Cette page n'est pas encore disponible en français, sa traduction est en cours. Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.
This rule advises against the use of deprecated HTTP clients in Kotlin. The use of deprecated HTTP clients, such as DefaultHttpClient, can lead to security vulnerabilities in your application because they lack support for modern Transport Layer Security (TLS) versions such as TLS 1.2. This lack of support can expose your application to potential data breaches and other security risks.
This rule enforces the use of secure communication protocols. By ensuring your HTTP client supports modern TLS, you can protect sensitive data transmitted between your application and servers from being intercepted or manipulated.
To adhere to this rule, use HTTP clients that support modern TLS versions, such as SystemDefaultHttpClient. When configuring the client, make sure to use BasicHttpParams to set parameters such as connection timeout. If you’re using the client in a service class, ensure that the client is stored as a class member. By following these practices, you can maintain the security and integrity of your application’s data transmissions.
Non-Compliant Code Examples
// Example 1: Basic DefaultHttpClient usage
funmakeRequest(){// UNSAFE: DefaultHttpClient lacks TLS 1.2 support
valclient=DefaultHttpClient()valrequest=HttpGet("https://api.example.com/data")valresponse=client.execute(request)}// Example 2: DefaultHttpClient with custom parameters
funconfiguredRequest(){// UNSAFE: Even with configuration, still lacks proper TLS support
valparams=BasicHttpParams().apply{setParameter(CoreConnectionPNames.CONNECTION_TIMEOUT,3000)}valclient=DefaultHttpClient(params)valresponse=client.execute(HttpPost("https://api.example.com/submit"))}// Example 3: DefaultHttpClient in a service class
classLegacyApiService{// UNSAFE: Storing deprecated client as class member
privatevalhttpClient=DefaultHttpClient()funfetchData():String{valresponse=httpClient.execute(HttpGet("https://api.example.com"))returnEntityUtils.toString(response.entity)}}
Compliant Code Examples
// Example 1: Using SystemDefaultHttpClient
funmakeSecureRequest(){// SAFE: SystemDefaultHttpClient supports modern TLS
valclient=SystemDefaultHttpClient()valrequest=HttpGet("https://api.example.com/data")valresponse=client.execute(request)}// Example 2: Configured SystemDefaultHttpClient
funconfiguredSecureRequest(){valparams=BasicHttpParams().apply{setParameter(CoreConnectionPNames.CONNECTION_TIMEOUT,3000)}// SAFE: Properly configured with modern TLS support
valclient=SystemDefaultHttpClient(params)valresponse=client.execute(HttpPost("https://api.example.com/submit"))}// Example 3: Service class with secure client
classModernApiService{// SAFE: Using TLS 1.2 capable client
privatevalhttpClient=SystemDefaultHttpClient()funfetchData():String{valresponse=httpClient.execute(HttpGet("https://api.example.com"))returnEntityUtils.toString(response.entity)}}
Seamless integrations. Try Datadog Code Security
Datadog Code Security
Try this rule and analyze your code with Datadog Code Security
How to use this rule
1
2
rulesets:- kotlin-security # Rules to enforce Kotlin security.
Create a static-analysis.datadog.yml with the content above at the root of your repository
Use our free IDE Plugins or add Code Security scans to your CI pipelines