"""Test fixture for the CodeQL query py/bind-socket-all-network-interfaces.

Each case below binds a socket and carries an inline expectation comment
starting with ``# $`` that the CodeQL test harness checks: ``Alert[...]``
marks a bind call the query is expected to flag, ``Source`` marks the
literal the flagged address flows from.  Cases without such a comment are
expected to produce no alert.  The exact shape of every statement (literal
tuple, named constant, attribute, environment default, alternative socket
module) is the thing under test, so the code is deliberately repetitive.
"""
import socket

# Wildcard IPv4 address as a literal inside the bind tuple.
# binds to all interfaces, insecure
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(('0.0.0.0', 31137)) # $ Alert[py/bind-socket-all-network-interfaces]

# An empty host string is treated by the query as the wildcard address too.
# binds to all interfaces, insecure
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(('', 4040)) # $ Alert[py/bind-socket-all-network-interfaces]

# Negative case: a specific address has no Alert annotation and must not be flagged.
# binds only to a dedicated interface, secure
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(('84.68.10.12', 8080))

# Wildcard address reaches bind() through a module-level constant (one hop of data flow).
# binds to all interfaces, insecure
ALL_LOCALS = "0.0.0.0" # $ Source
s.bind((ALL_LOCALS, 9090)) # $ Alert[py/bind-socket-all-network-interfaces]

# Whole address tuple is built first and passed by name (two hops of data flow).
# binds to all interfaces, insecure
tup = (ALL_LOCALS, 8080)
s.bind(tup) # $ Alert[py/bind-socket-all-network-interfaces]

# IPv6 wildcard ("::") must be flagged the same way as 0.0.0.0.
# IPv6
s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
s.bind(("::", 8080)) # $ Alert[py/bind-socket-all-network-interfaces]

# The cases below were reported as false negatives (FN) in the linked issue;
# they are annotated with Alert so the test asserts they are now detected.
# FN cases from https://github.com/github/codeql/issues/21582

# Address stored in a class attribute
class Server:
    """Minimal server whose bind address is set in __init__ and read in start()."""

    def __init__(self) -> None:
        # The wildcard literal is the flow source; it only reaches bind() via self.
        self.bind_addr = '0.0.0.0' # $ Source
        self.port = 31137

    def start(self) -> None:
        """Create a TCP socket and bind it to (self.bind_addr, self.port)."""
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind((self.bind_addr, self.port)) # $ Alert[py/bind-socket-all-network-interfaces]

server = Server()
server.start()

# Wildcard address supplied as the fallback of an environment lookup: if APP_HOST
# is unset, the insecure default is what gets bound.
# os.environ.get with insecure default
import os
host = os.environ.get('APP_HOST', '0.0.0.0') # $ Source
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind((host, 8080)) # $ Alert[py/bind-socket-all-network-interfaces]

# The query must recognise bind() on drop-in replacements for the stdlib socket
# module, not just on socket.socket itself.
# gevent.socket (alternative socket module)
from gevent import socket as gsocket
gs = gsocket.socket(gsocket.AF_INET, gsocket.SOCK_STREAM)
gs.bind(('0.0.0.0', 31137)) # $ Alert[py/bind-socket-all-network-interfaces]

# eventlet.green.socket (another alternative socket module)
from eventlet.green import socket as esocket
es = esocket.socket(esocket.AF_INET, esocket.SOCK_STREAM)
es.bind(('0.0.0.0', 31137)) # $ Alert[py/bind-socket-all-network-interfaces]

# Negative case: for a Unix-domain socket the address is a filesystem-namespace
# path, not a network interface, so the empty string is not a wildcard here and
# there is deliberately no Alert annotation.
# AF_UNIX socket binding should not be flagged
us = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
us.bind('')