problem-based-packs.insecure-transport.java-stdlib.httpurlconnection-http-request.httpurlconnection-http-request

Checks for requests sent via HttpURLConnection, or via a plain URLConnection obtained from a URL object, to http:// URLs. This is dangerous because the application connects to a server that does not encrypt traffic with TLS, so the request and response are transmitted in cleartext. Instead, send requests only to https:// URLs.
Definition
# Semgrep rule definition. Reports a java.net.URL that is built from a
# cleartext http:// string literal and afterwards used to open a connection.
rules:
- id: httpurlconnection-http-request
message: Checks for requests sent via HttpURLConnection and URLObj to http://
URLS. This is dangerous because the server is attempting to connect to a
website that does not encrypt traffic with TLS. Instead, send requests
only to https:// URLS.
severity: WARNING
# Finding metadata: MEDIUM likelihood/impact/confidence; CWE-319 (cleartext
# transmission) is the underlying weakness class, mapped to OWASP 2017 A03.
metadata:
likelihood: MEDIUM
impact: MEDIUM
confidence: MEDIUM
category: security
cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
owasp: A03:2017 - Sensitive Data Exposure
references:
- https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/net/URLConnection.html
- https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/net/URL.html#openConnection()
subcategory:
- vuln
technology:
- java
vulnerability: Insecure Transport
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
languages:
- java
# Autofix: rewrites the first (count: 1) case-insensitive "http://" inside the
# matched span to "https://". The rewrite is purely textual -- it does not
# check that the host actually serves HTTPS -- so review every applied fix.
fix-regex:
regex: "[Hh][Tt][Tt][Pp]://"
replacement: https://
count: 1
# Both variants require, in order: a URL built from a string literal matching
# the unanchored regex (any literal containing "http://", even inside a query
# string, qualifies), openConnection() on that URL, and at least one later
# method call on the resulting connection. A connection that is opened but
# never used is not reported. The sendbad2 example shows that a literal
# assigned to a local String and passed to new URL is also expected to match.
pattern-either:
# Variant 1: the result of openConnection() is cast to HttpURLConnection.
- pattern: |
URL $URL = new URL ("=~/[Hh][Tt][Tt][Pp]://.*/", ...);
...
$CON = (HttpURLConnection) $URL.openConnection(...);
...
$CON.$FUNC(...);
# Variant 2: plain URLConnection, no cast.
- pattern: |
URL $URL = new URL ("=~/[Hh][Tt][Tt][Pp]://.*/", ...);
...
$CON = $URL.openConnection(...);
...
$CON.$FUNC(...);
Examples
httpurlconnection-http-request.java
/**
 * Semgrep fixture: every method here must be reported by
 * httpurlconnection-http-request, as marked by the {@code // ruleid:} lines.
 * The code is shaped to exercise the rule's patterns, not to be compiled or
 * run as-is: no imports are given and {@code USER_AGENT} is not defined in
 * this file (presumably a String constant elsewhere).
 */
class Bad {
// Rule variant 1: URL from an http:// literal, openConnection() cast to
// HttpURLConnection, then at least one method call on the connection.
private static void sendbad1() throws IOException {
// ruleid: httpurlconnection-http-request
URL obj = new URL("http://example.com");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
con.setRequestProperty("User-Agent", USER_AGENT);
// getResponseCode() opens the connection itself; the connect() that follows
// is then ignored, since URLConnection.connect() is a no-op once connected.
int responseCode = con.getResponseCode();
con.connect();
}
// Same as sendbad1, but the literal reaches new URL(...) through a local
// String; the finding is still expected at the new URL(...) line below.
private static void sendbad2() throws IOException {
String url = "http://example.com";
// ruleid: httpurlconnection-http-request
URL obj = new URL(url);
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
con.setRequestProperty("User-Agent", USER_AGENT);
int responseCode = con.getResponseCode();
con.connect();
}
// Rule variant 2: plain URLConnection (no cast), literal via a local String.
public static void sendbad3() throws IOException {
String url = "http://example.com";
// ruleid: httpurlconnection-http-request
URL urlObj = new URL(url);
URLConnection urlCon = urlObj.openConnection();
// The stream is never closed here; real code would use try-with-resources.
InputStream inputStream = urlCon.getInputStream();
}
// Rule variant 2 with the literal passed directly.
public static void sendbad4() throws IOException {
// ruleid: httpurlconnection-http-request
URL urlObj = new URL("http://example.com");
URLConnection urlCon = urlObj.openConnection();
// NOTE(review): URLConnection has no getResponseCode() (it is declared on
// HttpURLConnection), so this line would not compile; the fixture is only
// pattern-matched, which is why it still serves its purpose.
int responseCode = urlCon.getResponseCode();
}
}
/**
 * Semgrep fixture: the negative cases. Each method mirrors one of the
 * {@code Bad} methods but uses an https:// URL, and must NOT be reported, as
 * marked by the {@code // ok:} lines. As with {@code Bad}, this is not
 * compilable as-is (no imports, {@code USER_AGENT} undefined, and a
 * {@code public} class in a file not named Ok.java).
 *
 * Note that https:// only guarantees TLS as long as the JVM's default trust
 * store and hostname verification are left in place; a permissive
 * SSLSocketFactory or HostnameVerifier would undo it, and that is outside
 * this rule's scope.
 */
public class Ok {
// Counterpart of sendbad1: same shape, https:// literal.
private static void sendok1() throws IOException {
// ok: httpurlconnection-http-request
URL obj = new URL("https://example.com");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
con.setRequestProperty("User-Agent", USER_AGENT);
// getResponseCode() opens the connection; the later connect() is a no-op.
int responseCode = con.getResponseCode();
con.connect();
}
// Counterpart of sendbad2: https:// literal flows through a local String and
// must not trigger the regex in the rule.
private static void sendok2() throws IOException {
String url = "https://example.com";
// ok: httpurlconnection-http-request
URL obj = new URL(url);
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
con.setRequestProperty("User-Agent", USER_AGENT);
int responseCode = con.getResponseCode();
con.connect();
}
// Counterpart of sendbad3: plain URLConnection over https://.
public static void sendok3() throws IOException {
String url = "https://example.com";
// ok: httpurlconnection-http-request
URL urlObj = new URL(url);
URLConnection urlCon = urlObj.openConnection();
// Stream left unclosed, as in the fixture it mirrors.
InputStream inputStream = urlCon.getInputStream();
}
// Counterpart of sendbad4.
public static void sendok4() throws IOException {
// ok: httpurlconnection-http-request
URL urlObj = new URL("https://example.com");
URLConnection urlCon = urlObj.openConnection();
// NOTE(review): getResponseCode() is not declared on URLConnection, so this
// line would not compile; harmless for a pattern-matched fixture.
int responseCode = urlCon.getResponseCode();
}
}