python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http

Author: semgrep
Download count: 7,311

Detected a request using 'http://'. This request will be unencrypted. Use 'https://' instead.


Definition

rules:
  - id: request-session-with-http
    options:
      symbolic_propagation: true
    mode: taint
    pattern-sources:
      - patterns:
          - pattern: |
              "$URL"
          - metavariable-pattern:
              metavariable: $URL
              language: regex
              patterns:
                - pattern-regex: http://
                - pattern-not-regex: .*://localhost
                - pattern-not-regex: .*://127\.0\.0\.1
    pattern-sinks:
      - patterns:
          - pattern-either:
              - pattern: requests.Session(...).$W($SINK, ...)
              - pattern: requests.Session(...).request($METHOD, $SINK, ...)
          - focus-metavariable: $SINK
    fix-regex:
      regex: "[Hh][Tt][Tt][Pp]://"
      replacement: https://
      count: 1
    message: Detected a request using 'http://'. This request will be unencrypted.
      Use 'https://' instead.
    languages:
      - python
    severity: INFO
    metadata:
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      cwe:
        - "CWE-319: Cleartext Transmission of Sensitive Information"
      asvs:
        section: V9 Communications Verification Requirements
        control_id: 9.1.1 Weak TLS
        control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x17-V9-Communications.md#v92-server-communications-security-requirements
        version: "4"
      category: security
      technology:
        - requests
      references:
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information

Examples

request-session-with-http.py

import requests

def test1():
    session = requests.Session()
    # ruleid: request-session-with-http
    session.get("http://example.com")

def test1_ok():
    session = requests.Session()
    # ok: request-session-with-http
    session.get("https://example.com")

def test2():
    session = requests.Session()
    url = "http://example.com"
    # ruleid: request-session-with-http
    session.post(url)

def test2_ok():
    session = requests.Session()
    # ok: request-session-with-http
    url = "https://example.com"
    session.post(url)

def test3(url = "http://example.com"):
    session = requests.Session()
    # ruleid: request-session-with-http
    session.delete(url)

def test3_ok(url = "https://example.com"):
    session = requests.Session()
    # ok: request-session-with-http
    session.delete(url)

def test4(url = "http://example.com"):
    session = requests.Session()
    # ruleid: request-session-with-http
    session.request("HEAD", url, timeout=30)

def test4_ok(url = "https://example.com"):
    session = requests.Session()
    # ok: request-session-with-http
    session.request("HEAD", url, timeout=30)

def test_localhost_ok(url = "http://localhost/blah"):
    session = requests.Session()
    # ok: request-session-with-http
    session.request("HEAD", url, timeout=30)

def test_localhost_ok2(url = "http://127.0.0.1/blah"):
    session = requests.Session()
    # ok: request-session-with-http
    session.request("HEAD", url, timeout=30)
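The rule above flags a string literal as a taint source when it contains `http://` and is not excluded by the two `pattern-not-regex` entries, then autofixes the first scheme occurrence. The following is an added illustration, not part of the Semgrep rule or its test file: a dependency-free Python mirror of those three regexes, run over constructed literals, so that the edge cases a reviewer should know about are visible. It covers only the literal-level logic; it does not reproduce Semgrep's taint or symbolic propagation (the `test2`/`test3` cases above). Two observations follow directly from the regexes: the exclusions are unanchored prefix matches, so hosts that merely start with `localhost` or `127.0.0.1` are also skipped, and the detection regex is case-sensitive while the fix-regex accepts any case, so an upper-case `HTTP://` is not reported at all.

```python
import re

# Added illustration (not the rule's own code): a plain Python mirror of the
# rule's pattern-regex, pattern-not-regex and fix-regex entries. Semgrep
# evaluates these regexes unanchored, i.e. a match anywhere in the literal
# counts, which is what re.search does here.

_HTTP_SCHEME = re.compile(r"http://")                  # pattern-regex
_EXCLUSIONS = (                                        # pattern-not-regex entries
    re.compile(r".*://localhost"),
    re.compile(r".*://127\.0\.0\.1"),
)
_FIX = re.compile(r"[Hh][Tt][Tt][Pp]://")               # fix-regex (case-insensitive scheme)


def is_flagged_literal(literal: str) -> bool:
    """True if the rule's pattern-sources would treat this string literal as tainted."""
    if not _HTTP_SCHEME.search(literal):
        return False
    # Any matching exclusion removes the literal from the source set.
    return not any(exclusion.search(literal) for exclusion in _EXCLUSIONS)


def suggested_fix(literal: str) -> str:
    """Apply the rule's autofix: rewrite only the first scheme occurrence (count: 1)."""
    return _FIX.sub("https://", literal, count=1)


def scan_literals(literals):
    """Return (original, fixed) pairs for every literal the rule would report."""
    return [(lit, suggested_fix(lit)) for lit in literals if is_flagged_literal(lit)]


# Constructed sample literals covering the normal cases and the edge cases.
SAMPLE_LITERALS = [
    "http://example.com",                 # flagged, fixed to https://
    "https://example.com",                # not flagged: "http://" is not a substring
    "http://localhost/blah",              # excluded by the localhost entry
    "http://127.0.0.1/blah",              # excluded by the loopback entry
    "http://127.0.0.10/health",           # also excluded: the exclusion is a prefix match
    "HTTP://example.com",                 # not flagged: pattern-regex is case-sensitive
    "http://a.example http://b.example",  # flagged; autofix touches only the first scheme
]

if __name__ == "__main__":
    for original, fixed in scan_literals(SAMPLE_LITERALS):
        print(f"{original!r} -> {fixed!r}")
```

Running the block prints the two literals the rule would report together with their autofixed form; the localhost, loopback-prefix and upper-case scheme literals are silently passed over, which is the behaviour to keep in mind when relying on this rule as an audit signal.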