python.lang.security.audit.httpsconnection-detected.httpsconnection-detected
Community Favorite
Author: semgrep
Download count*: 48,169
License: Commons Clause License Condition v1.0[LGPL-2.1-only]
The HTTPSConnection API has changed frequently with minor releases of Python. Ensure you are using the API for your version of Python securely. For example, Python 3 versions prior to 3.4.3 will not verify SSL certificates by default. See https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection for more information.
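The version-dependent default the rule warns about is avoided entirely by passing an explicit, verifying `ssl.SSLContext` to the constructor. The following is an added example, not code from the Semgrep rule or the Python documentation: it builds a verifying context with `ssl.create_default_context()`, builds the weak (non-verifying) variant so the check has something to reject, and wraps `http.client.HTTPSConnection` in a helper that refuses any context that does not both validate the chain and check the hostname. The hostname `example.com` is a constructed value; constructing the connection sends no traffic.

```python
"""Added example: HTTPSConnection with an explicit, verifying SSL context.

Not part of the Semgrep rule page; `open_https_connection` and the helper
names below are assumptions made for this illustration.
"""
import http.client
import ssl


def build_verifying_context(cafile=None):
    """Return an SSLContext that validates the server chain and the hostname.

    ssl.create_default_context() loads the platform trust store (or the CA
    bundle at `cafile`, if given) and sets verify_mode=CERT_REQUIRED plus
    check_hostname=True. This is what HTTPSConnection uses by default on
    Python >= 3.4.3 but was not the default on earlier Python 3 releases.
    """
    return ssl.create_default_context(cafile=cafile)


def build_non_verifying_context():
    """Return a context that accepts any certificate (the weak setting).

    Built only so the check below has something to reject. check_hostname
    must be disabled before verify_mode can be lowered to CERT_NONE.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_verifying(ctx):
    """True only if the context both validates the chain and checks the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def open_https_connection(host, port=443, context=None, timeout=10):
    """Create an HTTPSConnection, refusing any non-verifying context.

    Constructing the object does not open a socket; the TLS handshake and
    certificate validation happen on the first request.
    """
    ctx = context or build_verifying_context()
    if not context_is_verifying(ctx):
        raise ValueError("refusing HTTPSConnection with certificate verification disabled")
    return http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)


def accepts_context(ctx, host="example.com"):
    """Return True if open_https_connection accepts ctx (no connection is made)."""
    try:
        open_https_connection(host, context=ctx)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    conn = open_https_connection("example.com")  # constructed hostname, no traffic sent
    print("verifying context accepted for", conn.host, conn.port)
    print("non-verifying context accepted:", accepts_context(build_non_verifying_context()))
```

Pinning the context explicitly makes the verification behaviour independent of the interpreter's defaults, which is the practical fix for the finding this rule raises; it also gives a code reviewer one place to check rather than a Python version to look up.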
Definition

```yaml
rules:
  - id: httpsconnection-detected
    message: >-
      The HTTPSConnection API has changed frequently with minor releases of
      Python. Ensure you are using the API for your version of Python securely.
      For example, Python 3 versions prior to 3.4.3 will not verify SSL
      certificates by default. See
      https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection
      for more information.
    metadata:
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A07:2021 - Identification and Authentication Failures
      cwe:
        - "CWE-295: Improper Certificate Validation"
      references:
        - https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection
      category: security
      technology:
        - python
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authentication
    severity: WARNING
    languages:
      - python
    pattern-either:
      - pattern: httplib.HTTPSConnection(...)
      - pattern: http.client.HTTPSConnection(...)
      - pattern: six.moves.http_client.HTTPSConnection(...)
```
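The rule is an audit rule (LOW confidence): it flags every constructor call regardless of how it is configured, so triage is left to the reviewer. The following added example, which is not the Semgrep rule's own implementation, mirrors the three `pattern-either` names with a small `ast`-based scanner and additionally records whether each call passes an explicit `context=` keyword, which is the detail a reviewer wants when deciding whether a finding needs a fix. It goes a little beyond the patterns by resolving `from ... import` and `import ... as` aliases. The `SAMPLE` source and the function names are constructed for this illustration.

```python
"""Added example: an ast-based audit mirroring the rule's three patterns.

Not the Semgrep rule's implementation; `find_httpsconnection_calls` and
`SAMPLE` are constructed for this illustration.
"""
import ast

# The qualified names matched by the rule's three patterns.
TARGETS = {
    "httplib.HTTPSConnection",
    "http.client.HTTPSConnection",
    "six.moves.http_client.HTTPSConnection",
}

# Constructed sample source: one call without a context, one with, and a
# non-call reference to the module that must be ignored.
SAMPLE = '''\
import http.client
import ssl
from http.client import HTTPSConnection as HC

c1 = http.client.HTTPSConnection("example.com")
c2 = HC("example.com", context=ssl.create_default_context())
raise http.client.HTTPException
'''


def _dotted_name(node):
    """Rebuild 'a.b.c' from an Attribute/Name chain; None if not a plain chain."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    parts.append(node.id)
    return ".".join(reversed(parts))


def find_httpsconnection_calls(source):
    """Return a line-ordered list of (lineno, qualified_name, has_context).

    Fully qualified calls are matched directly; names introduced by
    `from m import X [as Y]` or `import m as Y` are resolved through a
    module-level alias table before comparison with TARGETS.
    """
    tree = ast.parse(source)
    aliases = {}  # local name -> qualified name
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                aliases[alias.asname or alias.name] = alias.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for alias in node.names:
                aliases[alias.asname or alias.name] = f"{node.module}.{alias.name}"

    hits = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        if name is None:
            continue
        head, _, rest = name.partition(".")
        if head in aliases:
            name = aliases[head] + ("." + rest if rest else "")
        if name in TARGETS:
            has_context = any(kw.arg == "context" for kw in node.keywords)
            hits.append((node.lineno, name, has_context))
    hits.sort()
    return hits


if __name__ == "__main__":
    for lineno, name, has_context in find_httpsconnection_calls(SAMPLE):
        status = "explicit context" if has_context else "no explicit context: review"
        print(f"line {lineno}: {name} ({status})")
```

Semgrep already resolves imports and aliases for these patterns, so the alias table here only reproduces that behaviour; the `has_context` column is the part a team would add when turning this audit finding into something that can be triaged mechanically.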
Examples

httpsconnection-detected.py

```python
# cf. https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/examples/httplib_https.py
import httplib
# ruleid:httpsconnection-detected
c = httplib.HTTPSConnection("example.com")

import http.client
# ruleid:httpsconnection-detected
c = http.client.HTTPSConnection("example.com")

import six
# ruleid:httpsconnection-detected
six.moves.http_client.HTTPSConnection("example.com")

# ok:httpsconnection-detected
raise http.client.HTTPException
```
Short Link: https://sg.run/8yby