semgrep-rules icon indicating copy to clipboard operation
semgrep-rules copied to clipboard

Published 20 hours ago verified publisher icon semgrep

python/lang/security/audit/insecure-transport/requests/request-with-http.yaml does not filter localhost URLs

Open clintgibler opened this issue 2 years ago • 1 comments

Describe the bug If the URL is http://localhost:whatever, that's probably intentional and not something we should flag.

To Reproduce Sample code to reproduce this behavior.

https://github.com/returntocorp/semgrep-rules/blob/6eeb0afc178867ecdb3f9cc208d50b9014b8b01f/python/lang/security/audit/insecure-transport/requests/request-with-http.yaml

Expected behavior Any http URL that is localhost is ignored.

Priority How important is this to you?

  • [ ] P0: blocking me from making progress
  • [ ] P1: this will block me in the near future
  • [X] P2: annoying but not blocking me

Additional Context This came up when reviewing results with a potential customer.

clintgibler avatar Oct 10 '22 22:10 clintgibler

Blocked on https://github.com/returntocorp/semgrep/issues/6299

minusworld avatar Oct 12 '22 21:10 minusworld