Potential fix for code scanning alert no. 2: Binding a socket to all network interfaces #6
tschm wants to merge 2 commits into
…network interfaces Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
find_free_port now binds to 127.0.0.1 (security alert fix), but
test_raises_on_no_free_port still occupied its port on all interfaces
(""). On Windows 0.0.0.0:port and 127.0.0.1:port don't conflict, so
find_free_port bound successfully and the expected RuntimeError was
never raised. Occupy the port on 127.0.0.1 so the conflict is seen.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Pull request overview
This pull request addresses code scanning alert #2 by ensuring find_free_port probes ports on the loopback interface instead of binding to all network interfaces, reducing unintended exposure during port availability checks.
Changes:
- Updated `find_free_port` to bind to `127.0.0.1` for both ephemeral port allocation and range scanning.
- Adjusted the corresponding unit test to occupy a port on `127.0.0.1` so the “no free port” scenario remains valid (including on Windows).
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| src/pycharting/core/server.py | Switches port probing binds from all interfaces to loopback (127.0.0.1). |
| tests/test_server.py | Updates the test to bind on loopback to match find_free_port behavior and keep the conflict check reliable. |
| s.bind(("127.0.0.1", port)) | ||
| s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) | ||
| return port |
|
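Review bot: `s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)` is called after `s.bind(("127.0.0.1", port))`, so it takes effect only once the probing bind has already succeeded and the port is about to be returned; as written it changes nothing. Either move it before the bind, if the intent is to let the probe accept ports lingering in TIME_WAIT, or drop it. If it is moved before the bind, the probe becomes more permissive about what counts as free, so the test commit's expectation that a port occupied on 127.0.0.1 makes `find_free_port` raise `RuntimeError` should be re-run after the move.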
Superseded by alihaskar#40, which targets the upstream repo.
Potential fix for https://github.com/tschm/pycharting/security/code-scanning/2
Use a dedicated local interface (loopback) for port probing instead of all interfaces.
Best fix in this file:
`find_free_port`: replace both binds from `("", ...)` to `("127.0.0.1", ...)`. This change is limited to:
- `src/pycharting/core/server.py`: `find_free_port`
No new methods, imports, or dependencies are required.
Suggested fixes powered by Copilot Autofix. Review carefully before merging.
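The loopback-only probe described in the autofix above, together with the test-commit point that the holder socket must also sit on 127.0.0.1 for the conflict to be observed, as an added illustration (hypothetical re-implementation, not pycharting's own `find_free_port`; `occupy_then_probe` is an invented helper):

```python
import socket
from contextlib import closing
from typing import Optional

LOOPBACK = "127.0.0.1"  # probe only loopback; "" would bind every interface


def find_free_port(start: Optional[int] = None, end: Optional[int] = None) -> int:
    """Return a TCP port that is free on the loopback interface.

    With no range, let the kernel pick an ephemeral port. With a range, scan
    it and raise RuntimeError when every port is taken. Hypothetical
    re-implementation in the spirit of the PR, not the project's code.
    """
    if start is None:
        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
            s.bind((LOOPBACK, 0))
            return s.getsockname()[1]
    assert end is not None
    for port in range(start, end + 1):
        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
            try:
                s.bind((LOOPBACK, port))  # no SO_REUSEADDR: an occupied port must fail
            except OSError:
                continue  # in use on loopback; try the next one
            return port
    raise RuntimeError(f"no free port in {start}-{end} on {LOOPBACK}")


def occupy_then_probe(host: str) -> str:
    """Hold one port on `host`, then probe exactly that port on loopback.

    Returns "conflict" when find_free_port correctly raises, "missed" when
    the probe wrongly reports the held port as free. Holding the port on ""
    (all interfaces) instead of 127.0.0.1 is what let the original test pass
    vacuously on Windows, where 0.0.0.0:port and 127.0.0.1:port coexist.
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as holder:
        holder.bind((host, 0))  # "" = all interfaces, "127.0.0.1" = loopback only
        holder.listen(1)
        port = holder.getsockname()[1]
        try:
            find_free_port(port, port)
        except RuntimeError:
            return "conflict"
        return "missed"


if __name__ == "__main__":
    print("ephemeral:", find_free_port())
    print("holder on loopback:", occupy_then_probe(LOOPBACK))
```

Running `occupy_then_probe("")` on Windows is the case the test commit describes: the loopback probe does not see the all-interfaces holder and reports "missed".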