python.lang.security.audit.insecure-transport.urllib.insecure-request-object-ftp.insecure-request-object-ftp
Author: semgrep
Download Count*: 7,311
License: Commons Clause License Condition v1.0[LGPL-2.1-only]
Detected a 'urllib.request.Request()' object using an insecure transport protocol, 'ftp://'. This connection will not be encrypted. Consider using SFTP instead. urllib does not support SFTP natively, so consider using a library which supports SFTP.
Definition
rules:
- id: insecure-request-object-ftp
  message: Detected a 'urllib.request.Request()' object using an insecure
    transport protocol, 'ftp://'. This connection will not be encrypted.
    Consider using SFTP instead. urllib does not support SFTP natively, so
    consider using a library which supports SFTP.
  metadata:
    owasp:
    - A03:2017 - Sensitive Data Exposure
    - A02:2021 - Cryptographic Failures
    cwe:
    - "CWE-319: Cleartext Transmission of Sensitive Information"
    references:
    - https://docs.python.org/3/library/urllib.request.html#urllib.request.Request
    category: security
    technology:
    - urllib
    subcategory:
    - audit
    likelihood: LOW
    impact: LOW
    confidence: LOW
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    vulnerability_class:
    - Mishandled Sensitive Information
  severity: WARNING
  languages:
  - python
  pattern-either:
  - pattern: urllib.request.Request("=~/^[Ff][Tt][Pp]://.*/", ...)
  - pattern: |
      $URL = "=~/^[Ff][Tt][Pp]://.*/"
      ...
      urllib.request.Request($URL, ...)
  - pattern: |-
      def $FUNC(..., $URL = "=~/^[Ff][Tt][Pp]://.*/", ...):
        ...
        urllib.request.Request($URL, ...)
Examples
insecure-request-object-ftp.py
from urllib.request import Request


def test1():
    # ruleid: insecure-request-object-ftp
    Request("ftp://example.com")


def test1_ok():
    # ok: insecure-request-object-ftp
    Request("sftp://example.com")


def test2():
    # ruleid: insecure-request-object-ftp
    url = "ftp://example.com"
    # ruleid: insecure-request-object-ftp
    Request(url)


def test2_ok():
    # ok: insecure-request-object-ftp
    url = "sftp://example.com"
    Request(url)


# ruleid: insecure-request-object-ftp
def test3(url = "ftp://example.com"):
    Request(url)


# ok: insecure-request-object-ftp
def test3_ok(url = "sftp://example.com"):
    Request(url)
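As an added illustration (not part of the Semgrep rule or its test file), the following Python approximates the rule's three pattern branches with the standard-library ast module: a literal ftp:// argument, a local variable assigned an ftp:// literal, and a parameter whose default is one. The sample source is constructed here so the matches can be reproduced without running Semgrep.

```python
import ast
import re

# Same regex the rule uses; the character classes make the scheme match case-insensitive.
FTP_URL = re.compile(r"^[Ff][Tt][Pp]://.*")

# Constructed sample (not the registry's test file) covering the three rule branches.
SAMPLE = '''\
from urllib.request import Request
def test1():
    Request("ftp://example.com")
def test1_ok():
    Request("sftp://example.com")
def test2():
    url = "ftp://example.com"
    Request(url)
def test3(url="FTP://example.com"):
    Request(url)
'''

def _ftp_literal(node):  # string constant starting with ftp:// (any case)
    return isinstance(node, ast.Constant) and isinstance(node.value, str) and bool(FTP_URL.match(node.value))

def _is_request_call(node):  # Request(...) or urllib.request.Request(...)
    f = node.func
    return (isinstance(f, ast.Name) and f.id == "Request") or (isinstance(f, ast.Attribute) and f.attr == "Request")

def find_ftp_requests(source: str) -> list[int]:
    """Return line numbers of Request() calls whose URL is an ftp:// literal, a local
    variable assigned an ftp:// literal, or a parameter whose default is one."""
    hits = []
    for func in (n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.FunctionDef)):
        tainted = set()
        # Branch 3 of the rule: defaults line up with the last len(defaults) positional parameters.
        for arg, default in zip(reversed(func.args.args), reversed(func.args.defaults)):
            if _ftp_literal(default):
                tainted.add(arg.arg)
        # Branch 2: names assigned an ftp:// literal anywhere in the function body.
        for node in ast.walk(func):
            if isinstance(node, ast.Assign) and _ftp_literal(node.value):
                tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
        # Branch 1 (literal argument) plus the two flows collected above.
        for node in ast.walk(func):
            if isinstance(node, ast.Call) and _is_request_call(node) and node.args:
                url = node.args[0]
                if _ftp_literal(url) or (isinstance(url, ast.Name) and url.id in tainted):
                    hits.append(node.lineno)
    return sorted(hits)
```

On SAMPLE this reports lines 3, 8 and 10 (the uppercase FTP:// default in test3 is caught because of the rule's character classes); unlike the Semgrep pattern it only looks inside function bodies, so module-level calls are not scanned.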
Short Link: https://sg.run/l2Py