File tree 3 files changed +139
-0
lines changed
3 files changed +139
-0
lines changed Original file line number Diff line number Diff line change 1+ id : avoid-bind-to-all-interfaces-python
2+ severity : warning
3+ language : python
4+ message : >-
5+ Running `socket.bind` to 0.0.0.0, or empty string could unexpectedly
6+ expose the server publicly as it binds to all available interfaces.
7+ Consider instead getting correct address from an environment variable or
8+ configuration file.
9+ note : >-
10+ [CWE-200] Exposure of Sensitive Information to an Unauthorized Actor.
11+ [REFERENCES]
12+ - https://owasp.org/Top10/A01_2021-Broken_Access_Control
13+ utils :
14+ MATCH_PATTERN_$S.bind :
15+ kind : expression_statement
16+ all :
17+ - has :
18+ stopBy : neighbor
19+ kind : call
20+ all :
21+ - has :
22+ stopBy : neighbor
23+ kind : attribute
24+ all :
25+ - has :
26+ stopBy : neighbor
27+ kind : identifier
28+ - has :
29+ stopBy : neighbor
30+ kind : identifier
31+ regex : " ^bind$"
32+ - has :
33+ stopBy : neighbor
34+ kind : argument_list
35+ has :
36+ stopBy : neighbor
37+ kind : tuple
38+ has :
39+ stopBy : neighbor
40+ kind : string
41+ regex : ^'0.0.0.0'|'::'|''$
42+ - follows :
43+ stopBy : end
44+ kind : expression_statement
45+ has :
46+ stopBy : end
47+ kind : call
48+ has :
49+ stopBy : neighbor
50+ kind : attribute
51+ all :
52+ - has :
53+ stopBy : neighbor
54+ kind : identifier
55+ regex : " ^socket$"
56+ - has :
57+ stopBy : neighbor
58+ kind : identifier
59+ regex : " ^socket$"
60+
61+ rule :
62+ kind : expression_statement
63+ any :
64+ - matches : MATCH_PATTERN_$S.bind
Original file line number Diff line number Diff line change 1+ id : avoid-bind-to-all-interfaces-python
2+ snapshots :
3+ ? |
4+ s = socket.socket(doesnt, matter)
5+ s.bind(('',))
6+ s = socket.socket(doesnt, matter)
7+ s.bind(('::', 1337))
8+ s = socket.socket(doesnt, matter)
9+ s.bind(('0.0.0.0', 1337))
10+ : labels :
11+ - source : s.bind(('',))
12+ style : primary
13+ start : 34
14+ end : 47
15+ - source : s
16+ style : secondary
17+ start : 34
18+ end : 35
19+ - source : bind
20+ style : secondary
21+ start : 36
22+ end : 40
23+ - source : s.bind
24+ style : secondary
25+ start : 34
26+ end : 40
27+ - source : ' '''' '
28+ style : secondary
29+ start : 42
30+ end : 44
31+ - source : ('',)
32+ style : secondary
33+ start : 41
34+ end : 46
35+ - source : (('',))
36+ style : secondary
37+ start : 40
38+ end : 47
39+ - source : s.bind(('',))
40+ style : secondary
41+ start : 34
42+ end : 47
43+ - source : socket
44+ style : secondary
45+ start : 4
46+ end : 10
47+ - source : socket
48+ style : secondary
49+ start : 4
50+ end : 10
51+ - source : socket.socket
52+ style : secondary
53+ start : 4
54+ end : 17
55+ - source : socket.socket(doesnt, matter)
56+ style : secondary
57+ start : 4
58+ end : 33
59+ - source : s = socket.socket(doesnt, matter)
60+ style : secondary
61+ start : 0
62+ end : 33
Original file line number Diff line number Diff line change 1+ id : avoid-bind-to-all-interfaces-python
2+ valid :
3+ - |
4+ s = socket.socket(doesnt, matter)
5+ s.bind(('fe80::34cb:9850:4868:9d2c', 1337))
6+ invalid :
7+ - |
8+ s = socket.socket(doesnt, matter)
9+ s.bind(('',))
10+ s = socket.socket(doesnt, matter)
11+ s.bind(('::', 1337))
12+ s = socket.socket(doesnt, matter)
13+ s.bind(('0.0.0.0', 1337))
You can’t perform that action at this time.
0 commit comments