
Potential fix for code scanning alert no. 2: Binding a socket to all network interfaces #6

Closed
tschm wants to merge 2 commits into master from alert-autofix-3

Conversation

tschm (Owner) commented Jun 25, 2026

Potential fix for https://github.com/tschm/pycharting/security/code-scanning/2

Use a dedicated local interface (loopback) for port probing instead of all interfaces.

Best fix in this file:

  • In find_free_port, replace both binds from ("", ...) to ("127.0.0.1", ...).
  • Keep all existing logic and behavior otherwise unchanged (ephemeral port allocation and range scanning still work).

This change is limited to:

  • src/pycharting/core/server.py
  • Function: find_free_port
  • Lines around current 81 and 90.

No new methods, imports, or dependencies are required.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…network interfaces

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
coderabbitai Bot commented Jun 25, 2026

Warning

Review limit reached

@tschm, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 42 minutes and 34 seconds. Learn how PR review limits work.


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e8f1b358-7c9a-4159-baea-775fde10099e

📥 Commits

Reviewing files that changed from the base of the PR and between 5c69e67 and 6af3b2d.

📒 Files selected for processing (2)
  • src/pycharting/core/server.py
  • tests/test_server.py

find_free_port now binds to 127.0.0.1 (security alert fix), but
test_raises_on_no_free_port still occupied its port on all interfaces
(""). On Windows 0.0.0.0:port and 127.0.0.1:port don't conflict, so
find_free_port bound successfully and the expected RuntimeError was
never raised. Occupy the port on 127.0.0.1 so the conflict is seen.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@tschm tschm marked this pull request as ready for review June 25, 2026 16:32
Copilot AI review requested due to automatic review settings June 25, 2026 16:32

Copilot AI left a comment


Pull request overview

This pull request addresses code scanning alert #2 by ensuring find_free_port probes ports on the loopback interface instead of binding to all network interfaces, reducing unintended exposure during port availability checks.

Changes:

  • Updated find_free_port to bind to 127.0.0.1 for both ephemeral port allocation and range scanning.
  • Adjusted the corresponding unit test to occupy a port on 127.0.0.1 so the “no free port” scenario remains valid (including on Windows).

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

  • src/pycharting/core/server.py: Switches port probing binds from all interfaces to loopback (127.0.0.1).
  • tests/test_server.py: Updates the test to bind on loopback to match find_free_port behavior and keep the conflict check reliable.

Comment on lines +90 to 92
s.bind(("127.0.0.1", port))
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
return port
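Review bot: `s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)` runs after `s.bind(("127.0.0.1", port))`, so it cannot affect that bind; the option only changes how an address is claimed when it is set before bind(). If the probe socket is simply closed after `return port`, the setsockopt line does nothing and can be dropped. If it is meant to let the probe tolerate a lingering TIME_WAIT socket, it has to move above the bind, but note that on Windows SO_REUSEADDR lets a second socket bind an address another socket already holds, so moving it up would make the loopback probe report ports that are actually in use.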
tschm (Owner, Author) commented Jun 25, 2026

Superseded by alihaskar#40, which targets the upstream repo.

tschm closed this Jun 25, 2026