fix(security): harden curl commands with explicit TLS protocol enforcement

rmottanet · rmottanet · commit 2e2e753a5083 · 2026-01-26T21:14:56.000-03:00
- Replaced basic `curl -sSL` with secure configuration: `curl --proto "=https" --tlsv1.2 -sSf -L`
- Added explicit HTTPS-only protocol enforcement (`--proto "=https"`)
- Enforced TLS 1.2 minimum version for modern encryption
- Used `-sS` (silent but show errors) instead of `-sSL` for better error visibility
- Maintained redirect following (`-L`) functionality securely

This addresses SonarCloud security vulnerabilities:
- S5332: Not enforcing HTTPS might allow insecure redirects
- S6506: Allowing downgrades to clear-text protocol is security-sensitive
- Provides defense against SSL stripping and protocol downgrade attacks

Security improvements:
1. Prevents fallback to insecure HTTP via `--proto "=https"`
2. Enforces modern TLS 1.2+ encryption
3. Maintains security while preserving redirect functionality
4. Better error reporting with `-S` flag for debugging
diff --git a/src/bitbucket/bb-pr-create.sh b/src/bitbucket/bb-pr-create.sh
@@ -56,7 +56,7 @@ function create_bitbucket_pullrequest() {
     endpoint="$(build_bb_endpoint "PR" "$WORKSPACE" "$REPO")"
     
     # Create the repository using curl
-    response=$(curl -sSL -X POST "$endpoint" \
+    response=$(curl --proto "=https" --tlsv1.2 -sSf -L -X POST "$endpoint" \
         -H "$BITBUCKET_AUTH" \
         -H 'Accept: application/json' \
         -H 'Content-Type: application/json' \
diff --git a/src/bitbucket/bb-pr-merge.sh b/src/bitbucket/bb-pr-merge.sh
@@ -57,7 +57,7 @@ function create_bitbucket_pullrequest() {
     endpoint="$endpoint/$pr/merge"
     
     # Create the repository using curl
-    response=$(curl -sSL -X POST "$endpoint" \
+    response=$(curl --proto "=https" --tlsv1.2 -sSf -L -X POST "$endpoint" \
         -H "$BITBUCKET_AUTH" \
         -H 'Accept: application/json' \
         -H 'Content-Type: application/json' \
diff --git a/src/bitbucket/bb-pr-update.sh b/src/bitbucket/bb-pr-update.sh
@@ -68,7 +68,7 @@ function update_bitbucket_pullrequest() {
     endpoint="$pr_endpoint/$pr"
        
     # Create the repository using curl
-    response=$(curl -sSL -X PUT "$endpoint" \
+    response=$(curl --proto "=https" --tlsv1.2 -sSf -L -X PUT "$endpoint" \
         -H "$BITBUCKET_AUTH" \
         -H 'Accept: application/json' \
         -H 'Content-Type: application/json' \
diff --git a/src/bitbucket/bb-repo-create.sh b/src/bitbucket/bb-repo-create.sh
@@ -48,7 +48,7 @@ function create_bitbucket_repo() {
     endpoint="https://api.bitbucket.org/2.0/repositories/$WORKSPACE/$REPO"
     
     # Create Bitbucket repository
-    response=$(curl -sSL -X POST "$endpoint" \
+    response=$(curl --proto "=https" --tlsv1.2 -sSf -L -X POST "$endpoint" \
         -H "$BITBUCKET_AUTH" \
         -H 'Accept: application/json' \
         -H 'Content-Type: application/json' \
diff --git a/src/bitbucket/bb-repo-delete.sh b/src/bitbucket/bb-repo-delete.sh
@@ -37,7 +37,7 @@ function delete_bitbucket_repo() {
     
     if [[ $confirmation =~ ^[Yy]$ ]]; then
         # Delete the repository
-        response=$(curl -sSL -X DELETE "$endpoint" \
+        response=$(curl --proto "=https" --tlsv1.2 -sSf -L -X DELETE "$endpoint" \
         -H "$BITBUCKET_AUTH" )
 
         # Check if there are errors
diff --git a/src/bitbucket/bb-repo-edit.sh b/src/bitbucket/bb-repo-edit.sh
@@ -46,7 +46,7 @@ function edit_bitbucket_repo() {
     endpoint="https://api.bitbucket.org/2.0/repositories/$WORKSPACE/$REPO"
 
