From 1ecd9e83b8566c9028cec3d33097f157a2b3bde1 Mon Sep 17 00:00:00 2001
From: Taus
Date: Thu, 26 Mar 2026 14:51:59 +0000
Subject: [PATCH] Python: Add test cases for BindToAllInterfaces FNs

Adds test cases from github/codeql#21582 demonstrating false negatives:
- Address stored in class attribute (`self.bind_addr`)
- `os.environ.get` with insecure default value
- `gevent.socket` (alternative socket module)
---
 .../CVE-2018-1281/BindToAllInterfaces_test.py | 32 +++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/python/ql/test/query-tests/Security/CVE-2018-1281/BindToAllInterfaces_test.py b/python/ql/test/query-tests/Security/CVE-2018-1281/BindToAllInterfaces_test.py
index 93ed0364a29..5a13aa9c4e3 100644
--- a/python/ql/test/query-tests/Security/CVE-2018-1281/BindToAllInterfaces_test.py
+++ b/python/ql/test/query-tests/Security/CVE-2018-1281/BindToAllInterfaces_test.py
@@ -24,3 +24,35 @@ s.bind(tup) # $ Alert[py/bind-socket-all-network-interfaces]
 # IPv6
 s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
 s.bind(("::", 8080)) # $ Alert[py/bind-socket-all-network-interfaces]
+
+
+# FN cases from https://github.com/github/codeql/issues/21582
+
+# Address stored in a class attribute
+class Server:
+    def __init__(self):
+        self.bind_addr = '0.0.0.0'
+        self.port = 31137
+
+    def start(self):
+        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        s.bind((self.bind_addr, self.port)) # $ MISSING: Alert[py/bind-socket-all-network-interfaces]
+
+server = Server()
+server.start()
+
+# os.environ.get with insecure default
+import os
+host = os.environ.get('APP_HOST', '0.0.0.0')
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.bind((host, 8080)) # $ MISSING: Alert[py/bind-socket-all-network-interfaces]
+
+# gevent.socket (alternative socket module)
+from gevent import socket as gsocket
+gs = gsocket.socket(gsocket.AF_INET, gsocket.SOCK_STREAM)
+gs.bind(('0.0.0.0', 31137)) # $ MISSING: Alert[py/bind-socket-all-network-interfaces]
+
+# eventlet.green.socket (another alternative socket module)
+from eventlet.green import socket as esocket
+es = esocket.socket(esocket.AF_INET, esocket.SOCK_STREAM)
+es.bind(('0.0.0.0', 31137)) # $ MISSING: Alert[py/bind-socket-all-network-interfaces]
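Review bot: The comment `# Address stored in a class attribute` above `class Server` misdescribes the case it labels: `self.bind_addr = '0.0.0.0'` in `__init__` is an instance attribute read back in `start()`, which is a different flow path from a class-level `bind_addr = '0.0.0.0'`, and a reviewer triaging the MISSING expectation will want to know which one the query fails on. Suggest `# Address stored in an instance attribute (assigned in __init__, read in a method)`, and if the class-attribute flavour is also meant to be covered, it needs its own case rather than sharing this label. The last four added lines (`eventlet.green.socket`) are a fourth category that the commit message's three-item list does not mention; presumably it is a sibling of the gevent case, so a short comment saying so on that line, e.g. `# eventlet.green.socket (same pattern as gevent; not in the original issue)`, would keep each expectation traceable to its origin. The `$ MISSING:` annotations on every new `bind` call look consistent with the inline-expectation convention used on the surrounding context lines.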