trailofbits.generic.curl-unencrypted-url.curl-unencrypted-url
Registry namespace: trailofbits
Author: unknown
Found `curl` command with unencrypted URL (e.g. HTTP, FTP, etc.)
Definition
rules:
  - id: curl-unencrypted-url
    message: Found `curl` command with unencrypted URL (e.g. HTTP, FTP, etc.)
    languages:
      - generic
    severity: WARNING
    metadata:
      category: security
      subcategory:
        - audit
      technology:
        - shell
      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
      confidence: MEDIUM
      likelihood: MEDIUM
      impact: HIGH
      references:
        - https://curl.se/docs/manpage.html
      license: AGPL-3.0 license
      vulnerability_class:
        - Mishandled Sensitive Information
    patterns:
      - pattern-either:
          - pattern: curl ... http://
          - pattern: curl ... ftp://
      - pattern-not-inside: curl ... http://127.0.0.1
      - pattern-not-inside: curl ... http://localhost
Examples
curl-unencrypted-url.sh
#!/bin/bash
# ruleid: curl-unencrypted-url
curl http://google.com > /dev/null
# ruleid: curl-unencrypted-url
curl ftp://google.com > /dev/null
# ok: curl-unencrypted-url
curl https://google.com > /dev/null
# ok: curl-unencrypted-url
curl http://localhost > /dev/null
# ok: curl-unencrypted-url
curl http://127.0.0.1 > /dev/null
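The following is an added example, not code from the rule or from the Trail of Bits registry page. It is a small Python scanner that mirrors the rule's logic from the definition above (flag `curl` invocations carrying an `http://` or `ftp://` URL, except to `localhost` or `127.0.0.1`) and then checks its own output against the `# ruleid:` / `# ok:` annotation convention that the example file above uses, where each annotation applies to the line that follows it. The sample test file, its hostnames, and the function names are constructed for illustration; the matcher is a line-based approximation of the rule, not Semgrep's generic-mode engine, so it is meant to show what the rule considers a finding, not to replace running `semgrep` on the rule.

```python
import re
from typing import Dict, List, Tuple

# Constructed test file modelled on the page's example script (hostnames are
# placeholders). In Semgrep's test convention "# ruleid: <id>" marks the next
# line as an expected finding and "# ok: <id>" marks it as expected clean.
RULE_ID = "curl-unencrypted-url"
SAMPLE_TEST_FILE = """\
#!/bin/bash
# ruleid: curl-unencrypted-url
curl http://example.com/install.sh | sh
# ruleid: curl-unencrypted-url
curl -sS ftp://mirror.example.net/pkg.tar.gz -o pkg.tar.gz
# ok: curl-unencrypted-url
curl https://example.com/api
# ok: curl-unencrypted-url
curl http://localhost:8080/health
# ok: curl-unencrypted-url
curl http://127.0.0.1/metrics
# ok: curl-unencrypted-url
wget http://example.com/other
"""

# A curl command and everything after the command word (the rule's "curl ...").
CURL_CMD = re.compile(r"\bcurl\b(?P<args>.*)")
# The cleartext schemes the rule's pattern-either lists; https:// does not match.
CLEARTEXT_URL = re.compile(r"\b(?:http|ftp)://[^\s'\"]*")
# The rule's pattern-not-inside exclusions: loopback targets are not reported.
LOOPBACK = re.compile(r"^(?:http|ftp)://(?:localhost|127\.0\.0\.1)(?:[:/]|$)")
ANNOTATION = re.compile(r"^\s*#\s*(ruleid|ok):\s*(\S+)")


def find_unencrypted_curl(script: str) -> List[Tuple[int, str]]:
    """Return (line number, URL) for each curl call using http:// or ftp://
    to a non-loopback host. Line-based approximation of the rule above."""
    findings = []
    for lineno, line in enumerate(script.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # comments (including the annotations) are not commands
        cmd = CURL_CMD.search(line)
        if cmd is None:
            continue
        for url in CLEARTEXT_URL.findall(cmd.group("args")):
            if LOOPBACK.match(url):
                continue  # plain text to loopback is excluded by the rule
            findings.append((lineno, url))
    return findings


def expected_from_annotations(script: str, rule_id: str) -> Dict[int, bool]:
    """Map each annotated line number (1-based) to True for ruleid, False for ok."""
    expected: Dict[int, bool] = {}
    lines = script.splitlines()
    for idx, line in enumerate(lines):
        m = ANNOTATION.match(line)
        if m and m.group(2) == rule_id and idx + 1 < len(lines):
            expected[idx + 2] = m.group(1) == "ruleid"  # applies to the next line
    return expected


def check_test_file(script: str, rule_id: str) -> List[str]:
    """Compare scanner output with the annotations; return a list of mismatches."""
    flagged = {lineno for lineno, _ in find_unencrypted_curl(script)}
    problems = []
    for lineno, should_flag in sorted(expected_from_annotations(script, rule_id).items()):
        if should_flag and lineno not in flagged:
            problems.append(f"line {lineno}: expected finding, got none")
        elif not should_flag and lineno in flagged:
            problems.append(f"line {lineno}: unexpected finding")
    return problems


if __name__ == "__main__":
    for lineno, url in find_unencrypted_curl(SAMPLE_TEST_FILE):
        print(f"{lineno}: cleartext transfer via {url}")
    print("mismatches:", check_test_file(SAMPLE_TEST_FILE, RULE_ID) or "none")
```

The remediation the rule points at is the scheme itself: move the download to `https://` (or, for FTP, to a TLS- or SSH-protected transport that curl supports, such as `ftps://` or `sftp://`), which is why the annotated `https://` line is expected to be clean while the two cleartext lines are expected findings. A scanner like this one also makes the rule's scope visible: it only reacts to a literal `http://` or `ftp://` on the `curl` line, so a URL passed through a variable is outside what the pattern can see.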
Short Link: https://sg.run/6JldW