Requests check: No auth over http

This check detects when the auth parameter is possibly used over http://, which could expose credentials.

Description

The requests API does not guarantee that HTTP over SSL/TLS is used, even when sensitive information such as an auth token is transmitted. This introduces CWE-522: Insufficiently Protected Credentials. It is generally considered bad practice to send authentication tokens over plain HTTP. Use HTTPS as detailed in RFC 2818.

This check alerts on cases such as the following:

import requests
r = requests.get('http://MYURL.com', auth=('user', 'pass'))

from requests import get, post
post('http://MYURL.com', auth=('user', 'pass'))

The check catches the patterns above. However, it will not fire on the following:

import requests
r = requests.get('http://MYURL.com')

# No import
r = requests.get('http://MYURL.com', auth=('user', 'pass'))

Example output from running the check with flake8:

$> flake8 --select=r2c example.py
example.py:5:1: r2c-requests-no-auth-over-http auth is possibly used over http://, which could expose credentials. possible_urls: ['http://MYURL.com']
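As an added illustration of how such a rule can be implemented (this is not the r2c check's own source; all function names are assumptions of this example), the AST walker below resolves `import requests` and `from requests import ...` bindings, then reports any call to a requests function that passes `auth=` together with a literal http:// URL. It goes slightly beyond the page by also handling import aliases and a `url=` keyword argument.

```python
import ast

# Module-level functions of requests that take a URL and an auth= keyword.
REQUEST_FUNCS = {"get", "post", "put", "patch", "delete", "head", "options", "request"}


def _imported_names(tree):
    """Collect names bound by `import requests [as x]` and `from requests import f [as g]`."""
    modules, funcs = set(), set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == "requests":
                    modules.add(alias.asname or "requests")
        elif isinstance(node, ast.ImportFrom) and node.module == "requests":
            for alias in node.names:
                if alias.name in REQUEST_FUNCS:
                    funcs.add(alias.asname or alias.name)
    return modules, funcs


def _is_requests_call(call, modules, funcs):
    """True for `requests.get(...)` style calls or directly imported `get(...)`."""
    f = call.func
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f.value.id in modules and f.attr in REQUEST_FUNCS
    if isinstance(f, ast.Name):
        return f.id in funcs
    return False


def find_auth_over_http(source):
    """Return [(lineno, url)] for requests calls passing auth= with a literal http:// URL.

    Only string literals can be judged statically, hence the "possibly" in the
    check's message: a URL built at runtime is not inspected.
    """
    tree = ast.parse(source)
    modules, funcs = _imported_names(tree)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call) or not _is_requests_call(node, modules, funcs):
            continue
        if not any(kw.arg == "auth" for kw in node.keywords):
            continue
        candidates = list(node.args) + [kw.value for kw in node.keywords if kw.arg == "url"]
        for arg in candidates:
            if isinstance(arg, ast.Constant) and isinstance(arg.value, str) \
                    and arg.value.lower().startswith("http://"):
                findings.append((node.lineno, arg.value))
    return findings
```

A file with no `import requests` produces no finding, matching the "No import" case above: the detector has no evidence that `requests` refers to the library.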

References