python.lang.security.audit.insecure-transport.urllib.insecure-request-object-ftp.insecure-request-object-ftp

profile photo of semgrepsemgrep
Author
7,311
Download Count*

Detected a 'urllib.request.Request()' object using an insecure transport protocol, 'ftp://'. This connection will not be encrypted. Consider using SFTP instead. urllib does not support SFTP natively, so consider using a library which supports SFTP.

Run Locally

Run in CI

Defintion

rules:
  - id: insecure-request-object-ftp
    message: Detected a 'urllib.request.Request()' object using an insecure
      transport protocol, 'ftp://'. This connection will not be encrypted.
      Consider using SFTP instead. urllib does not support SFTP natively, so
      consider using a library which supports SFTP.
    metadata:
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      cwe:
        - "CWE-319: Cleartext Transmission of Sensitive Information"
      references:
        - https://docs.python.org/3/library/urllib.request.html#urllib.request.Request
      category: security
      technology:
        - urllib
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    severity: WARNING
    languages:
      - python
    pattern-either:
      - pattern: urllib.request.Request("=~/^[Ff][Tt][Pp]://.*/", ...)
      - pattern: |
          $URL = "=~/^[Ff][Tt][Pp]://.*/"
          ...
          urllib.request.Request($URL, ...)
      - pattern: |-
          def $FUNC(..., $URL = "=~/^[Ff][Tt][Pp]://.*/", ...):
            ...
            urllib.request.Request($URL, ...)

Examples

insecure-request-object-ftp.py

from urllib.request import Request

def test1():
    # ruleid: insecure-request-object-ftp
    Request("ftp://example.com")

def test1_ok():
    # ok: insecure-request-object-ftp
    Request("sftp://example.com")

def test2():
    # ruleid: insecure-request-object-ftp
    url = "ftp://example.com"
    # ruleid: insecure-request-object-ftp
    Request(url)

def test2_ok():
    # ok: insecure-request-object-ftp
    url = "sftp://example.com"
    Request(url)

# ruleid: insecure-request-object-ftp
def test3(url = "ftp://example.com"):
    Request(url)

# ok: insecure-request-object-ftp
def test3_ok(url = "sftp://example.com"):
    Request(url)