Active debug code (pprof enabled)
Description
Go ships a built-in profiler in `net/http/pprof`. Importing the package (typically for side effects, `_ "net/http/pprof"`) runs an `init()` that registers handlers under `/debug/pprof/` on `http.DefaultServeMux`, so any server started with a nil handler (`http.ListenAndServe(addr, nil)`) serves them to every client. The endpoints require no authentication: `/debug/pprof/cmdline` returns the process command line (which may carry credentials or internal hostnames), the goroutine, heap and allocation profiles expose stack traces, source paths and memory layout, and `/debug/pprof/profile` starts a CPU profile on demand, letting an anonymous caller burn CPU time at will. The profiler must not be reachable on a production listener.
Examples
Insecure Code

```go
package main

import (
	"net/http"
	_ "net/http/pprof" // init() registers /debug/pprof/* on http.DefaultServeMux
)

func main() {
	http.ListenAndServe(":8080", nil) // nil serves DefaultServeMux, so pprof is public
}
```

Secure Code
```go
package main

import "net/http"

func main() {
	http.ListenAndServe(":8080", nil) // no pprof import, so DefaultServeMux carries no /debug/pprof/*
}
```

Remediation
Remove the `net/http/pprof` import, and check transitive dependencies as well: any package linked into the binary that imports it registers the same handlers on `http.DefaultServeMux`. If profiling is genuinely needed at runtime, register the pprof handlers explicitly on a dedicated `http.ServeMux` served from a loopback or internal-only listener (or behind authentication), and give the public server its own mux rather than a nil handler. Verify the fix against the running service: `curl -s -o /dev/null -w '%{http_code}' http://host:8080/debug/pprof/` should return 404.
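The following is an added example (not code from the original page) of the separation described above: the public listener gets its own mux, the pprof handlers are registered explicitly on a second mux that is only ever bound to a loopback address, and an in-process probe refuses to start if the public handler routes `/debug/pprof/`. The ports `:8080` and `127.0.0.1:6060`, the `/healthz` route and the helper names `newPublicMux`, `newDebugMux`, `isLoopbackAddr` and `exposesPprof` are assumptions for this example.

```go
package main

import (
	"log"
	"net"
	"net/http"
	"net/http/httptest"
	"net/http/pprof"
	"time"
)

// newPublicMux builds the handler for the internet-facing listener. It is a
// fresh ServeMux, not http.DefaultServeMux: because this file imports
// net/http/pprof, DefaultServeMux already carries /debug/pprof/* and must
// never be served on the public port.
func newPublicMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/healthz", func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("ok\n")) // assumed application route
	})
	return mux
}

// newDebugMux registers the pprof handlers explicitly on a private mux that is
// only bound to a loopback address (see main).
func newDebugMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/debug/pprof/", pprof.Index)
	mux.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
	mux.HandleFunc("/debug/pprof/profile", pprof.Profile)
	mux.HandleFunc("/debug/pprof/symbol", pprof.Symbol)
	mux.HandleFunc("/debug/pprof/trace", pprof.Trace)
	return mux
}

// isLoopbackAddr reports whether addr ("host:port") names a loopback address,
// so the debug listener cannot accidentally be bound to 0.0.0.0 or a public IP.
func isLoopbackAddr(addr string) bool {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		return false
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// exposesPprof probes a handler in-process and reports whether /debug/pprof/
// is routable on it. Use it as a startup self-check or in a unit test to catch
// a handler that inherited the pprof routes directly or via a dependency.
func exposesPprof(h http.Handler) bool {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/debug/pprof/", nil))
	return rec.Code != http.StatusNotFound
}

func main() {
	public := newPublicMux()
	if exposesPprof(public) {
		log.Fatal("refusing to start: public handler exposes /debug/pprof/")
	}

	debugAddr := "127.0.0.1:6060" // assumed loopback-only port for this example
	if !isLoopbackAddr(debugAddr) {
		log.Fatalf("refusing to start: debug listener %s is not loopback-only", debugAddr)
	}
	go func() {
		log.Println(http.ListenAndServe(debugAddr, newDebugMux()))
	}()

	srv := &http.Server{
		Addr:              ":8080",
		Handler:           public, // explicit handler, never nil
		ReadHeaderTimeout: 5 * time.Second,
	}
	log.Fatal(srv.ListenAndServe())
}
```

Because this file imports `net/http/pprof`, `http.DefaultServeMux` still carries the profiling routes; the design only works as long as nothing in the binary ever serves `DefaultServeMux` (or a nil handler) on a reachable port, which is exactly what `exposesPprof` guards against at startup.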
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0791 |
| Category | InsecureConfig |
| Severity | MEDIUM |
| CWE | CWE-489 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | debug, profiling |
| OWASP | A6:2017-Security Misconfiguration, A05:2021-Security Misconfiguration |