problem-based-packs.insecure-transport.java-stdlib.ftp-request.ftp-request

profile photo of returntocorpreturntocorp
Author
6,272
Download Count*

Checks for outgoing connections to ftp servers. FTP does not encrypt traffic, possibly leading to PII being sent plaintext over the network.

Run Locally

Run in CI

Defintion

rules:
  - id: ftp-request
    message: Checks for outgoing connections to ftp servers. FTP does not encrypt
      traffic, possibly leading to PII being sent plaintext over the network.
    severity: WARNING
    metadata:
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      category: security
      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
      owasp: A03:2017 - Sensitive Data Exposure
      references:
        - https://www.codejava.net/java-se/ftp/connect-and-login-to-a-ftp-server
        - https://commons.apache.org/proper/commons-net/apidocs/org/apache/commons/net/ftp/FTPClient.html
      subcategory:
        - vuln
      technology:
        - java
      vulnerability: Insecure Transport
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - java
    fix-regex:
      regex: "[fF][tT][pP]://"
      replacement: sftp://
      count: 1
    pattern-either:
      - pattern: |
          FTPClient $FTPCLIENT = new FTPClient();
          ...
          $FTPCLIENT.connect(...);
      - pattern: |
          URL $URL = new URL("=~/^[fF][tT][pP]://.*/");
          ...
          URLConnection $CONN = $URL.openConnection(...);

Examples

ftp-request.java

class Bad {
    public static void badftp1() {
        String server = "www.yourserver.net";
        int port = 21;
        // ruleid: ftp-request
        FTPClient ftpClient = new FTPClient();
        ftpClient.connect(server, port);
    }

    public static void badftp2() {
        // ruleid: ftp-request
        URL url = new URL("ftp://user01:pass1234@ftp.foo.com/README.txt;type=i");
        URLConnection urlc = url.openConnection();
        InputStream is = urlc.getInputStream(); // To download
        OutputStream os = urlc.getOutputStream(); // To upload
    }
}

class Ok {
    public static void badftp2() {
        // ok: ftp-request
        URL url = new URL("sftp://user01:pass1234@ftp.foo.com/README.txt;type=i");
        URLConnection urlc = url.openConnection();
        InputStream is = urlc.getInputStream(); // To download
        OutputStream os = urlc.getOutputStream(); // To upload
    }
}