Fix code scanning alert: bind socket to 127.0.0.1 instead of all interfaces#40

Open
tschm wants to merge 2 commits into
alihaskar:masterfrom
tschm:alert-autofix-3

Conversation


@tschm tschm commented Jun 25, 2026

Contributor

Resolves the "Binding a socket to all network interfaces" code scanning alert in find_free_port.

  • src/pycharting/core/server.py: bind to 127.0.0.1 instead of "" (all interfaces).
  • tests/test_server.py: occupy the test port on 127.0.0.1 so the no-free-port case still conflicts (without this, the test fails on Windows, where 0.0.0.0:port and 127.0.0.1:port don't collide).

🤖 Generated with Claude Code
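The probe-then-occupy sequence the description talks about (find a free port on loopback, then show that a port held on 127.0.0.1 is reported as busy) as a stand-alone Python example. This is added here and is not pycharting's own find_free_port; the signature, the max_tries parameter and the host parameter are assumptions. It goes one step beyond the PR by letting the caller pass the address the server will bind to, so the probe and the real bind always test the same address.

```python
import socket
from contextlib import closing

LOOPBACK = "127.0.0.1"  # probe on loopback, never on all interfaces ("")


def find_free_port(start_port=None, max_tries=50, host=LOOPBACK):
    """Return a TCP port that is currently free on `host`.

    Hypothetical helper, not the pycharting implementation. With no
    start_port the kernel picks an ephemeral port; otherwise the ports
    start_port .. start_port + max_tries - 1 are probed in order.
    The probe socket is closed on return, so the port is only known to
    have been free at that instant; the caller should bind promptly.
    """
    if start_port is None:
        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
            s.bind((host, 0))
            return s.getsockname()[1]
    for port in range(start_port, start_port + max_tries):
        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
            try:
                # Deliberately no SO_REUSEADDR: on Windows that option lets a
                # bind succeed on a port another socket already holds, which
                # would make the probe report a busy port as free.
                s.bind((host, port))
            except OSError:
                continue  # in use on this address, try the next one
            return port
    raise RuntimeError(
        f"no free port on {host} in {start_port}..{start_port + max_tries - 1}"
    )


def occupy(host, port):
    """Bind and listen on host:port; the caller closes the returned socket."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, port))
    s.listen(1)
    return s


def demo():
    """Hold a port on loopback and check that the probe sees the conflict.

    Returns (conflict_seen, moved_to_other_port): True, True when the
    single-try probe raises RuntimeError and the multi-try probe skips
    the occupied port.
    """
    port = find_free_port()
    holder = occupy(LOOPBACK, port)
    try:
        try:
            find_free_port(start_port=port, max_tries=1)
            conflict_seen = False
        except RuntimeError:
            conflict_seen = True
        next_port = find_free_port(start_port=port, max_tries=5)
    finally:
        holder.close()
    return conflict_seen, next_port != port


if __name__ == "__main__":
    print(demo())
```

Because `occupy` and the probe bind the same address, the conflict is detected on Windows as well as on Linux; had `occupy` bound `""` (all interfaces) instead, the Windows run would not see it, which is exactly the failure the second commit in this PR describes.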

tschm and others added 2 commits June 25, 2026 20:23
…network interfaces

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
find_free_port now binds to 127.0.0.1 (security alert fix), but
test_raises_on_no_free_port still occupied its port on all interfaces
(""). On Windows 0.0.0.0:port and 127.0.0.1:port don't conflict, so
find_free_port bound successfully and the expected RuntimeError was
never raised. Occupy the port on 127.0.0.1 so the conflict is seen.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings June 25, 2026 16:33

Copilot AI left a comment


Pull request overview

This PR addresses a security/code-scanning finding by ensuring find_free_port no longer binds to all network interfaces, and adjusts the corresponding unit test so port-collision behavior remains consistent on Windows.

Changes:

  • Update find_free_port to bind to 127.0.0.1 instead of all interfaces when probing ports.
  • Update the “no free port” test to occupy the port on 127.0.0.1 so the conflict is detected on Windows.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

  • src/pycharting/core/server.py: Changes port-probing binds from all interfaces to loopback to satisfy the code-scanning alert.
  • tests/test_server.py: Updates test socket binding to loopback so the occupied-port test remains valid on Windows.


Comment on lines 78 to 82
if start_port is None:
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
s.bind(("", 0))
s.bind(("127.0.0.1", 0))
return s.getsockname()[1]
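Review bot: the probe socket at `s.bind(("127.0.0.1", 0))` is closed when the `with` block exits, so the port returned by `s.getsockname()[1]` is only known to have been free on loopback at that instant and another process can claim it before the server binds; in addition, since the PR description notes that on Windows 0.0.0.0:port and 127.0.0.1:port do not collide, a port reported free here may still be in use if the server later binds to any address other than 127.0.0.1. Suggest passing the address the server will actually bind into find_free_port and probing that same address, and stating the remaining race in the docstring.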
Comment on lines 89 to 92
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
s.bind(("", port))
s.bind(("127.0.0.1", port))
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
return port
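Review bot: `s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)` runs after `s.bind(("127.0.0.1", port))`, so it has no effect on the bind it is presumably meant to influence, and the other branch in this file sets the option before binding. Either move the call above the bind for consistency or drop it; dropping it is the safer choice for a probe, because with SO_REUSEADDR set before bind Windows allows binding a port another socket already holds, and the probe would then report a busy port as free.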