problem-based-packs.insecure-transport.ruby-stdlib.net-ftp-request.net-ftp-request

Author: semgrep
Downloads: 6,272

Checks for outgoing connections to FTP servers made with the 'net/ftp' standard library. FTP sends the login credentials and every transferred file in cleartext, so PII or other sensitive data can be read by anyone on the network path. Connect via the SFTP protocol instead (for Ruby, the net-sftp gem). Note that the patterns below match only a literal host string passed as the sole argument to Net::FTP.new or Net::FTP.open, followed by a login call; a host held in a variable, or a call that passes additional options, is not reported.


Definition

rules:
  - id: net-ftp-request
    message: Checks for outgoing connections to ftp servers with the 'net/ftp'
      package. FTP does not encrypt traffic, possibly leading to PII being sent
      plaintext over the network. Instead, connect via the SFTP protocol.
    severity: WARNING
    metadata:
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      category: security
      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
      owasp: A03:2017 - Sensitive Data Exposure
      references:
        - https://docs.ruby-lang.org/en/2.0.0/Net/FTP.html
      subcategory:
        - vuln
      technology:
        - ruby
      vulnerability: Insecure Transport
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    languages:
      - ruby
    pattern-either:
      - pattern: |
          $FTP = Net::FTP.new('...')
          ...
          $FTP.login
      - pattern: |
          Net::FTP.open('...') do |ftp|
            ...
            ftp.login
          end

Examples

net-ftp-request.rb

require 'net/ftp'

def bad1
  # ruleid: net-ftp-request
  ftp = Net::FTP.new('example.com')
  ftp.login
  ftp.chdir('pub/lang/ruby/contrib')
  files = ftp.list('n*')
  ftp.getbinaryfile('nif.rb-0.91.gz', 'nif.gz', 1024)
  ftp.close
end

def bad2
  # ruleid: net-ftp-request
  Net::FTP.open('example.com') do |ftp|
    ftp.login
    ftp.chdir('pub/lang/ruby/contrib')
    files = ftp.list('n*')
    ftp.getbinaryfile('nif.rb-0.91.gz', 'nif.gz', 1024)
  end
end
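To make the cleartext problem concrete, here is an added example that is not part of the rule or of the Semgrep registry page. It runs the exact `Net::FTP.new ... login` flow the rule flags against a constructed stand-in FTP server on the loopback interface (just enough of the FTP reply codes to let `login` succeed) and records the command lines that cross the wire. The credentials `alice` / `hunter2` and the server behaviour are constructed for the demo; nothing here talks to a real host.

```ruby
require 'net/ftp'
require 'socket'

# Constructed stand-in for an FTP server (demo only, not a real daemon).
# It sends the greeting, answers USER/PASS/TYPE/QUIT with the reply codes
# Net::FTP expects, and appends every received command line to `captured`
# so the caller can inspect what an on-path observer would have seen.
def run_fake_ftp_server(server, captured)
  client = server.accept
  client.write("220 fake-ftp ready\r\n")
  while (line = client.gets)
    line = line.chomp
    captured << line
    verb = line.split(' ', 2).first.to_s.upcase
    reply = case verb
            when 'USER' then "331 Password required\r\n"
            when 'PASS' then "230 Logged in\r\n"
            when 'TYPE' then "200 Type set\r\n" # Net::FTP sends TYPE I after login
            when 'QUIT' then "221 Goodbye\r\n"
            else "502 Command not implemented\r\n"
            end
    client.write(reply)
    break if verb == 'QUIT'
  end
ensure
  client&.close
end

# Performs the flow the rule flags (Net::FTP.new followed by login) against
# the local fake server and returns the command lines the server received.
def capture_ftp_login(user, password)
  server = TCPServer.new('127.0.0.1', 0)
  port = server.addr[1]
  captured = []
  thread = Thread.new { run_fake_ftp_server(server, captured) }

  # Same shape as the flagged pattern; 127.0.0.1 stands in for example.com.
  ftp = Net::FTP.new('127.0.0.1', port: port)
  ftp.login(user, password)
  ftp.quit
  ftp.close
  thread.join
  captured
ensure
  server&.close
end

# True when the password appears verbatim in the captured command lines,
# i.e. it was transmitted in cleartext.
def password_on_wire?(captured, password)
  captured.include?("PASS #{password}")
end

if $PROGRAM_NAME == __FILE__
  seen = capture_ftp_login('alice', 'hunter2')
  puts seen
  puts "password visible in cleartext: #{password_on_wire?(seen, 'hunter2')}"
end
```

The captured lines read `USER alice`, `PASS hunter2`, `TYPE I`, `QUIT`: the password is on the wire exactly as typed, which is what CWE-319 describes. The fix the rule recommends is to move the transfer to SFTP, for example `Net::SFTP.start(host, user, password: pw) { |sftp| sftp.download!(remote, local) }` from the net-sftp gem, so that both the authentication exchange and the file contents are carried inside an SSH channel.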