problem-based-packs.insecure-transport.go-stdlib.gorequest-http-request.gorequest-http-request

Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network.
Definition
rules:
  - id: gorequest-http-request
    message: Checks for requests to http (unencrypted) sites using gorequest, a
      popular HTTP client library. This is dangerous because it could result in
      plaintext PII being passed around the network.
    severity: WARNING
    metadata:
      likelihood: HIGH
      impact: MEDIUM
      confidence: MEDIUM
      category: security
      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
      owasp: A03:2017 - Sensitive Data Exposure
      references:
        - https://github.com/parnurzeal/gorequest
      subcategory:
        - vuln
      technology:
        - gorequest
      vulnerability: Insecure Transport
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - go
    # Two code shapes are covered: a client kept in a variable and used later
    # (first branch), and a one-shot call chained directly on gorequest.New()
    # (second branch).
    pattern-either:
      # Shape 1: $REQ holds a gorequest client and one of its request methods
      # is called somewhere after that with a literal http:// URL.
      - patterns:
          - pattern-inside: |
              $REQ = gorequest.New()
              ...
              $RES = ...
          # The URL regex is a case-insensitive "http://" followed by anything;
          # "https://" does not match because "://" must follow "http" directly.
          # Only a string literal is compared here, so a URL assembled at
          # runtime or read from configuration is not inspected by this rule.
          - pattern: |
              $REQ.$FUNC("=~/[hH][tT][tT][pP]://.*/")
          # Only these request methods are considered. Proxy is not in the
          # list, so a plain-http proxy URL (ok1 in the examples) is not
          # reported.
          - metavariable-regex:
              metavariable: $FUNC
              regex: (Get|Post|Delete|Head|Put|Patch)
      # Shape 2: the request method is chained directly on gorequest.New()
      # with no intermediate variable (bad3 in the examples).
      - patterns:
          - pattern: gorequest.New().$FUNC("=~/[hH][tT][tT][pP]://.*/")
          - metavariable-regex:
              metavariable: $FUNC
              regex: (Get|Post|Delete|Head|Put|Patch)
Examples
gorequest-http-request.go
// bad1 is a positive fixture: request is a gorequest client and Get is
// later called with a literal http:// URL, so the rule reports the
// request.Get(...) call. resp, body and errs are not used in this fixture.
func bad1() {
	request := gorequest.New()
	// ruleid: gorequest-http-request
	resp, body, errs := request.Get("http://example.com").
		RedirectPolicy(redirectPolicyFunc).
		Set("If-None-Match", `W/"wyzzy"`).
		End()
}
// bad2 is a positive fixture: Post is in the rule's method list and the
// URL literal starts with http://, so the request.Post(...) call is reported.
func bad2() {
	request := gorequest.New()
	// ruleid: gorequest-http-request
	resp, body, errs := request.Post("http://example.com").End()
}
// bad3 is a positive fixture for the chained form: there is no intermediate
// client variable, so this is matched by the rule's second pattern,
// gorequest.New().$FUNC(...), with Delete as $FUNC.
func bad3() {
	// ruleid: gorequest-http-request
	resp, body, errs := gorequest.New().Delete("http://example.com/").End()
}
// ok1 is a negative fixture: the URL literal is http://, but Proxy is not one
// of Get/Post/Delete/Head/Put/Patch in the rule's metavariable-regex, so a
// plain-http proxy address is not reported by this rule.
func ok1() {
	// ok: gorequest-http-request
	request := gorequest.New().Proxy("http://proxy:999")
}
// ok2 is the https counterpart of bad1: the URL regex requires "http://"
// and "https://" does not satisfy it, so nothing is reported.
func ok2() {
	request := gorequest.New()
	// ok: gorequest-http-request
	resp, body, errs := request.Get("https://example.com").
		RedirectPolicy(redirectPolicyFunc).
		Set("If-None-Match", `W/"wyzzy"`).
		End()
}
// ok3 is the https counterpart of bad2: Post is in the method list, but the
// https:// literal does not match the rule's URL regex.
func ok3() {
	request := gorequest.New()
	// ok: gorequest-http-request
	resp, body, errs := request.Post("https://example.com").End()
}
// ok4 is the https counterpart of bad3: the chained gorequest.New().Delete
// form is covered by the rule's second pattern, but the https:// literal
// does not match the URL regex, so nothing is reported.
func ok4() {
	// ok: gorequest-http-request
	resp, body, errs := gorequest.New().Delete("https://example.com/").End()
}