测试版 Shoulder 目前处于测试阶段 — 结果有时可能不正确。您的反馈塑造我们接下来要修复的内容。 分享反馈
Shoulder.dev

开发者威胁情报
🔒

Cleartext Transmission of Sensitive Information

🛡️ 6 条规则检测到此问题

Cleartext Transmission of Sensitive Information

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

Many communication channels can be sniffed by attackers during data transmission. When sensitive data is transmitted without encryption, an attacker can intercept and read this information. Secure channels like TLS should be used to protect sensitive data in transit.

普遍性
频繁被利用
影响
5 条严重级别为高的规则
预防
已记录
6 个修复示例
2 预防
2 预防

如何修复此漏洞

🐹 Go 查看全部 Go 详情 →
Echo Running Without TLS HIGH

Use StartTLS instead of Start to enable HTTPS encryption

+1 -1 go 
  package main
  
  import "github.com/labstack/echo/v4"
  
  func main() {
      e := echo.New()
      e.POST("/api/login", loginHandler)
-     e.Start(":8080")
+     e.StartTLS(":443", "cert.pem", "key.pem")
  }
Fiber Running Without TLS HIGH

Use ListenTLS instead of Listen to enable HTTPS encryption

+1 -1 go 
  package main
  
  import "github.com/gofiber/fiber/v2"
  
  func main() {
      app := fiber.New()
      app.Post("/api/login", loginHandler)
-     app.Listen(":3000")
+     app.ListenTLS(":443", "cert.pem", "key.pem")
  }
Gin Running Without TLS LOW

Use RunTLS instead of Run to enable HTTPS encryption

+1 -1 go 
  package main
  
  import "github.com/gin-gonic/gin"
  
  func main() {
      r := gin.Default()
      r.POST("/api/login", loginHandler)
-     r.Run(":8080")
+     r.RunTLS(":443", "cert.pem", "key.pem")
  }
☸️ Kubernetes 查看全部 Kubernetes 详情 →
Ingress Missing TLS Configuration HIGH

Configure TLS on Ingress resources to encrypt traffic in transit

+8 -1 yaml 
  apiVersion: networking.k8s.io/v1
  kind: Ingress
- spec:
+ metadata:
+   annotations:
+     cert-manager.io/cluster-issuer: letsencrypt-prod
+ spec:
+   tls:
+   - hosts:
+     - example.com
+     secretName: example-tls
    rules:
    - host: example.com
      http:
        paths:
        - path: /
          pathType: Prefix
          backend:
            service:
              name: web
              port:
                number: 80
Insecure TLS Verification Disabled HIGH

Remove insecure-skip-tls-verify and use proper certificate verification with CA certificates

+1 -1 yaml 
  apiVersion: v1
  clusters:
  - cluster:
      server: https://192.168.0.100:8443
-     insecure-skip-tls-verify: true
+     certificate-authority: /path/to/ca.crt
    name: my-cluster
  kind: Config
🐍 Python 查看全部 Python 详情 →
HTTP Used Instead of HTTPS HIGH

Use HTTPS for all external requests and enable SSL redirect in frameworks

+2 -2 python 
  import requests
  
- API_URL = "http://api.example.com"
- response = requests.get(f"{API_URL}/data")
+ API_URL = "https://api.example.com"
+ response = requests.get(f"{API_URL}/data", verify=True, timeout=10)
4 警告信号
4 警告信号

代码审查中需要关注的内容

这些模式表明潜在的Cleartext Transmission of Sensitive Information漏洞。在代码审查和安全审计中注意查找。

🟠
Ingress exposes HTTP traffic without TLS encryption kubernetes-ingress-missing-tls
🟠
Kubernetes Ingress resources without TLS configuration kubernetes-ingress-missing-tls
🟠
TLS certificate verification disabled (vulnerable to MITM attacks) kubernetes-skip-tls-verify
🟠
when TLS certificate verification is disabled in Kubernetes configurations kubernetes-skip-tls-verify
🟠
use of unencrypted HTTP for sensitive operations like API calls, authentication, payment processing, python-http-not-https
🔍

扫描你的代码库: Cleartext Transmission of Sensitive Information

Shoulder CLI 在整个代码库中找到易受攻击的模式。

npx shoulder trust 浏览所有规则