SonarPython / SONARPY-378

Rule S5332: Clear-text protocols should not be used

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.14.1
    • Fix Version/s: 1.15
    • Component/s: Rules
    • Labels: None

      Description

      URL scheme in string literals

      Highlight string literals starting with:

      • http://
      • ftp://
      • telnet://

      Matching is case-insensitive.
      Exception: the URL's host component is a loopback address (localhost, 127.0.0.1, ::1), which is not reported.

      Sensitive Code Example

      url = "http://" # Sensitive
      url = "http://exemple.com" # Sensitive
      url = "http://0001::1" # Sensitive
      url = "http://dead:beef::1" # Sensitive
      url = "http://::dead:beef:1" # Sensitive
      url = "http://192.168.0.1" # Sensitive
      url = "http://10.1.1.123" # Sensitive
      url = "http://subdomain.exemple.com" # Sensitive
      
      url = "ftp://" # Sensitive
      url = "ftp://anonymous@exemple.com" # Sensitive
      url = "telnet://" # Sensitive
      url = "telnet://anonymous@exemple.com" # Sensitive
      
      # Argument default value
      def download(url='http://exemple.com'): # Sensitive
          print(url)
      

      Compliant Solution

      # Non sensitive url scheme
      url = "https://" # Compliant
      url = "sftp://" # Compliant
      url = "ftps://" # Compliant
      url = "scp://" # Compliant
      url = "ssh://" # Compliant
      
      # Only report strings starting with a sensitive url scheme
      doc = "See http://exemple.com" # Compliant
      doc = "See ftp://exemple.com" # Compliant
      doc = "See telnet://exemple.com" # Compliant
      
      # The url domain component is a loopback address.
      url = "http://localhost" # Compliant
      url = "http://127.0.0.1" # Compliant
      url = "http://::1" # Compliant
      url = "ftp://user@localhost" # Compliant
      
      # Argument default value
      def download(url='ssh://exemple.com'): # Compliant
          print(url)
      

      Use of sensitive python modules

      Sensitive Code Example

      Report any use of the telnetlib.Telnet class

      import telnetlib
      from telnetlib import Telnet
      
      cnx = telnetlib.Telnet("towel.blinkenlights.nl") # Sensitive
      cnx = Telnet("towel.blinkenlights.nl") # Sensitive
      

      Report any use of the ftplib.FTP class

      import ftplib
      from ftplib import FTP
      
      cnx = ftplib.FTP("194.244.111.175") # Sensitive
      cnx = FTP("194.244.111.175") # Sensitive
      

      Compliant Solution

      Use of the ftplib.FTP_TLS class should not be reported

      import ftplib
      from ftplib import FTP_TLS
      
      cnx = ftplib.FTP_TLS("secure.example.com") # Compliant
      cnx = FTP_TLS("secure.example.com") # Compliant
      
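      As an added example (not SonarPython's implementation and not part of this issue), the checker below implements both parts of the rule as described above on Python source: string literals (assignments and argument default values alike) that start with http://, ftp:// or telnet:// case-insensitively, with the loopback exception, plus calls to telnetlib.Telnet and ftplib.FTP through either import form, while ftplib.FTP_TLS is left alone. The names host_of, is_loopback_host, ClearTextChecker and find_clear_text are assumptions, and the SAMPLE source is constructed for the example; it reuses the unbracketed IPv6 hosts from the description, which urllib.parse does not handle, so host extraction is done by hand.

```python
import ast
import ipaddress

# Added example, not SonarPython's implementation. Names below are assumptions.
CLEAR_TEXT_SCHEMES = ("http://", "ftp://", "telnet://")
# (module, class) pairs the rule reports; ftplib.FTP_TLS is deliberately absent.
SENSITIVE_CLASSES = {("telnetlib", "Telnet"), ("ftplib", "FTP")}


def host_of(url: str) -> str:
    """Return the host part of a URL, accepting the unbracketed IPv6 forms
    used in the rule's examples (e.g. http://::1, http://dead:beef::1)."""
    authority = url.split("://", 1)[1]
    for sep in "/?#":
        authority = authority.split(sep, 1)[0]
    authority = authority.rsplit("@", 1)[-1]          # drop user info
    if authority.startswith("["):                      # bracketed IPv6 literal
        end = authority.find("]")
        return authority[1:end] if end > 0 else authority[1:]
    try:
        ipaddress.ip_address(authority)                # bare IPv4/IPv6 literal, no port
        return authority
    except ValueError:
        pass
    # host:port for a hostname or IPv4 address; anything else is returned as-is
    return authority.rsplit(":", 1)[0] if authority.count(":") == 1 else authority


def is_loopback_host(host: str) -> bool:
    """The rule's exception: localhost or a loopback IP address is not reported."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


class ClearTextChecker(ast.NodeVisitor):
    """Collects (line, message) findings for the two parts of the rule."""

    def __init__(self) -> None:
        self.findings = []
        self.modules = {}   # local name -> module, from `import telnetlib [as t]`
        self.classes = {}   # local name -> (module, class), from `from ftplib import FTP [as f]`

    def visit_Import(self, node: ast.Import) -> None:
        for alias in node.names:
            self.modules[alias.asname or alias.name] = alias.name

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        for alias in node.names:
            key = (node.module, alias.name)
            if key in SENSITIVE_CLASSES:
                self.classes[alias.asname or alias.name] = key

    def visit_Constant(self, node: ast.Constant) -> None:
        # Any string literal: assignments, argument default values, docstrings.
        value = node.value
        if isinstance(value, str) and value.lower().startswith(CLEAR_TEXT_SCHEMES):
            if not is_loopback_host(host_of(value)):
                self.findings.append((node.lineno, f"clear-text URL scheme in {value!r}"))

    def visit_Call(self, node: ast.Call) -> None:
        func, target = node.func, None
        if isinstance(func, ast.Name):                  # Telnet(...) / FTP(...)
            target = self.classes.get(func.id)
        elif isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
            module = self.modules.get(func.value.id)   # telnetlib.Telnet(...)
            if module and (module, func.attr) in SENSITIVE_CLASSES:
                target = (module, func.attr)
        if target:
            self.findings.append((node.lineno, f"use of {target[0]}.{target[1]}"))
        self.generic_visit(node)                        # arguments may hold URL literals


def find_clear_text(source: str) -> list:
    """Parse Python source and return sorted (line, message) findings."""
    checker = ClearTextChecker()
    checker.visit(ast.parse(source))
    return sorted(checker.findings)


# Constructed sample input; the hosts are placeholders taken from the rule description.
SAMPLE = """\
import telnetlib
from ftplib import FTP, FTP_TLS
url = "HTTP://exemple.com"                 # reported: scheme match is case-insensitive
url = "http://0001::1"                     # reported: 1::1 is not a loopback address
url = "http://127.0.0.1"                   # not reported: loopback
url = "ftp://user@localhost"               # not reported: loopback
doc = "See http://exemple.com"             # not reported: scheme is not at the start
def download(url="http://exemple.com"):    # reported: argument default value
    return url
cnx = telnetlib.Telnet("telnet.exemple.com")  # reported
cnx = FTP("ftp.exemple.com")               # reported
cnx = FTP_TLS("ftp.exemple.com")           # not reported
"""

if __name__ == "__main__":
    for line, message in find_clear_text(SAMPLE):
        print(f"line {line}: {message}")
```

      Running the block reports lines 3, 4, 8, 10 and 11 of SAMPLE and nothing else. The loopback test is done on the parsed address rather than on the string, so "http://0001::1" is correctly reported (it is 1::1, not ::1), which a plain prefix match on "::1" would get wrong.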

      More code samples

      https://github.com/SonarSource/security-expected-issues/tree/master/python/rules/vulnerabilities/RSPEC-5332%20Clear-text%20protocols%20should%20not%20be%20used

              People

              • Assignee: Nicolas Peru (nicolas.peru)
              • Reporter: Pierre-Loup Tristant (pierre-loup.tristant)