Prevent use of http protocol

Metadata

ID: ruby-security/no-http

Language: Ruby

Severity: Info

Category: Security

CWE: 319

Description

This rule is designed to prevent the use of the insecure HTTP protocol in your Ruby code. The HTTP protocol does not encrypt the data that is sent between the client and the server, which can lead to sensitive information being intercepted by malicious parties. This is particularly risky when dealing with sensitive data such as API keys, user credentials, or personal user information.

The importance of this rule lies in the security and integrity of your application. By using an unsecured protocol like HTTP, you expose your application and its users to potential data breaches. A breach can lead to loss of trust, legal liability, and significant remediation costs.

To avoid violating this rule, always use the HTTPS protocol when making network requests. HTTPS encrypts the data sent between the client and server, protecting it from interception. By using libraries like Faraday, HTTPX, HTTParty, RestClient, or Ruby’s built-in Net::HTTP, you can specify HTTPS by simply replacing ‘http://’ with ‘https://’. For example, instead of HTTP.get("http://example.org"), use HTTP.get("https://example.org"). Always ensure that any third-party services your application interacts with support HTTPS.

Non-Compliant Code Examples

require "faraday"
require 'uri'

params = {title: "foo", body: "bar", userID: 1}
encoded_params = URI.encode_www_form(params)
response = Faraday.post("http://example.org", encoded_params)
p response.body if response.status == 201
require "httpx"

response = HTTPX.get("http://www.example.org")
puts response.body if response.status == 200
require "http"

response = HTTP.get("http://example.org", :params => {:api_key => "API_KEY"})
response = HTTP.post("http://example.org", :form => something)
require 'httparty'

response = HTTParty.get('http://example.org')
puts response.body if response.code == 200

response = HTTParty.get('http://example.com', format: :plain)
RestClient.post "http://example.com", {'x' => 1}.to_json, {content_type: :json, accept: :json}
require 'uri'
require 'net/http'

uri = URI('http://example.org')
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Seamless integrations. Try Datadog Code Analysis

PREVIEWING: rtrieu/product-analytics-ui-changes