java.lang.security.audit.crypto.ssl.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated


DefaultHttpClient is deprecated. Further, it does not support connections using TLS1.2, which makes using DefaultHttpClient a security hazard. Use HttpClientBuilder instead.


Definition

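rules:
  - id: defaulthttpclient-is-deprecated
    metadata:
      cwe:
        - "CWE-326: Inadequate Encryption Strength"
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#DEFAULT_HTTP_CLIENT
      asvs:
        section: V9 Communications Verification Requirements
        control_id: 9.1.3 Weak TLS
        control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x17-V9-Communications.md#v91-client-communications-security-requirements
        version: "4"
      category: security
      technology:
        - java
      references:
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    message: DefaultHttpClient is deprecated. Further, it does not support
      connections using TLS1.2, which makes using DefaultHttpClient a security
      hazard. Use HttpClientBuilder instead.
    severity: WARNING
    languages:
      - java
    # Match the constructor expression itself (any argument list). Keeping
    # the pattern to the expression means the autofix below replaces only
    # `new DefaultHttpClient(...)` and leaves the enclosing statement
    # (e.g. `HttpClient client = ...;`) untouched.
    pattern: new DefaultHttpClient(...)
    # HttpClientBuilder has no public constructor, so the earlier textual
    # `fix-regex: DefaultHttpClient -> HttpClientBuilder` produced
    # `new HttpClientBuilder()`, which does not compile. Emit the builder
    # idiom instead. The import line is outside the match and still has to
    # be changed by hand to org.apache.http.impl.client.HttpClientBuilder.
    fix: HttpClientBuilder.create().build()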

Examples

defaulthttpclient-is-deprecated.java

// cf. https://mkyong.com/java/the-type-defaulthttpclient-is-deprecated/

package com.exampleweb.controller;

import org.apache.http.Header;
import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.DefaultHttpClient;

/**
 * Semgrep fixture: the positive case for {@code defaulthttpclient-is-deprecated}.
 *
 * <p>The rule keys only on the {@code new DefaultHttpClient()} expression; the
 * request and response around it exist so the fixture reads like real client
 * code. Nothing here is production-ready: the response is never consumed and
 * the client is never shut down.
 */
public class WebCrawler {

    /**
     * Issues a GET for {@code http://google.com} through a {@code DefaultHttpClient}.
     *
     * @param args unused; kept so the fixture mirrors a typical entry point
     * @throws Exception any checked exception raised by {@link HttpClient#execute}
     *     is propagated unchanged
     */
    public void crawl(String[] args) throws Exception {
        HttpGet fetch = new HttpGet("http://google.com");
        // ruleid: defaulthttpclient-is-deprecated
        HttpClient legacyClient = new DefaultHttpClient();
        HttpResponse ignoredResponse = legacyClient.execute(fetch);
    }

}

/**
 * Semgrep fixture: the negative case for {@code defaulthttpclient-is-deprecated}.
 *
 * <p>{@code SystemDefaultHttpClient} is a different class, so the pattern
 * {@code new DefaultHttpClient(...)} must not fire here; this guards the rule
 * against matching on a mere substring of the class name. The file's import
 * block does not import {@code SystemDefaultHttpClient}, and a second public
 * top-level class in one file is rejected by javac, so this fixture is meant
 * to be parsed by Semgrep, not compiled.
 *
 * <p>NOTE(review): "ok" here means "not flagged by this rule", not
 * "recommended"; whether {@code SystemDefaultHttpClient} is itself deprecated
 * in the HttpClient version in use should be checked before treating it as the
 * replacement.
 */
public class SecureWebCrawler {

    /**
     * Issues a GET for {@code http://google.com} through a {@code SystemDefaultHttpClient}.
     *
     * @param args unused; kept so the fixture mirrors a typical entry point
     * @throws Exception any checked exception raised by {@link HttpClient#execute}
     *     is propagated unchanged
     */
    public void crawl(String[] args) throws Exception {
        HttpGet fetch = new HttpGet("http://google.com");
        // ok: defaulthttpclient-is-deprecated
        HttpClient systemClient = new SystemDefaultHttpClient();
        HttpResponse ignoredResponse = systemClient.execute(fetch);
    }

}