Use of a Broken or Risky Cryptographic Algorithm in crypto Package
Sockets can be bound to the IPv4 address 0.0.0.0 or its IPv6 equivalent [::], which configures the socket to listen for incoming connections on all network interfaces. While this can be intended in environments where services are meant to be publicly accessible, it can also introduce significant security risks if the service is not intended for public or wide network access.

Binding a socket to 0.0.0.0 or [::] can unintentionally expose the application to the wider network or the internet, making it accessible from any interface. This exposure can lead to unauthorized access, data breaches, or exploitation of vulnerabilities within the application if the service is not adequately secured or if the binding is unintended. Restricting the socket to listen on specific interfaces limits the exposure and reduces the attack surface.
Examples
package main

import (
	"crypto/tls"
	"log"
)

func main() {
	cert, err := tls.LoadX509KeyPair("server.crt", "server.key")
	if err != nil {
		log.Fatalf("failed to load key pair: %v", err)
	}
	config := &tls.Config{
		Certificates: []tls.Certificate{cert},
	}
	// Binding to 0.0.0.0 listens on every IPv4 interface of the host.
	addr := "0.0.0.0:8443"
	ln, err := tls.Listen("tcp", addr, config)
	if err != nil {
		log.Fatalf("tls.Listen failed on %s: %v", addr, err)
	}
	defer ln.Close()
	// ... accept connections on ln
}
Remediation
All socket bindings MUST specify a specific network interface or localhost (127.0.0.1/localhost for IPv4, [::1] for IPv6) unless the application is explicitly designed to be accessible from any network interface. This practice ensures that services are not exposed more broadly than intended.
package main

import (
	"crypto/tls"
	"log"
)

func main() {
	cert, err := tls.LoadX509KeyPair("server.crt", "server.key")
	if err != nil {
		log.Fatalf("failed to load key pair: %v", err)
	}
	config := &tls.Config{
		Certificates: []tls.Certificate{cert},
	}
	// Binding to the loopback address makes the listener reachable only from this host.
	addr := "127.0.0.1:8443"
	ln, err := tls.Listen("tcp", addr, config)
	if err != nil {
		log.Fatalf("tls.Listen failed on %s: %v", addr, err)
	}
	defer ln.Close()
	// ... accept connections on ln
}
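The check this rule performs on a listen address can be reproduced in a few lines of Go. The following is an added example, not part of the rule's documentation or the analyzer's own code; it goes slightly beyond the text by also treating an empty host (":8443"), which Go's net.Listen binds to all interfaces, as unrestricted.

```go
package main

import (
	"fmt"
	"net"
)

// isUnrestrictedBind reports whether a "host:port" listen address binds to
// every network interface: an empty host (":8443"), the IPv4 wildcard
// 0.0.0.0, or the IPv6 wildcard [::]. A host name such as "localhost" is
// reported as restricted because it names a specific (loopback) address.
func isUnrestrictedBind(addr string) (bool, error) {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		return false, fmt.Errorf("invalid listen address %q: %w", addr, err)
	}
	if host == "" {
		return true, nil // net.Listen treats an empty host as "all interfaces"
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return false, nil // a host name, not a wildcard literal
	}
	return ip.IsUnspecified(), nil // true for 0.0.0.0 and ::
}

func main() {
	// Constructed sample addresses, including the ones used on this page.
	addrs := []string{"0.0.0.0:8443", "[::]:8443", ":8443", "127.0.0.1:8443", "[::1]:8443", "localhost:8443"}
	for _, addr := range addrs {
		unrestricted, err := isUnrestrictedBind(addr)
		if err != nil {
			fmt.Println(err)
			continue
		}
		if unrestricted {
			fmt.Printf("%-16s binds to all interfaces (unrestricted_bind)\n", addr)
		} else {
			fmt.Printf("%-16s binds to a specific interface\n", addr)
		}
	}
}
```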
False Positives
In the case of a false positive the rule can be suppressed. Simply add a trailing or preceding comment line with either the rule ID (GO005) or the rule category name (unrestricted_bind).
- Using rule ID
- Using category name
package main

import (
	"crypto/tls"
	"log"
)

func main() {
	cert, err := tls.LoadX509KeyPair("server.crt", "server.key")
	if err != nil {
		log.Fatalf("failed to load key pair: %v", err)
	}
	config := &tls.Config{
		Certificates: []tls.Certificate{cert},
	}
	addr := "0.0.0.0:8443"
	// suppress: GO005
	ln, err := tls.Listen("tcp", addr, config)
	if err != nil {
		log.Fatalf("tls.Listen failed on %s: %v", addr, err)
	}
	defer ln.Close()
	// ... accept connections on ln
}
package main

import (
	"crypto/tls"
	"log"
)

func main() {
	cert, err := tls.LoadX509KeyPair("server.crt", "server.key")
	if err != nil {
		log.Fatalf("failed to load key pair: %v", err)
	}
	config := &tls.Config{
		Certificates: []tls.Certificate{cert},
	}
	addr := "0.0.0.0:8443"
	// suppress: unrestricted_bind
	ln, err := tls.Listen("tcp", addr, config)
	if err != nil {
		log.Fatalf("tls.Listen failed on %s: %v", addr, err)
	}
	defer ln.Close()
	// ... accept connections on ln
}