SONARPY-3656: Create rule S8392: FastAPI applications should not bind to all network interfaces (#782)

GitOrigin-RevId: f9bd468fa03d1459f01f81425e6c0ecc2746f83a

Author: thomas-serre-sonarsource

python-checks/src/main/java/org/sonar/python/checks/FastAPIBindToAllNetworkInterfacesCheck.java

@@ -0,0 +1,58 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2025 SonarSource Sàrl
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+package org.sonar.python.checks;
+
+import org.sonar.check.Rule;
+import org.sonar.plugins.python.api.PythonSubscriptionCheck;
+import org.sonar.plugins.python.api.SubscriptionContext;
+import org.sonar.plugins.python.api.tree.CallExpression;
+import org.sonar.plugins.python.api.tree.RegularArgument;
+import org.sonar.plugins.python.api.tree.StringLiteral;
+import org.sonar.plugins.python.api.tree.Tree;
+import org.sonar.plugins.python.api.types.v2.matchers.TypeMatcher;
+import org.sonar.plugins.python.api.types.v2.matchers.TypeMatchers;
+import org.sonar.python.checks.utils.Expressions;
+import org.sonar.python.tree.TreeUtils;
+
+@Rule(key = "S8392")
+public class FastAPIBindToAllNetworkInterfacesCheck extends PythonSubscriptionCheck {
+
+  private static final String ALL_NETWORK_INTERFACES = "0.0.0.0";
+  private final static TypeMatcher UVICORN_RUN_FUNCTION_TYPE_MATCHER = TypeMatchers.isType("uvicorn.run");
+
+  @Override
+  public void initialize(Context context) {
+    context.registerSyntaxNodeConsumer(Tree.Kind.CALL_EXPR, this::checkUvicornRunFunctionCalls);
+  }
+
+  private void checkUvicornRunFunctionCalls(SubscriptionContext ctx) {
+    CallExpression callExpr = ((CallExpression) ctx.syntaxNode());
+
+    if (!UVICORN_RUN_FUNCTION_TYPE_MATCHER.isTrueFor(callExpr.callee(), ctx)) {
+      return;
+    }
+
+    RegularArgument hostArgument = TreeUtils.argumentByKeyword("host", callExpr.arguments());
+    if (hostArgument == null) {
+      return;
+    }
+    StringLiteral hostValue = Expressions.extractStringLiteral(hostArgument.expression());
+    if (hostValue != null && ALL_NETWORK_INTERFACES.equals(hostValue.trimmedQuotesValue())) {
+      ctx.addIssue(hostArgument, "Avoid binding the FastAPI application to all network interfaces.");
+    }
+  }
+}

python-checks/src/main/java/org/sonar/python/checks/OpenSourceCheckList.java

@@ -218,6 +218,7 @@ public Stream<Class<?>> getChecks() {
       ExecStatementUsageCheck.class,
       ExitHasBadArgumentsCheck.class,
       ExpandingArchiveCheck.class,
+      FastAPIBindToAllNetworkInterfacesCheck.class,
       FastHashingOrPlainTextCheck.class,
       FieldDuplicatesClassNameCheck.class,
       FieldNameCheck.class,

python-checks/src/main/java/org/sonar/python/checks/utils/Expressions.java

@@ -109,6 +109,22 @@ public static boolean isTruthy(@Nullable Expression expression) {
     return Expressions.isTruthyInternal(expression);
   }
 
+  @CheckForNull
+  public static StringLiteral extractStringLiteral(Tree tree) {
+    if (tree.is(Tree.Kind.STRING_LITERAL)) {
+      return (StringLiteral) tree;
+    }
+
+    if (tree.is(Tree.Kind.NAME)) {
+      Expression assignedValue = Expressions.singleAssignedValue(((Name) tree));
+      if (assignedValue != null && assignedValue.is(Tree.Kind.STRING_LITERAL)) {
+        return ((StringLiteral) assignedValue);
+      }
+    }
+
+    return null;
+  }
+
   @CheckForNull
   public static Expression singleAssignedValue(Name name) {
     return singleAssignedValue(name, new HashSet<>());

