go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces
Community Favorite
returntocorpAuthor
72,039
Download Count*
License
Detected a network listener listening on 0.0.0.0 or an empty string. This could unexpectedly expose the server publicly as it binds to all available interfaces. Instead, specify another IP address that is not 0.0.0.0 nor the empty string.
Run Locally
Run in CI
Defintion
rules:
- id: avoid-bind-to-all-interfaces
message: Detected a network listener listening on 0.0.0.0 or an empty
string. This could unexpectedly expose the server publicly as it binds to
all available interfaces. Instead, specify another IP address that is not
0.0.0.0 nor the empty string.
languages:
- go
severity: WARNING
metadata:
cwe:
- "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
owasp:
- A01:2021 - Broken Access Control
source-rule-url: https://github.com/securego/gosec
category: security
technology:
- go
confidence: HIGH
references:
- https://owasp.org/Top10/A01_2021-Broken_Access_Control
cwe2021-top25: true
subcategory:
- audit
likelihood: LOW
impact: MEDIUM
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
pattern-either:
- pattern: tls.Listen($NETWORK, "=~/^0.0.0.0:.*$/", ...)
- pattern: net.Listen($NETWORK, "=~/^0.0.0.0:.*$/", ...)
- pattern: tls.Listen($NETWORK, "=~/^:.*$/", ...)
- pattern: net.Listen($NETWORK, "=~/^:.*$/", ...)
Examples
bind_all.go
package main
import (
"log"
"net"
)
func bind_all() {
// ruleid: avoid-bind-to-all-interfaces
l, err := net.Listen("tcp", "0.0.0.0:2000")
if err != nil {
log.Fatal(err)
}
defer l.Close()
}
func bind_default() {
// ruleid: avoid-bind-to-all-interfaces
l, err := net.Listen("tcp", ":2000")
if err != nil {
log.Fatal(err)
}
defer l.Close()
}
func main() {
// ok: avoid-bind-to-all-interfaces
l, err := net.Listen("tcp", "192.168.1.101:2000")
if err != nil {
log.Fatal(err)
}
defer l.Close()
}
Short Link: https://sg.run/rdE0