Merge pull request #125 from OniriCorpe/check-binb-public-ip

add bind_public_ip check
This commit is contained in:
Kayou 2024-02-20 07:53:29 +01:00 committed by GitHub
commit 375034c333
No known key found for this signature in database
GPG key ID: B5690EEEBB952194

View file

@ -1541,6 +1541,33 @@ class Configurations(TestSuite):
% location % location
) )
@test()
def bind_public_ip(self):
app = self.app
for filename in (
os.listdir(app.path + "/conf") if os.path.exists(app.path + "/conf") else []
):
try:
content = open(app.path + "/conf/" + filename).read()
except Exception as e:
yield Warning("Can't open/read %s: %s" % (filename, e))
return
for number, line in enumerate(content.split("\n"), 1):
comment = ("#", "//", ";")
if (
( "0.0.0.0" in line or "::" in line )
and not line.strip().startswith(comment)
):
for ip in re.split("[ \t,='\"(){}\[\]]", line):
if ip == "::" or ip.startswith("0.0.0.0"):
yield Info(
f"{filename}:{number}: Binding to '0.0.0.0' or '::' can result "
"in a security issue as the reverse proxy and the SSO can be "
"bypassed by knowing a public IP (typically an IPv6) and the "
"app port. lease be sure that this behavior is intentional. "
"Maybe use '127.0.0.1' or '::1' instead."
)
############################################# #############################################
# __ __ _ __ _ # # __ __ _ __ _ #