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S8392.html

@@ -0,0 +1,85 @@
+<p>This is an issue when a FastAPI application uses <code>uvicorn.run()</code> with <code>host="0.0.0.0"</code>, which binds the application to all
+available network interfaces on the host machine.</p>
+<h2>Why is this an issue?</h2>
+<p>When you start a FastAPI application, you need to specify which network interface it should listen on. A network interface is a connection point
+between your computer and a network.</p>
+<p>The special IP address <code>0.0.0.0</code> tells the application to bind to <strong>all</strong> network interfaces on the machine. This means the
+application becomes accessible from:</p>
+<ul>
+  <li> The local machine (localhost) </li>
+  <li> The local network (LAN) </li>
+  <li> Any public-facing network interfaces </li>
+  <li> Virtual network interfaces </li>
+</ul>
+<p>This broad exposure violates the principle of least privilege, which states that a system should only have access to the resources it needs to
+function. By binding to all interfaces, you’re making your application accessible from networks where it shouldn’t be reachable.</p>
+<p>In development environments, this is particularly risky because:</p>
+<ul>
+  <li> Development servers often lack production security measures </li>
+  <li> Debug mode may be enabled, exposing sensitive information </li>
+  <li> Authentication and authorization might not be fully implemented </li>
+  <li> The application may contain test data or incomplete features </li>
+</ul>
+<p>Even in production environments, binding to <code>0.0.0.0</code> should be a deliberate choice made with proper security controls in place, such
+as:</p>
+<ul>
+  <li> Firewalls restricting access to specific IP addresses </li>
+  <li> Reverse proxies handling TLS/SSL termination </li>
+  <li> Network segmentation isolating the application </li>
+  <li> Container orchestration platforms managing network access </li>
+</ul>
+<p>When these controls are absent, binding to all interfaces creates an unnecessarily large attack surface.</p>
+<h3>What is the potential impact?</h3>
+<p>Binding to all network interfaces can lead to several security risks:</p>
+<ul>
+  <li> <strong>Unauthorized access</strong>: Attackers on the same network or the internet can reach your application, potentially exploiting
+  vulnerabilities or accessing sensitive data. </li>
+  <li> <strong>Information disclosure</strong>: Debug endpoints, error messages, or development features may leak sensitive information about your
+  application’s structure, dependencies, or data. </li>
+  <li> <strong>Lateral movement</strong>: If an attacker compromises your network, an exposed development server can serve as an entry point to other
+  systems. </li>
+  <li> <strong>Data breaches</strong>: Unprotected applications may expose user data, API keys, database credentials, or other confidential
+  information. </li>
+</ul>
+<p>The severity depends on the environment and what security controls are in place, but the risk is highest in development environments where security
+measures are typically minimal.</p>
+<h2>How to fix it</h2>
+<p>For development and local testing, bind to localhost (<code>127.0.0.1</code> or <code>localhost</code>) instead of all interfaces. This ensures the
+application is only accessible from your local machine.</p>
+<h3>Code examples</h3>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="1" data-diff-type="noncompliant">
+import uvicorn
+from fastapi import FastAPI
+
+app = FastAPI()
+
+if __name__ == "__main__":
+    uvicorn.run(app, host="0.0.0.0", port=8000)  # Noncompliant
+</pre>
+<h4>Compliant solution</h4>
+<pre data-diff-id="1" data-diff-type="compliant">
+import uvicorn
+from fastapi import FastAPI
+
+app = FastAPI()
+
+if __name__ == "__main__":
+    uvicorn.run(app, host="127.0.0.1", port=8000)
+</pre>
+<h2>Resources</h2>
+<h3>Documentation</h3>
+<ul>
+  <li> FastAPI Documentation - Deployment Concepts - <a href="https://fastapi.tiangolo.com/deployment/concepts/">Official FastAPI documentation on
+  deployment concepts, including network binding considerations</a> </li>
+  <li> Uvicorn Documentation - Deployment - <a href="https://www.uvicorn.org/deployment/">Uvicorn server documentation on deployment and configuration
+  options</a> </li>
+  <li> FastAPI CLI Documentation - <a href="https://fastapi.tiangolo.com/fastapi-cli/">Documentation explaining the difference between development
+  (127.0.0.1) and production (0.0.0.0) binding</a> </li>
+</ul>
+<h3>Standards</h3>
+<ul>
+  <li> CWE 668 - <a href="https://cwe.mitre.org/data/definitions/668.html">Exposure of Resource to Wrong Sphere</a> </li>
+  <li> CIS 6.6.1 - <a href="https://www.cisecurity.org/controls/">CIS Controls - Network Security</a> </li>
+</ul>
+

