Binding to an Unrestricted IP Address in socket Module
Sockets can be bound to the IPv4 address 0.0.0.0 or IPv6 equivalent of
::, which configures the socket to listen for incoming connections on all
network interfaces. While this can be intended in environments where
services are meant to be publicly accessible, it can also introduce significant
security risks if the service is not intended for public or wide network
access.
Binding a socket to 0.0.0.0 or :: can unintentionally expose the
application to the wider network or the internet, making it accessible from
any interface. This exposure can lead to unauthorized access, data breaches,
or exploitation of vulnerabilities within the application if the service is
not adequately secured or if the binding is unintended. Restricting the socket
to listen on specific interfaces limits the exposure and reduces the attack
surface.
Example
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(("0.0.0.0", 8080))
s.listen()
Remediation
All socket bindings MUST specify a specific network interface or localhost (127.0.0.1/localhost for IPv4, ::1 for IPv6) unless the application is explicitly designed to be accessible from any network interface. This practice ensures that services are not exposed more broadly than intended.
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(("127.0.0.1", 8080))
s.listen()
False Positives
In the case of a false positive the rule can be suppressed. Simply add a
trailing or preceding comment line with either the rule ID (PY029) or
rule category name (unrestricted_bind).
- Using rule ID
- Using category name
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# suppress: PY029
s.bind(("0.0.0.0", 8080))
s.listen()
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# suppress: unrestricted_bind
s.bind(("0.0.0.0", 8080))
s.listen()