From 4d19057b4ff478dd4108a590b7b4375c983059bb Mon Sep 17 00:00:00 2001
From: CodeCaster
Date: Sat, 25 Oct 2025 15:32:18 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8Dsocket=E7=BB=91?=
 =?UTF-8?q?=E5=AE=9A=E5=88=B0=E6=89=80=E6=9C=89=E7=BD=91=E7=BB=9C=E6=8E=A5?=
 =?UTF-8?q?=E5=8F=A3=E7=9A=84=E5=AE=89=E5=85=A8=E9=97=AE=E9=A2=98=20(CodeQ?=
 =?UTF-8?q?L=20#3)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

将 get_free_tcp_port() 函数中的socket绑定地址从空字符串 '' (等同于 0.0.0.0) 改为 _LOCAL_HOST (127.0.0.1),避免将socket暴露到所有网络接口。

这修复了 CodeQL 扫描警报 #3 (CWE-200: 信息泄露),消除了中等严重程度的安全风险。

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude
---
 framework/fit/python/fitframework/utils/tools.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/framework/fit/python/fitframework/utils/tools.py b/framework/fit/python/fitframework/utils/tools.py
index f17f0e72..f87b26fb 100644
--- a/framework/fit/python/fitframework/utils/tools.py
+++ b/framework/fit/python/fitframework/utils/tools.py
@@ -53,7 +53,7 @@ def to_bool(value: Union[str, int, bool]):
 
 def get_free_tcp_port() -> int:
     with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
-        s.bind(('', 0))
+        s.bind((_LOCAL_HOST, 0))
         return s.getsockname()[1]
 
 
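Review bot: Binding to `_LOCAL_HOST` on the `+` line narrows what `get_free_tcp_port` actually checks, and the function has no docstring saying so: a port another process holds only on a specific non-loopback address now looks free, so a caller that later binds the returned port on 0.0.0.0 can still fail with EADDRINUSE, and the pre-existing race is unchanged because the probe socket is closed when the `with` block exits, before the caller binds. I would add a docstring such as `"""Return a TCP port that is currently free on the loopback address. The probe socket is closed before returning, so the port is a hint, not a reservation; it may be taken by another process, or already be in use on a non-loopback interface."""`. `_LOCAL_HOST` is defined outside the hunk; the commit message says it is 127.0.0.1, and it should be the literal address rather than a hostname like "localhost", which may resolve differently and only AF_INET results would be usable here. Since the original socket was bound to an ephemeral port and closed without ever listening, the exposure the CodeQL alert describes was nominal, so the change is reasonable hygiene rather than the closure of a real listener; the message could be softened accordingly.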