Using sockets is security-sensitive. It has led in the past to the following vulnerabilities:

Sockets are vulnerable in multiple ways:

This rules flags code that creates sockets. It matches only the direct use of sockets, not use through frameworks or high-level APIs such as the use of http connections.

Ask Yourself Whether

There is a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

Sensitive Code Example

// === java.net ===
import java.net.Socket;
import java.net.InetAddress;
import java.net.Proxy;
import java.net.ServerSocket;
import javax.net.SocketFactory;

class A {
    void foo(SocketFactory factory, String address, int port, InetAddress localAddr, int localPort, boolean stream,
            String host, Proxy proxy, int backlog, InetAddress bindAddr)
            throws Exception {
        new Socket(); // Sensitive.
        new Socket(address, port); // Sensitive.
        new Socket(address, port, localAddr, localPort); // Sensitive.
        new Socket(host, port, stream); // Sensitive.
        new Socket(proxy); // Sensitive.
        new Socket(host, port); // Sensitive.
        new Socket(host, port, stream); // Sensitive.
        new Socket(host, port, localAddr, localPort); // Sensitive.

        new ServerSocket(); // Sensitive.
        new ServerSocket(port); // Sensitive.
        new ServerSocket(port, backlog); // Sensitive.
        new ServerSocket(port, backlog, bindAddr); // Sensitive.

        factory.createSocket(); // Sensitive
    }
}

abstract class mySocketFactory extends SocketFactory { // Sensitive. Review how the sockets are created.
    // ...
}
// === java.nio.channels ===
import java.net.SocketAddress;
import java.nio.channels.AsynchronousChannelGroup;
import java.nio.channels.AsynchronousServerSocketChannel;
import java.nio.channels.AsynchronousSocketChannel;
import java.nio.channels.SocketChannel;
import java.nio.channels.ServerSocketChannel;

class A {
    void foo(AsynchronousChannelGroup group, SocketAddress remote) throws Exception {
        AsynchronousServerSocketChannel.open(); // Sensitive.
        AsynchronousServerSocketChannel.open(group); // Sensitive.
        AsynchronousSocketChannel.open(); // Sensitive.
        AsynchronousSocketChannel.open(group); // Sensitive.
        SocketChannel.open(); // Sensitive.
        SocketChannel.open(remote); // Sensitive.
        ServerSocketChannel.open(); // Sensitive.
    }
}
// === Netty ===
import io.netty.channel.ChannelInitializer;
import io.netty.channel.socket.ServerSocketChannel;
import io.netty.channel.socket.SocketChannel;

class CustomChannelInitializer extends ChannelInitializer<ServerSocketChannel> { // Sensitive. Review how the SocketChannel is used.
    @Override
    protected void initChannel(ServerSocketChannel ch) throws Exception {
    }
}

class A {
    void foo() {
        new ChannelInitializer<SocketChannel>() {  // Sensitive
            @Override
            public void initChannel(SocketChannel ch) throws Exception {
                // ...
            }
        };
    }
}

See

Deprecated

This rule is deprecated, and will eventually be removed.