problem-based-packs.insecure-transport.js-node.ftp-request.ftp-request

profile photo of returntocorpreturntocorp
Author
2,021
Download Count*

Checks for lack of usage of the "secure: true" option when sending ftp requests through the nodejs ftp module. This leads to unencrypted traffic being sent to the ftp server. There are other options such as "implicit" that still does not encrypt all traffic. ftp is the most utilized npm ftp module.

Run Locally

Run in CI

Defintion

rules:
  - id: ftp-request
    message: 'Checks for lack of usage of the "secure: true" option when sending ftp
      requests through the nodejs ftp module. This leads to unencrypted traffic
      being sent to the ftp server. There are other options such as "implicit"
      that still does not encrypt all traffic. ftp is the most utilized npm ftp
      module.'
    severity: WARNING
    metadata:
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      category: security
      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
      owasp: A03:2017 - Sensitive Data Exposure
      references:
        - https://www.npmjs.com/package/ftp
        - https://openbase.io/js/ftp
      subcategory:
        - vuln
      technology:
        - node.js
      vulnerability: Insecure Transport
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - javascript
      - typescript
    patterns:
      - pattern-inside: |
          $X = require('ftp');
          ...
          $C = new $X();
          ...
      - pattern-not-inside: |
          $OPTIONS = {secure: true};
          ...
      - pattern: |
          $C.connect($OPTIONS,...);
      - pattern-not: |
          $C.connect({...,secure: true});

Examples

ftp-request.js

var Client = require('ftp');
function bad_ftp1() {
    let c = new Client();
    // ruleid: ftp-request
    c.connect({
        host: ftpInfo.host,
        port: ftpInfo.port,
        user: ftpInfo.user,
        password: ftpInfo.password,
        secure: false
        });
}

var Client = require('ftp');
function bad_ftp2() {
    let c = new Client();
    // ruleid: ftp-request
    c.connect({
        host: ftpInfo.host,
        port: ftpInfo.port,
        user: ftpInfo.user,
        password: ftpInfo.password,
        secure: implicit
        });
}

var Client = require('ftp');
function ok_ftp1() {
    let c = new Client();
    //ok: ftp-request
    var options = {
        host: ftpInfo.host,
        port: ftpInfo.port,
        user: ftpInfo.user,
        password: ftpInfo.password,
        secure: true
    }

    c.connect(options);
}

var Client = require('ftp');
function ok_ftp2() {
    let c = new Client();
    //ok: ftp-request
    var options = {
        host: ftpInfo.host,
        port: ftpInfo.port,
        user: ftpInfo.user,
        password: ftpInfo.password,
        secure: true
    }

    c.connect(options);
}