typescript.react.security.react-insecure-request.react-insecure-request


Unencrypted request over HTTP detected.


Definition

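rules:
  - id: react-insecure-request
    # Reports HTTP requests whose URL is a cleartext http:// string literal
    # (or a local constant Semgrep can propagate into the call site).
    # Anything sent this way can be read and modified on the wire.
    message: Unencrypted request over HTTP detected.
    metadata:
      vulnerability: Insecure Transport
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      cwe:
        - "CWE-319: Cleartext Transmission of Sensitive Information"
      references:
        - https://www.npmjs.com/package/axios
        - https://cwe.mitre.org/data/definitions/319.html
      category: security
      technology:
        - react
      subcategory:
        - vuln
      likelihood: LOW
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    languages:
      - typescript
      - javascript
    severity: ERROR
    # The URL regex is anchored with `^`: Semgrep's `=~` string match is a
    # search rather than a full match, so an unanchored `http://` would also
    # fire on an https:// URL that merely embeds another URL in its query
    # string (e.g. `https://a.example/go?to=http://b.example`).
    # NOTE(review): there is deliberately no `pattern-not` for
    # http://localhost or 127.0.0.1, so local dev URLs are reported as well;
    # triage those in CI rather than widening the rule.
    # NOTE(review): only the axios helpers listed below, `axios(config)` and
    # `axios.request(config)` are matched. `axios.create({ baseURL })`,
    # `XMLHttpRequest.open(...)` and `ws://` WebSocket URLs are not covered;
    # confirm whether they belong here or in a sibling rule.
    pattern-either:
      # Branch 1: axios.<verb>(url, ...) and axios.request(config) after an
      # import or require of axios.
      - patterns:
          - pattern-either:
              - pattern-inside: |
                  import $AXIOS from 'axios';
                  ...
                  $AXIOS.$METHOD(...)
              - pattern-inside: |
                  $AXIOS = require('axios');
                  ...
                  $AXIOS.$METHOD(...)
          - pattern-either:
              - pattern: $AXIOS.get("=~/^[Hh][Tt][Tt][Pp]:\/\/.*/",...)
              - pattern: $AXIOS.post("=~/^[Hh][Tt][Tt][Pp]:\/\/.*/",...)
              - pattern: $AXIOS.delete("=~/^[Hh][Tt][Tt][Pp]:\/\/.*/",...)
              - pattern: $AXIOS.head("=~/^[Hh][Tt][Tt][Pp]:\/\/.*/",...)
              - pattern: $AXIOS.patch("=~/^[Hh][Tt][Tt][Pp]:\/\/.*/",...)
              - pattern: $AXIOS.put("=~/^[Hh][Tt][Tt][Pp]:\/\/.*/",...)
              - pattern: $AXIOS.options("=~/^[Hh][Tt][Tt][Pp]:\/\/.*/",...)
              # axios.request takes a config object, not a URL string.
              - pattern: '$AXIOS.request({url: "=~/^[Hh][Tt][Tt][Pp]:\/\/.*/"}, ...)'
              - pattern: |
                  $OPTS = {url: "=~/^[Hh][Tt][Tt][Pp]:\/\/.*/"}
                  ...
                  $AXIOS.request($OPTS, ...)
      # Branch 2: axios(config) with an inline or locally-assigned config
      # whose `url` is http://.
      - patterns:
          - pattern-either:
              - pattern-inside: |
                  import $AXIOS from 'axios';
                  ...
                  $AXIOS(...)
              - pattern-inside: |
                  $AXIOS = require('axios');
                  ...
                  $AXIOS(...)
          - pattern-either:
              - pattern: '$AXIOS({url: "=~/^[Hh][Tt][Tt][Pp]:\/\/.*/"}, ...)'
              - pattern: |
                  $OPTS = {url: "=~/^[Hh][Tt][Tt][Pp]:\/\/.*/"}
                  ...
                  $AXIOS($OPTS, ...)
      # Branch 3: the global fetch() API; there is no import to anchor on.
      - pattern: fetch("=~/^[Hh][Tt][Tt][Pp]:\/\/.*/", ...)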

Examples

react-insecure-request.jsx

import axios from 'axios';

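// Semgrep test fixture for react-insecure-request. Each `ruleid:` comment
// must be followed by exactly one line the rule reports and each `ok:`
// comment by one it must not. Only the URL argument matters to the rule; the
// rest of each call is just enough to be a well-formed request.

// ruleid: react-insecure-request
fetch('http://www.example.com', { method: 'GET' });

// A URL held in a local constant is still expected to be reported: the
// literal is propagated into the call site.
const addr = "http://www.example.com";
// ruleid: react-insecure-request
fetch(addr, { method: 'POST' });

// ruleid: react-insecure-request
axios.get('http://www.example.com');

// Config object assigned first, then passed to axios(); the `ruleid`
// annotation sits on the assignment line. `qs` and `data` are assumed to be
// in scope in the surrounding application code.
// ruleid: react-insecure-request
const options = {
  method: 'POST',
  headers: { 'content-type': 'application/x-www-form-urlencoded' },
  data: qs.stringify(data),
  url: 'http://www.example.com',
};
axios(options);

// ruleid: react-insecure-request
axios({ method: 'POST', url: 'http://www.example.com' });

// ok: react-insecure-request
fetch('https://www.example.com', { method: 'GET' });

// ok: react-insecure-request
axios.get('https://www.example.com');

// Named differently from `options` above: a second `const options` in the
// same module scope is a SyntaxError, so the fixture could never be loaded.
// ok: react-insecure-request
const secureOptions = {
  method: 'POST',
  url: 'https://www.example.com',
};
axios(secureOptions);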

react-insecure-request.tsx

import axios from 'axios';

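// Semgrep test fixture for react-insecure-request (TypeScript variant). Each
// `ruleid:` comment must be followed by exactly one line the rule reports and
// each `ok:` comment by one it must not. Only the URL argument matters to the
// rule; the rest of each call is just enough to be a well-formed request.

// ruleid: react-insecure-request
fetch('http://www.example.com', { method: 'GET' });

// A URL held in a local constant is still expected to be reported: the
// literal is propagated into the call site.
const addr = "http://www.example.com";
// ruleid: react-insecure-request
fetch(addr, { method: 'POST' });

// ruleid: react-insecure-request
axios.get('http://www.example.com');

// Config object assigned first, then passed to axios(); the `ruleid`
// annotation sits on the assignment line. `qs` and `data` are assumed to be
// in scope in the surrounding application code.
// ruleid: react-insecure-request
const options = {
  method: 'POST',
  headers: { 'content-type': 'application/x-www-form-urlencoded' },
  data: qs.stringify(data),
  url: 'http://www.example.com',
};
axios(options);

// ruleid: react-insecure-request
axios({ method: 'POST', url: 'http://www.example.com' });

// ok: react-insecure-request
fetch('https://www.example.com', { method: 'GET' });

// ok: react-insecure-request
axios.get('https://www.example.com');

// Named differently from `options` above: a second `const options` in the
// same module scope is a compile error, so the fixture could never be loaded.
// ok: react-insecure-request
const secureOptions = {
  method: 'POST',
  url: 'https://www.example.com',
};
axios(secureOptions);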