trailofbits.yaml.ansible.get-url-unencrypted-url.get-url-unencrypted-url
Found file download with unencrypted URL (e.g. HTTP, FTP, etc.)
Definition
rules:
  - id: get-url-unencrypted-url
    message: Found file download with unencrypted URL (e.g. HTTP, FTP, etc.)
    languages:
      - yaml
    severity: WARNING
    metadata:
      category: security
      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
      subcategory:
        - audit
      technology:
        - ansible
      confidence: HIGH
      likelihood: HIGH
      impact: HIGH
      references:
        - https://docs.ansible.com/ansible/latest/collections/ansible/builtin/get_url_module.html#parameter-url
        - https://docs.ansible.com/ansible/latest/collections/ansible/windows/win_get_url_module.html#parameter-url
      license: AGPL-3.0 license
      vulnerability_class:
        - Mishandled Sensitive Information
    patterns:
      # Only look inside the argument mapping of a get_url-style task;
      # $GETURL is restricted to the four module names below.
      - pattern-inside: |
          $GETURL:
            ...
      # Exemption: a task that also sets `checksum:` is not reported.
      # A checksum covers integrity of the downloaded file only -- it does not
      # make the transfer confidential (CWE-319). NOTE(review): the Ansible
      # get_url docs also accept a URL in `checksum:`; a checksum fetched over
      # an unencrypted URL adds no integrity either, and this exemption does
      # not distinguish that case -- confirm whether it should.
      - pattern-not-inside: |
          $GETURL:
            ...
            checksum: ...
            ...
      - metavariable-pattern:
          metavariable: $GETURL
          pattern-either:
            - pattern: get_url
            - pattern: win_get_url
            - pattern: ansible.builtin.get_url
            - pattern: ansible.windows.win_get_url
      # Bind the key/value pair, then require the key to be `url`.
      - pattern: "$KEY: '$VALUE'"
      - metavariable-pattern:
          metavariable: $KEY
          pattern-either:
            - pattern: url
      # Reports values that literally start with http:// or ftp://
      # (case-insensitive). A value assembled from a variable
      # ("{{ base_url }}/...") or any scheme not listed here is not matched.
      - metavariable-regex:
          metavariable: $VALUE
          regex: (?i)^(http|ftp)://.*
Examples
get-url-unencrypted-url.test.yaml
---
# Fixtures for the get-url-unencrypted-url rule. `# ruleid:` marks a line
# the rule must report and `# ok:` a line it must not; each annotation
# applies to the line directly below it, so keep it adjacent to `url:`.
- name: Semgrep tests
  hosts: all
  tasks:
    # Plain http:// URL and no checksum: reported for both module variants.
    - name: Positive test
      ansible.builtin.get_url:
        # ruleid: get-url-unencrypted-url
        url: http://example.com/file.txt
        dest: /etc/file.txt
    - name: Positive test
      ansible.windows.win_get_url:
        # ruleid: get-url-unencrypted-url
        url: http://example.com/file.txt
        dest: C:\Users\ExampleUser\file.txt
    # https:// does not match the rule's scheme regex.
    - name: Negative test
      ansible.builtin.get_url:
        # ok: get-url-unencrypted-url
        url: https://example.com/file.txt
        dest: /etc/file.txt
    - name: Negative test
      ansible.windows.win_get_url:
        # ok: get-url-unencrypted-url
        url: https://example.com/file.txt
        dest: C:\Users\ExampleUser\file.txt
    # http:// but with a `checksum:` on the task, which the rule's
    # pattern-not-inside exempts. `validate_certs: false` plays no part in
    # that exemption; the checksum alone is what suppresses the finding.
    - name: Negative test
      ansible.builtin.get_url:
        # ok: get-url-unencrypted-url
        url: http://example.com/file.txt
        validate_certs: false
        dest: /etc/file.txt
        checksum: sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    - name: Negative test
      ansible.windows.win_get_url:
        # ok: get-url-unencrypted-url
        url: http://example.com/file.txt
        validate_certs: false
        dest: C:\Users\ExampleUser\file.txt
        checksum: sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa