Interlace ESLint

no-debug-code-in-production

Detects debug code that should not be present in production builds.

Keywords: console.log, DEBUG, DEV, CWE-489, leftover debug, production security

⚠️ This rule errors by default in the recommended config.

Quick Summary

Aspect          Details
CWE Reference   CWE-489 (Active Debug Code)
OWASP Mobile    M7: Client Code Quality
Severity        High
Category        Security

Rule Details

Debug code left in production can expose sensitive information, internal system details, or create attack vectors. This rule detects:

  • console.log() statements
  • DEBUG identifiers
  • __DEV__ React Native development flags

Examples

❌ Incorrect

// Console logging in production code
function processPayment(card) {
  console.log('Processing card:', card.number); // Exposes PII!
  return chargeCard(card);
}

// Debug flags left in code
if (DEBUG) {
  showInternalState();
}

// React Native dev flag
if (__DEV__) {
  enableDevTools();
}

✅ Correct

// Use proper logging service
import { logger } from './logger';

function processPayment(card) {
  logger.info('Processing payment', { cardLast4: card.number.slice(-4) });
  return chargeCard(card);
}

// Remove debug blocks entirely for production
// Or use build-time dead code elimination

// Conditional logging based on environment
if (process.env.NODE_ENV !== 'production') {
  console.log('Development only log');
}
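As an added example (not the Interlace rule's own source), here is a minimal ESLint rule that performs the three checks listed under Rule Details, together with a small stand-in traversal so it can be exercised without ESLint installed. It assumes ESLint's `node.parent` links and treats a console call inside `if (process.env.NODE_ENV !== 'production')` as allowed, as the correct example above does; aliased, wrapped and computed console access stays undetected, matching the false negatives documented below.

```javascript
// Added example, not the Interlace rule's source. Assumes ESLint's node.parent links.
const DEBUG_FLAGS = new Set(['DEBUG', '__DEV__']);
// True for the guard `process.env.NODE_ENV !== 'production'` (or `!=`).
function isDevOnlyGuard(t) {
  if (!t || t.type !== 'BinaryExpression' || !['!==', '!='].includes(t.operator)) return false;
  const l = t.left, r = t.right;
  return l.type === 'MemberExpression' && !l.computed && l.property.name === 'NODE_ENV' &&
    l.object.type === 'MemberExpression' && !l.object.computed && l.object.property.name === 'env' &&
    l.object.object.type === 'Identifier' && l.object.object.name === 'process' &&
    r.type === 'Literal' && r.value === 'production';
}
// Walks up the parent chain looking for an enclosing dev-only if-statement.
function insideDevGuard(node) {
  for (let p = node.parent; p; p = p.parent) if (p.type === 'IfStatement' && isDevOnlyGuard(p.test)) return true;
  return false;
}
const rule = {
  meta: { type: 'problem', schema: [], messages: { debug: 'CWE-489 | Debug Code in Production detected - {{what}} | HIGH' } },
  create(context) {
    return {
      // Direct console.<method>() calls only; aliased, wrapped or computed access is not traced.
      CallExpression(node) {
        const c = node.callee;
        if (c.type === 'MemberExpression' && !c.computed && c.object.type === 'Identifier' &&
            c.object.name === 'console' && !insideDevGuard(node)) {
          context.report({ node, messageId: 'debug', data: { what: `console.${c.property.name}` } });
        }
      },
      // Bare DEBUG / __DEV__ identifiers; property names such as `cfg.DEBUG` are skipped.
      Identifier(node) {
        const p = node.parent;
        if (DEBUG_FLAGS.has(node.name) && !(p && p.type === 'MemberExpression' && p.property === node && !p.computed)) {
          context.report({ node, messageId: 'debug', data: { what: node.name } });
        }
      },
    };
  },
};
// Stand-in for ESLint's traversal: sets parent links, dispatches to the handlers, returns each report's `what`.
function runRule(ast) {
  const reports = [], handlers = rule.create({ report: (r) => reports.push(r.data.what) });
  (function walk(node, parent) {
    node.parent = parent;
    if (handlers[node.type]) handlers[node.type](node);
    for (const key of Object.keys(node)) if (key !== 'parent')
      for (const k of [].concat(node[key])) if (k && typeof k.type === 'string') walk(k, node);
  })(ast, null);
  return reports;
}
```

Feed `runRule` a hand-built ESTree tree (or the `rule` object to ESLint's RuleTester) to see which of the incorrect examples above it flags and which documented false negatives slip through.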

Error Message Format

When triggered, this rule produces:

🔒 CWE-489 | Debug Code in Production detected - DEBUG, __DEV__, console | HIGH
   Fix: Review and apply secure practices | https://cwe.mitre.org/data/definitions/489.html

Known False Negatives

The following patterns are not detected due to static analysis limitations:

Aliased Console

Why: Aliased console object not traced.

// ❌ NOT DETECTED - Aliased console
const log = console.log;
log('debug info');

Mitigation: Avoid aliasing console methods.

Custom Debug Functions

Why: Custom logging functions not recognized.

// ❌ NOT DETECTED - Custom debug function
function debug(msg) {
  console.log(msg);
}
debug('internal state');

Mitigation: Apply rule to debug function definitions.

Dynamic Method Names

Why: Dynamic property access not analyzed.

// ❌ NOT DETECTED - Dynamic method
const method = 'log';
console[method]('debug');

Mitigation: Avoid dynamic console access.

When Not To Use It

  • In development-only configuration files
  • In CLI tools where console output is expected
  • When using a logging library that conditionally strips debug logs

Category: Security
Type: Problem
Recommended: Yes