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S8392.json

@@ -0,0 +1,35 @@
+{
+  "title": "FastAPI applications should not bind to all network interfaces",
+  "type": "VULNERABILITY",
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "5min"
+  },
+  "tags": [
+    "fastapi",
+    "uvicorn",
+    "network",
+    "deployment",
+    "least-privilege"
+  ],
+  "defaultSeverity": "Blocker",
+  "ruleSpecification": "RSPEC-8392",
+  "sqKey": "S8392",
+  "scope": "Main",
+  "quickfix": "unknown",
+  "code": {
+    "impacts": {
+      "SECURITY": "BLOCKER"
+    },
+    "attribute": "CONVENTIONAL"
+  },
+  "securityStandards": {
+    "CWE": [
+      668
+    ],
+    "CIS": [
+      "6.6.1"
+    ]
+  }
+}

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/Sonar_way_profile.json

@@ -308,6 +308,7 @@
     "S7943",
     "S7945",
     "S8375",
+    "S8392",
     "S8396"
   ]
 }

python-checks/src/test/java/org/sonar/python/checks/FastAPIBindToAllNetworkInterfacesCheckTest.java

@@ -0,0 +1,29 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2025 SonarSource Sàrl
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+package org.sonar.python.checks;
+
+import org.junit.jupiter.api.Test;
+import org.sonar.python.checks.utils.PythonCheckVerifier;
+
+class FastAPIBindToAllNetworkInterfacesCheckTest {
+
+  @Test
+  void test() {
+    PythonCheckVerifier.verify("src/test/resources/checks/fastAPIBindToAllNetworkInterfaces.py", new FastAPIBindToAllNetworkInterfacesCheck());
+  }
+
+}

python-checks/src/test/java/org/sonar/python/checks/utils/ExpressionsTest.java

@@ -292,6 +292,36 @@ void singleAssignedNonNameValue() {
     assertThat(lastNameNonNameValue("x = 42; y")).isNull();
   }
 
+  @Test
+  void extract_string_literal_from_direct_literal() {
+    StringLiteral direct = Expressions.extractStringLiteral(exp("'aStringLiteral'"));
+    assertThat(direct).isNotNull();
+    assertThat(direct.trimmedQuotesValue()).isEqualTo("aStringLiteral");
+  }
+
+  @Test
+  void extract_string_literal_from_assigned_literal() {
+    // name assigned to a string literal
+    FileInput root = parse("x = 'aStringLiteralAssignedToAVariable'; x");
+    new SymbolTableBuilder(null).visitFileInput(root);
+    NameVisitor nameVisitor = new NameVisitor();
+    root.accept(nameVisitor);
+    Name lastName = nameVisitor.names.get(nameVisitor.names.size() - 1);
+    StringLiteral assigned = Expressions.extractStringLiteral(lastName);
+    assertThat(assigned).isNotNull();
+    assertThat(assigned.trimmedQuotesValue()).isEqualTo("aStringLiteralAssignedToAVariable");
+  }
+
+  @Test
+  void extract_string_literal_from_non_literal_return_null() {
+    FileInput root = parse("y = 42; y");
+    new SymbolTableBuilder(null).visitFileInput(root);
+    NameVisitor nameVisitor = new NameVisitor();
+    root.accept(nameVisitor);
+    Name lastY = nameVisitor.names.get(nameVisitor.names.size() - 1);
+    assertThat(Expressions.extractStringLiteral(lastY)).isNull();
+  }
+
   private Expression lastNameNonNameValue(String code) {
     FileInput root = parse(code);
     new SymbolTableBuilder(null).visitFileInput(root);

python-checks/src/test/resources/checks/fastAPIBindToAllNetworkInterfaces.py

@@ -0,0 +1,18 @@
+import uvicorn
+from fastapi import FastAPI
+from somewhere import my_host_name
+
+app = FastAPI()
+
+uvicorn.run(app, host="127.0.0.1")
+uvicorn.run(app, port=8000)
+uvicorn.run(app, host="127.0.0.1", port=8000)
+uvicorn.run(app, host="localhost", port=8000)
+uvicorn.run(app, host="192.168.1.100", port=8000)
+uvicorn.run(app, host=my_host_name, port=8000)
+
+uvicorn.run(app, host="0.0.0.0") # Noncompliant {{Avoid binding the FastAPI application to all network interfaces.}}
+uvicorn.run(app, host="0.0.0.0", port=8000) # Noncompliant
+uvicorn.run(app, host="0.0.0.0", port=8000, debug=True) # Noncompliant
+host_config = "0.0.0.0"
+uvicorn.run(app, host=host_config, port=8000) # Noncompliant