problem-based-packs.insecure-transport.ruby-stdlib.openuri-request.openuri-request
Checks for requests to http and ftp (unencrypted) sites using OpenURI.
Definition
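rules:
  - id: openuri-request
    message: Checks for requests to http and ftp (unencrypted) sites using OpenURI.
    severity: WARNING
    metadata:
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      category: security
      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
      owasp: A03:2017 - Sensitive Data Exposure
      references:
        - https://ruby-doc.org/stdlib-2.6.3/libdoc/open-uri/rdoc/OpenURI.html
      subcategory:
        - vuln
      technology:
        - open-uri
      vulnerability: Insecure Transport
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    languages:
      - ruby
    # Coverage note: every pattern below keys on a string *literal* whose
    # scheme is http:// or ftp://. URLs assembled at runtime, read from
    # config, or passed in as variables are not inspected, and the legacy
    # Kernel#open entry point of open-uri is not covered. Treat a clean
    # scan as "no literal cleartext URLs", not "no cleartext requests".
    #
    # The `=~/.../` string matcher is a search, not a full-string match, so
    # each regex is anchored with `^`. Without the anchor the http pattern
    # also fired on https literals that merely *contain* "http://" further
    # along (e.g. a redirect parameter), which is a false positive for a
    # TLS request. The ftp patterns already carried the anchor; the http
    # patterns now match them.
    pattern-either:
      # Direct open of a plaintext http:// literal.
      - pattern: |
          URI.open('=~/^[hH][tT][tT][pP]://.*/', ...)
      # Parse the literal first, open the resulting URI object later.
      - pattern: |
          $URI = URI.parse('=~/^[hH][tT][tT][pP]://.*/', ...)
          ...
          $URI.open
      # Same two shapes for plaintext ftp:// (sftp:// is not matched because
      # the anchor requires the literal to start with "ftp://").
      - pattern: |
          URI.open('=~/^[fF][tT][pP]://.*/', ...)
      - pattern: |
          $URI = URI.parse('=~/^[fF][tT][pP]://.*/', ...)
          ...
          $URI.open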
Examples
openuri-request.rb
require 'open-uri' # stdlib library name is open-uri; require 'openuri' raises LoadError
def bad1
  # Plaintext http:// literal opened directly; the rule's first pattern
  # flags the URI.open call itself, so the annotation sits on that line.
  # ruleid: openuri-request
  URI.open("http://www.ruby-lang.org/en") do |io|
    io.each_line { |ln| p ln }
    p io.base_uri         # URI actually served (after redirects, if any)
    p io.content_type     # e.g. "text/html"
    p io.charset          # e.g. "iso-8859-1"
    p io.content_encoding # e.g. []
    p io.last_modified    # e.g. Thu Dec 05 02:45:02 UTC 2002
  end
end
def bad2
  # Two-step form: parse the plaintext literal, then open the URI object.
  # The rule's second pattern ties the URI.parse literal to the later .open,
  # so the annotation belongs on the parse line.
  # ruleid: openuri-request
  target = URI.parse("http://www.ruby-lang.org/en/")
  target.open do |io|
    # ...
  end
end
def bad3
  # Plaintext ftp:// literal; covered by the rule's third pattern.
  # ruleid: openuri-request
  URI.open("ftp://www.ruby-lang.org/en") do |io|
    # stuff
  end
end
def bad4
  # Parse-then-open with a plaintext ftp:// literal (fourth pattern).
  # ruleid: openuri-request
  target = URI.parse("ftp://www.ruby-lang.org/en/")
  target.open do |io|
    # ...
  end
end
def ok1
  # TLS-protected https:// literal: the rule must stay silent here.
  # ok: openuri-request
  URI.open("https://www.ruby-lang.org/en") do |io|
    io.each_line { |ln| p ln }
    p io.base_uri         # URI actually served (after redirects, if any)
    p io.content_type     # e.g. "text/html"
    p io.charset          # e.g. "iso-8859-1"
    p io.content_encoding # e.g. []
    p io.last_modified    # e.g. Thu Dec 05 02:45:02 UTC 2002
  end
end
def ok2
  # Parse-then-open with an https:// literal; must not be flagged.
  # ok: openuri-request
  target = URI.parse("https://www.ruby-lang.org/en/")
  target.open do |io|
    # ...
  end
end
def ok3
  # sftp:// must not trip the ftp pattern (its regex is anchored to the
  # start of the literal). Note this fixture only exercises the rule's
  # scheme check; open-uri itself does not implement sftp transport.
  # ok: openuri-request
  URI.open("sftp://www.ruby-lang.org/en") do |io|
    # stuff
  end
end
def ok4
  # Parse-then-open with an sftp:// literal; the anchored ftp regex does
  # not match it, so no finding is expected.
  # ok: openuri-request
  target = URI.parse("sftp://www.ruby-lang.org/en/")
  target.open do |io|
    # ...
  end
end