semgrep / semgrep-rules

Semgrep rules registry
https://semgrep.dev/registry

[Rule] JS Express.js app listen without host #1721

Open inkz opened 2 years ago

inkz commented 2 years ago

Rule Description

app listen without host:

If host is omitted, the server will accept connections on the unspecified IPv6 address (::) when IPv6 is available, or the unspecified IPv4 address (0.0.0.0) otherwise.

What does this rule intend to find?

Examples or references

const express = require('express')
const app = express()
const port = 3000

app.get('/dangerous', (req, res) => {
  /* [...] */
  console.log("Access to dangerous function: "+req.ip);
  /* [...] */
});

// No host argument: the server binds to the unspecified address (:: or 0.0.0.0)
app.listen(port, () => console.log(`Example app listening on port ${port}!`))

Put an example or references here

http://expressjs.com/en/5x/api.html#app.listen https://nodejs.org/api/net.html#serverlistenport-host-backlog-callback

Additional information

More information that would help someone write this rule!

PR Checklist

If the rule is my-rule, the test file name should be my-rule.js.

True positives are marked by comments with ruleid: <my-rule> and true negatives are marked by comments with ok: <my-rule>.

  1. A description of the pattern (e.g., missing parameter, dangerous flag, out-of-order function calls).
  2. A description of why this pattern was detected (e.g., logic bug, introduces a security vulnerability, bad practice).
  3. An alternative that resolves the issue (e.g., use another function, validate data first, discard the dangerous flag).
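A Semgrep rule that implements the check described above, written here as an added example (it is not a rule from the semgrep-rules registry). The rule id, the metavariable names and the regex used to tell a callback from a host argument are assumptions; a host passed as a variable rather than a string literal is not recognised, so a callback passed by name is not reported either.

```yaml
rules:
  - id: express-app-listen-without-host
    languages: [javascript, typescript]
    severity: WARNING
    metadata:
      category: security
      references:
        - http://expressjs.com/en/5x/api.html#app.listen
        - https://nodejs.org/api/net.html#serverlistenport-host-backlog-callback
    message: >-
      $APP.listen() is called without a host argument, so the server binds to
      the unspecified address (:: or 0.0.0.0) and accepts connections on every
      network interface. Pass an explicit host such as 127.0.0.1 when the app
      should only be reachable locally or through a reverse proxy.
    patterns:
      # Only consider applications created with Express in the same file
      # (assumption: the app object is assigned to a variable, as in the issue).
      - pattern-either:
          - pattern-inside: |
              $APP = express()
              ...
          - pattern-inside: |
              $APP = require('express')()
              ...
      # listen(port) or listen(port, callback): no host in either form.
      - pattern-either:
          - pattern: $APP.listen($PORT)
          - pattern: $APP.listen($PORT, $CALLBACK)
      # Treat the second argument as a callback only when it is an inline
      # function; a string literal or a variable in that position may be the host.
      - metavariable-regex:
          metavariable: $CALLBACK
          regex: '^(function\b|async\b|\(.*\)\s*=>|[\w$]+\s*=>)'
```

Per the PR checklist, the accompanying `express-app-listen-without-host.js` test file would mark the issue's `app.listen(port, () => ...)` call with `// ruleid: express-app-listen-without-host` and a call such as `app.listen(port, '127.0.0.1', () => ...)` with `// ok: express-app-listen-without-host`.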
stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.