trailofbits.generic.wget-unencrypted-url.wget-unencrypted-url

trailofbits

Author

unknown

Download Count*

CC BY-NC-SA 4.0

License

Found wget command with unencrypted URL (e.g. HTTP, FTP, etc.)

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit Rule View Source

Open in Playground

rules:
  - id: wget-unencrypted-url
    message: Found `wget` command  with unencrypted URL (e.g. HTTP, FTP, etc.)
    languages:
      - generic
    severity: WARNING
    metadata:
      category: security
      subcategory:
        - audit
      technology:
        - shell
      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
      confidence: MEDIUM
      likelihood: MEDIUM
      impact: HIGH
      references:
        - https://linux.die.net/man/1/wget
      license: AGPL-3.0 license
      vulnerability_class:
        - Mishandled Sensitive Information
    pattern-either:
      - pattern: wget ... http://
      - pattern: wget ... ftp://

Examples

wget-unencrypted-url.sh

#!/bin/bash

# ruleid: wget-unencrypted-url
wget http://google.com

# ruleid: wget-unencrypted-url
wget ftp://google.com

# ok: wget-unencrypted-url
wget https://google.com

Short Link: https://sg.run/10Ddk