problem-based-packs.insecure-transport.java-stdlib.httpurlconnection-http-request.httpurlconnection-http-request

Detected an HTTP request sent via HttpURLConnection. This could lead to sensitive information being sent over an insecure channel. Instead, it is recommended to send requests over HTTPS.
Definition
rules:
- id: httpurlconnection-http-request
message: Detected an HTTP request sent via HttpURLConnection. This could lead to
sensitive information being sent over an insecure channel. Instead, it is
recommended to send requests over HTTPS.
severity: WARNING
metadata:
likelihood: MEDIUM
impact: MEDIUM
confidence: MEDIUM
category: security
cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
owasp: A03:2017 - Sensitive Data Exposure
references:
- https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/net/URLConnection.html
- https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/net/URL.html#openConnection()
subcategory:
- vuln
technology:
- java
vulnerability: Insecure Transport
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Mishandled Sensitive Information
languages:
- java
fix-regex:
regex: "[Hh][Tt][Tt][Pp]://"
replacement: https://
count: 1
patterns:
- pattern: |
"=~/[Hh][Tt][Tt][Pp]://.*/"
- pattern-either:
- pattern-inside: |
URL $URL = new URL ("=~/[Hh][Tt][Tt][Pp]://.*/", ...);
...
$CON = (HttpURLConnection) $URL.openConnection(...);
...
$CON.$FUNC(...);
- pattern-inside: |
URL $URL = new URL ("=~/[Hh][Tt][Tt][Pp]://.*/", ...);
...
$CON = $URL.openConnection(...);
...
$CON.$FUNC(...);
Examples
httpurlconnection-http-request.java
/**
 * Negative (should-match) fixtures for the {@code httpurlconnection-http-request} rule.
 *
 * <p>Every method here opens a connection to a plain {@code http://} URL, so the
 * request line, every header that is set (for example {@code User-Agent}) and the
 * response body cross the network in cleartext (CWE-319 as listed in the rule's
 * metadata). The {@code // ruleid:} comment above each flagged statement is the
 * rule's own test annotation and has to stay directly before the
 * {@code new URL(...)} line it refers to.
 *
 * <p>{@code USER_AGENT} is not declared anywhere on this page and no import is
 * shown; this is a pattern fixture, not a compilable program. Nothing is
 * disconnected or closed in these methods, which is acceptable for a fixture
 * only.
 */
class Bad {
    /** Literal http URL cast to HttpURLConnection — the rule's first pattern-inside form. */
    private static void sendbad1() throws IOException {
        // ruleid: httpurlconnection-http-request
        URL obj = new URL("http://example.com");
        HttpURLConnection con = (HttpURLConnection) obj.openConnection();
        con.setRequestMethod("GET");
        con.setRequestProperty("User-Agent", USER_AGENT); // header leaves the host unencrypted
        int responseCode = con.getResponseCode(); // value unused; fixture only
        // NOTE(review): getResponseCode() already performs the connection, so this
        // trailing connect() is expected to be a no-op; kept verbatim as fixture code.
        con.connect();
    }

    /**
     * Same flow as {@link #sendbad1()} but the http URL is first held in a local
     * String; presumably matched through the rule's string-literal pattern being
     * propagated into {@code new URL(url)} — verify against the rule if it changes.
     */
    private static void sendbad2() throws IOException {
        String url = "http://example.com";
        // ruleid: httpurlconnection-http-request
        URL obj = new URL(url);
        HttpURLConnection con = (HttpURLConnection) obj.openConnection();
        con.setRequestMethod("GET");
        con.setRequestProperty("User-Agent", USER_AGENT); // header leaves the host unencrypted
        int responseCode = con.getResponseCode(); // value unused; fixture only
        // NOTE(review): redundant after getResponseCode(); kept verbatim as fixture code.
        con.connect();
    }

