problem-based-packs.insecure-transport.go-stdlib.gorequest-http-request.gorequest-http-request

semgrep
Author
6,272
Download Count*

Checks for requests to http:// (unencrypted) URLs made with gorequest, a popular Go HTTP client library. This is dangerous because any PII in the request or response crosses the network in plaintext, where an on-path attacker can read or alter it (CWE-319).

Definition

rules:
  - id: gorequest-http-request
    message: Checks for requests to http (unencrypted) sites using gorequest, a
      popular HTTP client library. This is dangerous because it could result in
      plaintext PII being passed around the network.
    severity: WARNING
    metadata:
      likelihood: HIGH
      impact: MEDIUM
      confidence: MEDIUM
      category: security
      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
      owasp: A03:2017 - Sensitive Data Exposure
      references:
        - https://github.com/parnurzeal/gorequest
      subcategory:
        - vuln
      technology:
        - gorequest
      vulnerability: Insecure Transport
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    languages:
      - go
    pattern-either:
      - patterns:
          - pattern-inside: |
              $REQ = gorequest.New()
              ...
              $RES = ...
          - pattern: |
              $REQ.$FUNC("=~/[hH][tT][tT][pP]://.*/")
          - metavariable-regex:
              metavariable: $FUNC
              regex: (Get|Post|Delete|Head|Put|Patch)
      - patterns:
          - pattern: gorequest.New().$FUNC("=~/[hH][tT][tT][pP]://.*/")
          - metavariable-regex:
              metavariable: $FUNC
              regex: (Get|Post|Delete|Head|Put|Patch)

Examples

gorequest-http-request.go

func bad1() {
    request := gorequest.New()
    // ruleid: gorequest-http-request
    resp, body, errs := request.Get("http://example.com").
        RedirectPolicy(redirectPolicyFunc).
        Set("If-None-Match", `W/"wyzzy"`).
        End()
}

func bad2() {
    request := gorequest.New()
    // ruleid: gorequest-http-request
    resp, body, errs := request.Post("http://example.com").End()
}

func bad3() {
    // ruleid: gorequest-http-request
    resp, body, errs := gorequest.New().Delete("http://example.com/").End()
}

func ok1() {
    // ok: gorequest-http-request
    request := gorequest.New().Proxy("http://proxy:999")
}

func ok2() {
    request := gorequest.New()
    // ok: gorequest-http-request
    resp, body, errs := request.Get("https://example.com").
        RedirectPolicy(redirectPolicyFunc).
        Set("If-None-Match", `W/"wyzzy"`).
        End()
}

func ok3() {
    request := gorequest.New()
    // ok: gorequest-http-request
    resp, body, errs := request.Post("https://example.com").End()
}

func ok4() {
    // ok: gorequest-http-request
    resp, body, errs := gorequest.New().Delete("https://example.com/").End()
}