kotlin.lang.security.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated

profile photo of semgrepsemgrep
Author
unknown
Download Count*
LGPL Commons Clause
License

DefaultHttpClient is deprecated. Further, it does not support connections using TLS1.2, which makes using DefaultHttpClient a security hazard. Use SystemDefaultHttpClient instead, which supports TLS1.2.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: defaulthttpclient-is-deprecated
    metadata:
      cwe:
        - "CWE-326: Inadequate Encryption Strength"
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#DEFAULT_HTTP_CLIENT
      asvs:
        section: V9 Communications Verification Requirements
        control_id: 9.1.3 Weak TLS
        control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x17-V9-Communications.md#v91-client-communications-security-requirements
        version: "4"
      category: security
      technology:
        - kotlin
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      references:
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      vulnerability_class:
        - Cryptographic Issues
    message: DefaultHttpClient is deprecated. Further, it does not support
      connections using TLS1.2, which makes using DefaultHttpClient a security
      hazard. Use SystemDefaultHttpClient instead, which supports TLS1.2.
    severity: WARNING
    languages:
      - kt
    pattern: DefaultHttpClient(...)
    fix-regex:
      regex: DefaultHttpClient
      replacement: SystemDefaultHttpClient

Examples

defaulthttpclient-is-deprecated.kt

// cf. https://mkyong.com/java/the-type-defaulthttpclient-is-deprecated/

package com.exampleweb.controller

import org.apache.http.Header
import org.apache.http.HttpResponse
import org.apache.http.client.HttpClient
import org.apache.http.client.methods.HttpGet
import org.apache.http.impl.client.DefaultHttpClient

public class WebCrawler {

    public fun crawl(args: Array<String>): Void {
        // ruleid: defaulthttpclient-is-deprecated
        val client: HttpClient = DefaultHttpClient()
        val request: HttpGet = HttpGet("http://google.com")
        val response: HttpResponse= client.execute(request)
    }

}

public class SecureWebCrawler {

    public fun crawl(args: Array<String>): Void {
        // ok: defaulthttpclient-is-deprecated
        val client: HttpClient = SystemDefaultHttpClient()
        val request: HttpGet = HttpGet("http://google.com")
        val response: HttpResponse= client.execute(request)
    }

}