python.flask.security.audit.app-run-param-config.avoid_app_run_with_bad_host

Community Favorite
Author: semgrep
Download count: 80,402

Running flask app with host 0.0.0.0 could expose the server publicly.


Definition

rules:
  - id: avoid_app_run_with_bad_host
    message: Running flask app with host 0.0.0.0 could expose the server publicly.
    metadata:
      cwe:
        - "CWE-668: Exposure of Resource to Wrong Sphere"
      owasp:
        - A01:2021 - Broken Access Control
      category: security
      technology:
        - flask
      references:
        - https://owasp.org/Top10/A01_2021-Broken_Access_Control
      subcategory:
        - vuln
      likelihood: HIGH
      impact: MEDIUM
      confidence: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Other
    languages:
      - python
    severity: WARNING
    pattern-either:
      - pattern: app.run(..., host="0.0.0.0", ...)
      - pattern: app.run(..., "0.0.0.0", ...)

Examples

app-run-param-config.py

#ruleid:avoid_app_run_with_bad_host
app.run(host="0.0.0.0")

#ruleid:avoid_app_run_with_bad_host
app.run("0.0.0.0")

# OK
foo.run("0.0.0.0")
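To make the rule's two patterns concrete, here is an added stand-alone checker (not part of the Semgrep rule or the registry page) that walks a file's AST the way the rule's matcher does: it reports app.run(...) calls where host is the keyword "0.0.0.0" or where "0.0.0.0" appears as a positional argument, and, like the rule, it only inspects a receiver literally named app, which is why the foo.run("0.0.0.0") case above is not reported. The SAMPLE source is constructed for this example.

```python
import ast
from typing import List

FLAGGED_HOST = "0.0.0.0"

# Constructed sample input covering the rule's flagged and OK cases.
SAMPLE = '''\
from flask import Flask
app = Flask(__name__)
app.run(host="0.0.0.0")          # flagged: keyword form (line 3)
app.run("0.0.0.0", port=8080)    # flagged: positional form (line 4)
foo.run("0.0.0.0")               # not flagged: receiver is not `app`
app.run(host="127.0.0.1")        # not flagged: loopback only
'''


def find_public_app_run(source: str) -> List[int]:
    """Return sorted line numbers of app.run(...) calls bound to 0.0.0.0.

    Mirrors pattern-either from the rule:
      app.run(..., host="0.0.0.0", ...)   -> keyword argument
      app.run(..., "0.0.0.0", ...)        -> any positional argument
    Only a receiver named exactly `app` is considered, as in the rule.
    """
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute) and func.attr == "run"
                and isinstance(func.value, ast.Name) and func.value.id == "app"):
            continue
        # Collect every literal that could be the host: host= keyword or positionals.
        candidates = [kw.value for kw in node.keywords if kw.arg == "host"]
        candidates.extend(node.args)
        if any(isinstance(c, ast.Constant) and c.value == FLAGGED_HOST
               for c in candidates):
            hits.append(node.lineno)
    return sorted(hits)


if __name__ == "__main__":
    for line in find_public_app_run(SAMPLE):
        print(f"line {line}: app.run binds to {FLAGGED_HOST}")
```

Because the match is on the receiver name, an app object bound to another name (for example create_app()) is outside what this rule, and this checker, can see.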