     # Edit Bitbucket repository
-    response=$(curl -sSL -X PUT "$endpoint" \
+    response=$(curl --proto "=https" --tlsv1.2 -sSf -L -X PUT "$endpoint" \
         -H "$BITBUCKET_AUTH" \
         -H 'Accept: application/json' \
         -H 'Content-Type: application/json' \
diff --git a/src/github/gh-notification-delete.sh b/src/github/gh-notification-delete.sh
@@ -29,7 +29,7 @@ function delete_github_notifications() {
     endpoint="https://api.github.com/notifications/threads/$NOTIFICATION_ID"
 
     # Delete notifications
-    response=$(curl -sSL -X DELETE "$endpoint" \
+    response=$(curl --proto "=https" --tlsv1.2 -sSf -L -X DELETE "$endpoint" \
         -H "Accept: application/vnd.github+json" \
         -H "Authorization: Bearer $GITHUB_TOKEN" \
         -H "X-GitHub-Api-Version: 2022-11-28" )
diff --git a/src/github/gh-notification-list.sh b/src/github/gh-notification-list.sh
@@ -20,7 +20,7 @@ function list_github_notifications() {
     endpoint="https://api.github.com/notifications"
 
     # Get notifications
-    response=$(curl -sSL "$endpoint" \
+    response=$(curl --proto "=https" --tlsv1.2 -sSf -L "$endpoint" \
         -H "Accept: application/vnd.github+json" \
         -H "Authorization: Bearer $GITHUB_TOKEN" \
         -H "X-GitHub-Api-Version: 2022-11-28" )
diff --git a/src/github/gh-pr-create.sh b/src/github/gh-pr-create.sh
@@ -49,7 +49,7 @@ function create_github_pullrequest() {
     endpoint="$(build_gh_endpoint "PR" "$OWNER" "$REPO")"
     
     # Create the repository using curl
-    response=$(curl -sSL -X POST "$endpoint" \
+    response=$(curl --proto "=https" --tlsv1.2 -sSf -L -X POST "$endpoint" \
         -H "Accept: application/vnd.github+json" \
         -H "Authorization: Bearer $GITHUB_TOKEN" \
         -H "X-GitHub-Api-Version: 2022-11-28" \
diff --git a/src/github/gh-pr-merge.sh b/src/github/gh-pr-merge.sh
@@ -55,7 +55,7 @@ function merge_github_pullrequest() {
     endpoint="$pr_endpoint/$pr/merge"
     
     # Create the repository using curl
-    response=$(curl -sSL -X PUT "$endpoint" \
+    response=$(curl --proto "=https" --tlsv1.2 -sSf -L -X PUT "$endpoint" \
         -H "Accept: application/vnd.github+json" \
         -H "Authorization: Bearer $GITHUB_TOKEN" \
         -H "X-GitHub-Api-Version: 2022-11-28" \
diff --git a/src/github/gh-pr-update.sh b/src/github/gh-pr-update.sh
@@ -58,7 +58,7 @@ function update_github_pullrequest() {
     endpoint="$pr_endpoint/$pr"
     
     # Create the repository using curl
-    response=$(curl -sSL -X PATCH "$endpoint" \
+    response=$(curl --proto "=https" --tlsv1.2 -sSf -L -X PATCH "$endpoint" \
         -H "Accept: application/vnd.github+json" \
         -H "Authorization: Bearer $GITHUB_TOKEN" \
         -H "X-GitHub-Api-Version: 2022-11-28" \
diff --git a/src/github/gh-repo-create.sh b/src/github/gh-repo-create.sh
@@ -23,7 +23,7 @@ function create_github_repo() {
     endpoint="https://api.github.com/user/repos"
     
