problem-based-packs.insecure-transport.js-node.using-http-server.using-http-server

Author: semgrep
Download count: 2,021

Checks for any usage of http servers instead of https servers. Encourages the usage of https protocol instead of http, which does not have TLS and is therefore unencrypted. Using http can lead to man-in-the-middle attacks in which the attacker is able to read sensitive information.

Definition

rules:
  - id: using-http-server
    message: Checks for any usage of http servers instead of https servers.
      Encourages the usage of https protocol instead of http, which does not
      have TLS and is therefore unencrypted. Using http can lead to
      man-in-the-middle attacks in which the attacker is able to read sensitive
      information.
    severity: WARNING
    metadata:
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      category: security
      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
      owasp:
        - A02:2021 - Cryptographic Failures
        - A03:2017 - Sensitive Data Exposure
      references:
        - https://nodejs.org/api/http.html#http_class_http_agent
        - https://groups.google.com/g/rubyonrails-security/c/NCCsca7TEtY
      subcategory:
        - audit
      technology:
        - node.js
      vulnerability: Insecure Transport
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    languages:
      - javascript
    patterns:
      - pattern-inside: |
          $HTTP = require('http');
          ...
      - pattern-either:
          - pattern: |
              $HTTP.$FUNC(...);
          - pattern: |
              new $HTTP.$FUNC2(...);
      - pattern: $HTTP
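As an added illustration, not part of the Semgrep rule or its test file, the following JavaScript approximates what the three entries under `patterns` do when combined: the `pattern-inside` binds whatever name a preceding `require('http')` was assigned to, `pattern-either` accepts either a call or a `new` on that name, and the final `pattern: $HTTP` reports the finding on that use. Semgrep matches on the syntax tree; this regex scan is only a reading aid. The sample source it runs over is constructed here and adds two cases beyond the rule's own test file: a binding under a different name (`client`) and a property read with no call.

```javascript
// Added example, not from the Semgrep registry: a line-based approximation of
// the using-http-server rule above, to show how its three parts combine.
//   pattern-inside   -> a preceding `$HTTP = require('http')` binds the name
//   pattern-either   -> `$HTTP.$FUNC(...)` or `new $HTTP.$FUNC2(...)`
//   pattern: $HTTP   -> the finding is reported on the use of that name
// Semgrep matches on the syntax tree; this regex scan only illustrates the idea.

// `<name> = require('http')`, with or without var/let/const. The closing quote
// right after `http` is what keeps require('https') from binding a name.
const REQUIRE_HTTP = /\b(?:var|let|const)?\s*([A-Za-z_]\w*)\s*=\s*require\(\s*['"]http['"]\s*\)/;

// Scan source text; return one finding per call or constructor on a bound name.
function findHttpUsages(source) {
  const findings = [];
  const boundNames = new Set();
  source.split('\n').forEach((line, idx) => {
    const req = REQUIRE_HTTP.exec(line);
    if (req) {
      boundNames.add(req[1]); // the binding line itself is not a finding
      return;
    }
    for (const name of boundNames) {
      // `name.member(` with an optional `new` in front. A plain property read
      // such as `http.STATUS_CODES[200]` has no call parentheses and is skipped,
      // which mirrors the rule's `$FUNC(...)` requirement.
      const call = new RegExp('(?:new\\s+)?\\b' + name + '\\.([A-Za-z_]\\w*)\\s*\\(');
      const m = call.exec(line);
      if (m) {
        findings.push({ line: idx + 1, module: name, member: m[1], text: line.trim() });
      }
    }
  });
  return findings;
}

// Constructed sample, modelled on the rule's own test file plus two extra cases:
// a differently named binding (`client`) and a non-call property read.
const SAMPLE_SOURCE = [
  "var http = require('http');",
  "var https = require('https');",
  "var httpServer = http.createServer(app);",
  "httpServer.listen(8080);",
  "const keepAliveAgent = new http.Agent({ keepAlive: true });",
  "http.request(options, onResponseCallback);",
  "var httpsServer = https.createServer(credentials, app);",
  "const client = require('http');",
  "client.get('http://example.invalid/', onResponseCallback);",
  "console.log(http.STATUS_CODES[200]);",
].join('\n');

// One human-readable line per finding, in source order.
function report(source) {
  return findHttpUsages(source).map(f => `${f.line}: ${f.module}.${f.member} -> ${f.text}`);
}

report(SAMPLE_SOURCE).forEach(l => console.log(l));
```

Running it reports lines 3, 5, 6 and 9 of the sample (the server, the agent constructor, the request, and the call through the renamed `client` binding) and nothing for the `https` lines or the `STATUS_CODES` lookup. The renamed-binding case is the reason the rule uses a metavariable rather than the literal word `http`.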

Examples

using-http-server.js

var fs = require('fs');
var http = require('http');
var https = require('https');
var privateKey  = fs.readFileSync('sslcert/server.key', 'utf8');
var certificate = fs.readFileSync('sslcert/server.crt', 'utf8');

var credentials = {key: privateKey, cert: certificate};
var express = require('express');
var app = express();

// ruleid: using-http-server
var httpServer = http.createServer(app);
httpServer.listen(8080);

// Request options and response handler used by the client-side cases below
var options = { hostname: 'localhost', port: 8080, path: '/', method: 'GET' };
function onResponseCallback(res) { res.resume(); }

// ruleid: using-http-server
const keepAliveAgent = new http.Agent({ keepAlive: true });
options.agent = keepAliveAgent;
// ruleid: using-http-server
http.request(options, onResponseCallback);

// ok: using-http-server
var httpsServer = https.createServer(credentials, app);
httpsServer.listen(8443); // separate port so both servers can listen

// ok: using-http-server
const keepAliveHttpsAgent = new https.Agent({ keepAlive: true });
options.agent = keepAliveHttpsAgent;
// ok: using-http-server
https.request(options, onResponseCallback);