mcp-server-semgrep/semgrep-rules/python/requests/security/no-auth-over-http.yaml

MCP Server for Semgrep Integration - static code analysis with AI

rules:
- id: no-auth-over-http
  fix-regex:
    regex: http:\/\/
    replacement: https://
    count: 1
  message: >-
    Authentication detected over HTTP. HTTP does not provide any
    encryption or protection for these authentication credentials.
    This may expose these credentials to unauthorized parties.
    Use 'https://' instead.
  metadata:
    cwe:
    - 'CWE-523: Unprotected Transport of Credentials'
    owasp:
    - A02:2017 - Broken Authentication
    - A02:2021 - Cryptographic Failures
    source-rule-url: https://pypi.org/project/flake8-flask/
    references:
    - https://semgrep.dev/blog/2020/bento-check-no-auth-over-http/
    - https://bento.dev/checks/requests/no-auth-over-http/
    category: security
    technology:
    - requests
    subcategory:
    - audit
    likelihood: LOW
    impact: LOW
    confidence: LOW
  languages: [python]
  severity: ERROR
  pattern-either:
  - pattern: requests.$W("=~/http:\/\/.*/", ..., auth=$X, ...)
  - pattern: |
      $URL = "=~/http:\/\/.../"
      ...
      requests.$W($URL, ..., auth=$X, ...)