Python: Exclude AF_UNIX sockets from BindToAllInterfaces

tausbn · tausbn · commit 4f74d421b909 · 2026-03-27T16:55:10.000Z
Looking at the results of the the previous DCA run, there was a bunch of
false positives where `bind` was being used with a `AF_UNIX` socket (a
filesystem path encoded as a string), not a `(host, port)` tuple. These
results should be excluded from the query, as they are not vulnerable.

Ideally, we would just add `.TupleElement[0]` to the MaD sink, except we
don't actually support this in Python MaD...

So, instead I opted for a more low-tech solution: check that the
argument in question flows from a tuple in the local scope.

This eliminates a bunch of false positives on `python/cpython` leaving
behind four true positive results.
diff --git a/python/ql/src/Security/CVE-2018-1281/BindToAllInterfaces.ql b/python/ql/src/Security/CVE-2018-1281/BindToAllInterfaces.ql
@@ -42,8 +42,20 @@ private module BindToAllInterfacesFlow = TaintTracking::Global<BindToAllInterfac
 
 private import BindToAllInterfacesFlow
 
+/**
+ * Holds if `sink` is the address argument of a `bind()` call on a
+ * network socket (AF_INET or AF_INET6), as opposed to a Unix domain
+ * socket (AF_UNIX) which takes a plain string path.
+ *
+ * Network socket addresses are tuples like `(host, port)`, so we check
+ * that the sink argument is a tuple, by looking for flow from a tuple expression.
+ */
+private predicate isNetworkBind(DataFlow::Node sink) {
+  any(DataFlow::LocalSourceNode n | n.asExpr() instanceof Tuple).flowsTo(sink)
+}
+
 from PathNode source, PathNode sink
-where flowPath(source, sink)
+where flowPath(source, sink) and isNetworkBind(sink.getNode())
 select sink.getNode(), source, sink,
   "Binding a socket to all interfaces (using $@) is a security risk.", source.getNode(),
   "'" + source.getNode().asExpr().(StringLiteral).getText() + "'"
diff --git a/python/ql/test/query-tests/Security/CVE-2018-1281/BindToAllInterfaces.expected b/python/ql/test/query-tests/Security/CVE-2018-1281/BindToAllInterfaces.expected
@@ -60,4 +60,5 @@ nodes
 | BindToAllInterfaces_test.py:53:10:53:25 | ControlFlowNode for Tuple | semmle.label | ControlFlowNode for Tuple |
 | BindToAllInterfaces_test.py:58:10:58:18 | ControlFlowNode for StringLiteral | semmle.label | ControlFlowNode for StringLiteral |
 | BindToAllInterfaces_test.py:58:10:58:25 | ControlFlowNode for Tuple | semmle.label | ControlFlowNode for Tuple |
+| BindToAllInterfaces_test.py:62:9:62:10 | ControlFlowNode for StringLiteral | semmle.label | ControlFlowNode for StringLiteral |
 subpaths
diff --git a/python/ql/test/query-tests/Security/CVE-2018-1281/BindToAllInterfaces_test.py b/python/ql/test/query-tests/Security/CVE-2018-1281/BindToAllInterfaces_test.py
@@ -56,3 +56,7 @@ def start(self):
 from eventlet.green import socket as esocket
 es = esocket.socket(esocket.AF_INET, esocket.SOCK_STREAM)
 es.bind(('0.0.0.0', 31137)) # $ Alert[py/bind-socket-all-network-interfaces]
+
+# AF_UNIX socket binding should not be flagged
+us = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
+us.bind('')
