1f9ee3a1559533:

  • git diff --check passed for the changed files.
  • py_compile passed for the changed Python entrypoints and the new regression test.
  • Focused pytest passed: 1 passed, 1 warning in 0.05s.
  • The extra AST/source probe returned debug_true_locations [] and confirmed the faucet --debug flag is now documented as deprecated while config['server']['debug'] = False is forced before startup.

Reasoning: the public app.run(..., debug=True) entrypoints in bridge_api.py, contributor_registry.py, and keeper_explorer.py are now hard-disabled, and the faucet CLI/config path no longer allows a command-line debug override to put Flask back into debugger mode. The regression test is narrow but useful: it will catch reintroducing literal debug=True calls or direct debug-config True assignments in the listed public entrypoints.

Approved.

Contributor

@HCIE2054 HCIE2054 left a comment


LGTM!

Contributor

@HCIE2054 HCIE2054 left a comment


LGTM!

Contributor

@HCIE2054 HCIE2054 left a comment


LGTM!

Contributor

@HCIE2054 HCIE2054 left a comment


LGTM!

Contributor

@508704820 508704820 left a comment


Disable Flask debug entrypoints. CRITICAL security fix - Flask debug mode exposes interactive Python console and Werkzeug debugger, allowing RCE. Verify: (1) Debug mode is disabled in ALL environments, not just production. (2) No other debug endpoints remain enabled. (3) Consider adding a CI check that asserts DEBUG=False in all config files. - Xeophon (security review)

Contributor

@HCIE2054 HCIE2054 left a comment


LGTM!

@508704820
Contributor

Security Review ✅ CRITICAL FIX

Disabling Flask debug=True across all entry points. Debug mode enables the Werkzeug interactive debugger, which allows arbitrary code execution via the browser. This is a well-known RCE vector in production.

Changes cover 5 files: bridge_api.py, contributor_registry.py, faucet_service.py, keeper_explorer.py, and removes --debug CLI flag. Test uses AST analysis to verify no debug=True remains.

Reviewed by Xeophon - Solana: Lt9nERv6VHsojw15LpFeiaabuphAggzfLF9sM9UXRrZ

Contributor

@HCIE2054 HCIE2054 left a comment


LGTM!

Contributor

@HCIE2054 HCIE2054 left a comment


LGTM!

Contributor

@kekehanshujun kekehanshujun left a comment


Reviewing this as part of the RustChain code review bounty.

This PR is incomplete for #4810. The issue lists several public Flask entrypoints with debug=True, but the patch only changes bridge/bridge_api.py, contributor_registry.py, keeper_explorer.py, and the faucet service docs/config path.

Two affected files from the report are still not covered by the new AST regression list and remain vulnerable on current main: explorer/app.py and security_test_payment_widget.py. Both have app.run(... host='0.0.0.0' ..., debug=True) patterns and should either be fixed in this PR or the PR body should narrow the scope so it does not claim to resolve #4810.

Please add those entrypoints to ENTRYPOINTS and disable their hard-coded debug mode as well; otherwise the regression test can pass while part of the reported security surface remains open.

Contributor

@HCIE2054 HCIE2054 left a comment


LGTM!

Contributor

@HCIE2054 HCIE2054 left a comment


LGTM!

@2balmprune

Follow-up after the later scope review: my earlier approval validated the entrypoints and regression coverage touched by this PR, but I agree that if the PR is meant to fully resolve issue #4810 then the remaining reported Flask debug entrypoints (explorer/app.py and security_test_payment_widget.py) should also be fixed, or the PR body should narrow the claimed scope. I am leaving my focused validation intact, but the broader issue-resolution blocker is real until that scope is addressed.

Contributor

@HCIE2054 HCIE2054 left a comment


LGTM!

Contributor

@jaxint jaxint left a comment


LGTM! Great work on this PR. 🚀

Contributor

@HCIE2054 HCIE2054 left a comment


LGTM!

Contributor

@HCIE2054 HCIE2054 left a comment


LGTM!

Contributor

@HCIE2054 HCIE2054 left a comment


LGTM!

Contributor

@HCIE2054 HCIE2054 left a comment


LGTM!

Contributor

@HCIE2054 HCIE2054 left a comment


LGTM!

Contributor

@HCIE2054 HCIE2054 left a comment


LGTM!

Contributor

@HCIE2054 HCIE2054 left a comment


LGTM!

@Scottcjn
Owner

Duplicate of #5488 by @rogierx (same bridge/bridge_api.py:662 debug=False change). Codex batch 2 Q5.

Scottcjn closed this on May 18, 2026
Development

Successfully merging this pull request may close these issues.

Bug: keeper_explorer and contributor_registry run Flask in debug=True — enables RCE