problem-based-packs.insecure-transport.java-stdlib.httpget-http-request.httpget-http-request


Detected an HTTP request sent via HttpGet. Because the URL uses plain `http://`, the request and its response (headers, cookies, query parameters and bodies) travel in cleartext and can be read or altered by anyone on the network path. Send the request over HTTPS instead, and confirm that the target actually serves TLS before switching the scheme.



Definition

# Semgrep rule: flag Apache HttpClient GET requests built from a cleartext
# http:// URL. A finding needs both a matching string literal and the
# HttpGet-then-execute flow described under `patterns` below.
rules:
  - id: httpget-http-request
    message: Detected an HTTP request sent via HttpGet. This could lead to sensitive
      information being sent  over an insecure channel. Instead, it is
      recommended to send requests over HTTPS.
    # The pattern sees only the URL scheme, not what the request carries --
    # presumably why this is a WARNING with MEDIUM likelihood/impact/confidence
    # rather than an ERROR.
    severity: WARNING
    metadata:
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      category: security
      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
      owasp: A03:2017 - Sensitive Data Exposure
      # NOTE(review): both links document java.net (URLConnection / URL), not
      # the org.apache.http.client.methods.HttpGet class this rule targets.
      references:
        - https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/net/URLConnection.html
        - https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/net/URL.html#openConnection()
      subcategory:
        - vuln
      technology:
        - java
      vulnerability: Insecure Transport
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    languages:
      - java
    # Autofix: rewrite the first (count: 1) case-insensitive `http://` in the
    # matched text to `https://`. This only flips the scheme; it does not
    # verify that the host serves TLS on that URL, so review the fix instead
    # of applying it blindly.
    fix-regex:
      regex: "[Hh][Tt][Tt][Pp]://"
      replacement: https://
      count: 1
    # Match: a string literal matching the case-insensitive regex `http://.*`
    # (the `s` in `https://` does not satisfy `[Pp]://`), narrowed by
    # pattern-inside to a literal passed to `new HttpGet(...)` whose request
    # object $R is afterwards executed through `$CLIENT. ... .execute($R, ...)`.
    patterns:
      - pattern: |
          "=~/[Hh][Tt][Tt][Pp]://.*/"
      # The example's sendbad2 assigns the literal to a local (`String url`)
      # before the constructor call; flagging that case relies on the scanner
      # tracing the constant into the argument -- TODO confirm against the
      # Semgrep version in use.
      - pattern-inside: |
          $R = new HttpGet("=~/[Hh][Tt][Tt][Pp]://.*/");
          ...
          $CLIENT. ... .execute($R, ...);

Examples

httpget-http-request.java

package Test;

import java.io.*;
import java.net.*;
import java.util.*;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.client.methods.HttpGet;

/**
 * Positive fixtures for the httpget-http-request rule: every request here is
 * built from a plain {@code http://} URL and then executed, so each
 * {@code ruleid} line must produce a finding.
 *
 * <p>The inline {@code HttpClients.createDefault().execute(...)} call is kept
 * on purpose: the rule's {@code pattern-inside} looks for
 * {@code $R = new HttpGet(...)} followed by {@code $CLIENT. ... .execute($R, ...)},
 * so the client is used in place and never closed. That is a fixture
 * shortcut, not a pattern to copy into real code.
 */
class Bad {
    /** Cleartext URL literal handed straight to the HttpGet constructor. */
    private static void sendbad1() throws IOException {
        // ruleid: httpget-http-request
        HttpGet request = new HttpGet("http://example.com");
        HttpClients.createDefault().execute(request);
    }

    /**
     * Same cleartext URL, but stored in a local first. The finding is expected
     * on the constructor call, which relies on the scanner tracing the literal
     * through {@code target}.
     */
    private static void sendbad2() throws IOException {
        String target = "http://example.com";
        // ruleid: httpget-http-request
        HttpGet request = new HttpGet(target);
        HttpClients.createDefault().execute(request);
    }
}

/**
 * Negative fixtures for the httpget-http-request rule: the requests are built
 * from {@code https://} URLs, so the {@code ok} lines must not be reported.
 * Apart from the scheme they mirror the two cases in {@link Bad} line for
 * line, which is what makes the negative test meaningful.
 *
 * <p>NOTE: this file is a Semgrep fixture, not a compilation unit -- a
 * {@code public} class named {@code Ok} in a file called
 * {@code httpget-http-request.java} would not pass javac, but the scanner
 * only parses it.
 */
public class Ok {
    /** TLS URL literal handed straight to the HttpGet constructor. */
    private static void sendok1() throws IOException {
        // ok: httpget-http-request
        HttpGet request = new HttpGet("https://example.com");
        HttpClients.createDefault().execute(request);
    }

    /** TLS URL stored in a local first; must stay clean as well. */
    private static void sendok2() throws IOException {
        String target = "https://example.com";
        // ok: httpget-http-request
        HttpGet request = new HttpGet(target);
        HttpClients.createDefault().execute(request);
    }
}