python.lang.security.audit.httpsconnection-detected.httpsconnection-detected

Community Favorite
Author: semgrep
Download count*: 48,169

The HTTPSConnection API has changed between minor releases of Python, so check how the interpreter version you ship on handles certificate validation. Python 3 versions prior to 3.4.3 do not verify SSL/TLS certificates or hostnames by default; later versions verify against the system trust store unless the caller passes a `context` that disables it (`check_hostname = False` together with `verify_mode = ssl.CERT_NONE`). Pass an explicit context built with `ssl.create_default_context()` rather than relying on version-dependent defaults. See https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection for more information.


Definition

rules:
  - id: httpsconnection-detected
    message: The HTTPSConnection API has changed frequently with minor releases of
      Python. Ensure you are using the API for your version of Python securely.
      For example, Python 3 versions prior to 3.4.3 will not verify SSL
      certificates by default. See
      https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection
      for more information.
    metadata:
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A07:2021 - Identification and Authentication Failures
      cwe:
        - "CWE-295: Improper Certificate Validation"
      references:
        - https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection
      category: security
      technology:
        - python
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authentication
    severity: WARNING
    languages:
      - python
    pattern-either:
      - pattern: httplib.HTTPSConnection(...)
      - pattern: http.client.HTTPSConnection(...)
      - pattern: six.moves.http_client.HTTPSConnection(...)

Examples

httpsconnection-detected.py

# cf. https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/examples/httplib_https.py

import httplib
# ruleid:httpsconnection-detected
c = httplib.HTTPSConnection("example.com")

import http.client
# ruleid:httpsconnection-detected
c = http.client.HTTPSConnection("example.com")

import six
# ruleid:httpsconnection-detected
six.moves.http_client.HTTPSConnection("example.com")

# ok:httpsconnection-detected
raise http.client.HTTPException
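The rule above flags every `HTTPSConnection(...)` construction, which leaves triage to the reviewer. The following is an added example, not part of the Semgrep rule or its test file: it shows how to tell whether an `ssl.SSLContext` actually verifies the peer, a hardened context beside the weak setting the rule's CWE-295 is about, and a small `ast`-based scan that goes a step further than the rule by reporting whether each `HTTPSConnection(...)` call passes an explicit `context=`. The scan matches any callee named `HTTPSConnection`, which is looser than the rule's three qualified patterns, and the source it scans (`SAMPLE`) is constructed here for illustration.

```python
"""Added example: triage helpers for httpsconnection-detected findings.

Not part of the Semgrep rule or its test file. SAMPLE below is constructed
input; nothing here opens a network connection.
"""
import ast
import http.client
import ssl
from typing import List, Optional, Tuple


def verifying_context() -> ssl.SSLContext:
    """Hardened context: system trust store, hostname check, cert required."""
    ctx = ssl.create_default_context()
    # create_default_context() already sets both; make the intent explicit.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def insecure_context() -> ssl.SSLContext:
    """The weak setting the rule warns about, shown only for contrast.

    Disabling check_hostname must happen before switching to CERT_NONE,
    otherwise the ssl module raises ValueError.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_verifies(ctx: ssl.SSLContext) -> bool:
    """True only if the context rejects untrusted or mismatched certificates."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def make_connection(host: str,
                    ctx: Optional[ssl.SSLContext] = None) -> http.client.HTTPSConnection:
    """Build an HTTPSConnection with an explicit, verifying context.

    Constructing the object does not open a socket; connect()/request() would.
    """
    return http.client.HTTPSConnection(host, context=ctx or verifying_context())


def _callee_name(func: ast.AST) -> str:
    """Last component of the called name: http.client.HTTPSConnection -> HTTPSConnection."""
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return ""


def scan_source(src: str) -> List[Tuple[int, bool]]:
    """Return (line, has_explicit_context) for each HTTPSConnection(...) call.

    Calls without context= rely on the interpreter's version-dependent
    default, which is the case the rule's message asks you to review.
    """
    findings = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Call) and _callee_name(node.func) == "HTTPSConnection":
            has_ctx = any(kw.arg == "context" for kw in node.keywords)
            findings.append((node.lineno, has_ctx))
    return findings


# Constructed sample source, modelled on the rule's test file (not real code).
SAMPLE = '''\
import http.client, ssl
a = http.client.HTTPSConnection("example.com")
ctx = ssl.create_default_context()
b = http.client.HTTPSConnection("example.com", context=ctx)
raise http.client.HTTPException
'''


if __name__ == "__main__":
    for line, has_ctx in scan_source(SAMPLE):
        status = "explicit context" if has_ctx else "default context (review)"
        print(f"line {line}: HTTPSConnection with {status}")
    print("hardened verifies:", context_verifies(verifying_context()))
    print("insecure verifies:", context_verifies(insecure_context()))
```

Run it on a checkout to narrow the rule's hits to calls that rely on defaults; a call that does pass `context=` still needs a look at how that context was built, which is what `context_verifies` is for.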