avoid-bind-to-all-interfaces-go

Author: ESS-ENN

rules/go/security/avoid-bind-to-all-interfaces-go.yml

@@ -0,0 +1,30 @@
+id: avoid-bind-to-all-interfaces-go
+language: go
+severity: warning
+message: >-
+  "Detected a network listener listening on 0.0.0.0 or an empty string.
+      This could unexpectedly expose the server publicly as it binds to all
+      available interfaces. Instead, specify another IP address that is not
+      0.0.0.0 nor the empty string."
+note: >-
+  [CWE-200] Exposure of Sensitive Information to an Unauthorized Actor
+  [REFERENCES]
+      -  https://owasp.org/Top10/A01_2021-Broken_Access_Control
+
+rule:
+  not:
+    has:
+      stopBy: end
+      kind: ERROR
+  any:
+    - pattern: tls.Listen($NETWORK, $IP $$$)
+    - pattern: net.Listen($NETWORK, $IP $$$)
+
+constraints:
+  IP:
+    any:
+      - kind: interpreted_string_literal
+        regex: ^"0.0.0.0:.*"$|^":.*"$|^'0.0.0.0:.*'$|^':.*'$
+      - kind: raw_string_literal
+        regex: ^`0.0.0.0:.*`$|^`:.*`$
+

tests/__snapshots__/avoid-bind-to-all-interfaces-go-snapshot.yml

@@ -0,0 +1,16 @@
+id: avoid-bind-to-all-interfaces-go
+snapshots:
+  ? |
+    l, err := net.Listen("tcp", "0.0.0.0:2000")
+  : labels:
+    - source: net.Listen("tcp", "0.0.0.0:2000")
+      style: primary
+      start: 10
+      end: 43
+  ? |
+    l, err := net.Listen("tcp", ":2000")
+  : labels:
+    - source: net.Listen("tcp", ":2000")
+      style: primary
+      start: 10
+      end: 36

tests/go/avoid-bind-to-all-interfaces-go-test.yml

@@ -0,0 +1,9 @@
+id: avoid-bind-to-all-interfaces-go
+valid:
+  - |
+    l, err := net.Listen("tcp", "192.168.1.101:2000")
+invalid:
+  - |
+    l, err := net.Listen("tcp", "0.0.0.0:2000")
+  - |
+    l, err := net.Listen("tcp", ":2000")