problem-based-packs.insecure-transport.js-node.ftp-request.ftp-request
Checks for the absence of the "secure: true" option when sending FTP requests through the Node.js ftp module. Without it, unencrypted traffic is sent to the FTP server. There are other options, such as "implicit", that still do not encrypt all traffic. ftp is the most utilized npm FTP module.
Definition
# Semgrep rule: reports connect() calls on the npm `ftp` client that do not
# opt into TLS via `secure: true` (CWE-319, cleartext transmission).
rules:
  - id: ftp-request
    message: 'Checks for lack of usage of the "secure: true" option when sending ftp
      requests through the nodejs ftp module. This leads to unencrypted traffic
      being sent to the ftp server. There are other options such as "implicit"
      that still does not encrypt all traffic. ftp is the most utilized npm ftp
      module.'
    severity: WARNING
    metadata:
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      category: security
      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
      owasp: A03:2017 - Sensitive Data Exposure
      references:
        - https://www.npmjs.com/package/ftp
        - https://openbase.io/js/ftp
      subcategory:
        - vuln
      technology:
        - node.js
      vulnerability: Insecure Transport
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    languages:
      - javascript
      - typescript
    patterns:
      # Scope: only clients constructed from a binding that was assigned from
      # require('ftp'); other FTP libraries are out of scope for this rule.
      - pattern-inside: |
          $X = require('ftp');
          ...
          $C = new $X();
          ...
      # Exclude call sites preceded by an options object assigned with secure: true.
      # NOTE(review): written as `{secure: true}` without `...`, unlike the
      # pattern-not below; the ok fixtures pass option objects carrying extra keys,
      # so this exclusion relies on partial object matching — confirm against the
      # Semgrep version in use.
      - pattern-not-inside: |
          $OPTIONS = {secure: true};
          ...
      # Match: any connect() with at least one argument bound to $OPTIONS. A bare
      # connect() with no options is not matched, so a call that leaves `secure`
      # at the module default (not shown on this page) goes unreported.
      - pattern: |
          $C.connect($OPTIONS,...);
      # Exclude inline option literals that set secure: true. Any other value of
      # `secure` (false, or 'implicit' as in the examples) stays reported.
      - pattern-not: |
          $C.connect({...,secure: true});
Examples
ftp-request.js
// Fixture import: the rule only considers clients built from a binding that was
// assigned from require('ftp') (its pattern-inside), so each example repeats it.
var Client = require('ftp');
/**
 * Negative fixture for the ftp-request rule: the client connects with
 * `secure: false`, so the session (including the credentials read from
 * ftpInfo) is sent in cleartext and the connect() call must be reported.
 */
function bad_ftp1() {
  const client = new Client();
  // ruleid: ftp-request
  client.connect({
    host: ftpInfo.host,
    port: ftpInfo.port,
    user: ftpInfo.user,
    password: ftpInfo.password,
    secure: false,
  });
}
// Redeclared for the next fixture; `var` tolerates the repeated declaration.
var Client = require('ftp');
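/**
 * Negative fixture for the ftp-request rule: `secure: 'implicit'` selects the
 * mode that the rule message says still does not encrypt all traffic, so the
 * connect() call must be reported.
 *
 * The fixture previously wrote `secure: implicit`, an unquoted identifier that
 * is defined nowhere in this file and would throw a ReferenceError at runtime;
 * the quoted "implicit" named in the rule message is a string value.
 */
function bad_ftp2() {
  const client = new Client();
  // ruleid: ftp-request
  client.connect({
    host: ftpInfo.host,
    port: ftpInfo.port,
    user: ftpInfo.user,
    password: ftpInfo.password,
    secure: 'implicit',
  });
}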
// Redeclared for the next fixture; `var` tolerates the repeated declaration.
var Client = require('ftp');
/**
 * Positive fixture for the ftp-request rule: the object assigned to `options`
 * carries `secure: true`, which the rule's pattern-not-inside exclusion is
 * meant to recognise, so connect(options) must not be reported.
 */
function ok_ftp1() {
  let c = new Client();
  // NOTE(review): the `ok:` annotation precedes the assignment rather than the
  // connect() line the rule matches — confirm the test harness reads it as intended.
  //ok: ftp-request
  var options = {
    host: ftpInfo.host,
    port: ftpInfo.port,
    user: ftpInfo.user,
    password: ftpInfo.password,
    // NOTE(review): exclusion relies on the rule's `{secure: true}` pattern
    // (written without `...`) matching a literal with these extra keys — verify.
    secure: true
  }
  c.connect(options);
}
// Redeclared for the next fixture; `var` tolerates the repeated declaration.
var Client = require('ftp');
/**
 * Positive fixture for the ftp-request rule: same shape as ok_ftp1 — the
 * options object carries `secure: true`, so connect(options) must not be
 * reported.
 *
 * NOTE(review): this duplicates ok_ftp1 token for token. The inline form
 * `c.connect({..., secure: true})` that the rule's pattern-not excludes has no
 * fixture on this page; this may have been intended to cover it — confirm.
 */
function ok_ftp2() {
  let c = new Client();
  //ok: ftp-request
  var options = {
    host: ftpInfo.host,
    port: ftpInfo.port,
    user: ftpInfo.user,
    password: ftpInfo.password,
    secure: true
  }
  c.connect(options);
}