    /**
     * Uncast {@code URLConnection} reading the response body — the rule's second
     * pattern-inside form, which does not require the HttpURLConnection cast.
     */
    public static void sendbad3() throws IOException {
        String url = "http://example.com";
        // ruleid: httpurlconnection-http-request
        URL urlObj = new URL(url);
        URLConnection urlCon = urlObj.openConnection();
        InputStream inputStream = urlCon.getInputStream(); // never closed; fixture only
    }

    /** Uncast {@code URLConnection} with a literal http URL — second pattern-inside form. */
    public static void sendbad4() throws IOException {
        // ruleid: httpurlconnection-http-request
        URL urlObj = new URL("http://example.com");
        URLConnection urlCon = urlObj.openConnection();
        // NOTE(review): getResponseCode() is declared on HttpURLConnection, not on
        // URLConnection, so this line would not compile as written; it only needs
        // to match the rule's $CON.$FUNC(...) pattern.
        int responseCode = urlCon.getResponseCode();
    }
}
/**
 * Positive (should-not-match) fixtures for the {@code httpurlconnection-http-request}
 * rule.
 *
 * <p>These methods mirror the ones in {@code Bad} statement for statement; the only
 * difference is the {@code https://} scheme, which is exactly the substitution the
 * rule's {@code fix-regex} proposes. The {@code // ok:} comment above each
 * {@code new URL(...)} line is the rule's test annotation asserting no finding and
 * has to stay directly before that line.
 *
 * <p>As in {@code Bad}, {@code USER_AGENT} is undeclared on this page and no
 * connection or stream is closed; this is a pattern fixture, not production code.
 * Using https here addresses the cleartext-transport finding only — it does not by
 * itself say anything about certificate validation or hostname verification, which
 * are outside this rule's scope.
 */
public class Ok {
    /** https counterpart of {@code Bad.sendbad1}: literal URL, cast to HttpURLConnection. */
    private static void sendok1() throws IOException {
        // ok: httpurlconnection-http-request
        URL obj = new URL("https://example.com");
        HttpURLConnection con = (HttpURLConnection) obj.openConnection();
        con.setRequestMethod("GET");
        con.setRequestProperty("User-Agent", USER_AGENT);
        int responseCode = con.getResponseCode(); // value unused; fixture only
        // NOTE(review): getResponseCode() already performs the connection, so this
        // trailing connect() is expected to be a no-op; kept verbatim as fixture code.
        con.connect();
    }

    /** https counterpart of {@code Bad.sendbad2}: URL held in a local String first. */
    private static void sendok2() throws IOException {
        String url = "https://example.com";
        // ok: httpurlconnection-http-request
        URL obj = new URL(url);
        HttpURLConnection con = (HttpURLConnection) obj.openConnection();
        con.setRequestMethod("GET");
        con.setRequestProperty("User-Agent", USER_AGENT);
        int responseCode = con.getResponseCode(); // value unused; fixture only
        // NOTE(review): redundant after getResponseCode(); kept verbatim as fixture code.
        con.connect();
    }

    /** https counterpart of {@code Bad.sendbad3}: uncast URLConnection reading the body. */
    public static void sendok3() throws IOException {
        String url = "https://example.com";
        // ok: httpurlconnection-http-request
        URL urlObj = new URL(url);
        URLConnection urlCon = urlObj.openConnection();
        InputStream inputStream = urlCon.getInputStream(); // never closed; fixture only
    }

    /** https counterpart of {@code Bad.sendbad4}: uncast URLConnection with a literal URL. */
    public static void sendok4() throws IOException {
        // ok: httpurlconnection-http-request
        URL urlObj = new URL("https://example.com");
        URLConnection urlCon = urlObj.openConnection();
        // NOTE(review): getResponseCode() is declared on HttpURLConnection, not on
        // URLConnection, so this line would not compile as written; it exists only
        // to mirror the Bad fixture.
        int responseCode = urlCon.getResponseCode();
    }
}