
socketserver — unrestricted bind

Binding to an Unrestricted IP Address in socketserver Module

Sockets can be bound to the IPv4 wildcard address 0.0.0.0 (INADDR_ANY) or its IPv6 equivalent :: (in6addr_any), which configures the socket to accept incoming connections on every network interface of the host. Python's socket module treats the empty string "" as INADDR_ANY as well, so a bind address of "" is just as unrestricted even though it names no address. Listening on all interfaces is intended when a service is meant to be reachable from other hosts, but it introduces real risk when the service was only meant for local or restricted access.

A socket bound to 0.0.0.0 or :: is reachable from every network the host is attached to, including public or untrusted networks the developer may not have considered; on dual-stack hosts a :: bind also accepts IPv4 connections unless IPV6_V6ONLY is set. Any missing or weak authentication, and any vulnerability in the request-handling code, is then exposed to that whole network rather than to local processes only. Binding to a specific interface address, or to the loopback address, limits the exposure and reduces the attack surface to what the service actually needs.

Example

socketserver_udp_server.py
import socketserver


class MyUDPHandler(socketserver.BaseRequestHandler):
    def handle(self):
        data = self.request[0].strip()
        socket = self.request[1]
        socket.sendto(data.upper(), self.client_address)


HOST, PORT = "0.0.0.0", 9999
with socketserver.UDPServer((HOST, PORT), MyUDPHandler) as server:
    server.serve_forever()

Example Output

> precli tests/unit/rules/python/stdlib/socketserver/examples/socketserver_udp_server.py
⚠️  Warning on line 12 in tests/unit/rules/python/stdlib/socketserver/examples/socketserver_udp_server.py
PY030: Binding to an Unrestricted IP Address
Binding to 'INADDR_ANY (0.0.0.0)' exposes the application on all network interfaces, increasing the risk of unauthorized access.

Remediation

All socket bindings MUST specify a specific network interface address or the loopback address (127.0.0.1 or localhost for IPv4, ::1 for IPv6) unless the application is explicitly designed to be accessible from any network interface. Treat the empty string "" the same as 0.0.0.0 when reviewing bind addresses, since the socket module interprets it as INADDR_ANY. Where a service legitimately has to be reachable from other hosts (for example inside a container, where a loopback bind is typically unreachable through the container's published ports), bind to the address of the intended interface and rely on host firewall rules and authentication in the handler rather than on the bind address alone. This practice ensures that services are not exposed more broadly than intended.

socketserver_udp_server.py
import socketserver


class MyUDPHandler(socketserver.BaseRequestHandler):
    def handle(self):
        data = self.request[0].strip()
        socket = self.request[1]
        socket.sendto(data.upper(), self.client_address)


HOST, PORT = "127.0.0.1", 9999
with socketserver.UDPServer((HOST, PORT), MyUDPHandler) as server:
    server.serve_forever()
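The check this rule performs, reduced to a small stand-alone scanner, as an added example that is not precli's own code: it parses a source file, resolves the host element of the (host, port) tuple passed to a socketserver server class when it is a string literal or a module-level constant, and reports binds to 0.0.0.0, :: or the empty string. It serves both the description above (what counts as an unrestricted address) and the remediation (what a reviewer should flag). The set of server class names, the helper names and the embedded sample sources are assumptions of this example; the samples are constructed copies of the vulnerable and remediated servers on this page plus two further unrestricted binds.

```python
import ast
import ipaddress

# socketserver classes whose first positional argument is a (host, port)
# tuple. Assumed list for this example; precli's own rule may differ.
SERVER_CLASSES = {
    "TCPServer", "UDPServer",
    "ThreadingTCPServer", "ThreadingUDPServer",
    "ForkingTCPServer", "ForkingUDPServer",
}


def is_unrestricted_bind(host):
    """True if binding to ``host`` listens on all interfaces.

    Covers "0.0.0.0" (INADDR_ANY), "::" (in6addr_any) and the empty
    string, which the socket module also maps to INADDR_ANY.
    """
    if host == "":
        return True
    try:
        return ipaddress.ip_address(host).is_unspecified
    except ValueError:
        # A hostname such as "localhost" rather than an IP literal.
        return False


def _called_name(call):
    """Bare class name for ``socketserver.X(...)`` or ``X(...)``."""
    if isinstance(call.func, ast.Attribute):
        return call.func.attr
    if isinstance(call.func, ast.Name):
        return call.func.id
    return None


def _module_string_constants(tree):
    """Names bound to str literals at module level, including tuple
    unpacking such as ``HOST, PORT = "0.0.0.0", 9999``."""
    found = {}
    for stmt in tree.body:
        if not isinstance(stmt, ast.Assign):
            continue
        for target in stmt.targets:
            pairs = []
            if isinstance(target, ast.Name):
                pairs = [(target, stmt.value)]
            elif isinstance(target, ast.Tuple) and isinstance(stmt.value, ast.Tuple):
                pairs = list(zip(target.elts, stmt.value.elts))
            for name, value in pairs:
                if (isinstance(name, ast.Name) and isinstance(value, ast.Constant)
                        and isinstance(value.value, str)):
                    found[name.id] = value.value
    return found


def _resolve_host(node, constants):
    """String value of the host element, or None if not statically known."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    if isinstance(node, ast.Name):
        return constants.get(node.id)
    return None


def find_unrestricted_binds(source):
    """Return (line, host) for each socketserver server bound to all interfaces."""
    tree = ast.parse(source)
    constants = _module_string_constants(tree)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call) or _called_name(node) not in SERVER_CLASSES:
            continue
        if not node.args or not isinstance(node.args[0], ast.Tuple) or not node.args[0].elts:
            continue
        host = _resolve_host(node.args[0].elts[0], constants)
        if host is not None and is_unrestricted_bind(host):
            findings.append((node.lineno, host))
    return findings


# Constructed samples: the page's vulnerable server, its remediated form,
# and two further binds that are also unrestricted.
VULNERABLE_SOURCE = '''import socketserver


class MyUDPHandler(socketserver.BaseRequestHandler):
    def handle(self):
        data = self.request[0].strip()
        socket = self.request[1]
        socket.sendto(data.upper(), self.client_address)


HOST, PORT = "0.0.0.0", 9999
with socketserver.UDPServer((HOST, PORT), MyUDPHandler) as server:
    server.serve_forever()
'''
SAFE_SOURCE = VULNERABLE_SOURCE.replace('"0.0.0.0"', '"127.0.0.1"')
IPV6_ANY_SOURCE = 'import socketserver\nsrv = socketserver.TCPServer(("::", 8080), None)\n'
EMPTY_HOST_SOURCE = 'from socketserver import ThreadingTCPServer\nsrv = ThreadingTCPServer(("", 8080), None)\n'

if __name__ == "__main__":
    for label, src in [("vulnerable", VULNERABLE_SOURCE), ("remediated", SAFE_SOURCE),
                       ("ipv6 any", IPV6_ANY_SOURCE), ("empty host", EMPTY_HOST_SOURCE)]:
        print(label, find_unrestricted_binds(src))
```

Run against the vulnerable sample the scanner reports line 12, the same line precli flags, because the finding is attached to the server construction call rather than to the HOST assignment. A host that is only known at runtime (an environment variable, a config lookup) resolves to None and is not reported, which is the usual blind spot of this kind of static check and a reason to also verify the listening address of a deployed service with `ss -ltnup` or `netstat`.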

Default Configuration

enabled = true
level = "warning"

See also

New in version 0.3.14