problem-based-packs.insecure-transport.java-stdlib.httpclient-http-request.httpclient-http-request


Checks for requests sent via HttpClient to http:// URLs. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLs.


Definition

# Semgrep rule: flags java.net.http.HttpClient requests whose URI is a
# cleartext http:// string literal. Only the literal forms listed under
# pattern-either are matched (a literal passed straight to URI.create, or a
# same-scope String local initialised from one); a URL assembled by
# concatenation, read from configuration, or wrapped with new URI(...) is
# outside these patterns. NOTE(review): confirm coverage against how URLs are
# built in your own code base before treating a clean scan as conclusive.
rules:
  - id: httpclient-http-request
    message: Checks for requests sent via HttpClient to http:// URLS. This is
      dangerous because the server is attempting to connect to a website that
      does not encrypt traffic with TLS. Instead, send requests only to https://
      URLS.
    severity: WARNING
    metadata:
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      category: security
      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
      owasp: A03:2017 - Sensitive Data Exposure
      references:
        - https://openjdk.java.net/groups/net/httpclient/intro.html
      subcategory:
        - vuln
      technology:
        - java
      vulnerability: Insecure Transport
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    languages:
      - java
    # Autofix: rewrite the first http:// inside the match to https:// (count: 1).
    # Only a safe fix where the target actually serves TLS; review before applying.
    fix-regex:
      regex: "[Hh][Tt][Tt][Pp]://"
      replacement: https://
      count: 1
    # Four branches = {literal | String local} x {sendAsync | send}. In every
    # branch pattern-inside only requires an HttpClient and an HttpRequest to be
    # declared before some send call on $CLIENT in the same scope; $REQ is bound
    # but never tied to the send call, so the rule does not verify that the
    # request actually sent is the one built from the flagged URI.
    pattern-either:
      # http:// string literal passed directly to URI.create, asynchronous send.
      - patterns:
          - pattern: |
              URI.create("=~/[hH][tT][tT][pP]://.*/", ...)
          - pattern-inside: |
              HttpClient $CLIENT = ...;
              ...
              HttpRequest $REQ = ...;
              ...
              $CLIENT.sendAsync(...);
      # http:// string literal passed directly to URI.create, synchronous send.
      - patterns:
          - pattern: |
              URI.create("=~/[hH][tT][tT][pP]://.*/", ...)
          - pattern-inside: |
              HttpClient $CLIENT = ...;
              ...
              HttpRequest $REQ = ...;
              ...
              $CLIENT.send(...);
      # http:// literal held in a same-scope String local, synchronous send.
      - patterns:
          - pattern: |
              URI.create($URI)
          - pattern-inside: |
              String $URI = "=~/[hH][tT][tT][pP]://.*/";
              ...
              HttpClient $CLIENT = ...;
              ...
              HttpRequest $REQ = ...;
              ...
              $CLIENT.send(...);
      # http:// literal held in a same-scope String local, asynchronous send.
      - patterns:
          - pattern: |
              URI.create($URI)
          - pattern-inside: |
              String $URI = "=~/[hH][tT][tT][pP]://.*/";
              ...
              HttpClient $CLIENT = ...;
              ...
              HttpRequest $REQ = ...;
              ...
              $CLIENT.sendAsync(...);

Examples

httpclient-http-request.java

/**
 * Semgrep test fixture for rule httpclient-http-request: every method here is
 * expected to be flagged. Each builds an HttpRequest whose URI comes from a
 * cleartext http:// literal, passed to URI.create either directly or through a
 * local String, and then sends it with send() or sendAsync().
 *
 * The {@code // ruleid:} markers are read by Semgrep's test runner and must
 * stay on the line directly above the URI.create(...) call the rule reports.
 * The file is scanned, not compiled: imports are omitted and {@code data}
 * (used by sendbad5 and sendbad6) is never declared.
 */
class Bad {
    /** Minimal flagged form: http:// literal in URI.create, asynchronous send. */
    public void sendbad1() {
        HttpClient client = HttpClient.newHttpClient();
        HttpRequest request = HttpRequest.newBuilder()
            // ruleid: httpclient-http-request
            .uri(URI.create("http://openjdk.java.net/"))
            .build();

        client.sendAsync(request, BodyHandlers.ofString())
            .thenApply(HttpResponse::body)
            .thenAccept(System.out::println)
            .join();
    }

