trailofbits.yaml.docker-compose.port-all-interfaces.port-all-interfaces


Service port is exposed on all interfaces


Definition

# Flags docker-compose short-syntax port mappings whose host side is not
# pinned to a loopback address, i.e. mappings Docker would publish on
# 0.0.0.0 (every host interface). Pinning the host side to 127.x.x.x keeps
# the service reachable only from the host itself.
rules:
  - id: port-all-interfaces
    message: Service port is exposed on all interfaces
    languages:
      - yaml
    severity: WARNING
    metadata:
      category: security
      cwe: "CWE-1327: Binding to an Unrestricted IP Address"
      subcategory:
        - audit
      technology:
        - docker
        - compose
      # LOW across the board: the rule only sees the compose file, not
      # whether the host's interfaces are reachable from an untrusted
      # network, so a hit is a prompt to review the mapping rather than a
      # confirmed exposure.
      confidence: LOW
      likelihood: LOW
      impact: LOW
      references:
        - https://docs.docker.com/compose/compose-file/compose-file-v3/#ports
      license: AGPL-3.0 license
      vulnerability_class:
        - Other
    patterns:
      # Only consider `ports:` lists that live under a top-level `services:`
      # mapping; a `ports:` key elsewhere in the file is ignored.
      - pattern-inside: |
          services:
            ...
      # Every quoted list item is a candidate; the `...` on either side lets
      # it sit anywhere in the list. Only the short (string) form is
      # covered — long-form entries (`target:`/`published:`/`host_ip:`
      # mappings) presumably do not match a quoted-string pattern, so a
      # long-form mapping with no `host_ip` or `host_ip: 0.0.0.0` would be
      # missed — TODO confirm and extend. Whether a bare unquoted numeric
      # port (`- 3000`) matches `"$PORT"` is also not obvious — TODO verify.
      - pattern: |
          ports:
            - ...
            - "$PORT"
            - ...
      # Report just the port string, not the whole `ports:` list.
      - focus-metavariable: $PORT
      # Anything that does not start with a `127.x.x.x:` host prefix is
      # reported. Consequences to keep in mind when triaging:
      #   - `0.0.0.0:8000:8000` and a bare `8000:8000` are both reported
      #     (both publish on every interface).
      #   - A non-loopback host IP such as `10.0.0.5:8000:8000` is also
      #     reported although it binds a single interface; the message
      #     overstates that case.
      #   - An IPv6 loopback prefix (`[::1]:`), if used, is not exempted
      #     and is reported as well.
      #   - The dots are unescaped, so `.` matches any character; harmless
      #     for well-formed addresses, but `127\.` would state the intent.
      - metavariable-regex:
          metavariable: $PORT
          regex: ^(?!127.\d{1,3}.\d{1,3}.\d{1,3}:).+

Examples

port-all-interfaces.test.yaml

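---
# Fixture for port-all-interfaces. Each `ruleid:` comment sits on the line
# directly above the mapping it expects a finding on, and each `ok:` above a
# mapping that must stay quiet. Keep explanatory comments above those
# annotations, never between an annotation and its target line.
services:
  web:
    build: .
    ports:
      # No host address at all: Docker publishes these on every interface
      # by default.
      # ruleid: port-all-interfaces
      - "3000"
      # ruleid: port-all-interfaces
      - "3000-3005"
      # ruleid: port-all-interfaces
      - "8000:8000"
      # ruleid: port-all-interfaces
      - "9090-9091:8080-8081"
      # ruleid: port-all-interfaces
      - "49100:22"
      # ruleid: port-all-interfaces
      - "8000-9000:80"
      # ruleid: port-all-interfaces
      - "6060:6060/udp"
      # An explicit wildcard host address is the canonical all-interfaces
      # bind and must be reported too; it does not start with `127.`.
      # ruleid: port-all-interfaces
      - "0.0.0.0:8000:8000"
      # Host side pinned to a loopback address. The whole 127.0.0.0/8 block
      # is exempted, not only 127.0.0.1.
      # ok: port-all-interfaces
      - "127.0.0.1:8001:8001"
      # ok: port-all-interfaces
      - "127.0.0.2:8001:8001"
      # ok: port-all-interfaces
      - "127.255.255.255:8001:8001"
      # ok: port-all-interfaces
      - "127.0.0.1:5000-5010:5000-5010"
  redis:
    image: "redis:alpine"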