ベータ Shoulder はベータ版です — 結果が誤っている場合があります。皆さまのフィードバックが次に修正する内容を決定します。 フィードバックを送る
Shoulder.dev

開発者向け脅威インテリジェンス
🔒

Cleartext Transmission of Sensitive Information

🛡️ 6 件のルールが検出します

Cleartext Transmission of Sensitive Information

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

Many communication channels can be sniffed by attackers during data transmission. When sensitive data is transmitted without encryption, an attacker can intercept and read this information. Secure channels like TLS should be used to protect sensitive data in transit.

普及度
頻繁に悪用される
影響度
ハイ
5 件の重大度ハイのルール
予防
文書化済み
6 件の修正例
2 予防
2 予防

この脆弱性の修正方法

🐹 Go すべて表示 Go 詳細 →
Echo Running Without TLS HIGH

Use StartTLS instead of Start to enable HTTPS encryption

+1 -1 go 
  package main
  
  import "github.com/labstack/echo/v4"
  
  func main() {
      e := echo.New()
      e.POST("/api/login", loginHandler)
-     e.Start(":8080")
+     e.StartTLS(":443", "cert.pem", "key.pem")
  }
Fiber Running Without TLS HIGH

Use ListenTLS instead of Listen to enable HTTPS encryption

+1 -1 go 
  package main
  
  import "github.com/gofiber/fiber/v2"
  
  func main() {
      app := fiber.New()
      app.Post("/api/login", loginHandler)
-     app.Listen(":3000")
+     app.ListenTLS(":443", "cert.pem", "key.pem")
  }
Gin Running Without TLS LOW

Use RunTLS instead of Run to enable HTTPS encryption

+1 -1 go 
  package main
  
  import "github.com/gin-gonic/gin"
  
  func main() {
      r := gin.Default()
      r.POST("/api/login", loginHandler)
-     r.Run(":8080")
+     r.RunTLS(":443", "cert.pem", "key.pem")
  }
☸️ Kubernetes すべて表示 Kubernetes 詳細 →
Ingress Missing TLS Configuration HIGH

Configure TLS on Ingress resources to encrypt traffic in transit

+8 -1 yaml 
  apiVersion: networking.k8s.io/v1
  kind: Ingress
- spec:
+ metadata:
+   annotations:
+     cert-manager.io/cluster-issuer: letsencrypt-prod
+ spec:
+   tls:
+   - hosts:
+     - example.com
+     secretName: example-tls
    rules:
    - host: example.com
      http:
        paths:
        - path: /
          pathType: Prefix
          backend:
            service:
              name: web
              port:
                number: 80
Insecure TLS Verification Disabled HIGH

Remove insecure-skip-tls-verify and use proper certificate verification with CA certificates

+1 -1 yaml 
  apiVersion: v1
  clusters:
  - cluster:
      server: https://192.168.0.100:8443
-     insecure-skip-tls-verify: true
+     certificate-authority: /path/to/ca.crt
    name: my-cluster
  kind: Config
🐍 Python すべて表示 Python 詳細 →
HTTP Used Instead of HTTPS HIGH

Use HTTPS for all external requests and enable SSL redirect in frameworks

+2 -2 python 
  import requests
  
- API_URL = "http://api.example.com"
- response = requests.get(f"{API_URL}/data")
+ API_URL = "https://api.example.com"
+ response = requests.get(f"{API_URL}/data", verify=True, timeout=10)
4 警告サイン
4 警告サイン

コードレビューで注目すべき点

これらのパターンはCleartext Transmission of Sensitive Informationの潜在的な脆弱性を示しています。コードレビューとセキュリティ監査中に探してください。

🟠
Ingress exposes HTTP traffic without TLS encryption kubernetes-ingress-missing-tls
🟠
Kubernetes Ingress resources without TLS configuration kubernetes-ingress-missing-tls
🟠
TLS certificate verification disabled (vulnerable to MITM attacks) kubernetes-skip-tls-verify
🟠
when TLS certificate verification is disabled in Kubernetes configurations kubernetes-skip-tls-verify
🟠
use of unencrypted HTTP for sensitive operations like API calls, authentication, payment processing, python-http-not-https
🔍

コードベースをスキャン: Cleartext Transmission of Sensitive Information

Shoulder CLI はコードベース全体から脆弱なパターンを見つけます。

npx shoulder trust すべてのルールを表示