problem-based-packs.insecure-transport.java-stdlib.httpclient-http-request.httpclient-http-request

profile photo of returntocorpreturntocorp
Author
6,272
Download Count*

Checks for requests sent via HttpClient to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS.

Run Locally

Run in CI

Defintion

rules:
  - id: httpclient-http-request
    message: Checks for requests sent via HttpClient to http:// URLS. This is
      dangerous because the server is attempting to connect to a website that
      does not encrypt traffic with TLS. Instead, send requests only to https://
      URLS.
    severity: WARNING
    metadata:
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      category: security
      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
      owasp: A03:2017 - Sensitive Data Exposure
      references:
        - https://openjdk.java.net/groups/net/httpclient/intro.html
      subcategory:
        - vuln
      technology:
        - java
      vulnerability: Insecure Transport
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - java
    fix-regex:
      regex: "[Hh][Tt][Tt][Pp]://"
      replacement: https://
      count: 1
    pattern-either:
      - patterns:
          - pattern: |
              URI.create("=~/[hH][tT][tT][pP]://.*/", ...)
          - pattern-inside: |
              HttpClient $CLIENT = ...;
              ...
              HttpRequest $REQ = ...;
              ...
              $CLIENT.sendAsync(...);
      - patterns:
          - pattern: |
              URI.create("=~/[hH][tT][tT][pP]://.*/", ...)
          - pattern-inside: |
              HttpClient $CLIENT = ...;
              ...
              HttpRequest $REQ = ...;
              ...
              $CLIENT.send(...);
      - patterns:
          - pattern: |
              URI.create($URI)
          - pattern-inside: |
              String $URI = "=~/[hH][tT][tT][pP]://.*/";
              ...
              HttpClient $CLIENT = ...;
              ...
              HttpRequest $REQ = ...;
              ...
              $CLIENT.send(...);
      - patterns:
          - pattern: |
              URI.create($URI)
          - pattern-inside: |
              String $URI = "=~/[hH][tT][tT][pP]://.*/";
              ...
              HttpClient $CLIENT = ...;
              ...
              HttpRequest $REQ = ...;
              ...
              $CLIENT.sendAsync(...);

Examples

httpclient-http-request.java

class Bad {
    public void sendbad1() {
        HttpClient client = HttpClient.newHttpClient();
        HttpRequest request = HttpRequest.newBuilder()
            // ruleid: httpclient-http-request
            .uri(URI.create("http://openjdk.java.net/"))
            .build();

        client.sendAsync(request, BodyHandlers.ofString())
            .thenApply(HttpResponse::body)
            .thenAccept(System.out::println)
            .join();
    }

    public void sendbad2() {
        HttpClient client = HttpClient.newHttpClient();
        HttpRequest request = HttpRequest.newBuilder()
            // ruleid: httpclient-http-request
            .uri(URI.create("http://openjdk.java.net/"))
            .timeout(Duration.ofMinutes(1))
            .header("Content-Type", "application/json")
            .POST(BodyPublishers.ofFile(Paths.get("file.json")))
            .build();

        client.sendAsync(request, BodyHandlers.ofString())
            .thenApply(HttpResponse::body)
            .thenAccept(System.out::println)
            .join();
    }

    public void sendbad3() {
        HttpClient client = HttpClient.newHttpClient();
        HttpRequest request = HttpRequest.newBuilder()
            // ruleid: httpclient-http-request
            .uri(URI.create("http://openjdk.java.net/"))
            .timeout(Duration.ofMinutes(1))
            .header("Content-Type", "application/json")
            .POST(BodyPublishers.ofFile(Paths.get("file.json")))
            .build();

        HttpResponse<String> response =
            client.send(request, BodyHandlers.ofString());
    }

    public void sendbad4() {
        HttpClient client = HttpClient.newBuilder()
            .version(Version.HTTP_2)
            .followRedirects(Redirect.SAME_PROTOCOL)
            .proxy(ProxySelector.of(new InetSocketAddress("www-proxy.com", 8080)))
            .authenticator(Authenticator.getDefault())
            .build();
        HttpRequest request = HttpRequest.newBuilder()
            // ruleid: httpclient-http-request
            .uri(URI.create("http://openjdk.java.net/"))
            .timeout(Duration.ofMinutes(1))
            .header("Content-Type", "application/json")
            .POST(BodyPublishers.ofFile(Paths.get("file.json")))
            .build();

