SonarCFamily / CPP-2585

Rule S5332: Using clear-text protocols is security-sensitive

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 6.14
    • Component/s: C, C++, Objective-C, Rules
    • Labels: None

      Description

      Hard-coded strings

      When a hard-coded string contains a valid URI, raise an issue if the URI scheme is one of the following values:

      • http
      • telnet
      • ftp (see exception in the next section)
      • smtp (see exception in the next section)

      Code examples
      https://github.com/SonarSource/security-expected-issues/tree/master/cc%2B%2B/rules/vulnerabilities/RSPEC-5332/examples.c

      Code examples for default value of an optional parameter
      https://github.com/SonarSource/security-expected-issues/tree/master/cc%2B%2B/rules/vulnerabilities/RSPEC-5332/examples.h

      libcurl

      FTP over TLS and SMTP with STARTTLS

      libcurl supports both the FTP and SMTP protocols.
      It has a global option that forces TLS for both of them:

      #include <curl/curl.h>

      void send_mail(void) {
          // If CURLOPT_USE_SSL is set to CURLUSESSL_ALL, FTP and SMTP transfers are done over TLS
          // even if the URL scheme is ftp:// or smtp://
          CURL *curl1 = curl_easy_init();
          curl_easy_setopt(curl1, CURLOPT_URL, "smtp://example.com:587"); // Compliant
          curl_easy_setopt(curl1, CURLOPT_USE_SSL, CURLUSESSL_ALL);
          curl_easy_cleanup(curl1);
      }


      If the hard-coded URI is passed as the 3rd argument of `curl_easy_setopt`, an issue should only be raised if:

      • CURLOPT_USE_SSL is not set on that handle, or
      • CURLOPT_USE_SSL is set to a value other than CURLUSESSL_ALL

      Code examples
      https://github.com/SonarSource/security-expected-issues/blob/master/cc%2B%2B/rules/vulnerabilities/RSPEC-5332/libcurl/examples.cpp

      Loop-back addresses

      No issue should be raised if the URI scheme is a clear-text protocol but the host component is a loop-back address.

      // The URL host component is a loop-back address.
      const char *url1 = "http://localhost"; // Compliant
      const char *url2 = "ftp://user@localhost"; // Compliant


      Here is the regular expression used to match loop-back addresses in the Python rule:
      https://github.com/SonarSource/sonar-python/blob/816e184f6e4ed484e7c9b14aa226796959c7bdca/python-checks/src/main/java/org/sonar/python/checks/hotspots/ClearTextProtocolsCheck.java#L47
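
As an added illustration of the detection logic specified above (hard-coded strings with a clear-text scheme, the loop-back exception, and the libcurl CURLOPT_USE_SSL exception), here is a small Python checker run over constructed C source. It is example code written for this page, not the SonarCFamily implementation or the sonar-python rule. It assumes one curl_easy_setopt call per source line, and its loop-back pattern is a constructed approximation (the rule's real regex is the sonar-python one linked above). The CURLOPT_USE_SSL exception is applied only to ftp and smtp URLs, a design choice here: that libcurl option upgrades FTP and SMTP to TLS but does nothing for an http URL.

```python
import re
from urllib.parse import urlsplit

# Schemes the rule flags (from the issue description above)
CLEAR_TEXT_SCHEMES = {"http", "telnet", "ftp", "smtp"}

# Constructed approximation of a loop-back matcher: "localhost", 127.0.0.0/8 and
# IPv6 ::1 (the real rule's regex is the sonar-python one linked above; this is mine).
LOOPBACK_RE = re.compile(r"^(localhost|127(\.\d{1,3}){3}|::1)$", re.IGNORECASE)

# A C/C++ string literal, allowing escaped characters inside it
STRING_LITERAL_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

# curl_easy_setopt(<handle>, <CURLOPT_...>, <value>);  (one call per line assumed)
SETOPT_RE = re.compile(r"curl_easy_setopt\s*\(\s*(\w+)\s*,\s*(CURLOPT_\w+)\s*,\s*(.+?)\)\s*;")


def is_clear_text_uri(literal):
    """Return the scheme if `literal` is a URI with a clear-text scheme and a
    non-loop-back host, else None."""
    parts = urlsplit(literal)
    scheme = parts.scheme.lower()
    if scheme not in CLEAR_TEXT_SCHEMES or not parts.netloc:
        return None
    if LOOPBACK_RE.match(parts.hostname or ""):
        return None  # exception: loop-back address
    return scheme


def collect_use_ssl(source):
    """Map each curl handle name to the value its CURLOPT_USE_SSL was set to.
    The whole file is scanned first because the option may be set after
    CURLOPT_URL, as in the libcurl example above."""
    use_ssl = {}
    for handle, option, value in SETOPT_RE.findall(source):
        if option == "CURLOPT_USE_SSL":
            use_ssl[handle] = value.strip()
    return use_ssl


def check_source(source):
    """Return a list of (line_number, uri) for every hard-coded clear-text URI
    the rule should report in the given C/C++ source text."""
    use_ssl = collect_use_ssl(source)
    issues = []
    for line_no, line in enumerate(source.splitlines(), 1):
        setopt = SETOPT_RE.search(line)
        url_handle = setopt.group(1) if setopt and setopt.group(2) == "CURLOPT_URL" else None
        for match in STRING_LITERAL_RE.finditer(line):
            uri = match.group(1)
            scheme = is_clear_text_uri(uri)
            if scheme is None:
                continue
            # libcurl exception: an FTP/SMTP URL given to a handle whose
            # CURLOPT_USE_SSL is CURLUSESSL_ALL is transferred over TLS, so it is
            # not reported. Limited to ftp/smtp here because CURLOPT_USE_SSL does
            # not upgrade http (assumption of this example, not the page's spec).
            if url_handle and scheme in ("ftp", "smtp") and use_ssl.get(url_handle) == "CURLUSESSL_ALL":
                continue
            issues.append((line_no, uri))
    return issues


# Constructed sample input: the flagged schemes, https, loop-back hosts,
# a non-URI string, and the three libcurl cases from the description.
SAMPLE_SOURCE = """\
const char *a = "http://example.com/login";    // Noncompliant: http
const char *b = "https://example.com/login";   // Compliant: https
const char *c = "telnet://admin@example.com";  // Noncompliant: telnet
const char *d = "http://localhost:8080";       // Compliant: loop-back host
const char *e = "ftp://user@127.0.0.1/pub";    // Compliant: loop-back host
const char *f = "Hello, world";                // Compliant: not a URI
CURL *curl1 = curl_easy_init();
curl_easy_setopt(curl1, CURLOPT_URL, "smtp://example.com:587");  // Compliant: TLS forced below
curl_easy_setopt(curl1, CURLOPT_USE_SSL, CURLUSESSL_ALL);
CURL *curl2 = curl_easy_init();
curl_easy_setopt(curl2, CURLOPT_URL, "ftp://example.com/pub");   // Noncompliant: CURLUSESSL_TRY is not ALL
curl_easy_setopt(curl2, CURLOPT_USE_SSL, CURLUSESSL_TRY);
CURL *curl3 = curl_easy_init();
curl_easy_setopt(curl3, CURLOPT_URL, "ftp://example.com/pub");   // Noncompliant: CURLOPT_USE_SSL never set
"""

if __name__ == "__main__":
    for line_no, uri in check_source(SAMPLE_SOURCE):
        print(f"line {line_no}: clear-text protocol in hard-coded URI {uri!r}")
```

Run as a script it reports lines 1, 3, 11 and 14 of the sample; the smtp URL on line 8 is skipped only because the same handle later gets CURLUSESSL_ALL, which is why the handle-to-option map is built over the whole file before the per-line pass.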

      People

      Assignee: Geoffray Adde (geoffray.adde)
      Reporter: Pierre-Loup Tristant (pierre-loup.tristant)