Avoid using protocols without SSL

Docs > Plateforme de sécurité Datadog > Code Security > Static Code Analysis (SAST) > Règles SAST > Avoid using protocols without SSL

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Metadata

ID: csharp-security/avoid-unencrypted-protocols

Language: C#

Severity: Warning

Category: Security

CWE: 319

Description

Using http:// or ftp:// instead of https:// or ftps:// leads to potential cleartext data transmission. Always use safe and secure connections.

Learn More

CWE-319: Cleartext Transmission of Sensitive Information

Non-Compliant Code Examples

using System.IO;
using System.Security.Cryptography;

class MyClass {
    public void Encrypt(byte[] key, byte[] dataToEncrypt, MemoryStream target)
    {
        foobar(key, something, "http://domain.tld", plop);
        var url1 = "http://test.com";
    }
}

using System.IO;
using System.Security.Cryptography;

class MyClass {
    public void Encrypt(byte[] key, byte[] dataToEncrypt, MemoryStream target)
    {
        foo.bar(key, something, "http://domain.tld", plop);
    }
}

using System.IO;
using System.Security.Cryptography;

class MyClass {
    public void Encrypt(byte[] key, byte[] dataToEncrypt, MemoryStream target)
    {
        var httpUrl = "http://domain.tld";
        var ftpUrl = "ftp://";
    }
}

Compliant Code Examples

using System.IO;
using System.Security.Cryptography;

class MyClass {
    public void Encrypt(byte[] key, byte[] dataToEncrypt, MemoryStream target)
    {
        var httpUrl = "https://domain.tld";
        var ftpUrl = "ftps://";
        var bool1 = str.Contains("http://") || str.IndexOf("http://");
        var claimType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/userdata";
        var customClaimType = "http://api.example.com/2012/identity/claims/hash";
    }
}