    /**
     * As sendbad1 with timeout, header and file body; the rule only inspects
     * the URI.create argument, so the extra builder calls do not change the verdict.
     */
    public void sendbad2() {
        HttpClient client = HttpClient.newHttpClient();
        HttpRequest request = HttpRequest.newBuilder()
            // ruleid: httpclient-http-request
            .uri(URI.create("http://openjdk.java.net/"))
            .timeout(Duration.ofMinutes(1))
            .header("Content-Type", "application/json")
            .POST(BodyPublishers.ofFile(Paths.get("file.json")))
            .build();

        client.sendAsync(request, BodyHandlers.ofString())
            .thenApply(HttpResponse::body)
            .thenAccept(System.out::println)
            .join();
    }

    /** Synchronous send() variant of sendbad2; the response is intentionally unused. */
    public void sendbad3() {
        HttpClient client = HttpClient.newHttpClient();
        HttpRequest request = HttpRequest.newBuilder()
            // ruleid: httpclient-http-request
            .uri(URI.create("http://openjdk.java.net/"))
            .timeout(Duration.ofMinutes(1))
            .header("Content-Type", "application/json")
            .POST(BodyPublishers.ofFile(Paths.get("file.json")))
            .build();

        HttpResponse<String> response =
            client.send(request, BodyHandlers.ofString());
    }

    /**
     * Fully configured client (HTTP/2, redirect policy, proxy, authenticator):
     * none of these options affect the match, only the URI scheme does. Note
     * that SAME_PROTOCOL keeps redirects on the origin's scheme, so from an
     * http:// origin every hop stays cleartext.
     */
    public void sendbad4() {
        HttpClient client = HttpClient.newBuilder()
            .version(Version.HTTP_2)
            .followRedirects(Redirect.SAME_PROTOCOL)
            .proxy(ProxySelector.of(new InetSocketAddress("www-proxy.com", 8080)))
            .authenticator(Authenticator.getDefault())
            .build();
        HttpRequest request = HttpRequest.newBuilder()
            // ruleid: httpclient-http-request
            .uri(URI.create("http://openjdk.java.net/"))
            .timeout(Duration.ofMinutes(1))
            .header("Content-Type", "application/json")
            .POST(BodyPublishers.ofFile(Paths.get("file.json")))
            .build();

        HttpResponse<String> response =
            client.send(request, BodyHandlers.ofString());
    }

    /**
     * URI taken from a local String initialised with an http:// literal,
     * synchronous send. Exercises the pattern-inside branch that binds
     * {@code String $URI}; {@code data} is undeclared in this fixture.
     */
    public void sendbad5() {
        String uri = "http://openjdk.java.net/";
        HttpClient client = HttpClient.newBuilder().build();
        HttpRequest request = HttpRequest.newBuilder()
                // ruleid: httpclient-http-request
                .uri(URI.create(uri))
                .POST(BodyPublishers.ofString(data))
                .build();

        HttpResponse<?> response = client.send(request, BodyHandlers.discarding());
        System.out.println(response.statusCode());
    }


    /** Asynchronous counterpart of sendbad5. */
    public void sendbad6() {
        String uri = "http://openjdk.java.net/";
        HttpClient client = HttpClient.newBuilder().build();
        HttpRequest request = HttpRequest.newBuilder()
                // ruleid: httpclient-http-request
                .uri(URI.create(uri))
                .POST(BodyPublishers.ofString(data))
                .build();

        client.sendAsync(request, BodyHandlers.ofString())
            .thenApply(HttpResponse::body)
            .thenAccept(System.out::println)
            .join();
    }
}