        HttpResponse<String> response =
            client.send(request, BodyHandlers.ofString());
    }

    public void sendbad5() {
        String uri = "http://openjdk.java.net/";
        HttpClient client = HttpClient.newBuilder().build();
        HttpRequest request = HttpRequest.newBuilder()
                // ruleid: httpclient-http-request
                .uri(URI.create(uri))
                .POST(BodyPublishers.ofString(data))
                .build();

        HttpResponse<?> response = client.send(request, BodyHandlers.discarding());
        System.out.println(response.statusCode());
    }


    public void sendbad6() {
        String uri = "http://openjdk.java.net/";
        HttpClient client = HttpClient.newBuilder().build();
        HttpRequest request = HttpRequest.newBuilder()
                // ruleid: httpclient-http-request
                .uri(URI.create(uri))
                .POST(BodyPublishers.ofString(data))
                .build();

        client.sendAsync(request, BodyHandlers.ofString())
            .thenApply(HttpResponse::body)
            .thenAccept(System.out::println)
            .join();
    }
}

class Ok {
    public void sendok1() {
        HttpClient client = HttpClient.newHttpClient();
        HttpRequest request = HttpRequest.newBuilder()
            // ok: httpclient-http-request
            .uri(URI.create("https://openjdk.java.net/"))
            .build();

        client.sendAsync(request, BodyHandlers.ofString())
            .thenApply(HttpResponse::body)
            .thenAccept(System.out::println)
            .join();
    }

    public void sendok2() {
        HttpClient client = HttpClient.newHttpClient();
        HttpRequest request = HttpRequest.newBuilder()
            // ok: httpclient-http-request
            .uri(URI.create("https://openjdk.java.net/"))
            .timeout(Duration.ofMinutes(1))
            .header("Content-Type", "application/json")
            .POST(BodyPublishers.ofFile(Paths.get("file.json")))
            .build();

        client.sendAsync(request, BodyHandlers.ofString())
            .thenApply(HttpResponse::body)
            .thenAccept(System.out::println)
            .join();
    }

    public void sendok3() {
        HttpClient client = HttpClient.newHttpClient();
        HttpRequest request = HttpRequest.newBuilder()
            // ok: httpclient-http-request
            .uri(URI.create("https://openjdk.java.net/"))
            .timeout(Duration.ofMinutes(1))
            .header("Content-Type", "application/json")
            .POST(BodyPublishers.ofFile(Paths.get("file.json")))
            .build();

        HttpResponse<String> response =
            client.send(request, BodyHandlers.ofString());
    }

    public void sendok4() {
        HttpClient client = HttpClient.newBuilder()
            .version(Version.HTTP_2)
            .followRedirects(Redirect.SAME_PROTOCOL)
            .proxy(ProxySelector.of(new InetSocketAddress("www-proxy.com", 8080)))
            .authenticator(Authenticator.getDefault())
            .build();
        HttpRequest request = HttpRequest.newBuilder()
            // ok: httpclient-http-request
            .uri(URI.create("https://openjdk.java.net/"))
            .timeout(Duration.ofMinutes(1))
            .header("Content-Type", "application/json")
            .POST(BodyPublishers.ofFile(Paths.get("file.json")))
            .build();

        HttpResponse<String> response =
            client.send(request, BodyHandlers.ofString());
    }

    public void sendok5() {
        String uri = "https://openjdk.java.net/";
        HttpClient client = HttpClient.newBuilder().build();
        HttpRequest request = HttpRequest.newBuilder()
                // ok: httpclient-http-request
                .uri(URI.create(uri))
                .POST(BodyPublishers.ofString(data))
                .build();

        HttpResponse<?> response = client.send(request, BodyHandlers.discarding());
        System.out.println(response.statusCode());
    }


    public void sendok6() {
        String uri = "https://openjdk.java.net/";
        HttpClient client = HttpClient.newBuilder().build();
        HttpRequest request = HttpRequest.newBuilder()
                // ok: httpclient-http-request
                .uri(URI.create(uri))
                .POST(BodyPublishers.ofString(data))
                .build();

        client.sendAsync(request, BodyHandlers.ofString())
            .thenApply(HttpResponse::body)
            .thenAccept(System.out::println)
            .join();
    }
}