problem-based-packs.insecure-transport.java-stdlib.httpget-http-request.httpget-http-request
Detected an HTTP request sent via HttpGet. This could lead to sensitive information being sent over an insecure channel. Instead, it is recommended to send requests over HTTPS.
Definition
# Semgrep rule: flag Apache HttpClient HttpGet requests built against a plain
# http:// URL and then executed, i.e. traffic that leaves the host in cleartext
# (CWE-319). The finding lands on the URL string literal, which is also what the
# fix-regex rewrites.
rules:
  - id: httpget-http-request
    message: Detected an HTTP request sent via HttpGet. This could lead to sensitive
      information being sent over an insecure channel. Instead, it is
      recommended to send requests over HTTPS.
    severity: WARNING
    metadata:
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      category: security
      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
      owasp: A03:2017 - Sensitive Data Exposure
      # NOTE(review): these references describe java.net.URL/URLConnection, while the
      # pattern below targets Apache HttpClient's HttpGet; confirm they are the
      # intended pointers or replace them with HttpClient documentation.
      references:
        - https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/net/URLConnection.html
        - https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/net/URL.html#openConnection()
      subcategory:
        - vuln
      technology:
        - java
      vulnerability: Insecure Transport
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    languages:
      - java
    # Autofix: rewrite the scheme of the matched literal to https://. count: 1 means
    # only the first http:// occurrence inside the matched text is replaced; the
    # scheme match is case-insensitive so HTTP:// and Http:// are covered too.
    fix-regex:
      regex: "[Hh][Tt][Tt][Pp]://"
      replacement: https://
      count: 1
    patterns:
      # Outer pattern: the string literal itself, so the reported range (and the
      # autofix) is the URL rather than the whole statement.
      - pattern: |
          "=~/[Hh][Tt][Tt][Pp]://.*/"
      # Context: that literal must be the HttpGet constructor argument, and the
      # resulting request must later be passed to some client's execute(...).
      # $CLIENT. ... .execute($R, ...) accepts any call chain ending in execute,
      # e.g. HttpClients.createDefault().execute(r). A request that is built but
      # never executed is not reported.
      # NOTE(review): the example fixture also expects a match when the URL is a
      # local String constant (new HttpGet(url)); that presumably relies on
      # Semgrep constant propagation, since the pattern itself names a literal.
      - pattern-inside: |
          $R = new HttpGet("=~/[Hh][Tt][Tt][Pp]://.*/");
          ...
          $CLIENT. ... .execute($R, ...);
Examples
httpget-http-request.java
package Test;
import java.io.*;
import java.net.*;
import java.util.*;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.client.methods.HttpGet;
/**
 * Negative fixtures for the httpget-http-request rule: each method builds an
 * Apache HttpClient {@code HttpGet} for a plain {@code http://} URL and executes
 * it, so the request would leave the host over cleartext HTTP. The
 * {@code // ruleid:} comments mark the line the rule is expected to report.
 */
class Bad {
    /**
     * Builds the request from an inline {@code http://} literal, the exact
     * shape the rule's pattern-inside describes.
     *
     * @throws IOException propagated from the client call
     */
    private static void sendbad1() throws IOException {
        // ruleid: httpget-http-request
        HttpGet httpGet = new HttpGet("http://example.com");
        // NOTE(review): the client returned by createDefault() is neither reused nor
        // closed here; acceptable in a rule fixture, not in production code.
        HttpClients.createDefault().execute(httpGet);
    }

    /**
     * Same request, but the URL goes through a local {@code String} first. The
     * rule is still expected to fire on the constructor call, presumably via
     * Semgrep resolving {@code url} back to its literal value.
     *
     * @throws IOException propagated from the client call
     */
    private static void sendbad2() throws IOException {
        String url = "http://example.com";
        // ruleid: httpget-http-request
        HttpGet httpGet = new HttpGet(url);
        HttpClients.createDefault().execute(httpGet);
    }
}
/**
 * Positive fixtures for the httpget-http-request rule: identical call shape to
 * {@code Bad}, but the URL scheme is {@code https://}, which the rule's
 * {@code [Hh][Tt][Tt][Pp]://} regex does not match, so nothing is reported.
 * The {@code // ok:} comments mark lines that must stay silent.
 * NOTE(review): this public class lives in a file named
 * httpget-http-request.java, which javac would reject outside the Semgrep test
 * harness; harmless for a fixture.
 */
public class Ok {
    /**
     * Inline {@code https://} literal: not reported.
     *
     * @throws IOException propagated from the client call
     */
    private static void sendok1() throws IOException {
        // ok: httpget-http-request
        HttpGet httpGet = new HttpGet("https://example.com");
        HttpClients.createDefault().execute(httpGet);
    }

    /**
     * {@code https://} literal routed through a local variable: still not
     * reported, since the resolved value does not contain {@code http://}.
     *
     * @throws IOException propagated from the client call
     */
    private static void sendok2() throws IOException {
        String url = "https://example.com";
        // ok: httpget-http-request
        HttpGet httpGet = new HttpGet(url);
        HttpClients.createDefault().execute(httpGet);
    }
}