Cleartext Transmission of Sensitive Information in the ftplib Module

PY003

cleartext_transmission

CWE-319

⚠️ Warning or ⛔️ Error

---

The Python module ftplib provides a number of functions for accessing FTP servers. However, the module does not provide any security features. This means that data transmitted over the network, including passwords, is sent in cleartext. This makes it possible for attackers to intercept and read this data.

The Python module ftplib should not be used for accessing FTP servers that contain sensitive data. There are a number of alternatives to ftplib that provide security features. These alternatives should be used instead of ftplib for accessing sensitive data.

Examples

ftplib.FTP

from ftplib import FTP


ftp = FTP("ftp.us.debian.org")
ftp.login()

ftp.cwd("debian")
ftp.retrlines("LIST")

ftp.quit()

ftplib.FTP.login

import ftplib


ftp = ftplib.FTP("ftp.us.debian.org")
ftp.login("user", "password")

ftp.cwd("debian")
ftp.retrlines("LIST")

ftp.quit()

Remediation

If the FTP protocol must be used and sensitive data will be transferred, it is recommended to secure the connection using FTP_TLS class. It's also important to call prot_p() to secure the data connection.

import ftplib


ftp = ftplib.FTP_TLS("ftp.us.debian.org")
ftp.login("user", "password")
ftp.prot_p()

ftp.cwd("debian")
ftp.retrlines("LIST")

ftp.quit()

Alternatives to ftplib

There are a number of alternatives to ftplib that provide security features. These alternatives include:

• Paramiko is a Python module that provides secure access to SSH and SFTP servers. Paramiko uses encryption to protect data transmitted over the network.

• Twisted is a Python framework that provides a number of network protocols, including SSH. Twisted can be used to create secure SFTP clients and servers.

False Positives

In the case of a false positive the rule can be suppressed. Simply add a trailing or preceding comment line with either the rule ID (PY003) or rule category name (cleartext_transmission).

Using rule ID

fix

from ftplib import FTP


# suppress: PY003
ftp = FTP("ftp.us.debian.org")
ftp.login()

ftp.cwd("debian")
ftp.retrlines("LIST")

ftp.quit()

Using category name

fix

from ftplib import FTP


# suppress: cleartext_transmission
ftp = FTP("ftp.us.debian.org")
ftp.login()

ftp.cwd("debian")
ftp.retrlines("LIST")

ftp.quit()

See also

info

• ftplib — FTP protocol client
• CWE-319: Cleartext Transmission of Sensitive Information
• Paramiko
• Twisted