Skip to content
Branch: master
Find file History
Permalink
Type Name Latest commit message Commit time
..
Failed to load latest commit information.
src Whitelist http://xslthl.sf.net Apr 29, 2019
README.adoc Add context for custom rules Jun 5, 2019
build.gradle nohttp-cli is Spring Boot App Apr 3, 2019

README.adoc

Allows finding and replacing http:// with exclusions on URLs that https:// cannot be used.

nohttp

Today it is important for everything, including static sites, to be over https. It can be difficult to switch to https:// and then to maintain using https://. This is the core project that allows finding and replacing http:// URLs. For additional integrations refer to https://github.com/spring-io/nohttp

Thought Process

The recommended process for determining if it is ok to use http:// is:

  • If https is possible then use https

  • If you cannot use https, then consider the following:

    • If your project uses the URL to make a request over a network, then you need to use https

    • It is acceptable to use localhost to make a request using http since it does not leave the machine

    • If you need to test URLs that use http, then consider using TLD of test, example, invalid, or localhost as defined by rfc2606.

    • Links that users click on should prefer https, but if the site does not support https you may decide to whitelist the URL

    • If the link is an XML namespace name (which is just an identifier), then you can use http. The XML namespace location should still be https.

Whitelisted HTTP URLs

There are times when URLs cannot use https:// that are beyond our control. Fortunately, nohttp provides a default whitelist and whitelisting additional URLs.

Default Whitelist

The default whitelist includes a whitelist that impacts these primary categories:

  • localhost

  • URLs that use a TLD defined in https://tools.ietf.org/html/rfc2606 (i.e. tld of test, .example, invalid, localhost)

  • XML Namespace names (not the locations)

  • Java specific URLs that do not work over http. For example, Java Properties hard codes using http.

We will not add a whitelist entry for arbitrary sites that do not support https. The reasoning is that context is important. A specific project may provide a link to a site that does not support https. Ideally that site is updated to support https, but it is not considered a vulnerability. This means that the URL could be added to your custom whitelist. However, another project may be downloading from the same site that does not support https. In this case it is a vulnerability and needs to be fixed. Since nohttp cannot understand the context, it will not whitelist arbitrary sites that do not support https.

Adding Custom Rules

This project provides a default whitelist. However, other projects may end up with their own usecases. Fortunately, nohttp supports custom whitelist as well.

RegexHttpMatcher.addHttpUrlWhitelist(Predicate<String>)

You can invoke RegexHttpMatcher.addHttpUrlWhitelist(Predicate<String>) to add whitelists to the existing whitelist. The input to the Predicate is the URL that was found and should be checked as whitelisted or not.

RegexPredicate.createWhitelist(InputStream)

The simplest way to add custom whitelist is to use RegexPredicate.createWhitelist(InputStream). The format of the InputStream is defined as:

  • Each line contains a regular expression that should be whitelisted

  • Lines can begin with // to create a comment within the file

  • Lines are trimmed for whitespace

  • Lines that are empty are ignored

For example:

// Ignore Maven XML Namespace id of http://maven.apache.org/POM/4.0.0
^http://maven\.apache\.org/POM/4.0.0$
// Whitelist Company XML namespace names but not the locations (which end in .xsd)
^http://mycompany.test/xml/.*(?<!\.(xsd))$
You can’t perform that action at this time.