python.lang.security.audit.insecure-transport.ftplib.use-ftp-tls.use-ftp-tls

Author: semgrep
Download count: 7,311

The 'FTP' class sends information unencrypted. Consider using the 'FTP_TLS' class instead.

Definition

rules:
  - id: use-ftp-tls
    pattern: ftplib.FTP(...)
    fix-regex:
      regex: FTP(.*)\)
      replacement: FTP_TLS\1, context=ssl.create_default_context())
    message: The 'FTP' class sends information unencrypted. Consider using the
      'FTP_TLS' class instead.
    metadata:
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      cwe:
        - "CWE-319: Cleartext Transmission of Sensitive Information"
      references:
        - https://docs.python.org/3/library/ftplib.html#ftplib.FTP_TLS
      category: security
      technology:
        - ftplib
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    severity: WARNING
    languages:
      - python

Examples

use-ftp-tls.py

import ftplib
import ssl

def bad():
    # ruleid: use-ftp-tls
    ftpc = ftplib.FTP("example.com", "user", "pass")

def ok():
    # ok: use-ftp-tls
    ftpc = ftplib.FTP_TLS("example.com", "user", "pass", context=ssl.create_default_context())
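Two things the rule's message and autofix leave implicit are worth seeing in working code: what the fix-regex actually produces (it rewrites the call but adds no `import ssl`), and that `FTP_TLS` on its own only protects the control channel, so credentials are encrypted but file contents and listings still travel in cleartext until `prot_p()` is called. The block below is an added example, not part of the rule or the Semgrep registry page; `apply_autofix` approximates fix-regex with `re.sub` over the text matched by `ftplib.FTP(...)` (an assumption about how semgrep applies it), and `connect_secure` is a hypothetical helper showing the hardened client.

```python
import re
import ssl
import ftplib

# The rule's autofix, copied from the fix-regex in the definition above.
FIX_REGEX = r"FTP(.*)\)"
FIX_REPLACEMENT = r"FTP_TLS\1, context=ssl.create_default_context())"


def apply_autofix(matched_call: str) -> str:
    """Approximate semgrep's fix-regex on the text matched by `ftplib.FTP(...)`.

    Assumption: semgrep applies the regex to the matched span, so the input here
    is the call expression, not the whole line. The output references `ssl`, but
    the autofix adds no `import ssl`; that import must be added by hand.
    """
    return re.sub(FIX_REGEX, FIX_REPLACEMENT, matched_call)


def tls_context() -> ssl.SSLContext:
    """The context the rule's fix inserts, plus a floor on the protocol version."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname checking
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True if the context verifies the server certificate and its hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def connect_secure(host: str, user: str, password: str,
                   timeout: float = 10.0) -> ftplib.FTP_TLS:
    """Hypothetical helper: FTP_TLS with both channels encrypted.

    FTP_TLS.login() issues AUTH TLS before sending USER/PASS, so the
    credentials are protected. The data channel, however, stays cleartext
    (PROT C) until prot_p() is called, so file contents and directory
    listings would still leak without it.
    """
    ftps = ftplib.FTP_TLS(context=tls_context(), timeout=timeout)
    ftps.connect(host, 21)
    ftps.login(user, password)
    ftps.prot_p()  # switch data connections to TLS (PROT P)
    return ftps


if __name__ == "__main__":
    # Constructed input: the matched call from the 'bad' example above.
    print(apply_autofix('ftplib.FTP("example.com", "user", "pass")'))
    print(context_is_strict(tls_context()))
```

When reviewing an autofixed change, check for the missing `import ssl` and for a `prot_p()` call after login; the rule cannot add either, and without `prot_p()` the transfer is still exactly the CWE-319 exposure the rule is about.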