go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces

Community Favorite
Author: semgrep
Download count: 72,039

Detected a network listener listening on 0.0.0.0 or an empty string. This could unexpectedly expose the server publicly as it binds to all available interfaces. Instead, specify another IP address that is not 0.0.0.0 nor the empty string.

Definition

rules:
  - id: avoid-bind-to-all-interfaces
    message: Detected a network listener listening on 0.0.0.0 or an empty string.
      This could unexpectedly expose the server publicly as it binds to all
      available interfaces. Instead, specify another IP address that is not
      0.0.0.0 nor the empty string.
    languages:
      - go
    severity: WARNING
    metadata:
      cwe:
        - "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
      owasp:
        - A01:2021 - Broken Access Control
      source-rule-url: https://github.com/securego/gosec
      category: security
      technology:
        - go
      confidence: HIGH
      references:
        - https://owasp.org/Top10/A01_2021-Broken_Access_Control
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    pattern-either:
      - pattern: tls.Listen($NETWORK, "=~/^0.0.0.0:.*$/", ...)
      - pattern: net.Listen($NETWORK, "=~/^0.0.0.0:.*$/", ...)
      - pattern: tls.Listen($NETWORK, "=~/^:.*$/", ...)
      - pattern: net.Listen($NETWORK, "=~/^:.*$/", ...)

Examples

bind_all.go

package main

import (
	"log"
	"net"
)

func bind_all() {
	// ruleid: avoid-bind-to-all-interfaces
	l, err := net.Listen("tcp", "0.0.0.0:2000")
	if err != nil {
		log.Fatal(err)
	}
	defer l.Close()
}

func bind_default() {
	// ruleid: avoid-bind-to-all-interfaces
	l, err := net.Listen("tcp", ":2000")
	if err != nil {
		log.Fatal(err)
	}
	defer l.Close()
}

func main() {
	// ok: avoid-bind-to-all-interfaces
	l, err := net.Listen("tcp", "192.168.1.101:2000")
	if err != nil {
		log.Fatal(err)
	}
	defer l.Close()
}
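As an added example (not part of the Semgrep rule or its test file above), a small Go helper that rejects the wildcard address forms this rule matches before net.Listen is ever called; it goes beyond the rule's two regexes by also rejecting the IPv6 unspecified address "[::]:port". CheckBindAddr, SafeListen and ErrBindAll are names introduced here, not from the rule.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// ErrBindAll is returned when an address would bind to every interface.
var ErrBindAll = errors.New("listen address binds to all interfaces")

// CheckBindAddr reports whether addr (host:port) would bind to all
// interfaces. It rejects the two forms the rule matches ("0.0.0.0:port"
// and ":port") and, beyond the rule, the IPv6 unspecified address
// ("[::]:port"). Hostnames are not resolved, so "localhost:port" passes.
func CheckBindAddr(addr string) error {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		return fmt.Errorf("invalid listen address %q: %w", addr, err)
	}
	if host == "" {
		return fmt.Errorf("%w: %q has an empty host", ErrBindAll, addr)
	}
	if ip := net.ParseIP(host); ip != nil && ip.IsUnspecified() {
		return fmt.Errorf("%w: %q", ErrBindAll, addr)
	}
	return nil
}

// SafeListen wraps net.Listen with the check above so that a wildcard
// address fails fast instead of silently exposing the service.
func SafeListen(network, addr string) (net.Listener, error) {
	if err := CheckBindAddr(addr); err != nil {
		return nil, err
	}
	return net.Listen(network, addr)
}

func main() {
	// Constructed sample addresses: the first three are rejected, the last passes.
	for _, a := range []string{"0.0.0.0:2000", ":2000", "[::]:2000", "192.168.1.101:2000"} {
		fmt.Printf("%-20s %v\n", a, CheckBindAddr(a))
	}
}
```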