problem-based-packs.insecure-transport.ruby-stdlib.openuri-request.openuri-request


Checks for requests to http and ftp (unencrypted) sites using OpenURI.



Definition

# Semgrep rule: flags OpenURI fetches whose target URL is a string literal with a
# cleartext scheme (http:// or ftp://). Every pattern below matches on the literal
# via a `'=~/.../'` string regex, so a URL held in a variable or assembled at
# runtime is presumably not reported by this rule — verify against semgrep's
# constant propagation before relying on it.
rules:
  - id: openuri-request
    message: Checks for requests to http and ftp (unencrypted) sites using OpenURI.
    severity: WARNING
    metadata:
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      category: security
      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
      owasp: A03:2017 - Sensitive Data Exposure
      references:
        - https://ruby-doc.org/stdlib-2.6.3/libdoc/open-uri/rdoc/OpenURI.html
      subcategory:
        - vuln
      technology:
        - open-uri
      vulnerability: Insecure Transport
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    languages:
      - ruby
    pattern-either:
      # Direct call with a literal http:// URL. The character classes make the
      # scheme match case-insensitively; "https://" does not match because the
      # regex requires "://" immediately after "http".
      - pattern: |
          URI.open('=~/[hH][tT][tT][pP]://.*/', ...)
      # Two-step form: a parsed http:// URI is bound to $URI and opened later in
      # the same scope; the `...` line allows intervening statements.
      - pattern: |
          $URI = URI.parse('=~/[hH][tT][tT][pP]://.*/', ...)
          ...
          $URI.open
      # Same two shapes for ftp://. NOTE(review): these regexes are anchored with
      # ^ while the http:// regexes above are not, so the http:// patterns also
      # match a literal that merely contains "http://" somewhere inside it;
      # consider adding ^ to the http:// patterns for consistency.
      - pattern: |
          URI.open('=~/^[fF][tT][pP]://.*/', ...)
      - pattern: |
          $URI = URI.parse('=~/^[fF][tT][pP]://.*/', ...)
          ...
          $URI.open

Examples

openuri-request.rb

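# The stdlib library is named "open-uri" (matching the rule's `technology`
# metadata and its reference link); `require 'openuri'` raises LoadError.
# Loading it defines URI.open and the #open method on URI::HTTP / URI::FTP
# that the fixtures below call.
require 'open-uri'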

# Positive fixture: a direct URI.open on a literal http:// URL, matched by the
# rule's first pattern. The block body only prints response metadata; the
# values in the trailing comments are illustrative sample output, not
# assertions made by this file.
def bad1
  # ruleid: openuri-request
  URI.open("http://www.ruby-lang.org/en") {|f|
    f.each_line {|line| p line}
    p f.base_uri         # <URI::HTTP:0x40e6ef2 URL:http://www.ruby-lang.org/en/>
    p f.content_type     # "text/html"
    p f.charset          # "iso-8859-1"
    p f.content_encoding # []
    p f.last_modified    # Thu Dec 05 02:45:02 UTC 2002
  }
end

# Positive fixture: the two-step form — a literal http:// URL is parsed, then
# #open is called on the resulting object. Matched by the rule's
# `$URI = URI.parse(...) ... $URI.open` pattern.
def bad2
  # ruleid: openuri-request
  uri = URI.parse("http://www.ruby-lang.org/en/")
  uri.open {|f|
    # ...
  }
end

# Positive fixture: a direct URI.open on a literal ftp:// URL, matched by the
# rule's ^-anchored ftp pattern.
def bad3
  # ruleid: openuri-request
  URI.open("ftp://www.ruby-lang.org/en") {|f|
    # stuff
  }
end

# Positive fixture: the two-step parse-then-open form with a literal ftp:// URL,
# matched by the rule's `$URI = URI.parse(...) ... $URI.open` ftp pattern.
def bad4
  # ruleid: openuri-request
  uri = URI.parse("ftp://www.ruby-lang.org/en/")
  uri.open {|f|
    # ...
  }
end

# Negative fixture: the literal uses https://, which the rule's http regex does
# not match because "s" sits between "http" and "://". The inline comments
# below still show an http:// base_uri, so they are illustrative output from
# the http example rather than what this call would report.
def ok1
  # ok: openuri-request
  URI.open("https://www.ruby-lang.org/en") {|f|
    f.each_line {|line| p line}
    p f.base_uri         # <URI::HTTP:0x40e6ef2 URL:http://www.ruby-lang.org/en/>
    p f.content_type     # "text/html"
    p f.charset          # "iso-8859-1"
    p f.content_encoding # []
    p f.last_modified    # Thu Dec 05 02:45:02 UTC 2002
  }
end

# Negative fixture: two-step parse-then-open form with an https:// literal; the
# http regex requires "://" directly after "http", so this is not reported.
def ok2
  # ok: openuri-request
  uri = URI.parse("https://www.ruby-lang.org/en/")
  uri.open {|f|
    # ...
  }
end

# Negative fixture: an sftp:// literal, which the ^-anchored ftp regex does not
# match. NOTE(review): OpenURI's own handlers cover http(s) and ftp, not sftp,
# so this exists to exercise the rule's regex rather than as a working fetch —
# confirm if this fixture is ever executed.
def ok3
  # ok: openuri-request
  URI.open("sftp://www.ruby-lang.org/en") {|f|
    # stuff
  }
end

# Negative fixture: two-step parse-then-open form with an sftp:// literal; the
# ftp regex is anchored with ^, so the leading "s" prevents a match. Like ok3,
# this is a pattern-matching fixture rather than a working OpenURI fetch.
def ok4
  # ok: openuri-request
  uri = URI.parse("sftp://www.ruby-lang.org/en/")
  uri.open {|f|
    # ...
  }
end