Audit: Binding to all interfaces detected with hardcoded values BAN-B104
Possible binding to all interfaces.
18DEFAULT_WEB_BASE_URL = 'https://app.jetadmin.io'
19DEFAULT_API_BASE_URL = 'https://api.jetadmin.io/api'
20
21define('address', default='0.0.0.0', help='server address') 22define('port', default=8888, help='server port', type=int)
23define('ssl_cert', help='SSL certificate file path', type=str, default=None)
24define('ssl_key', help='SSL private key file path', type=str, default=None)Possible binding to all interfaces.
39
40 ssl = settings.SSL_CERT or settings.SSL_KEY
41
42 address = 'localhost' if settings.ADDRESS == '0.0.0.0' else settings.ADDRESS43 protocol = 'https' if ssl else 'http'
44 url = '{}://{}:{}/'.format(protocol, address, settings.PORT)
45 api_url = '{}api/'.format(url)Possible binding to all interfaces.
114
115 print_formatted_text('')
116 else:
117 address = settings.ADDRESS or '0.0.0.0'118
119 port = prompt(
120 promt_message('<green><b>Which port to run Jet Bridge on?</b></green>\n<i>Default is {}</i>'.format('8888')),Possible binding to all interfaces.
109 if 'address' not in settings.USE_DEFAULT_CONFIG:
110 address = prompt(
111 promt_message('<green><b>Which host to run Jet Bridge on?</b></green>\n<i>Default is {}</i>'.format('0.0.0.0 (any IP)')),
112 default=settings.ADDRESS or '0.0.0.0'113 )
114
115 print_formatted_text('')
Description
Binding to all network interfaces can potentially open up a service to traffic on unintended interfaces, that may not be properly documented or secured. This can be prevented by changing the code so it explicitly only allows access from localhost.
When binding to 0.0.0.0, you accept incoming connections from anywhere. During development, an application may have security vulnerabilities making it susceptible to SQL injections and other attacks. Therefore when the application is not ready for production, accepting connections from anywhere can be dangerous.
It is recommended to use 127.0.0.1 or local host during development phase. This prevents others from targeting your application and executing SQL injections against your project.
Bad practice
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(('0.0.0.0, 31137)) # Binding to all interfaces
Recommended
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(('127.0.0.1', 31137)) # Binding to local host
```
References:
- OWASP Top 10 2021 Category A05 - Security Misconfiguration