Dart Shelf Server Insecure Bind
Description
This detector identifies insecure network bindings in Dart Shelf servers that accept connections from all network interfaces without a security context. When a server binds to all interfaces (such as 0.0.0.0 or InternetAddress.anyIPv4) without one, it exposes the application in cleartext to any host that can reach the machine, rather than limiting access to the local machine or to TLS-protected connections.
Detection Strategy
• The detector analyzes Dart code that imports the shelf_io library (package:shelf/shelf_io.dart) and uses its serve function
• It identifies calls to the serve function imported from shelf_io (with or without an import alias)
• The detector checks whether the serve call lacks the securityContext parameter
• It examines the second argument (index 1) of the serve call, the address, to determine whether it binds to all network interfaces
• A vulnerability is reported when serve is called with an address that binds to all interfaces (such as InternetAddress.anyIPv4 or 0.0.0.0) and no security context is supplied
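The strategy above can be reproduced as a small source scanner. The following Python is an added example written for this page; it is not Fluid Attacks' detector and makes no claim about how that detector is implemented. It assumes the shelf_io import may carry an alias (as io, as shelf_io) and goes slightly beyond the page by also treating InternetAddress.anyIPv6 and the string '::' as all-interface bindings. The Dart snippets it scans are constructed for the demonstration.

```python
import re

# Constructed Dart snippets (not from the page) that exercise each rule of the
# detection strategy: all-interface bind with and without securityContext,
# a loopback bind, and a serve() that is not shelf_io's at all.
SAMPLES = {
    "anyipv4_no_ctx": """
import 'package:shelf/shelf_io.dart' as io;
void main() async { await io.serve(handler, InternetAddress.anyIPv4, 8080); }
""",
    "string_0000": """
import 'package:shelf/shelf_io.dart' as shelf_io;
void main() async { await shelf_io.serve(handler, '0.0.0.0', 8080); }
""",
    "loopback": """
import 'package:shelf/shelf_io.dart' as io;
void main() async { await io.serve(handler, InternetAddress.loopbackIPv4, 8080); }
""",
    "anyipv4_with_ctx": """
import 'package:shelf/shelf_io.dart' as io;
void main() async {
  await io.serve(handler, InternetAddress.anyIPv4, 8443, securityContext: ctx);
}
""",
    "no_shelf_io": """
import 'dart:io';
void main() async { await serve(handler, InternetAddress.anyIPv4, 8080); }
""",
}

# Rule 1: the file must import shelf_io; capture the optional alias.
IMPORT_RE = re.compile(r"import\s+'package:shelf/shelf_io\.dart'(?:\s+as\s+(\w+))?")

# Address expressions that bind every interface (anyIPv6 / '::' are an
# assumption extending the page's 0.0.0.0 / anyIPv4 cases).
ALL_INTERFACES = {
    "InternetAddress.anyIPv4", "InternetAddress.anyIPv6",
    "'0.0.0.0'", '"0.0.0.0"', "'::'", '"::"',
}


def _extract_call_args(src, paren_index):
    """Return the text between the '(' at paren_index and its matching ')'."""
    depth = 0
    for i in range(paren_index, len(src)):
        if src[i] == "(":
            depth += 1
        elif src[i] == ")":
            depth -= 1
            if depth == 0:
                return src[paren_index + 1:i]
    return None


def _split_args(arglist):
    """Split a Dart argument list at top-level commas only
    (commas inside (), [], {} or string literals are not separators)."""
    args, cur, depth, quote = [], [], 0, None
    for ch in arglist:
        if quote:
            cur.append(ch)
            if ch == quote:
                quote = None
            continue
        if ch in "'\"":
            quote = ch
        elif ch in "([{":
            depth += 1
        elif ch in ")]}":
            depth -= 1
        elif ch == "," and depth == 0:
            args.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        args.append(tail)
    return args


def find_insecure_binds(src):
    """Return [(line, address_expr)] for every shelf_io serve() call whose
    second argument binds all interfaces and which passes no securityContext."""
    imp = IMPORT_RE.search(src)
    if not imp:                       # Rule 1: not a shelf_io server file
        return []
    alias = imp.group(1)
    # Rule 2: match alias.serve( when aliased, otherwise a bare serve(.
    prefix = rf"\b{re.escape(alias)}\." if alias else r"(?<![\w.])"
    call_re = re.compile(prefix + r"serve\s*\(")
    findings = []
    for call in call_re.finditer(src):
        inner = _extract_call_args(src, src.index("(", call.start()))
        if inner is None:
            continue
        args = _split_args(inner)
        if len(args) < 2:
            continue
        address = args[1]             # Rule 4: second positional argument
        has_ctx = any(a.startswith("securityContext:") for a in args)  # Rule 3
        if address in ALL_INTERFACES and not has_ctx:                  # Rule 5
            line = src.count("\n", 0, call.start()) + 1
            findings.append((line, address))
    return findings


def scan_samples(samples=SAMPLES):
    """Run the scanner over every constructed snippet; name -> findings."""
    return {name: find_insecure_binds(code) for name, code in samples.items()}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name}: {hits or 'clean'}")
```

Only the two snippets that bind all interfaces without a securityContext are reported; the loopback bind and the TLS-enabled bind pass, and the file that never imports shelf_io is skipped entirely, matching the order of checks in the strategy.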
Vulnerable code example
import 'dart:io';
import 'package:shelf/shelf.dart';
import 'package:shelf/shelf_io.dart' as io;

Response _handler(Request request) => Response.ok('ok');

Future<void> vulnerable() async {
  // VULNERABLE: HTTP server on all interfaces (0.0.0.0) without encryption.
  // No securityContext is passed, so any host that can reach this machine
  // talks to the handler in cleartext.
  final server = await io.serve(_handler, InternetAddress.anyIPv4, 8080);
  print('Serving at http://${server.address.host}:${server.port}');
}

Secure code example
import 'dart:io';
import 'package:shelf/shelf.dart';
import 'package:shelf/shelf_io.dart' as io;

Response _handler(Request request) => Response.ok('ok');

Future<void> secure() async {
  // SECURE: Using the loopback address limits access to the local machine only.
  final server = await io.serve(_handler, InternetAddress.loopbackIPv4, 8080);
  print('Serving at http://${server.address.host}:${server.port}');
}