problem-based-packs.insecure-transport.go-stdlib.http-customized-request.http-customized-request

Author: semgrep
Download Count: 6,272

Checks for requests built with http.NewRequest that target http:// URLs. This is dangerous because the application making the request connects to a website over a channel that does not encrypt traffic with TLS, so the request and response can be read or modified in transit. Instead, send requests only to https:// URLs.

Definition

rules:
  - id: http-customized-request
    message: Checks for requests sent via http.NewRequest to http:// URLS. This is
      dangerous because the server is attempting to connect to a website that
      does not encrypt traffic with TLS. Instead, send requests only to https://
      URLS.
    severity: WARNING
    metadata:
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      category: security
      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
      owasp: A03:2017 - Sensitive Data Exposure
      references:
        - https://golang.org/pkg/net/http/#NewRequest
      subcategory:
        - vuln
      technology:
        - go
      vulnerability: Insecure Transport
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    languages:
      - go
    fix-regex:
      regex: "[Hh][Tt][Tt][Pp]://"
      replacement: https://
      count: 1
    pattern: |
      http.NewRequest(..., "=~/[hH][tT][tT][pP]://.*/", ...)

Examples

http-customized-request.go

package main

import "net/http"

func bad1() {
    // ruleid: http-customized-request
    req, err := http.NewRequest("GET", "http://example.com", nil)
    _, _ = req, err // the plaintext URL above is the finding; results are unused here
}

func ok1() {
    // ok: http-customized-request
    req, err := http.NewRequest("GET", "https://example.com", nil)
    _, _ = req, err
}
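The rule above catches string literals at scan time, but a URL assembled from configuration or user input at run time escapes a static pattern. The following added example (not part of the Semgrep rule or registry page) shows the run-time counterpart of the same check: a wrapper around http.NewRequest that refuses any non-https scheme, and a CheckRedirect policy so an https request cannot be silently downgraded by a 3xx to an http:// location. The names NewSecureRequest, RefuseDowngrade and NewSecureClient are this example's own; url.Parse lowercases the scheme, so "HTTP://" is rejected as well.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/url"
)

// ErrPlaintextURL is returned whenever a request would travel over cleartext HTTP.
var ErrPlaintextURL = errors.New("refusing to send request over cleartext http://")

// NewSecureRequest wraps http.NewRequest and rejects any URL whose scheme is not
// https, enforcing at run time what the Semgrep rule checks statically.
// (Hypothetical helper, not part of net/http.)
func NewSecureRequest(method, rawURL string, body io.Reader) (*http.Request, error) {
	u, err := url.Parse(rawURL) // url.Parse normalises the scheme to lower case
	if err != nil {
		return nil, fmt.Errorf("invalid URL %q: %w", rawURL, err)
	}
	if u.Scheme != "https" {
		return nil, fmt.Errorf("%w: %s", ErrPlaintextURL, rawURL)
	}
	return http.NewRequest(method, rawURL, body)
}

// RefuseDowngrade is a CheckRedirect policy for http.Client. A server may answer
// an https request with a redirect to an http:// location; returning an error
// here makes the client stop instead of following the downgrade.
func RefuseDowngrade(req *http.Request, via []*http.Request) error {
	if req.URL.Scheme != "https" {
		return fmt.Errorf("%w: redirect to %s", ErrPlaintextURL, req.URL)
	}
	if len(via) >= 10 { // mirror the default client's redirect limit
		return errors.New("stopped after 10 redirects")
	}
	return nil
}

// NewSecureClient returns an http.Client that refuses redirects to cleartext URLs.
func NewSecureClient() *http.Client {
	return &http.Client{CheckRedirect: RefuseDowngrade}
}

func main() {
	// Constructed sample targets: one plaintext, one TLS.
	for _, target := range []string{"http://example.com", "https://example.com"} {
		req, err := NewSecureRequest("GET", target, nil)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("allowed:", req.URL.String())
	}
}
```

Use NewSecureRequest in place of http.NewRequest wherever the URL is not a compile-time literal, and pair it with NewSecureClient so the redirect path is covered too; together they close the gap between what the static rule can see and what the program actually sends.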