python.lang.security.audit.network.http-not-https-connection.http-not-https-connection
Community Favorite
Author: semgrep
Download count: 71,857
License: Commons Clause License Condition v1.0 [LGPL-2.1-only]
Detected HTTPConnectionPool. This will transmit data in cleartext, so anything sent through the pool (credentials, cookies, API tokens, request bodies) is readable and modifiable by anyone on the network path. It is recommended to use HTTPSConnectionPool instead to encrypt communications.
Definition
rules:
  - id: http-not-https-connection
    message: Detected HTTPConnectionPool. This will transmit data in cleartext. It
      is recommended to use HTTPSConnectionPool instead to encrypt
      communications.
    metadata:
      cwe:
        - "CWE-319: Cleartext Transmission of Sensitive Information"
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      references:
        - https://urllib3.readthedocs.io/en/1.2.1/pools.html#urllib3.connectionpool.HTTPSConnectionPool
      category: security
      technology:
        - python
      subcategory:
        - audit
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    languages:
      - python
    severity: ERROR
    pattern-either:
      - pattern: urllib3.HTTPConnectionPool(...)
      - pattern: urllib3.connectionpool.HTTPConnectionPool(...)
Examples
http-not-https-connection.py
import urllib3 as ur3
# ruleid:http-not-https-connection
pool = ur3.connectionpool.HTTPConnectionPool("example.com")
# ok:http-not-https-connection
spool = ur3.connectionpool.HTTPSConnectionPool("example.com")
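The two patterns above match the constructor by its fully qualified name, which is why the test file's `import urllib3 as ur3` alias is still caught: Semgrep resolves Python import aliases before matching. The following is an added example, not Semgrep's implementation or part of the registry entry; it mirrors the rule's logic with the standard-library `ast` module so the matching and its blind spots can be seen on a constructed sample. The sample source, the `SAMPLE` constant and the helper names are all assumptions made for this illustration.

```python
"""Alias-aware mirror of the http-not-https-connection rule (example code,
not Semgrep's own matcher). Uses only the Python standard library."""
import ast
from typing import Dict, List, Tuple

# The two fully qualified constructors the rule flags.
FLAGGED = {
    "urllib3.HTTPConnectionPool",
    "urllib3.connectionpool.HTTPConnectionPool",
}

# Constructed sample input (hypothetical code, not taken from any real project).
SAMPLE = '''\
import urllib3 as ur3
from urllib3 import HTTPConnectionPool
from urllib3.connectionpool import HTTPSConnectionPool as SecurePool
import urllib3

plain_a = ur3.connectionpool.HTTPConnectionPool("example.com")   # cleartext: flagged
plain_b = HTTPConnectionPool("example.com", port=8080)           # cleartext: flagged
tls = SecurePool("example.com", port=443)                         # encrypted: ok
tls2 = urllib3.HTTPSConnectionPool("example.com")                 # encrypted: ok
missed = urllib3.connection_from_url("http://example.com/")       # cleartext, but not matched
'''


def _bindings(tree: ast.Module) -> Dict[str, str]:
    """Map each locally bound name to the dotted name it imports.

    import urllib3 as ur3                      -> {"ur3": "urllib3"}
    from urllib3 import HTTPConnectionPool     -> {"HTTPConnectionPool": "urllib3.HTTPConnectionPool"}
    from urllib3.connectionpool import X as Y  -> {"Y": "urllib3.connectionpool.X"}
    """
    names: Dict[str, str] = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.asname:
                    names[alias.asname] = alias.name
                else:
                    # `import a.b.c` binds only the top-level package `a`.
                    top = alias.name.split(".")[0]
                    names[top] = top
        elif isinstance(node, ast.ImportFrom) and node.module:
            for alias in node.names:
                names[alias.asname or alias.name] = f"{node.module}.{alias.name}"
    return names


def _qualified(func: ast.expr, names: Dict[str, str]) -> str:
    """Turn a call target such as ur3.connectionpool.HTTPConnectionPool into its
    import-resolved dotted name, or "" when it is not a plain dotted name."""
    parts: List[str] = []
    node = func
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return ""
    parts.append(names.get(node.id, node.id))
    return ".".join(reversed(parts))


def find_cleartext_pools(source: str) -> List[Tuple[int, str]]:
    """Return (line, qualified name) for every HTTPConnectionPool construction,
    exactly the two shapes the rule's pattern-either covers."""
    tree = ast.parse(source)
    names = _bindings(tree)
    hits: List[Tuple[int, str]] = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            qual = _qualified(node.func, names)
            if qual in FLAGGED:
                hits.append((node.lineno, qual))
    return sorted(hits)


if __name__ == "__main__":
    for line, qual in find_cleartext_pools(SAMPLE):
        print(f"sample.py:{line}: {qual} transmits in cleartext; use HTTPSConnectionPool")
```

Running the mirror over `SAMPLE` reports lines 6 and 7 and stays silent on lines 8 and 9, which is the behaviour the test file documents. Line 10 shows the rule's limit: it keys on the class name only, so a plain-HTTP pool obtained through `connection_from_url("http://...")` or a `PoolManager` request to an `http://` URL is not matched, and conversely an `HTTPSConnectionPool` built with `cert_reqs="CERT_NONE"` passes even though it does not authenticate the server. That is consistent with the rule's `audit` subcategory: a hit is a cleartext connection worth reviewing, not a complete inventory of them.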
Short Link: https://sg.run/N4Np