[python-package] [dask] bind socket to local IP when searching for open ports

[odaysec]

LightGBM/python-package/lightgbm/dask.py

Line 71 in f91dcfe

self.socket.bind(("", 0))

Fix the issue the socket should be bound to a specific interface instead of all interfaces. This can be achieved by replacing the empty string ("") with a specific IP address. If the IP address is not known in advance, it can be dynamically determined using socket.gethostbyname(socket.gethostname()), which retrieves the IP address of the current machine. This ensures that the socket is bound only to the local machine's primary interface.

The changes will be made in the _RemoteSocket.acquire method, specifically on line 71 where the bind call is made.

---

[jameslamb]

Thanks for taking the time to contribute. I'll test this in a true distributed cluster before merging it (not something that happens automatically in our CI).

I've also changed the title... in the future, please follow the security policy at https://github.com/microsoft/LightGBM/security/policy. Especially "do not report security vulnerabilities through public GitHub issues" (as you did by including a vulnerability ID in the PR title here).