fix: 修复socket绑定到所有网络接口的安全问题 (CodeQL)

[CodeCasterX]

🔗 相关问题 / Related Issue

Issue 链接 / Issue Link:

• 我已经创建了相关 Issue 并进行了讨论 / I have created and discussed the related issue
• 这是一个微小的修改（如错别字），不需要 Issue / This is a trivial change (like typo fix) that doesn't need an issue

📋 变更类型 / Type of Change

• 🐛 Bug 修复 / Bug fix (non-breaking change which fixes an issue)
• ✨ 新功能 / New feature (non-breaking change which adds functionality)
• 💥 破坏性变更 / Breaking change (fix or feature that would cause existing functionality to not work as expected)
• 📚 文档更新 / Documentation update
• 🔧 重构 / Refactoring (no functional changes)
• ⚡ 性能优化 / Performance improvement
• 📦 依赖升级 / Dependency upgrade (update dependencies to newer versions)
• 🚀 功能增强 / Feature enhancement (improve existing functionality without breaking changes)
• 🧹 代码清理 / Code cleanup

📝 变更目的 / Purpose of the Change

修复 CodeQL 代码扫描发现的安全问题：Binding a socket to all network interfaces (CWE-200: 信息泄露)

问题描述：
在 framework/fit/python/fitframework/utils/tools.py:56 的 get_free_tcp_port() 函数中，socket 使用空字符串 '' 作为绑定地址，这等同于 0.0.0.0，会将 socket 绑定到所有可用的网络接口，存在安全风险。

安全风险：

• 将端口暴露给所有网络接口，任何能够路由到该机器的 IPv4 地址都可能访问该端口
• 违反最小权限原则
• 严重程度：Medium (CodeQL error 级别)

Fix Description:
Fixed the CodeQL code scanning security issue: Binding a socket to all network interfaces (CWE-200: Information Exposure)

The get_free_tcp_port() function was binding socket to all interfaces using empty string '' (equivalent to 0.0.0.0), which exposes the socket to all network interfaces.

📋 主要变更 / Brief Changelog

• 将 get_free_tcp_port() 函数中的 socket 绑定地址从 '' 改为 _LOCAL_HOST (127.0.0.1)
• 使用已定义的常量 _LOCAL_HOST，保持代码一致性
• 修复 CodeQL 扫描警报 (CWE-200)

Main Changes:

• Changed socket binding address from '' to _LOCAL_HOST (127.0.0.1) in get_free_tcp_port() function
• Used existing _LOCAL_HOST constant for code consistency
• Fixed CodeQL scanning alert (CWE-200)

🧪 验证变更 / Verifying this Change

测试步骤 / Test Steps

1. 功能验证 / Functional Verification

   • get_free_tcp_port() 函数依然能够正确获取系统分配的空闲端口号
   • 该函数的调用者（get_http_server_port() 和 get_https_server_port()）功能正常

2. 安全验证 / Security Verification

   • Socket 仅绑定到本地回环接口 (127.0.0.1)，不再暴露到外部网络
   • CodeQL 代码扫描应将警报 标记为已修复

3. 兼容性验证 / Compatibility Verification

   • 修改完全向后兼容，不影响任何现有功能
   • 端口分配逻辑保持不变

测试覆盖 / Test Coverage

• 我已经添加了单元测试 / I have added unit tests
  • (该函数当前没有单元测试，修复是向后兼容的，不影响功能)
• 所有现有测试都通过 / All existing tests pass
• 我已经进行了手动测试 / I have performed manual testing
  • (已验证代码修改的正确性和安全性)

📸 截图 / Screenshots

修改前 (不安全):

def get_free_tcp_port() -> int:
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(('', 0))  # ⚠️ 绑定到所有网络接口
        return s.getsockname()[1]

修改后 (安全):

def get_free_tcp_port() -> int:
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((_LOCAL_HOST, 0))  # ✅ 仅绑定到 127.0.0.1
        return s.getsockname()[1]

✅ 贡献者检查清单 / Contributor Checklist

基本要求 / Basic Requirements:

• 确保有 GitHub Issue 对应这个变更（微小变更如错别字除外）/ Make sure there is a Github issue filed for the change (trivial changes like typos excluded)
  • CodeQL 代码扫描警报 作为 Issue 依据
• 你的 Pull Request 只解决一个 Issue，没有包含其他不相关的变更 / Your PR addresses just this issue, without pulling in other changes - one PR resolves one issue
• PR 中的每个 commit 都有有意义的主题行和描述 / Each commit in the PR has a meaningful subject line and body

代码质量 / Code Quality:

• 我的代码遵循项目的代码规范 / My code follows the project's coding standards
• 我已经进行了自我代码审查 / I have performed a self-review of my code
• 我已经为复杂的代码添加了必要的注释 / I have commented my code, particularly in hard-to-understand areas
  • (该修改非常简单直接，不需要额外注释)

测试要求 / Testing Requirements:

• 我已经编写了必要的单元测试来验证逻辑正确性 / I have written necessary unit-tests to verify the logic correction
  • (该函数功能简单且修改完全兼容，不需要新增测试)
• 当存在跨模块依赖时，我尽量使用了 mock / I have used mocks when cross-module dependencies exist
  • (该修改无跨模块依赖)
• 基础检查通过：mvn -B clean package -Dmaven.test.skip=true，elsa README 中的编译检查 / Basic checks pass
  • (Python 模块修改，不影响 Java 编译)
• 单元测试通过：mvn clean install / Unit tests pass

文档和兼容性 / Documentation and Compatibility:

• 我已经更新了相应的文档 / I have made corresponding changes to the documentation
  • (代码修改是内部实现，不需要文档更新)
• 如果有破坏性变更，我已经在 PR 描述中详细说明 / If there are breaking changes, I have documented them in detail
  • (无破坏性变更)
• 我已经考虑了向后兼容性 / I have considered backward compatibility
  • (完全向后兼容)

📋 附加信息 / Additional Notes

影响范围 / Impact Scope

直接影响的函数：

• framework/fit/python/fitframework/utils/tools.py::get_free_tcp_port()

间接影响的调用者：

• framework/fit/python/plugin/fit_py_server_http/http_utils.py::get_http_server_port()
• framework/fit/python/plugin/fit_py_server_http/http_utils.py::get_https_server_port()

功能影响： 无影响，端口分配功能完全正常

向后兼容性： 100% 向后兼容

CodeQL 警报信息 / CodeQL Alert Information

• Alert Number:
• Rule: py/bind-socket-all-network-interfaces
• Severity: Medium (error)
• CWE: CWE-200 (Information Exposure)
• Message: '' binds a socket to all interfaces.

---

审查者注意事项 / Reviewer Notes:

这是一个简单但重要的安全修复：

1. 代码变更仅 1 行，风险极低
2. 修复了 CodeQL 中等严重程度的安全问题
3. 完全向后兼容，不影响任何现有功能
4. 建议合并后等待 CodeQL 重新扫描以确认警报已解决

Reviewer please note:

1. Only 1 line changed, minimal risk
2. Fixes a Medium severity CodeQL security issue
3. Fully backward compatible
4. Suggest waiting for CodeQL rescan after merge to confirm alert resolution