python.lang.security.audit.network.bind.avoid-bind-to-all-interfaces

Community Favorite
Author: returntocorp
Download count: 71,865

Running socket.bind with 0.0.0.0, ::, or an empty string could unexpectedly expose the server publicly, as it binds to all available interfaces. Consider instead getting the correct address from an environment variable or configuration file.


Definition

rules:
  - id: avoid-bind-to-all-interfaces
    message: Running `socket.bind` to 0.0.0.0, ::, or empty string could
      unexpectedly expose the server publicly as it binds to all available
      interfaces. Consider instead getting correct address from an environment
      variable or configuration file.
    metadata:
      cwe:
        - "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
      owasp:
        - A01:2021 - Broken Access Control
      category: security
      technology:
        - python
      references:
        - https://owasp.org/Top10/A01_2021-Broken_Access_Control
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: HIGH
      impact: MEDIUM
      confidence: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - python
    severity: INFO
    pattern-either:
      - pattern: |
          $S = socket.socket(...)
          ...
          $S.bind(("0.0.0.0", ...))
      - pattern: |
          $S = socket.socket(...)
          ...
          $S.bind(("::", ...))
      - pattern: |
          $S = socket.socket(...)
          ...
          $S.bind(("", ...))

Examples

bind.py

import socket

# ruleid:avoid-bind-to-all-interfaces
s = socket.socket(doesnt, matter)
s.bind(('0.0.0.0', 1337))

# ruleid:avoid-bind-to-all-interfaces
s = socket.socket(doesnt, matter)
s.bind(('::', 1337))

# ruleid:avoid-bind-to-all-interfaces
s = socket.socket(doesnt, matter)
s.bind(('',))

# ok:avoid-bind-to-all-interfaces
s = socket.socket(doesnt, matter)
s.bind(('8.8.8.8', 1337))

# ok:avoid-bind-to-all-interfaces
s = socket.socket(doesnt, matter)
s.bind(('fe80::34cb:9850:4868:9d2c', 1337))
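The following is an added example, not part of the rule's test file or of the Semgrep project: it shows the fix the rule message recommends (reading the listen address from configuration) together with a check that rejects the wildcard addresses the rule flags, including equivalent spellings such as `::0`. The environment variable name `BIND_ADDR` and the `127.0.0.1` default are assumptions of this example.

```python
import ipaddress
import os
import socket
from typing import Mapping, Optional, Tuple

# The literal values the Semgrep rule flags; all of them mean "every interface".
WILDCARD_ADDRESSES = {"0.0.0.0", "::", ""}


def is_wildcard_bind(host: str) -> bool:
    """Return True if bind() on `host` would listen on all interfaces."""
    host = host.strip()
    if host in WILDCARD_ADDRESSES:
        return True
    try:
        # Also catch spellings the literal patterns miss, e.g. "::0" or "0:0:0:0:0:0:0:0".
        return ipaddress.ip_address(host).is_unspecified
    except ValueError:
        return False


def bind_address_from_env(var: str = "BIND_ADDR", default: str = "127.0.0.1",
                          env: Optional[Mapping[str, str]] = None) -> str:
    """Read the listen address from configuration instead of hard-coding it.

    `BIND_ADDR` is an assumed variable name (not something the rule prescribes).
    A wildcard value is rejected so a careless deployment config cannot
    silently reintroduce the all-interfaces exposure.
    """
    source = os.environ if env is None else env
    host = source.get(var, default)
    if is_wildcard_bind(host):
        raise ValueError(f"{var}={host!r} would bind to all interfaces; set an explicit address")
    return host


def open_listener(host: str, port: int = 0) -> Tuple[str, int]:
    """Bind a TCP listener to an explicit host and return (address, port) actually bound."""
    family = socket.AF_INET6 if ":" in host else socket.AF_INET
    with socket.socket(family, socket.SOCK_STREAM) as s:
        s.bind((host, port))
        s.listen(1)
        addr = s.getsockname()
        return addr[0], addr[1]


if __name__ == "__main__":
    # With no BIND_ADDR set this stays on loopback; port 0 lets the OS pick a free port.
    print(open_listener(bind_address_from_env()))
```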