trailofbits.yaml.docker-compose.port-all-interfaces.port-all-interfaces
Service port is exposed on all interfaces
Definition
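# Semgrep rule: flag docker-compose `ports:` entries that publish a container
# port without pinning the host side to a loopback address, i.e. the port is
# reachable on every interface of the Docker host (CWE-1327).
rules:
  - id: port-all-interfaces
    message: Service port is exposed on all interfaces
    languages:
      - yaml
    severity: WARNING
    metadata:
      category: security
      cwe: "CWE-1327: Binding to an Unrestricted IP Address"
      subcategory:
        - audit
      technology:
        - docker
        - compose
      # LOW confidence: the check is purely syntactic (see the regex below) and
      # cannot distinguish an intentionally public service from an accidental one.
      confidence: LOW
      likelihood: LOW
      impact: LOW
      references:
        - https://docs.docker.com/compose/compose-file/compose-file-v3/#ports
      license: AGPL-3.0 license
      vulnerability_class:
        - Other
    patterns:
      # Only look inside the top-level `services:` mapping.
      - pattern-inside: |
          services:
            ...
      # Match each scalar item of a `ports:` sequence, i.e. the compose short
      # syntax "[HOST:]CONTAINER[/PROTOCOL]". The long mapping syntax
      # (`target:` / `published:` / `host_ip:` keys) is not matched here.
      - pattern: |
          ports:
            - ...
            - "$PORT"
            - ...
      - focus-metavariable: $PORT
      # Report every entry that does NOT begin with an IPv4 loopback host
      # prefix (127.0.0.0/8 followed by ':'). The dots are escaped so that only
      # a literal dotted quad is exempted, not any four characters.
      # Limitation: any other explicit host address, including an IPv6
      # loopback such as "[::1]:", is still reported even though it is not a
      # bind to all interfaces.
      - metavariable-regex:
          metavariable: $PORT
          regex: '^(?!127\.\d{1,3}\.\d{1,3}\.\d{1,3}:).+'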
Examples
port-all-interfaces.test.yaml
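---
# Test fixture for port-all-interfaces. Every `ports:` item uses the compose
# short syntax; items with no 127.x.x.x host prefix are expected findings
# (`ruleid`), items pinned to a loopback address are not (`ok`).
# Each annotation comment applies to the line directly below it.
services:
  web:
    build: .
    ports:
      # ruleid: port-all-interfaces
      - "3000"
      # ruleid: port-all-interfaces
      - "3000-3005"
      # ruleid: port-all-interfaces
      - "8000:8000"
      # ruleid: port-all-interfaces
      - "9090-9091:8080-8081"
      # ruleid: port-all-interfaces
      - "49100:22"
      # ruleid: port-all-interfaces
      - "8000-9000:80"
      # ruleid: port-all-interfaces
      - "6060:6060/udp"
      # Explicit wildcard bind: the canonical all-interfaces case.
      # ruleid: port-all-interfaces
      - "0.0.0.0:8000:8000"
      # ok: port-all-interfaces
      - "127.0.0.1:8001:8001"
      # ok: port-all-interfaces
      - "127.0.0.2:8001:8001"
      # ok: port-all-interfaces
      - "127.255.255.255:8001:8001"
      # ok: port-all-interfaces
      - "127.0.0.1:5000-5010:5000-5010"
  # No `ports:` key at all: nothing is published, so nothing is reported.
  redis:
    image: "redis:alpine"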