Replaced deprecated and insecure Apache HTTP client
pixee:java/replace-apache-defaulthttpclient
| Importance | Review Guidance | Requires Scanning Tool |
|---|---|---|
| MEDIUM | Merge After Cursory Review | No |
This change replaces every use of the deprecated `DefaultHttpClient` from Apache's HTTP client library with a client built through `HttpClientBuilder` from the same library.
`DefaultHttpClient`, constructed with its default constructor, relies on the library's legacy SSL socket configuration and does not support TLS 1.2. In practice that means two things: servers that require TLS 1.2 or newer refuse the handshake (see the IBM reference below), and servers that still accept older protocols are reached over weaker ones than the JVM could otherwise negotiate (CWE-326). The builder-based client uses the JVM's current TLS defaults, and `useSystemProperties()` additionally makes it honor the standard `https.protocols`, proxy, and key/trust store system properties.
Our changes look something like this:
- HttpClient client = new DefaultHttpClient();
+ HttpClient client = HttpClientBuilder.create().useSystemProperties().build();
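Review bot: the `+` line is a behavioral change beyond TLS, not a drop-in swap: `useSystemProperties()` makes the new client honor the `http.proxyHost`/`https.proxyHost`, `https.protocols`, and `javax.net.ssl.trustStore` JVM properties, which `new DefaultHttpClient()` ignored, so environments that set those properties will route and authenticate differently after the change. The replacement also needs `import org.apache.http.impl.client.HttpClientBuilder;` added, and where the original variable was declared as `DefaultHttpClient` (rather than `HttpClient` as shown here) or the code calls `DefaultHttpClient`-only methods such as `setParams(...)`, the declaration must be widened to `HttpClient` and that configuration moved onto the builder (`setDefaultRequestConfig`, `setDefaultCredentialsProvider`, and so on) or the code will not compile.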
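The following is an added example written for this page; it is not Pixee's codemod output and not Apache's code. It shows the codemod's replacement alongside a stricter variant that a reviewer might prefer: the builder-based client with the handshake pinned to TLS 1.2/1.3 and request timeouts set, while keeping the JVM's default trust material and hostname verification. It assumes Apache HttpClient 4.4 or later (`org.apache.httpcomponents:httpclient`) on the classpath; the class name `HardenedHttpClientFactory` and the timeout values are illustrative choices, not anything the codemod emits.

```java
// Added example (not Pixee's or Apache's code). Assumes Apache HttpClient 4.4+.
import org.apache.http.client.config.RequestConfig;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.ssl.SSLContexts;

import javax.net.ssl.SSLContext;

public final class HardenedHttpClientFactory {

    private HardenedHttpClientFactory() {}

    // Before (what the codemod removes): TLS settings come from the library's
    // legacy socket factory and cannot be raised to TLS 1.2.
    //   HttpClient client = new DefaultHttpClient();

    // After, exactly as the codemod rewrites it. useSystemProperties() makes the
    // client honor https.protocols, javax.net.ssl.trustStore and the
    // http(s).proxyHost family of JVM properties.
    public static CloseableHttpClient codemodEquivalent() {
        return HttpClientBuilder.create().useSystemProperties().build();
    }

    // Stricter variant: restrict the handshake to TLS 1.2 and 1.3 explicitly.
    // Because the socket factory is supplied here, a weak https.protocols
    // system property (e.g. "TLSv1") can no longer reintroduce an old protocol;
    // proxy and trust store properties are still honored via useSystemProperties().
    public static CloseableHttpClient tls12OrBetter() {
        // JVM default trust store and key material, no custom TrustManager.
        SSLContext ctx = SSLContexts.createSystemDefault();

        // On JVMs without TLS 1.3 (Java 8 before 8u261), drop "TLSv1.3" here or
        // the socket factory throws IllegalArgumentException on first connect.
        SSLConnectionSocketFactory sslSocketFactory = new SSLConnectionSocketFactory(
                ctx,
                new String[] {"TLSv1.2", "TLSv1.3"},   // enabled protocols
                null,                                   // JVM default cipher suites
                SSLConnectionSocketFactory.getDefaultHostnameVerifier());

        // Illustrative timeouts (milliseconds); DefaultHttpClient had none by default,
        // which lets a slow or malicious peer hold a thread indefinitely.
        RequestConfig timeouts = RequestConfig.custom()
                .setConnectTimeout(5_000)
                .setSocketTimeout(15_000)
                .setConnectionRequestTimeout(5_000)
                .build();

        return HttpClientBuilder.create()
                .useSystemProperties()
                .setSSLSocketFactory(sslSocketFactory)
                .setDefaultRequestConfig(timeouts)
                .build();
    }
}
```

Use it as `try (CloseableHttpClient client = HardenedHttpClientFactory.tls12OrBetter()) { ... }` so the connection manager is released. The design choice worth noting is that `setSSLSocketFactory(...)` takes precedence over the protocol list derived from `https.protocols` when `useSystemProperties()` is set, so the protocol floor is enforced in code rather than left to deployment configuration, while trust and proxy settings remain configurable from the environment.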
References
- https://find-sec-bugs.github.io/bugs.htm#DEFAULT_HTTP_CLIENT
- https://www.ibm.com/support/pages/im-using-apache-httpclient-make-outbound-call-my-web-application-running-websphere-application-server-traditional-and-im-getting-ssl-handshake-error-how-can-i-debug
- https://cwe.mitre.org/data/definitions/326.html