python.lang.security.audit.network.http-not-https-connection.http-not-https-connection

Community Favorite
profile photo of semgrepsemgrep
Author
71,857
Download Count*
LGPL Commons Clause
License

Detected HTTPConnectionPool. This will transmit data in cleartext. It is recommended to use HTTPSConnectionPool instead for to encrypt communications.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: http-not-https-connection
    message: Detected HTTPConnectionPool. This will transmit data in cleartext. It
      is recommended to use HTTPSConnectionPool instead for to encrypt
      communications.
    metadata:
      cwe:
        - "CWE-319: Cleartext Transmission of Sensitive Information"
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      references:
        - https://urllib3.readthedocs.io/en/1.2.1/pools.html#urllib3.connectionpool.HTTPSConnectionPool
      category: security
      technology:
        - python
      subcategory:
        - audit
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    languages:
      - python
    severity: ERROR
    pattern-either:
      - pattern: urllib3.HTTPConnectionPool(...)
      - pattern: urllib3.connectionpool.HTTPConnectionPool(...)

Examples

http-not-https-connection.py

import urllib3 as ur3

# ruleid:http-not-https-connection
pool = ur3.connectionpool.HTTPConnectionPool("example.com")

# ok:http-not-https-connection
spool = ur3.connectionpool.HTTPSConnectionPool("example.com")