fix(server): probe Docker publish address for host ports

Author: hittyt

server/opensandbox_server/services/docker_port_allocator.py

@@ -23,7 +23,10 @@
 from opensandbox_server.services.constants import SandboxErrorCodes
 
 DOCKER_PUBLISH_HOST = "0.0.0.0"
-PORT_PROBE_HOST = "127.0.0.1"
+# The probe is a short-lived availability check and must match Docker's
+# publish scope; probing only localhost can miss ports bound on other host
+# interfaces that Docker would later fail to publish.
+PORT_PROBE_HOST = DOCKER_PUBLISH_HOST
 
 
 def normalize_container_port_spec(port_spec: str) -> str:
@@ -59,6 +62,9 @@ def allocate_host_port(
         with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
             sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
             try:
+                # This does not listen for or accept connections; it mirrors the
+                # later Docker publish binding to catch host-wide port conflicts.
+                # codeql[py/bind-socket-all-network-interfaces]
                 sock.bind((PORT_PROBE_HOST, port))
             except OSError:
                 continue

server/tests/test_docker_port_allocator.py

@@ -32,7 +32,7 @@ def bind(self, address):
         self._bound_addresses.append(address)
 
 
-def test_allocate_host_port_probes_loopback_only(monkeypatch) -> None:
+def test_allocate_host_port_probes_docker_publish_address(monkeypatch) -> None:
     bound_addresses: list[tuple[str, int]] = []
 
     monkeypatch.setattr(docker_port_allocator.random, "randint", lambda min_port, max_port: 45678)