Skip to main content

Cleartext Transmission of Sensitive Information in the imaplib Module

PY008
cleartext_transmission
CWE-319
⛔️ Error

The Python module imaplib provides a number of functions for accessing IMAP servers. However, the default behavior of the module does not provide utilize secure connections. This means that data transmitted over the network, including passwords, is sent in cleartext. This makes it possible for attackers to intercept and read this data.

The Python module imaplib should only in a secure mannner to protect sensitive data when accessing IMAP servers.

Example

import getpass
import imaplib


M = imaplib.IMAP4()
M.login(getpass.getuser(), getpass.getpass())
M.select()
typ, data = M.search(None, 'ALL')
for num in data[0].split():
    typ, data = M.fetch(num, '(RFC822)')
    print('Message %s\n%s\n' % (num, data[0][1]))
M.close()
M.logout()

Remediation

If the IMAP protocol must be used and sensitive data will be transferred, it is recommended to secure the connection using IMAP4_SSL class. Alternatively, the starttls function can be used to enter a secure session.

import getpass
import imaplib


M = imaplib.IMAP4_SSL()
M.login(getpass.getuser(), getpass.getpass())
M.select()
typ, data = M.search(None, 'ALL')
for num in data[0].split():
    typ, data = M.fetch(num, '(RFC822)')
    print('Message %s\n%s\n' % (num, data[0][1]))
M.close()
M.logout()

False Positives

In the case of a false positive the rule can be suppressed. Simply add a trailing or preceding comment line with either the rule ID (PY008) or rule category name (cleartext_transmission).

Fix Iconfix
import getpass
import imaplib


# suppress: PY008
M = imaplib.IMAP4()
# suppress: PY008
M.login(getpass.getuser(), getpass.getpass())
M.select()
typ, data = M.search(None, 'ALL')
for num in data[0].split():
    typ, data = M.fetch(num, '(RFC822)')
    print('Message %s\n%s\n' % (num, data[0][1]))
M.close()
M.logout()

See also

info
Last updated on