gitlab.bandit.B104


Running socket.bind against 0.0.0.0, ::, or the empty string could unexpectedly expose the server publicly, since each of these binds to all available interfaces. Consider instead reading the correct address from an environment variable or configuration file.
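As an added illustration, not part of the rule or of the Bandit/GitLab project, the bind the rule matches is shown beside a version that takes the address from configuration and refuses the three wildcard values unless the operator opts in; the variable names BIND_HOST and ALLOW_PUBLIC_BIND are assumptions.

```python
import os
import socket

# The three addresses bandit.B104 flags: each one listens on every interface.
WILDCARD_ADDRESSES = ("0.0.0.0", "::", "")


def is_wildcard_address(host: str) -> bool:
    """True if binding to `host` would listen on all interfaces."""
    return host in WILDCARD_ADDRESSES


def flagged_server() -> socket.socket:
    """The shape the rule matches: socket.socket(...) followed by a
    hard-coded bind to a wildcard address (a bandit.B104 finding)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("0.0.0.0", 0))
    return s


def resolve_bind_host(env, default: str = "127.0.0.1") -> str:
    """Pick the bind address from configuration (here a mapping such as os.environ).

    Wildcard addresses are refused unless ALLOW_PUBLIC_BIND=1 is set, so a
    missing, empty, or careless value cannot silently expose the service.
    BIND_HOST and ALLOW_PUBLIC_BIND are assumed names for this example."""
    host = env.get("BIND_HOST", default)
    if is_wildcard_address(host) and env.get("ALLOW_PUBLIC_BIND") != "1":
        raise ValueError(
            f"refusing to bind wildcard address {host!r}; "
            "set ALLOW_PUBLIC_BIND=1 to listen on all interfaces deliberately"
        )
    return host


def hardened_server(env=None) -> socket.socket:
    """Bind only to the configured address; defaults to loopback."""
    env = os.environ if env is None else env
    host = resolve_bind_host(env)
    # Choose the address family from the configured host so IPv6 values work.
    family = socket.AF_INET6 if ":" in host else socket.AF_INET
    s = socket.socket(family, socket.SOCK_STREAM)
    s.bind((host, 0))  # port 0: let the OS choose an ephemeral port
    return s
```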


Definition

rules:
  - id: bandit.B104
    patterns:
      - pattern-either:
          - pattern: |
              $S = socket.socket(...)
              ...
              $S.bind(("0.0.0.0", ...))
          - pattern: |
              $S = socket.socket(...)
              ...
              $S.bind(("::", ...))
          - pattern: |
              $S = socket.socket(...)
              ...
              $S.bind(("", ...))
    message: >
      Running `socket.bind` to 0.0.0.0, ::, or empty string could unexpectedly
      expose the server publicly as it binds to all available interfaces. Consider
      instead getting correct address from an environment variable or
      configuration file.
    metadata:
      cwe: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
      owasp: "A6: Security Misconfiguration"
      primary_identifier: bandit.B104
      secondary_identifiers:
        - name: Bandit Test ID B104
          type: bandit_test_id
          value: B104
      license: MIT
    severity: INFO
    languages:
      - python