problem-based-packs.insecure-transport.java-stdlib.ftp-request.ftp-request


Checks for outgoing connections to FTP servers. FTP does not encrypt traffic, possibly leading to PII being sent in plaintext over the network.


Definition

# Semgrep rule: flags plain-FTP connections made either through Apache Commons Net
# FTPClient or through java.net.URL with an ftp:// literal. Both send credentials and
# payload unencrypted (CWE-319); the intended remediation is an encrypted channel
# (SFTP over SSH, or FTPS), not merely a different scheme string.
rules:
  - id: ftp-request
    message: Checks for outgoing connections to ftp servers. FTP does not encrypt
      traffic, possibly leading to PII being sent plaintext over the network.
    severity: WARNING
    metadata:
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      category: security
      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
      owasp: A03:2017 - Sensitive Data Exposure
      references:
        - https://www.codejava.net/java-se/ftp/connect-and-login-to-a-ftp-server
        - https://commons.apache.org/proper/commons-net/apidocs/org/apache/commons/net/ftp/FTPClient.html
      subcategory:
        - vuln
      technology:
        - java
      vulnerability: Insecure Transport
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    languages:
      - java
    # Autofix: rewrites the first (count: 1) case-insensitive "ftp://" found inside the
    # matched code to "sftp://". Only the URL pattern below contains such a literal, so
    # the FTPClient match is reported but not rewritten. The rewrite changes the scheme
    # text only: the JDK registers no built-in "sftp" URL stream handler, so the patched
    # `new URL("sftp://...")` throws MalformedURLException unless a handler is installed.
    # Treat the fix as a pointer to the intended remediation, not as a drop-in change.
    fix-regex:
      regex: "[fF][tT][pP]://"
      replacement: sftp://
      count: 1
    pattern-either:
      # Commons Net: a client created with `new FTPClient()` and later connected through
      # the same variable ($FTPCLIENT binds both statements; `...` permits any statements
      # in between). The connect() alone is reported, before any login or transfer, because
      # the whole session is cleartext. A client obtained another way (a field, a factory,
      # or `new FTPSClient()`) is not matched by this pattern.
      - pattern: |
          FTPClient $FTPCLIENT = new FTPClient();
          ...
          $FTPCLIENT.connect(...);
      # java.net.URL: the constructor argument must be a string literal whose scheme
      # matches the regex (any-case ftp://), followed by openConnection() on the same
      # variable. A URL built at runtime or read from configuration is not matched, so
      # the absence of a finding does not prove that no plain FTP is used.
      - pattern: |
          URL $URL = new URL("=~/^[fF][tT][pP]://.*/");
          ...
          URLConnection $CONN = $URL.openConnection(...);

Examples

ftp-request.java

// Positive fixture for the ftp-request rule: both methods below must be reported.
// The "// ruleid:" lines are read by the Semgrep test harness and mark the line on which
// a finding is expected; their position relative to the next statement is significant.
class Bad {
    // Apache Commons Net FTPClient: the rule pairs the `new FTPClient()` declaration with
    // the later `connect(...)` on the same variable. The control channel opened here is
    // cleartext, so anything sent on the session afterwards is exposed on the network.
    public static void badftp1() {
        String server = "www.yourserver.net";
        int port = 21; // default FTP control port; the port does not change the exposure
        // ruleid: ftp-request
        FTPClient ftpClient = new FTPClient();
        ftpClient.connect(server, port);
    }

    // java.net.URL with an ftp:// literal: the rule matches the scheme of the string
    // literal plus the following openConnection(). The userinfo part of the URL
    // (user01:pass1234) is placeholder test data; in real code those credentials would be
    // sent over the wire unencrypted together with the file contents.
    public static void badftp2() {
        // ruleid: ftp-request
        URL url = new URL("ftp://user01:pass1234@ftp.foo.com/README.txt;type=i");
        URLConnection urlc = url.openConnection();
        InputStream is = urlc.getInputStream(); // To download
        OutputStream os = urlc.getOutputStream(); // To upload
    }
}

// Negative fixture: the sftp:// scheme does not match the rule's ftp:// regex, so no
// finding is expected here. This mirrors the output of the rule's fix-regex rather than a
// working program: the JDK ships no "sftp" URL stream handler, so `new URL("sftp://...")`
// throws MalformedURLException unless a custom handler is registered. Note also that the
// scheme rewrite leaves the embedded credentials in the URL string untouched.
class Ok {
    // Method name deliberately mirrors the positive fixture; the "// ok:" marker tells the
    // Semgrep test harness that the next line must NOT be reported.
    public static void badftp2() {
        // ok: ftp-request
        URL url = new URL("sftp://user01:pass1234@ftp.foo.com/README.txt;type=i");
        URLConnection urlc = url.openConnection();
        InputStream is = urlc.getInputStream(); // To download
        OutputStream os = urlc.getOutputStream(); // To upload
    }
}