Skip to content

Commit 2b863ae

Browse files
ESS-ENNESS-ENN
authored
avoid_app_run_with_bad_host-python (#38)
1 parent 3592c52 commit 2b863ae

File tree

3 files changed

+123
-0
lines changed

3 files changed

+123
-0
lines changed

rules/python/security/avoid_app_run_with_bad_host-python.yml

Lines changed: 73 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,73 @@
1+
id: avoid_app_run_with_bad_host-python
2+
language: python
3+
severity: warning
4+
message: >-
5+
Running flask app with host 0.0.0.0 could expose the server publicly.
6+
note: >-
7+
[CWE-668]: Exposure of Resource to Wrong Sphere
8+
[OWASP A01:2021]: Broken Access Control
9+
[REFERENCES]
10+
https://owasp.org/Top10/A01_2021-Broken_Access_Control
11+
utils:
12+
MATCH_PATTERN_app.run:
13+
kind: call
14+
all:
15+
- has:
16+
stopBy: neighbor
17+
kind: attribute
18+
all:
19+
- has:
20+
stopBy: neighbor
21+
kind: identifier
22+
regex: "^app$"
23+
- has:
24+
stopBy: neighbor
25+
kind: identifier
26+
regex: "^run$"
27+
- has:
28+
stopBy: neighbor
29+
kind: argument_list
30+
has:
31+
stopBy: neighbor
32+
kind: string
33+
regex: ^"0.0.0.0"$
34+
35+
MATCH_PATTERN_app.run_HOST:
36+
kind: call
37+
all:
38+
- has:
39+
stopBy: neighbor
40+
kind: attribute
41+
all:
42+
- has:
43+
stopBy: neighbor
44+
kind: identifier
45+
regex: "^app$"
46+
- has:
47+
stopBy: neighbor
48+
kind: identifier
49+
regex: "^run$"
50+
- has:
51+
stopBy: neighbor
52+
kind: argument_list
53+
has:
54+
stopBy: neighbor
55+
kind: keyword_argument
56+
all:
57+
- has:
58+
stopBy: neighbor
59+
kind: identifier
60+
regex: "^host$"
61+
- has:
62+
stopBy: neighbor
63+
kind: string
64+
regex: ^"0.0.0.0"$
65+
- has:
66+
stopBy: neighbor
67+
regex: "^=$"
68+
69+
rule:
70+
kind: call
71+
any:
72+
- matches: MATCH_PATTERN_app.run
73+
- matches: MATCH_PATTERN_app.run_HOST

tests/__snapshots__/avoid_app_run_with_bad_host-python-snapshot.yml

Lines changed: 42 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,42 @@
1+
id: avoid_app_run_with_bad_host-python
2+
snapshots:
3+
? |
4+
app.run(host="0.0.0.0")
5+
app.run("0.0.0.0")
6+
: labels:
7+
- source: app.run(host="0.0.0.0")
8+
style: primary
9+
start: 0
10+
end: 23
11+
- source: app
12+
style: secondary
13+
start: 0
14+
end: 3
15+
- source: run
16+
style: secondary
17+
start: 4
18+
end: 7
19+
- source: app.run
20+
style: secondary
21+
start: 0
22+
end: 7
23+
- source: host
24+
style: secondary
25+
start: 8
26+
end: 12
27+
- source: '"0.0.0.0"'
28+
style: secondary
29+
start: 13
30+
end: 22
31+
- source: =
32+
style: secondary
33+
start: 12
34+
end: 13
35+
- source: host="0.0.0.0"
36+
style: secondary
37+
start: 8
38+
end: 22
39+
- source: (host="0.0.0.0")
40+
style: secondary
41+
start: 7
42+
end: 23

tests/python/avoid_app_run_with_bad_host-python-test.yml

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,8 @@
1+
id: avoid_app_run_with_bad_host-python
2+
valid:
3+
- |
4+
foo.run("0.0.0.0")
5+
invalid:
6+
- |
7+
app.run(host="0.0.0.0")
8+
app.run("0.0.0.0")

0 commit comments

Comments
 (0)