problem-based-packs.insecure-transport.java-stdlib.http-components-request.http-components-request


Flags requests sent via Apache HTTP Components to `http://` URLs. Plain HTTP is not protected by TLS, so everything in the request and response — credentials, tokens, session cookies, payloads — can be read or modified by anyone on the network path (CWE-319). Send requests only to `https://` URLs. Note that the rule only inspects URL string literals passed directly to the request constructor; URLs assembled from variables, constants or configuration are not matched.


Definition

# Semgrep rule: flag Apache HttpComponents requests whose URL is a literal
# http:// string, i.e. the request is sent in cleartext (CWE-319).
rules:
  - id: http-components-request
    message: Checks for requests sent via Apache HTTP Components to http:// URLS.
      This is dangerous because the server is attempting to connect to a website
      that does not encrypt traffic with TLS. Instead, send requests only to
      https:// URLS.
    severity: WARNING
    metadata:
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      category: security
      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
      # NOTE(review): this cites the 2017 OWASP Top 10 entry; the 2021 list folds
      # this class into A02:2021 Cryptographic Failures.
      owasp: A03:2017 - Sensitive Data Exposure
      references:
        - https://hc.apache.org/httpcomponents-client-ga/quickstart.html
      subcategory:
        - vuln
      technology:
        - java
      vulnerability: Insecure Transport
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    languages:
      - java
    # Autofix: rewrite one (count: 1) case-insensitive "http://" in the matched
    # span to "https://". Only correct if the target host actually serves TLS on
    # the same hostname/port -- review before applying the fix.
    fix-regex:
      regex: "[Hh][Tt][Tt][Pp]://"
      replacement: https://
      count: 1
    # Both patterns require the URL to be a string literal passed straight to the
    # request constructor ($HTTPFUNC). URLs held in variables, constants, config
    # or built by concatenation are not matched, and the client's TLS
    # configuration (custom SSLContext, hostname verifier) is not inspected.
    pattern-either:
      # Request object built first, executed later; any statements may sit
      # between the three matched lines.
      - pattern: |
          $HTTPCLIENT = HttpClients.$CREATE(...);
          ...
          $HTTPREQ = new $HTTPFUNC("=~/[hH][tT][tT][pP]://.*/");
          ...
          $RESPONSE = $HTTPCLIENT.execute($HTTPREQ);
      # Request constructed inline inside the execute() call.
      - pattern: >
          $HTTPCLIENT = HttpClients.$CREATE(...);

          ...

          $RESPONSE = $HTTPCLIENT.execute(new $HTTPFUNC("=~/[hH][tT][tT][pP]://.*/"));

Examples

http-components-request.java

// Semgrep test fixture for http-components-request: every method here must be
// flagged. Each request targets a cleartext http:// literal, so the request and
// response (and any credentials, tokens or cookies they carry) cross the
// network unencrypted and can be read or tampered with in transit.
// The `// ruleid:` annotations mark the expected match start line; each must
// stay directly above the HttpClients.createDefault() line it annotates.
// NOTE(review): fixture only, not production code -- the client and response
// are never closed, and execute()'s checked exceptions are presumably not
// declared on purpose.
class Bad {
    // Request object built first, then executed (first rule pattern).
    public void bad1() {
        // ruleid: http-components-request
        CloseableHttpClient httpclient = HttpClients.createDefault();
        HttpGet httpGet = new HttpGet("http://targethost/homepage");
        CloseableHttpResponse response1 = httpclient.execute(httpGet);
    }

    // Inline request with an unrelated statement between client creation and
    // execute(), exercising the `...` in the second rule pattern.
    public void bad2() {
        // ruleid: http-components-request
        CloseableHttpClient httpclient = HttpClients.createDefault();
        System.out.println("hello");
        CloseableHttpResponse response1 = httpclient.execute(new HttpPost("http://example.com"));
    }

    // Inline request immediately after client creation (second rule pattern).
    public void bad3() {
        // ruleid: http-components-request
        CloseableHttpClient httpclient = HttpClients.createDefault();
        CloseableHttpResponse response1 = httpclient.execute(new HttpPost("http://example.com"));
    }
}

// Negative cases for http-components-request: identical shapes to the Bad
// class, but with https:// literals, so the rule must NOT fire.
// "ok" here means ok for this rule only: the rule inspects the URL scheme, not
// how the client was built, so a client with a permissive SSLContext or
// disabled hostname verification would still pass these checks.
class Ok {
    // https:// request object built first, then executed.
    public void ok1() {
        // ok: http-components-request
        CloseableHttpClient httpclient = HttpClients.createDefault();
        HttpGet httpGet = new HttpGet("https://targethost/homepage");
        CloseableHttpResponse response1 = httpclient.execute(httpGet);
    }

    // Inline https:// request with an unrelated statement in between.
    public void ok2() {
        // ok: http-components-request
        CloseableHttpClient httpclient = HttpClients.createDefault();
        System.out.println("hello");
        CloseableHttpResponse response1 = httpclient.execute(new HttpPost("https://example.com"));
    }

    // Inline https:// request immediately after client creation.
    public void ok3() {
        // ok: http-components-request
        CloseableHttpClient httpclient = HttpClients.createDefault();
        CloseableHttpResponse response1 = httpclient.execute(new HttpPost("https://example.com"));
    }
}