Do not make http calls without encryption

문서 > Datadog 보안 > Code Security > Static Code Analysis (SAST) > SAST Rules > Do not make http calls without encryption

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Metadata

ID: python-security/requests-http

Language: Python

Severity: Warning

Category: Security

CWE: 319

Description

Making a request with http enables attackers to listen to the traffic and obtain sensitive information. Use https:// instead.

Learn More

CWE-319: Cleartext Transmission of Sensitive Information

Non-Compliant Code Examples

def test1():
    url1 = "http://api.tld"
    requests.get(url1)


def test2():
    url2 = "http://api.tld/user/{0}".format(user_id)
    requests.get(url2)

def test3():
    url3 = f"http://api.tld/user/{user_id}"
    requests.get(url3)
    requests.get(url4)

def test1():
    requests.get("http://api.tld")
    requests.get("http://api.tld/user/{0}".format(user_id))
    requests.get(f"http://api.tld/user/{user_id}")

Compliant Code Examples

def download_stuff(identifier, data):
    directory = "/tmp"
    attachments = data.get("attachments", [])

    attachment_url = attachments[0].get("attachment_url", "")

    try:
        response = requests.get(attachment_url, timeout=300)
        response.raise_for_status()
    except requests.exceptions.RequestException:
        return (False, "")

def test1():
    requests.get("https://api.tld")
    requests.get("https://api.tld/user/{0}".format(user_id))
    requests.get(f"https://api.tld/user/{user_id}")
    requests.get(f"http://localhost.tld/user/{user_id}") # localhost and 127.0.0.1 are safe