CodeQL documentation

Failure to use HTTPS URLs

ID: cpp/non-https-url
Kind: path-problem
Security severity: 8.1
Severity: warning
Precision: high
Tags:
   - security
   - external/cwe/cwe-319
   - external/cwe/cwe-345
Query suites:
   - cpp-code-scanning.qls
   - cpp-security-extended.qls
   - cpp-security-and-quality.qls

Constructing URLs with the HTTP protocol can lead to unsecured connections.

Recommendation

When you construct a URL, ensure that you use an HTTPS URL rather than an HTTP URL. Then, any connections that are made using that URL are secure SSL connections.

Example

The following example shows two ways of opening a connection using a URL. When the connection is opened using an HTTP URL rather than an HTTPS URL, the connection is unsecured. When the connection is opened using an HTTPS URL, the connection is a secure SSL connection.

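void openUrl(const char *url)
{
	// ... open a connection to the given URL
}

void example()
{
	openUrl("http://example.com"); // BAD: plain HTTP, the connection is unsecured

	openUrl("https://example.com"); // GOOD: Opening a connection to a URL using HTTPS enforces SSL.
}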
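The example above uses string literals. For URLs that only become known at run time (for instance, read from a configuration file), a guard in front of the connection call can enforce the same recommendation. The following is an added example, not part of the CodeQL documentation or query; `is_https_url` and `open_https_only` are hypothetical names, and `openUrl` is a stand-in for the function shown above.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for the page's openUrl(); it counts calls so
   that the effect of the guard can be observed. */
static int g_opened = 0;
static void openUrl(const char *url) { (void)url; g_opened++; }

/* Returns 1 only if url starts with the scheme "https" (compared
   case-insensitively, as RFC 3986 schemes are), followed by "://"
   and a non-empty authority; returns 0 otherwise. */
int is_https_url(const char *url)
{
    static const char scheme[] = "https";
    size_t i;
    const char *authority;

    if (url == NULL)
        return 0;
    for (i = 0; i < sizeof scheme - 1; i++) {
        /* A terminating NUL never matches, so short input stops here. */
        if (tolower((unsigned char)url[i]) != scheme[i])
            return 0;
    }
    /* Rejects look-alike schemes such as "httpsx:" and forms like "https:/". */
    if (strncmp(url + i, "://", 3) != 0)
        return 0;
    /* Require at least one character before any path, query or fragment. */
    authority = url + i + 3;
    return *authority != '\0' && *authority != '/' &&
           *authority != '?' && *authority != '#';
}

/* Opens the URL only when it is HTTPS. Returns 0 on success and -1
   when the URL is refused; a refused URL never reaches openUrl(). */
int open_https_only(const char *url)
{
    if (!is_https_url(url))
        return -1;
    openUrl(url);
    return 0;
}
```

The check fails closed: anything that is not clearly an HTTPS URL, including `NULL`, leading whitespace and an empty authority, is refused rather than passed through.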
