problem-based-packs.insecure-transport.java-stdlib.http-components-request.http-components-request
Checks for requests sent via Apache HTTP Components to http:// URLs. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLs.
Definition
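# Flags Apache HttpComponents requests whose URL literal starts with http://
# (cleartext, no TLS). Coverage notes for maintainers:
#   - both patterns require the client to be obtained from
#     HttpClients.$CREATE(...); a client built any other way is not matched
#     (TODO confirm whether the rule should also cover those constructions).
#   - only a string literal passed to the request constructor is inspected;
#     a URL assembled at runtime or read from configuration is not seen.
#   - the autofix rewrites only the scheme; check that the host actually
#     serves HTTPS before applying it.
rules:
  - id: http-components-request
    message: Checks for requests sent via Apache HTTP Components to http:// URLS.
      This is dangerous because the server is attempting to connect to a website
      that does not encrypt traffic with TLS. Instead, send requests only to
      https:// URLS.
    severity: WARNING
    metadata:
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      category: security
      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
      owasp: A03:2017 - Sensitive Data Exposure
      references:
        - https://hc.apache.org/httpcomponents-client-ga/quickstart.html
      subcategory:
        - vuln
      technology:
        - java
      vulnerability: Insecure Transport
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    languages:
      - java
    # Case-insensitive scheme match; count: 1 rewrites only the first
    # occurrence inside the matched range.
    fix-regex:
      regex: "[Hh][Tt][Tt][Pp]://"
      replacement: https://
      count: 1
    # Both alternatives use literal block scalars so the statements stay on
    # separate lines, matching the first pattern's style.
    pattern-either:
      # Request object is created first, then passed to execute().
      - pattern: |
          $HTTPCLIENT = HttpClients.$CREATE(...);
          ...
          $HTTPREQ = new $HTTPFUNC("=~/[hH][tT][tT][pP]://.*/");
          ...
          $RESPONSE = $HTTPCLIENT.execute($HTTPREQ);
      # Request object is constructed inline in the execute() call.
      - pattern: |
          $HTTPCLIENT = HttpClients.$CREATE(...);
          ...
          $RESPONSE = $HTTPCLIENT.execute(new $HTTPFUNC("=~/[hH][tT][tT][pP]://.*/"));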
Examples
http-components-request.java
/**
 * Semgrep test fixture: each method is expected to be reported by the
 * http-components-request rule because the request URL literal uses the
 * cleartext http:// scheme. The {@code // ruleid:} marker names the rule that
 * must flag the statement(s) following it.
 */
class Bad {
    /** Request object is built first and then handed to execute(). */
    public void bad1() {
        // ruleid: http-components-request
        CloseableHttpClient client = HttpClients.createDefault();
        HttpGet request = new HttpGet("http://targethost/homepage");
        CloseableHttpResponse response = client.execute(request);
    }

    /** An unrelated statement sits between client creation and execute(). */
    public void bad2() {
        // ruleid: http-components-request
        CloseableHttpClient client = HttpClients.createDefault();
        System.out.println("hello");
        CloseableHttpResponse response = client.execute(new HttpPost("http://example.com"));
    }

    /** Request object is constructed inline in the execute() call. */
    public void bad3() {
        // ruleid: http-components-request
        CloseableHttpClient client = HttpClients.createDefault();
        CloseableHttpResponse response = client.execute(new HttpPost("http://example.com"));
    }
}
/**
 * Semgrep test fixture: each method mirrors a case in {@code Bad} but uses an
 * https:// URL literal, so the http-components-request rule must stay silent.
 * The {@code // ok:} marker records that expectation for the test harness.
 */
class Ok {
    /** Request object is built first and then handed to execute(). */
    public void ok1() {
        // ok: http-components-request
        CloseableHttpClient client = HttpClients.createDefault();
        HttpGet request = new HttpGet("https://targethost/homepage");
        CloseableHttpResponse response = client.execute(request);
    }

    /** An unrelated statement sits between client creation and execute(). */
    public void ok2() {
        // ok: http-components-request
        CloseableHttpClient client = HttpClients.createDefault();
        System.out.println("hello");
        CloseableHttpResponse response = client.execute(new HttpPost("https://example.com"));
    }

    /** Request object is constructed inline in the execute() call. */
    public void ok3() {
        // ok: http-components-request
        CloseableHttpClient client = HttpClients.createDefault();
        CloseableHttpResponse response = client.execute(new HttpPost("https://example.com"));
    }
}