From 187f7c7bcf95097648230c34a7cf7d857dc0aeea Mon Sep 17 00:00:00 2001
From: Taus <tausbn@github.com>
Date: Fri, 27 Mar 2026 22:44:39 +0000
Subject: [PATCH] Python: Move isNetworkBind check into isSink

---
 .../CVE-2018-1281/BindToAllInterfaces.ql      | 20 ++++++-------------
 .../BindToAllInterfaces.expected              |  1 -
 2 files changed, 6 insertions(+), 15 deletions(-)

diff --git a/python/ql/src/Security/CVE-2018-1281/BindToAllInterfaces.ql b/python/ql/src/Security/CVE-2018-1281/BindToAllInterfaces.ql
index 75c145ec0ac..14c17edc359 100644
--- a/python/ql/src/Security/CVE-2018-1281/BindToAllInterfaces.ql
+++ b/python/ql/src/Security/CVE-2018-1281/BindToAllInterfaces.ql
@@ -34,7 +34,11 @@ private module BindToAllInterfacesConfig implements DataFlow::ConfigSig {
   }
 
   predicate isSink(DataFlow::Node sink) {
-    ModelOutput::sinkNode(sink, "bind-socket-all-interfaces")
+    ModelOutput::sinkNode(sink, "bind-socket-all-interfaces") and
+    // Network socket addresses are tuples like (host, port), so we require
+    // the bind() argument to originate from a tuple expression. This excludes
+    // AF_UNIX sockets, which pass a plain string path to bind().
+    any(DataFlow::LocalSourceNode n | n.asExpr() instanceof Tuple).flowsTo(sink)
   }
 }
 
@@ -42,20 +46,8 @@ private module BindToAllInterfacesFlow = TaintTracking::Global<BindToAllInterfac
 
 private import BindToAllInterfacesFlow
 
-/**
- * Holds if `sink` is the address argument of a `bind()` call on a
- * network socket (AF_INET or AF_INET6), as opposed to a Unix domain
- * socket (AF_UNIX) which takes a plain string path.
- *
- * Network socket addresses are tuples like `(host, port)`, so we check
- * that the sink argument is a tuple, by looking for flow from a tuple expression.
- */
-private predicate isNetworkBind(DataFlow::Node sink) {
-  any(DataFlow::LocalSourceNode n | n.asExpr() instanceof Tuple).flowsTo(sink)
-}
-
 from PathNode source, PathNode sink
-where flowPath(source, sink) and isNetworkBind(sink.getNode())
+where flowPath(source, sink)
 select sink.getNode(), source, sink,
   "Binding a socket to all interfaces (using $@) is a security risk.", source.getNode(),
   "'" + source.getNode().asExpr().(StringLiteral).getText() + "'"
diff --git a/python/ql/test/query-tests/Security/CVE-2018-1281/BindToAllInterfaces.expected b/python/ql/test/query-tests/Security/CVE-2018-1281/BindToAllInterfaces.expected
index aeee4941f07..0b96b2df650 100644
--- a/python/ql/test/query-tests/Security/CVE-2018-1281/BindToAllInterfaces.expected
+++ b/python/ql/test/query-tests/Security/CVE-2018-1281/BindToAllInterfaces.expected
@@ -60,5 +60,4 @@ nodes
 | BindToAllInterfaces_test.py:53:10:53:25 | ControlFlowNode for Tuple | semmle.label | ControlFlowNode for Tuple |
 | BindToAllInterfaces_test.py:58:10:58:18 | ControlFlowNode for StringLiteral | semmle.label | ControlFlowNode for StringLiteral |
 | BindToAllInterfaces_test.py:58:10:58:25 | ControlFlowNode for Tuple | semmle.label | ControlFlowNode for Tuple |
-| BindToAllInterfaces_test.py:62:9:62:10 | ControlFlowNode for StringLiteral | semmle.label | ControlFlowNode for StringLiteral |
 subpaths