python.lang.security.audit.insecure-transport.ftplib.use-ftp-tls.use-ftp-tls
Author: semgrep
Download Count*: 7,311
License: Commons Clause License Condition v1.0 [LGPL-2.1-only]
The 'FTP' class sends information unencrypted. Consider using the 'FTP_TLS' class instead.
Definition
rules:
  - id: use-ftp-tls
    pattern: ftplib.FTP(...)
    fix-regex:
      regex: FTP(.*)\)
      replacement: FTP_TLS\1, context=ssl.create_default_context())
    message: The 'FTP' class sends information unencrypted. Consider using the
      'FTP_TLS' class instead.
    metadata:
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      cwe:
        - "CWE-319: Cleartext Transmission of Sensitive Information"
      references:
        - https://docs.python.org/3/library/ftplib.html#ftplib.FTP_TLS
      category: security
      technology:
        - ftplib
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0 [LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    severity: WARNING
    languages:
      - python
Examples
use-ftp-tls.py
import ftplib
import ssl


def bad():
    # ruleid: use-ftp-tls
    ftpc = ftplib.FTP("example.com", "user", "pass")


def ok():
    # ok: use-ftp-tls
    ftpc = ftplib.FTP_TLS("example.com", "user", "pass", context=ssl.create_default_context())
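The script below is an added example, not part of the Semgrep rule or its test file. It reproduces the rule's fix-regex with Python's `re` to show exactly what `--autofix` would emit, including two constructed inputs where the greedy `.*` produces broken or misplaced code, and it builds an `FTP_TLS` client the way the fix intends, adding the `prot_p()` call that the autofix does not insert. The `fetch_listing` function and its host, user and password parameters are hypothetical and perform a network call, so only the other functions are exercised offline.

```python
import ast
import ftplib
import re
import ssl

# The rule's autofix, copied from the fix-regex block of the definition above.
FIX_REGEX = re.compile(r"FTP(.*)\)")
FIX_REPLACEMENT = r"FTP_TLS\1, context=ssl.create_default_context())"


def apply_autofix(line: str) -> str:
    """Rewrite one source line the way `semgrep --autofix` would for this rule."""
    return FIX_REGEX.sub(FIX_REPLACEMENT, line)


def is_valid_python(src: str) -> bool:
    """True if the (possibly autofixed) line still parses; the rule itself never checks this."""
    try:
        ast.parse(src)
        return True
    except SyntaxError:
        return False


def make_ftps_client(timeout: float = 30.0) -> ftplib.FTP_TLS:
    """Build the client the fix intends: FTP_TLS with a verifying TLS context.
    Constructing FTP_TLS without a host does not open a connection."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname checking
    return ftplib.FTP_TLS(context=ctx, timeout=timeout)


def client_verifies_peer(client: ftplib.FTP_TLS) -> bool:
    """Report whether the client's TLS context will reject an unverified server."""
    ctx = client.context
    return bool(ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname)


def fetch_listing(host: str, user: str, password: str) -> list:
    """Hypothetical helper (network call, not run offline): log in and list files
    with both the control channel and the data channel encrypted."""
    with make_ftps_client() as ftps:
        ftps.connect(host, 21)
        ftps.login(user, password)  # FTP_TLS.login sends AUTH TLS before USER/PASS
        ftps.prot_p()               # PROT P: data connections use TLS too; the
                                    # rule's autofix does not add this call
        return ftps.nlst()


if __name__ == "__main__":
    # Constructed sample lines, including two that the fix-regex mangles.
    for sample in (
        'ftpc = ftplib.FTP("example.com", "user", "pass")',  # the page's bad() case
        "ftpc = ftplib.FTP()",                               # empty args -> "FTP_TLS(, context=...)"
        "ftplib.FTP(host).login(u, p)",                      # greedy .* moves context= onto login()
    ):
        fixed = apply_autofix(sample)
        print(f"{sample}\n  -> {fixed}  [parses: {is_valid_python(fixed)}]")
```

Two things the output makes visible: the regex only rewrites the constructor, so the generated code still needs `import ssl` and a review pass for lines where the match spans more than the call; and `FTP_TLS` on its own only protects the control channel after `AUTH TLS`, so file transfers stay in cleartext until `prot_p()` is called.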
Short Link: https://sg.run/AvPp