Rule Information
Tags
pythonurllibrequest-objectplaintexthttpCWE-319OWASP-A02
CWE References
Interactive Playground
Experiment with the vulnerable code and security rule below. Edit the code to see how the rule detects different vulnerability patterns.
pathfinder scan --ruleset python/PYTHON-LANG-SEC-062 --project .1
2
3
4
5
6
7
rule.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
About This Rule
Understanding the vulnerability and how it is detected
urllib.request.Request() creates a request object that encapsulates a URL, headers, and request body. When the URL in the Request object uses http:// rather than https://, all data transmitted including authentication headers, API keys, request bodies, and cookies is sent in plaintext over the network.
urllib.request.OpenerDirector (obtained via urllib.request.build_opener()) provides a customizable request opener. When configured without proper HTTPS handlers or used with HTTP URLs, it has the same cleartext transmission risk.
This rule audits urllib.request.Request() and urllib.request.build_opener() usage to ensure HTTPS URLs are used and no insecure handlers are installed.
Security Implications
Potential attack scenarios if this vulnerability is exploited
1
Authentication Header Exposure
Authentication headers added to Request objects (Authorization, X-API-Key, Cookie) are transmitted in plaintext when HTTP URLs are used, exposing credentials to network observers.
2
Request Body Disclosure
POST request bodies containing passwords, form data, file contents, or API parameters are transmitted without encryption, enabling data theft by network observers.
3
Custom Handler Security Bypass
OpenerDirector with custom handlers can install insecure protocols or disable default security behaviors. Handlers that bypass certificate verification or add HTTP Basic Auth to HTTP (not HTTPS) URLs create additional security risks.
4
Redirect Security
Custom openers may handle redirects differently from urlopen(), potentially following redirects from HTTPS to HTTP URLs or not handling security-sensitive redirect scenarios correctly.
How to Fix
Recommended remediation steps
- 1Validate that all URLs in urllib.request.Request() objects use the https:// scheme before the request is executed.
- 2When using OpenerDirector, audit all installed handlers to ensure no insecure HTTP handlers or certificate bypass handlers are used.
- 3Pass an explicit ssl.create_default_context() to urlopen() when executing HTTPS Request objects for clarity and security.
- 4Consider migrating from urllib.request.Request/OpenerDirector to the requests library for simpler, more secure HTTP client code.
- 5Add URL scheme validation in any code that accepts URLs from configuration or user input before using them in urllib.request.Request().
Detection Scope
How Code Pathfinder analyzes your code for this vulnerability
This rule detects calls to urllib.request.Request(), urllib.request.build_opener(), and urllib.request.install_opener() in Python source code. All call sites are flagged to prompt review of the URL scheme and handler configuration for security.
Compliance & Standards
Industry frameworks and regulations that require detection of this vulnerability
PCI DSS v4.0
Requirement 4.2.1 - Use strong cryptography for cardholder data transmission
OWASP Top 10
A02:2021 - Cryptographic Failures
NIST SP 800-52 Revision 2
TLS with certificate validation required for all sensitive data transmission
GDPR Article 32
Appropriate technical measures including encryption of personal data in transit
References
External resources and documentation
Similar Rules
Explore related security rules for Python
MEDIUM
HTTP Request Without TLS (requests library)
HTTP URLs in requests calls transmit data in plaintext without encryption. Use HTTPS URLs for sensitive data transmission.
MEDIUM
Insecure urllib.request.urlopen() Usage
urllib.request.urlopen() over HTTP transmits data in plaintext. Verify HTTPS URLs are used and SSL context is properly configured.
HIGH
Certificate Validation Disabled (verify=False)
TLS certificate validation is explicitly disabled via verify=False or CERT_NONE, making connections vulnerable to man-in-the-middle attacks.
Frequently Asked Questions
Common questions about Insecure urllib Request Object Usage
urllib.request.Request() creates a request object that stores the URL, headers, data,
and method without making the network connection. urllib.request.urlopen() actually
executes the HTTP request. You can pass a Request object to urlopen() to execute it.
The security concern is the URL scheme stored in the Request object when it is executed.
No. build_opener() creates an opener with configurable handlers. It becomes insecure
if handlers are installed that bypass certificate verification (HTTPSHandler with
an unverified context) or if HTTP URLs are used with credential headers. Review
all handlers installed via build_opener().
Use urllib.request.HTTPPasswordMgrWithDefaultRealm() and urllib.request.HTTPBasicAuthHandler()
with the opener. Ensure the URL uses https:// so credentials are not transmitted in
plaintext. Alternatively, add the Authorization header directly to the Request object.
HTTPRedirectHandler: controls redirect behavior. ProxyHandler: routes traffic through
a proxy (ensure proxy uses HTTPS). HTTPSHandler: controls SSL context (ensure it uses
ssl.create_default_context()). UnknownHandler: handles unknown protocols (avoid). Any
custom handler that bypasses authentication or certificate verification.
urllib.request.install_opener() sets a global default opener that affects all subsequent
urlopen() calls in the process. Avoid installing global openers with reduced security
settings as they affect all HTTP requests, not just the intended ones. Use local openers
passed explicitly to urlopen() instead.
The rule targets Python 3 urllib.request patterns. Python 2 used urllib and urllib2
which are not available in Python 3. Code that imports from six.moves.urllib or
uses compatibility shims is not directly detected by this rule.
New feature
Get these findings posted directly on your GitHub pull requests
The Insecure urllib Request Object Usage rule runs in CI and posts inline review comments on the exact lines — no dashboard, no SARIF viewer.