/**
 * Semgrep test fixture for rule httpclient-http-request: negative cases that
 * mirror the methods in {@code Bad} one-for-one, differing only in the URI
 * scheme (https://). None of them may be reported.
 *
 * The {@code // ok:} markers are read by Semgrep's test runner and must stay
 * on the line directly above the URI.create(...) call. The rule inspects the
 * scheme of the literal only; it says nothing about how the client's TLS
 * context or certificate validation is configured. As in {@code Bad}, the
 * file is scanned rather than compiled and {@code data} is never declared.
 */
class Ok {
    /** https:// literal in URI.create, asynchronous send: not reported. */
    public void sendok1() {
        HttpClient client = HttpClient.newHttpClient();
        HttpRequest request = HttpRequest.newBuilder()
            // ok: httpclient-http-request
            .uri(URI.create("https://openjdk.java.net/"))
            .build();

        client.sendAsync(request, BodyHandlers.ofString())
            .thenApply(HttpResponse::body)
            .thenAccept(System.out::println)
            .join();
    }

    /** As sendok1 with timeout, header and file body: not reported. */
    public void sendok2() {
        HttpClient client = HttpClient.newHttpClient();
        HttpRequest request = HttpRequest.newBuilder()
            // ok: httpclient-http-request
            .uri(URI.create("https://openjdk.java.net/"))
            .timeout(Duration.ofMinutes(1))
            .header("Content-Type", "application/json")
            .POST(BodyPublishers.ofFile(Paths.get("file.json")))
            .build();

        client.sendAsync(request, BodyHandlers.ofString())
            .thenApply(HttpResponse::body)
            .thenAccept(System.out::println)
            .join();
    }

    /** Synchronous send() variant of sendok2; the response is intentionally unused. */
    public void sendok3() {
        HttpClient client = HttpClient.newHttpClient();
        HttpRequest request = HttpRequest.newBuilder()
            // ok: httpclient-http-request
            .uri(URI.create("https://openjdk.java.net/"))
            .timeout(Duration.ofMinutes(1))
            .header("Content-Type", "application/json")
            .POST(BodyPublishers.ofFile(Paths.get("file.json")))
            .build();

        HttpResponse<String> response =
            client.send(request, BodyHandlers.ofString());
    }

    /**
     * Fully configured client with an https:// URI: not reported. With an
     * https:// origin, SAME_PROTOCOL also refuses redirects that would step
     * down to http://, which is the redirect policy to prefer for TLS origins.
     */
    public void sendok4() {
        HttpClient client = HttpClient.newBuilder()
            .version(Version.HTTP_2)
            .followRedirects(Redirect.SAME_PROTOCOL)
            .proxy(ProxySelector.of(new InetSocketAddress("www-proxy.com", 8080)))
            .authenticator(Authenticator.getDefault())
            .build();
        HttpRequest request = HttpRequest.newBuilder()
            // ok: httpclient-http-request
            .uri(URI.create("https://openjdk.java.net/"))
            .timeout(Duration.ofMinutes(1))
            .header("Content-Type", "application/json")
            .POST(BodyPublishers.ofFile(Paths.get("file.json")))
            .build();

        HttpResponse<String> response =
            client.send(request, BodyHandlers.ofString());
    }

    /**
     * URI taken from a local String initialised with an https:// literal,
     * synchronous send: the {@code String $URI} branch must not fire here.
     */
    public void sendok5() {
        String uri = "https://openjdk.java.net/";
        HttpClient client = HttpClient.newBuilder().build();
        HttpRequest request = HttpRequest.newBuilder()
                // ok: httpclient-http-request
                .uri(URI.create(uri))
                .POST(BodyPublishers.ofString(data))
                .build();

        HttpResponse<?> response = client.send(request, BodyHandlers.discarding());
        System.out.println(response.statusCode());
    }


    /** Asynchronous counterpart of sendok5: not reported. */
    public void sendok6() {
        String uri = "https://openjdk.java.net/";
        HttpClient client = HttpClient.newBuilder().build();
        HttpRequest request = HttpRequest.newBuilder()
                // ok: httpclient-http-request
                .uri(URI.create(uri))
                .POST(BodyPublishers.ofString(data))
                .build();

        client.sendAsync(request, BodyHandlers.ofString())
            .thenApply(HttpResponse::body)
            .thenAccept(System.out::println)
            .join();
    }
}