python.lang.security.audit.ftplib.ftplib

Community Favorite
profile photo of semgrepsemgrep
Author
48,169
Download Count*
LGPL Commons Clause
License

FTP does not encrypt communications by default. This can lead to sensitive data being exposed. Ensure use of FTP here does not expose sensitive data.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: ftplib
    pattern: ftplib.$ANYTHING(...)
    message: FTP does not encrypt communications by default. This can lead to
      sensitive data being exposed. Ensure use of FTP here does not expose
      sensitive data.
    metadata:
      source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L265
      cwe:
        - "CWE-319: Cleartext Transmission of Sensitive Information"
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      bandit-code: B321
      references:
        - https://docs.python.org/3/library/telnetlib.html
      category: security
      technology:
        - ftplib
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    severity: WARNING
    languages:
      - python

Examples

ftplib.py

# cf. https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/examples/ftplib.py

from ftplib import FTP

# ruleid:ftplib
ftp = FTP('ftp.debian.org')
ftp.login()

ftp.cwd('debian')
ftp.retrlines('LIST')

ftp.quit()