Prevent use of http protocol
ID: ruby-security/no-http
Language: Ruby
Severity: Info
Category: Security
CWE: 319
Description
This rule flags use of the insecure HTTP protocol in your Ruby code. Plain HTTP neither encrypts nor authenticates the traffic between client and server (CWE-319, cleartext transmission of sensitive information): anyone on the network path can read the request and response, and can also modify them in transit. This is particularly risky when the request carries API keys, user credentials, session tokens, or personal user information.
Using an unsecured protocol like HTTP exposes both your application and its users to data breaches and to tampered responses. A breach can lead to loss of trust, legal liability, and significant remediation costs.
To avoid violating this rule, always use the HTTPS protocol when making network requests. HTTPS encrypts the data sent between client and server and authenticates the server, protecting the exchange from interception and tampering. With libraries such as Faraday, HTTPX, HTTParty, RestClient, the http gem, or Ruby's built-in Net::HTTP, you select HTTPS by replacing 'http://' with 'https://' in the URL. For example, with the http gem, instead of HTTP.get("http://example.org"), use HTTP.get("https://example.org"). One caveat: when you construct a Net::HTTP client yourself with Net::HTTP.new(host, port) rather than passing a URI to Net::HTTP.get or Net::HTTP.get_response, you must also set use_ssl = true, because Net::HTTP.new never looks at the URL scheme; and you should leave certificate verification at its default of OpenSSL::SSL::VERIFY_PEER. Always ensure that any third-party services your application interacts with support HTTPS, and check that they do not redirect HTTPS requests back to an HTTP URL.
Non-Compliant Code Examples
# Faraday: the form body travels in cleartext
require "faraday"
require 'uri'
params = {title: "foo", body: "bar", userID: 1}
encoded_params = URI.encode_www_form(params)
response = Faraday.post("http://example.org", encoded_params)
p response.body if response.status == 201

# HTTPX
require "httpx"
response = HTTPX.get("http://www.example.org")
puts response.body if response.status == 200

# http.rb (the http gem): the API key is sent as a plaintext query parameter
require "http"
response = HTTP.get("http://example.org", :params => {:api_key => "API_KEY"})
response = HTTP.post("http://example.org", :form => {:username => "alice"})

# HTTParty
require 'httparty'
response = HTTParty.get('http://example.org')
puts response.body if response.code == 200
response = HTTParty.get('http://example.com', format: :plain)

# RestClient
require 'rest-client'
RestClient.post "http://example.com", {'x' => 1}.to_json, {content_type: :json, accept: :json}

# Net::HTTP (standard library)
require 'uri'
require 'net/http'
uri = URI('http://example.org')
response = Net::HTTP.get_response(uri)
puts response.body if response.is_a?(Net::HTTPSuccess)