CodeQL documentation

Failure to use HTTPS URLs

ID: rust/non-https-url
Kind: path-problem
Security severity: 8.1
Severity: warning
Precision: high
Tags:
   - security
   - external/cwe/cwe-319
   - external/cwe/cwe-345
Query suites:
   - rust-code-scanning.qls
   - rust-security-extended.qls
   - rust-security-and-quality.qls


Constructing URLs with the HTTP protocol can lead to insecure connections.

Furthermore, constructing URLs with the HTTP protocol can create problems if other parts of the code expect HTTPS URLs. A typical pattern is to use libraries that expect secure connections, which may fail or fall back to insecure behavior when provided with HTTP URLs instead of HTTPS URLs.

Recommendation

When you construct a URL for network requests, ensure that you use an HTTPS URL rather than an HTTP URL. Then, any connections that are made using that URL are secure TLS connections.

Example

The following examples show two ways of making a network request using a URL. When the request is made using an HTTP URL rather than an HTTPS URL, the connection is unsecured and can be intercepted by attackers:

// BAD: Using HTTP URL which can be intercepted
use reqwest;

fn main() {
    let url = "http://example.com/sensitive-data";
    
    // This makes an insecure HTTP request that can be intercepted
    let response = reqwest::blocking::get(url).unwrap();
    println!("Response: {}", response.text().unwrap());
}

A better approach is to use HTTPS. When the request is made using an HTTPS URL, the connection is a secure TLS connection:

// GOOD: Using HTTPS URL which provides encryption
use reqwest;

fn main() {
    let url = "https://example.com/sensitive-data";
    
    // This makes a secure HTTPS request that is encrypted
    let response = reqwest::blocking::get(url).unwrap();
    println!("Response: {}", response.text().unwrap());
}

© GitHub, Inc.