problem-based-packs.insecure-transport.java-stdlib.ftp-request.ftp-request
Author: semgrep
Download count: 6,272
Checks for outgoing connections to FTP servers. FTP does not encrypt traffic, possibly leading to PII being sent in plaintext over the network.
Definition
rules:
  - id: ftp-request
    message: Checks for outgoing connections to ftp servers. FTP does not encrypt
      traffic, possibly leading to PII being sent plaintext over the network.
    severity: WARNING
    metadata:
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      category: security
      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
      owasp: A03:2017 - Sensitive Data Exposure
      references:
        - https://www.codejava.net/java-se/ftp/connect-and-login-to-a-ftp-server
        - https://commons.apache.org/proper/commons-net/apidocs/org/apache/commons/net/ftp/FTPClient.html
      subcategory:
        - vuln
      technology:
        - java
      vulnerability: Insecure Transport
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    languages:
      - java
    fix-regex:
      regex: "[fF][tT][pP]://"
      replacement: sftp://
      count: 1
    pattern-either:
      - pattern: |
          FTPClient $FTPCLIENT = new FTPClient();
          ...
          $FTPCLIENT.connect(...);
      - pattern: |
          URL $URL = new URL("=~/^[fF][tT][pP]://.*/");
          ...
          URLConnection $CONN = $URL.openConnection(...);
Examples
ftp-request.java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;
import java.net.URLConnection;
import org.apache.commons.net.ftp.FTPClient;

class Bad {
    public static void badftp1() throws IOException {
        String server = "www.yourserver.net";
        int port = 21;
        // ruleid: ftp-request
        FTPClient ftpClient = new FTPClient();
        ftpClient.connect(server, port);
    }

    public static void badftp2() throws IOException {
        // ruleid: ftp-request
        URL url = new URL("ftp://user01:pass1234@ftp.foo.com/README.txt;type=i");
        URLConnection urlc = url.openConnection();
        InputStream is = urlc.getInputStream(); // To download
        OutputStream os = urlc.getOutputStream(); // To upload
    }
}

class Ok {
    public static void badftp2() throws IOException {
        // ok: ftp-request (sftp:// scheme, as produced by the rule's fix-regex)
        URL url = new URL("sftp://user01:pass1234@ftp.foo.com/README.txt;type=i");
        URLConnection urlc = url.openConnection();
        InputStream is = urlc.getInputStream(); // To download
        OutputStream os = urlc.getOutputStream(); // To upload
    }
}
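As an added example (not part of the rule page or its test file): the cleartext FTPClient call this rule flags, beside an FTPS variant that the first pattern does not match because FTPSClient has a different constructor. The rule's fix-regex rewrites ftp:// to sftp://, but the JDK's java.net.URL ships no sftp: protocol handler, so that rewrite on its own needs an SFTP library; the hardened form here uses Apache Commons Net's FTPSClient with TLS on both control and data channels. The host, credentials, paths and the FtpTransport class name are placeholders; commons-net 3.4 or later is assumed on the classpath.

```java
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import javax.net.ssl.HttpsURLConnection;
import org.apache.commons.net.ftp.FTP;
import org.apache.commons.net.ftp.FTPClient;
import org.apache.commons.net.ftp.FTPReply;
import org.apache.commons.net.ftp.FTPSClient;
import org.apache.commons.net.util.TrustManagerUtils;

public class FtpTransport {
    static final String HOST = "ftp.example.test"; // placeholder host
    static final String USER = "user01";           // placeholder credentials
    static final String PASS = "<password>";

    // ruleid: ftp-request -- credentials and file contents cross the wire in cleartext
    static void downloadCleartext(String remote, String local) throws IOException {
        FTPClient ftp = new FTPClient();
        ftp.connect(HOST, 21);
        try (OutputStream out = new FileOutputStream(local)) {
            ftp.login(USER, PASS);
            ftp.retrieveFile(remote, out);
        } finally {
            ftp.disconnect();
        }
    }

    // ok: ftp-request -- explicit FTPS: AUTH TLS on port 21, certificate and hostname checked
    static void downloadFtps(String remote, String local) throws IOException {
        FTPSClient ftps = new FTPSClient(false); // false = explicit mode
        ftps.setTrustManager(TrustManagerUtils.getValidateServerCertificateTrustManager());
        ftps.setHostnameVerifier(HttpsURLConnection.getDefaultHostnameVerifier());
        ftps.connect(HOST, 21);
        if (!FTPReply.isPositiveCompletion(ftps.getReplyCode())) {
            ftps.disconnect();
            throw new IOException("FTPS server refused the connection");
        }
        try {
            if (!ftps.login(USER, PASS)) throw new IOException("FTPS login failed");
            ftps.execPBSZ(0);   // protection buffer size must be set before PROT
            ftps.execPROT("P"); // "P" = private: encrypt the data channel, not only control
            ftps.enterLocalPassiveMode();
            ftps.setFileType(FTP.BINARY_FILE_TYPE);
            try (OutputStream out = new FileOutputStream(local)) {
                if (!ftps.retrieveFile(remote, out)) throw new IOException("retrieve failed");
            }
            ftps.logout();
        } finally {
            if (ftps.isConnected()) ftps.disconnect();
        }
    }
}
```

Without execPROT("P") only the control channel (login) is encrypted and the file transfer itself still travels in cleartext, so a network capture during a transfer is the quickest way to confirm the hardened path is actually in use.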
Short Link: https://sg.run/6n91