     # Create the repository using curl
-    response=$(curl -sSL -X POST "$endpoint" \
+    response=$(curl --proto "=https" --tlsv1.2 -sSf -L -X POST "$endpoint" \
         -H "Accept: application/vnd.github+json" \
         -H "Authorization: Bearer $GITHUB_TOKEN" \
         -H "X-GitHub-Api-Version: 2022-11-28" \
diff --git a/src/github/gh-repo-delete.sh b/src/github/gh-repo-delete.sh
@@ -33,7 +33,7 @@ function delete_github_repo() {
     
     if [[ $confirmation =~ ^[Yy]$ ]]; then
         # Delete the repository using curl
-        response=$(curl -sSL -X DELETE "$endpoint" \
+        response=$(curl --proto "=https" --tlsv1.2 -sSf -L -X DELETE "$endpoint" \
             -H "Accept: application/vnd.github+json" \
             -H "Authorization: Bearer $GITHUB_TOKEN" \
             -H "X-GitHub-Api-Version: 2022-11-28" )
diff --git a/src/github/gh-repo-edit.sh b/src/github/gh-repo-edit.sh
@@ -42,7 +42,7 @@ function edit_github_repo() {
     endpoint="https://api.github.com/repos/$OWNER/$REPO"
     
     # Edit the repository using curl
-    response=$(curl -sSL -X PATCH "$endpoint" \
+    response=$(curl --proto "=https" --tlsv1.2 -sSf -L -X PATCH "$endpoint" \
         -H "Accept: application/vnd.github+json" \
         -H "Authorization: Bearer $GITHUB_TOKEN" \
         -H "X-GitHub-Api-Version: 2022-11-28" \
diff --git a/src/github/gh-repo-list.sh b/src/github/gh-repo-list.sh
@@ -19,17 +19,17 @@ function list_github_repo() {
     
     # Get all repositories
     while [ "$endpoint" ]; do
-        repos=$(curl -sSL -H "Authorization: token $GITHUB_TOKEN" "$endpoint")
+        repos=$(curl --proto "=https" --tlsv1.2 -sSf -L -H "Authorization: token $GITHUB_TOKEN" "$endpoint")
         echo "$repos" >> "$tmp_file"
         
         # Iterate through each repository in the response
         for repo_url in $(echo "$repos" | jq -r '.[].url'); do
-            response=$(curl -sSL -H "Authorization: token $GITHUB_TOKEN" "$repo_url")
+            response=$(curl --proto "=https" --tlsv1.2 -sSf -L -H "Authorization: token $GITHUB_TOKEN" "$repo_url")
             echo "$response" >> "$tmp_file"
         done
         
         # Check for more pages
-        endpoint=$(curl -sSL -I -H "Authorization: token $GITHUB_TOKEN" "$endpoint" | grep -i '^link:' | sed -n 's/.*<\(.*\)>; rel="next".*/\1/p')
+        endpoint=$(curl --proto "=https" --tlsv1.2 -sSf -L -I -H "Authorization: token $GITHUB_TOKEN" "$endpoint" | grep -i '^link:' | sed -n 's/.*<\(.*\)>; rel="next".*/\1/p')
     done
     
     less "$tmp_file"                                    
diff --git a/src/github/gh-search-repo.sh b/src/github/gh-search-repo.sh
@@ -18,7 +18,7 @@ function search_github_repo() {
     # Construct API Endpoint
     endpoint="https://api.github.com/search/repositories?q=$QUERY"
 
-    response=$(curl -s "$endpoint" \
+    response=$(curl --proto "=https" --tlsv1.2 -sSf -L "$endpoint" \
         -H "Accept: application/vnd.github+json" \
         -H "Authorization: Bearer $GITHUB_TOKEN" \
         -H "X-GitHub-Api-Version: 2022-11-28" \
diff --git a/src/gitlab/gl-pr-create.sh b/src/gitlab/gl-pr-create.sh
@@ -52,7 +52,7 @@ function create_gitlab_pullrequest() {
     endpoint="$(build_gl_endpoint "PR" "$OWNER" "$REPO")"
     
     # Create the repository using curl
-    response=$(curl -sSL -X POST "$endpoint" \
+    response=$(curl --proto "=https" --tlsv1.2 -sSf -L -X POST "$endpoint" \
         -H "Content-Type: application/json" \
         -H "Authorization: Bearer $GITLAB_TOKEN" \
         -d "$payload" )
diff --git a/src/gitlab/gl-pr-merge.sh b/src/gitlab/gl-pr-merge.sh
@@ -51,7 +51,7 @@ function merge_gitlab_pullrequest() {
     endpoint="$pr_endpoint/$pr/merge"
     
