diff --git a/.changes/unreleased/Security-20240522-094540.yaml b/.changes/unreleased/Security-20240522-094540.yaml
new file mode 100644
index 00000000000..b35f96dc084
--- /dev/null
+++ b/.changes/unreleased/Security-20240522-094540.yaml
@@ -0,0 +1,6 @@
+kind: Security
+body: Explicitly bind to localhost in docs serve
+time: 2024-05-22T09:45:40.748185-04:00
+custom:
+ Author: ChenyuLInx michelleark
+ Issue: "10209"
diff --git a/core/dbt/task/docs/serve.py b/core/dbt/task/docs/serve.py
index b6aca15190c..c0cd4e570ac 100644
--- a/core/dbt/task/docs/serve.py
+++ b/core/dbt/task/docs/serve.py
@@ -20,7 +20,7 @@ def run(self):
 if self.args.browser:
 webbrowser.open_new_tab(f"http://localhost:{port}")
- with socketserver.TCPServer(("", port), SimpleHTTPRequestHandler) as httpd:
+ with socketserver.TCPServer(("127.0.0.1", port), SimpleHTTPRequestHandler) as httpd:
 click.echo(f"Serving docs at {port}")
 click.echo(f"To access from your browser, navigate to: http://localhost:{port}")
 click.echo("\n\n")
diff --git a/tests/unit/task/docs/__init__.py b/tests/unit/task/docs/__init__.py
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/tests/unit/task/docs/test_serve.py b/tests/unit/task/docs/test_serve.py
new file mode 100644
index 00000000000..cedb234a205
--- /dev/null
+++ b/tests/unit/task/docs/test_serve.py
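Review bot: In core/dbt/task/docs/serve.py the new bind address `"127.0.0.1"` on the `socketserver.TCPServer(...)` line is a bare literal with nothing saying it is a security boundary, so a later cleanup could turn it back into `""` (every interface) without a reviewer noticing. I would add `# Loopback only: "" binds every interface and exposes the served directory to the network.` directly above the `with` line. The unchanged `click.echo(f"Serving docs at {port}")` could also name the interface, e.g. `click.echo(f"Serving docs at 127.0.0.1:{port}")`, so anyone who previously reached the server from another host or through a container port mapping can see why that no longer works. The body of run() starts and ends outside this hunk.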
@@ -0,0 +1,23 @@
+from http.server import SimpleHTTPRequestHandler
+from unittest.mock import MagicMock, patch
+
+import pytest
+
+from dbt.task.docs.serve import ServeTask
+
+
+@pytest.fixture
+def serve_task():
+ # Set up
+ task = ServeTask(config=MagicMock(), args=MagicMock())
+ task.config.project_target_path = "."
+ task.args.port = 8000
+ return task
+
+
+def test_serve_bind_to_127(serve_task):
+ serve_task.args.browser = False
+ with patch("dbt.task.docs.serve.socketserver.TCPServer") as patched_TCPServer:
+ patched_TCPServer.return_value = MagicMock()
+ serve_task.run()
+ patched_TCPServer.assert_called_once_with(("127.0.0.1", 8000), SimpleHTTPRequestHandler)
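Review bot: In tests/unit/task/docs/test_serve.py the test calls the real `serve_task.run()` with `project_target_path = "."` and only `TCPServer` patched, so whatever run() does before it opens the server happens in the directory pytest was started from. The start of run() is not shown in this diff, so I cannot tell whether it changes directory or writes files; if it does, the fixture should use a temporary directory, e.g. `task.config.project_target_path = str(tmp_path)` with `tmp_path` added to the fixture's parameters. The line `patched_TCPServer.return_value = MagicMock()` is redundant, because `patch` already supplies a `MagicMock` whose return value works in the `with` block. A short docstring on `test_serve_bind_to_127` saying it guards against binding the docs server to all interfaces would make the reason for the pinned address obvious.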