베타 Shoulder는 베타 버전입니다 — 결과가 가끔 잘못될 수 있습니다. 여러분의 피드백이 다음에 무엇을 고칠지 결정합니다. 피드백 공유
🔒

Cleartext Transmission of Sensitive Information

🛡️ 6 개의 규칙이 이를 탐지합니다

Cleartext Transmission of Sensitive Information

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

Many communication channels can be sniffed by attackers during data transmission. When sensitive data is transmitted without encryption, an attacker can intercept and read this information. Secure channels like TLS should be used to protect sensitive data in transit.

보급률
높음
자주 악용됨
영향
높음
5개의 높은 심각도 규칙
예방
문서화됨
6개의 수정 예시
2 예방
2 예방

이 취약점을 수정하는 방법

Echo Running Without TLS HIGH

Use StartTLS instead of Start to enable HTTPS encryption

+1 -1 go
  package main
  
  import "github.com/labstack/echo/v4"
  
  func main() {
      e := echo.New()
      e.POST("/api/login", loginHandler)
-     e.Start(":8080")
+     e.StartTLS(":443", "cert.pem", "key.pem")
  }
  
Fiber Running Without TLS HIGH

Use ListenTLS instead of Listen to enable HTTPS encryption

+1 -1 go
  package main
  
  import "github.com/gofiber/fiber/v2"
  
  func main() {
      app := fiber.New()
      app.Post("/api/login", loginHandler)
-     app.Listen(":3000")
+     app.ListenTLS(":443", "cert.pem", "key.pem")
  }
  
Gin Running Without TLS LOW

Use RunTLS instead of Run to enable HTTPS encryption

+1 -1 go
  package main
  
  import "github.com/gin-gonic/gin"
  
  func main() {
      r := gin.Default()
      r.POST("/api/login", loginHandler)
-     r.Run(":8080")
+     r.RunTLS(":443", "cert.pem", "key.pem")
  }
  
Ingress Missing TLS Configuration HIGH

Configure TLS on Ingress resources to encrypt traffic in transit

+8 -1 yaml
  apiVersion: networking.k8s.io/v1
  kind: Ingress
- spec:
+ metadata:
+   annotations:
+     cert-manager.io/cluster-issuer: letsencrypt-prod
+ spec:
+   tls:
+   - hosts:
+     - example.com
+     secretName: example-tls
    rules:
    - host: example.com
      http:
        paths:
        - path: /
          pathType: Prefix
          backend:
            service:
              name: web
              port:
                number: 80
  
Insecure TLS Verification Disabled HIGH

Remove insecure-skip-tls-verify and use proper certificate verification with CA certificates

+1 -1 yaml
  apiVersion: v1
  clusters:
  - cluster:
      server: https://192.168.0.100:8443
-     insecure-skip-tls-verify: true
+     certificate-authority: /path/to/ca.crt
    name: my-cluster
  kind: Config
  
HTTP Used Instead of HTTPS HIGH

Use HTTPS for all external requests and enable SSL redirect in frameworks

+2 -2 python
  import requests
  
- API_URL = "http://api.example.com"
- response = requests.get(f"{API_URL}/data")
+ API_URL = "https://api.example.com"
+ response = requests.get(f"{API_URL}/data", verify=True, timeout=10)
  
4 경고 신호
4 경고 신호

코드 리뷰에서 주의할 점

이 패턴은 잠재적인 Cleartext Transmission of Sensitive Information 취약점을 나타냅니다. 코드 리뷰와 보안 감사 중에 찾아보세요.

🟠
Ingress exposes HTTP traffic without TLS encryption kubernetes-ingress-missing-tls
🟠
Kubernetes Ingress resources without TLS configuration kubernetes-ingress-missing-tls
🟠
TLS certificate verification disabled (vulnerable to MITM attacks) kubernetes-skip-tls-verify
🟠
when TLS certificate verification is disabled in Kubernetes configurations kubernetes-skip-tls-verify
🟠
use of unencrypted HTTP for sensitive operations like API calls, authentication, payment processing, python-http-not-https
🔍

코드베이스를 스캔하세요: Cleartext Transmission of Sensitive Information

Shoulder CLI는 전체 코드베이스에서 취약한 패턴을 찾아냅니다.