     # Create the repository using curl
-    response=$(curl -sSL -X PUT "$endpoint" \
+    response=$(curl --proto "=https" --tlsv1.2 -sSf -L -X PUT "$endpoint" \
         -H "Content-Type: application/json" \
         -H "Authorization: Bearer $GITLAB_TOKEN" \
         -d "$payload" )
diff --git a/src/gitlab/gl-pr-update.sh b/src/gitlab/gl-pr-update.sh
@@ -56,7 +56,7 @@ function update_gitlab_pullrequest() {
     endpoint="$pr_endpoint/$pr"
     
     # Create the repository using curl
-    response=$(curl -sSL -X PATCH "$endpoint" \
+    response=$(curl --proto "=https" --tlsv1.2 -sSf -L -X PATCH "$endpoint" \
         -H "Content-Type: application/json" \
         -H "Authorization: Bearer $GITLAB_TOKEN" \
         -d "$payload" )
diff --git a/src/gitlab/gl-repo-create.sh b/src/gitlab/gl-repo-create.sh
@@ -23,7 +23,7 @@ function create_gitlab_repo() {
     endpoint="https://gitlab.com/api/v4/projects"
     
     # Create GitLab repository using curl
-    response=$(curl -sSL -X POST "$endpoint" \
+    response=$(curl --proto "=https" --tlsv1.2 -sSf -L -X POST "$endpoint" \
         -H "Authorization: Bearer $GITLAB_TOKEN" \
         -H "Content-Type: application/json" \
         -d "$payload" )
diff --git a/src/gitlab/gl-repo-delete.sh b/src/gitlab/gl-repo-delete.sh
@@ -34,7 +34,7 @@ function delete_gitlab_repo() {
     
     if [[ $confirmation =~ ^[Yy]$ ]]; then
         # Delete the repository using curl
-        response=$(curl -sSL -X DELETE "$endpoint" \
+        response=$(curl --proto "=https" --tlsv1.2 -sSf -L -X DELETE "$endpoint" \
             -H "Authorization: Bearer $GITLAB_TOKEN" )
 
         echo "$response" | jq -r '.message'
diff --git a/src/gitlab/gl-repo-edit.sh b/src/gitlab/gl-repo-edit.sh
@@ -43,7 +43,7 @@ function edit_gitlab_repo() {
     endpoint="https://gitlab.com/api/v4/projects/$OWNER$SLASH_ENCODED$REPO"
         
     # Edit GitLab repository using curl
-    response=$(curl -sSL -X PUT "$endpoint" \
+    response=$(curl --proto "=https" --tlsv1.2 -sSf -L -X PUT "$endpoint" \
         -H "Authorization: Bearer $GITLAB_TOKEN" \
         -H "Content-Type: application/json" \
         -d "$payload" )
diff --git a/src/gitlab/gl-search-repo.sh b/src/gitlab/gl-search-repo.sh
@@ -20,7 +20,7 @@ function search_gitlab_repo() {
     endpoint="https://gitlab.com/api/v4/search?scope=projects&search=$QUERY"
 
     # CURL and jq
-    response=$(curl -s "$endpoint" \
+    response=$(curl --proto "=https" --tlsv1.2 -sSf -L "$endpoint" \
         -H "Content-Type: application/json" \
         -H "Authorization: Bearer $GITLAB_TOKEN" \
         | jq -r '.[] | "Name: \(.name), Description: \(.description), Web URL: \(.web_url)"' )
diff --git a/src/utils/down_gitignore.sh b/src/utils/down_gitignore.sh
@@ -22,7 +22,7 @@ function download_gitignore() {
     gitignore_url="https://gitlab.com/api/v4/templates/gitignores/$language_name"
     
     # Download `.gitignore` file
-    curl -sSL "$gitignore_url" | jq -r '.content' > .gitignore
+    curl --proto "=https" --tlsv1.2 -sSf -L "$gitignore_url" | jq -r '.content' > .gitignore
 }
 
 
diff --git a/src/utils/down_license.sh b/src/utils/down_license.sh
@@ -28,7 +28,7 @@ function download_license() {
     license_url="https://gitlab.com/api/v4/templates/licenses/$license_key?project=$repo_name&fullname=$license_holder"
     
     # Download `LICENSE` file 
-    curl -sSL "$license_url" | jq -r '.content' > LICENSE
+    curl --proto "=https" --tlsv1.2 -sSf -L "$license_url" | jq -r '.content' > LICENSE
 }
 
 
