python.lang.security.audit.network.bind.avoid-bind-to-all-interfaces
Community Favorite
Author: semgrep
Download count: 71,865
Running `socket.bind` with the host set to 0.0.0.0, "::", or an empty string could unexpectedly expose the server publicly, because the socket then listens on all available interfaces. Consider instead reading the correct bind address from an environment variable or a configuration file.
Definition
rules:
  - id: avoid-bind-to-all-interfaces
    message: Running `socket.bind` to 0.0.0.0, or empty string could unexpectedly
      expose the server publicly as it binds to all available interfaces.
      Consider instead getting correct address from an environment variable or
      configuration file.
    metadata:
      cwe:
        - "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
      owasp:
        - A01:2021 - Broken Access Control
      category: security
      technology:
        - python
      references:
        - https://owasp.org/Top10/A01_2021-Broken_Access_Control
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: HIGH
      impact: MEDIUM
      confidence: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    languages:
      - python
    severity: INFO
    pattern-either:
      - pattern: |
          $S = socket.socket(...)
          ...
          $S.bind(("0.0.0.0", ...))
      - pattern: |
          $S = socket.socket(...)
          ...
          $S.bind(("::", ...))
      - pattern: |
          $S = socket.socket(...)
          ...
          $S.bind(("", ...))
Examples
bind.py
import socket
# ruleid:avoid-bind-to-all-interfaces
s = socket.socket(doesnt, matter)
s.bind(('0.0.0.0', 1337))
# ruleid:avoid-bind-to-all-interfaces
s = socket.socket(doesnt, matter)
s.bind(('::', 1337))
# ruleid:avoid-bind-to-all-interfaces
s = socket.socket(doesnt, matter)
s.bind(('',))
# ok:avoid-bind-to-all-interfaces
s = socket.socket(doesnt, matter)
s.bind(('8.8.8.8', 1337))
# ok:avoid-bind-to-all-interfaces
s = socket.socket(doesnt, matter)
s.bind(('fe80::34cb:9850:4868:9d2c', 1337))
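As an added example (not part of the Semgrep rule or its test file above), this is the shape the rule's message recommends: the bind address comes from an environment variable, defaults to loopback, is validated as an IP literal, and the three wildcard forms the rule matches (0.0.0.0, "::", "") are refused unless the caller opts in explicitly. The variable name APP_BIND_ADDR and the function names are assumptions for this example.

```python
import ipaddress
import socket
from typing import Mapping

# Host values that make the socket listen on every interface; these are exactly
# the three forms the avoid-bind-to-all-interfaces rule flags.
WILDCARD_ADDRESSES = frozenset({"", "0.0.0.0", "::"})


def is_wildcard_bind(host: str) -> bool:
    """True if binding to `host` would expose the socket on all interfaces."""
    return host.strip() in WILDCARD_ADDRESSES


def resolve_bind_address(env: Mapping[str, str],
                         var: str = "APP_BIND_ADDR",   # assumed variable name
                         default: str = "127.0.0.1",
                         allow_wildcard: bool = False) -> str:
    """Read the bind address from configuration instead of hard-coding it.

    Non-IP garbage is rejected; wildcard addresses are rejected unless the
    caller explicitly sets allow_wildcard=True, so exposure is a deliberate
    decision rather than a default.
    """
    host = env.get(var, default).strip()
    if is_wildcard_bind(host):
        if not allow_wildcard:
            raise ValueError(f"{var}={host!r} would bind to all interfaces")
        return host
    try:
        ipaddress.ip_address(host)  # raises ValueError on anything not an IP
    except ValueError as exc:
        raise ValueError(f"{var}={host!r} is not an IP address") from exc
    return host


def bind_listener(host: str, port: int) -> socket.socket:
    """Bind a TCP socket to (host, port) and return it; port 0 lets the OS pick."""
    family = socket.AF_INET6 if ":" in host else socket.AF_INET
    s = socket.socket(family, socket.SOCK_STREAM)
    s.bind((host, port))
    return s


if __name__ == "__main__":
    # Constructed environment: the operator chose loopback explicitly.
    addr = resolve_bind_address({"APP_BIND_ADDR": "127.0.0.1"})
    with bind_listener(addr, 0) as s:
        print("listening on", s.getsockname())
```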
Short Link: https://sg.run/rdln