problem-based-packs.insecure-transport.js-node.using-http-server.using-http-server
Author: semgrep
Checks for any usage of http servers instead of https servers. Encourages the usage of https protocol instead of http, which does not have TLS and is therefore unencrypted. Using http can lead to man-in-the-middle attacks in which the attacker is able to read sensitive information.
Definition
rules:
  - id: using-http-server
    message: Checks for any usage of http servers instead of https servers.
      Encourages the usage of https protocol instead of http, which does not
      have TLS and is therefore unencrypted. Using http can lead to
      man-in-the-middle attacks in which the attacker is able to read sensitive
      information.
    severity: WARNING
    metadata:
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      category: security
      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
      owasp:
        - A02:2021 - Cryptographic Failures
        - A03:2017 - Sensitive Data Exposure
      references:
        - https://nodejs.org/api/http.html#http_class_http_agent
        - https://groups.google.com/g/rubyonrails-security/c/NCCsca7TEtY
      subcategory:
        - audit
      technology:
        - node.js
      vulnerability: Insecure Transport
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    languages:
      - javascript
    patterns:
      - pattern-inside: |
          $HTTP = require('http');
          ...
      - pattern-either:
          - pattern: |
              $HTTP.$FUNC(...);
          - pattern: |
              new $HTTP.$FUNC2(...);
          - pattern: $HTTP
Examples
using-http-server.js
var fs = require('fs');
var http = require('http');
var https = require('https');
var privateKey = fs.readFileSync('sslcert/server.key', 'utf8');
var certificate = fs.readFileSync('sslcert/server.crt', 'utf8');
var credentials = {key: privateKey, cert: certificate};
var express = require('express');
var app = express();

// Request options and response handler shared by the client examples below
var options = { hostname: 'localhost', port: 8443, path: '/', method: 'GET' };
function onResponseCallback(res) {
  res.resume();
}

// Plaintext server: the rule flags any call on the module bound to require('http')
// ruleid: using-http-server
var httpServer = http.createServer(app);
httpServer.listen(8080);

// Plaintext client agent and request are flagged as well
// ruleid: using-http-server
var keepAliveAgent = new http.Agent({ keepAlive: true });
options.agent = keepAliveAgent;
// ruleid: using-http-server
http.request(options, onResponseCallback);

// TLS-backed server using the loaded key and certificate: not flagged
// ok: using-http-server
var httpsServer = https.createServer(credentials, app);
httpsServer.listen(8443);

// ok: using-http-server
var keepAliveHttpsAgent = new https.Agent({ keepAlive: true });
options.agent = keepAliveHttpsAgent;
// ok: using-http-server
https.request(options, onResponseCallback);
Short Link: https://sg.run/x1zL