[False Positive] HTTP request to localhost
Rule ID
What the rule matched
let resp = client
    .get("http://127.0.0.1:8080/infra/ready")
Why should this not be matched?
I believe the guidance in DS137138 is overly prescriptive. DS440000 is a bit more nuanced:
TLS Everywhere is a moniker that really means “encrypt all network traffic whenever it crosses a trust boundary”. A trust boundary is just a fancy phrase meaning, “where you trust one side differently than the other”. However, like all things, there’s some grey area in here. … Scenarios where you almost certainly don’t cross a trust boundary include:
- Connecting to a service running on the same operating system.
I think this rule shouldn’t match if the request is to localhost or 127.0.0.1.
In terms of motivation for why we’re doing non-TLS requests to localhost: this endpoint is exposed to be used for Kubernetes health probes, described at Configure Liveness, Readiness and Startup Probes#HTTP Probes. These are expected to be HTTP, and even with TLS it skips certificate verification so adding TLS doesn’t add any value:
For an HTTP probe, the kubelet sends an HTTP request to the specified path and port to perform the check. The kubelet sends the probe to the pod’s IP address, unless the address is overridden by the optional host field in httpGet. If scheme field is set to HTTPS, the kubelet sends an HTTPS request skipping the certificate verification.
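As an added example (not DevSkim’s own rule logic or the fix in #470), this is a loopback-aware version of the check the issue asks for: cleartext http:// URL literals are reported unless the host is localhost or a loopback address, so the Kubernetes readiness probe above is allowed while an external plaintext call is still flagged. The URL regex and the sample source lines are constructed here.

```python
"""Loopback-aware check for cleartext http:// URL literals in source text."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed approximation of what a DS137138-style rule matches:
# a double-quoted string literal that starts with http://
_HTTP_URL = re.compile(r'"(http://[^"\s]+)"')


def is_loopback_host(host: str) -> bool:
    """True when the host stays on the same operating system.

    Covers 'localhost' and the RFC 6761 '.localhost' zone, the whole
    127.0.0.0/8 range and IPv6 ::1. Anything unparseable is treated as
    remote, so the check fails closed.
    """
    host = host.strip("[]").lower()  # tolerate a bracketed IPv6 literal
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def findings(source: str) -> list[str]:
    """Return the http:// URLs in `source` that cross a trust boundary."""
    hits = []
    for url in _HTTP_URL.findall(source):
        host = urlsplit(url).hostname  # None for malformed authorities
        if host is None or not is_loopback_host(host):
            hits.append(url)
    return hits


# Constructed sample: the probe call from the issue, an IPv6 loopback
# variant, and one plaintext call to an external service.
SAMPLE_SOURCE = '''
let resp = client.get("http://127.0.0.1:8080/infra/ready").send()?;
let probe6 = client.get("http://[::1]:8080/infra/ready").send()?;
let upstream = client.get("http://api.example.com/v1/users").send()?;
'''

if __name__ == "__main__":
    for url in findings(SAMPLE_SOURCE):
        print("cleartext HTTP across a trust boundary:", url)
```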
Issue Analytics
- Created 6 months ago
- Comments: 10 (7 by maintainers)
Top GitHub Comments
Fix is developed in #470, to be merged pending pipeline issues being resolved.
@caendesilva Apologies. It looks like the earlier fix depended on a code fix that had not been backported to 0.7. I’m working on porting that change now and hopefully will have an update soon.