Binding a socket to all network interfaces¶
ID: py/bind-socket-all-network-interfaces Kind: problem Severity: error Precision: high Tags: - security - external/cwe/cwe-200 Query suites: - python-code-scanning.qls - python-security-extended.qls - python-security-and-quality.qls
Sockets can be used to communicate with other machines on a network. You can use the (IP address, port) pair to define the access restrictions for the socket you create. When using the built-in Python
socket module (for instance, when building a message sender service or an FTP server data transmitter), one has to bind the port to some interface. When you bind the port to all interfaces using
0.0.0.0 as the IP address, you essentially allow it to accept connections from any IPv4 address provided that it can get to the socket via routing. Binding to all interfaces is therefore associated with security risks.
Bind your service incoming traffic only to a dedicated interface. If you need to bind more than one interface using the built-in
socket module, create multiple sockets (instead of binding to one socket to all interfaces).
In this example, two sockets are insecure because they are bound to all interfaces; one through the
0.0.0.0 notation and another one through an empty string
import socket # binds to all interfaces, insecure s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.bind(('0.0.0.0', 31137)) # binds to all interfaces, insecure s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.bind(('', 4040)) # binds only to a dedicated interface, secure s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.bind(('188.8.131.52', 8080))