Add query to find HTTP requests that disable SSL validation

Nick Rolfe
2021-09-29 12:53:57 +01:00
parent c50a6c180f
commit 1ce458fa33
29 changed files with 932 additions and 129 deletions

View File

@@ -0,0 +1,52 @@
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>
Certificate validation is the standard authentication method of a secure TLS
connection. Without it, there is no guarantee about who the other party of a TLS
connection is, making man-in-the-middle attacks more likely to occur.
</p>
<p>
When testing software that uses TLS connections, it may be useful to
disable the certificate validation temporarily. But disabling it in
production environments is strongly discouraged, unless an alternative
method of authentication is used.
</p>
</overview>
<recommendation>
<p>
Do not disable certificate validation for TLS connections.
</p>
</recommendation>
<example>
<p>
The following example shows an HTTPS connection that makes a GET request to a
remote server. But the connection is not secure since the
<code>verify_mode</code> option of the connection is set to
<code>OpenSSL::SSL::VERIFY_NONE</code>. As a consequence, anyone can impersonate
the remote server.
</p>
<sample src="examples/RequestWithoutValidation.rb"/>
<p>
To make the connection secure, the <code>verify_mode</code> option should have
its default value, or be explicitly set to
<code>OpenSSL::SSL::VERIFY_PEER</code>.
</p>
</example>
<references>
<li>Wikipedia: <a href="https://en.wikipedia.org/wiki/Transport_Layer_Security">Transport Layer Security (TLS)</a></li>
<li>Wikipedia: <a href="https://en.wikipedia.org/wiki/Man-in-the-middle_attack">Man-in-the-middle attack</a></li>
<li>Ruby-doc: <a href="https://ruby-doc.org/stdlib-3.0.2/libdoc/net/http/rdoc/Net/HTTP.html">Net::HTTP</a></li>
</references>
</qhelp>
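Review bot: the `<recommendation>` paragraph ("Do not disable certificate validation for TLS connections.") offers no alternative for the testing and self-signed-certificate situation that the `<overview>` itself raises, so readers who hit a certificate error are left with only the option the query flags; suggest adding a sentence that `Net::HTTP` already validates by default (`OpenSSL::SSL::VERIFY_PEER`) and that a private CA can be trusted by pointing the connection at it (`ca_file=` or `cert_store=`) instead of setting `verify_mode` to `VERIFY_NONE`. In the `<example>` paragraph, "the connection is not secure" is imprecise; "the connection is encrypted but the server is not authenticated" states the actual weakness and matches the man-in-the-middle framing used in the overview.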

View File

@@ -0,0 +1,20 @@
/**
* @name Request without certificate validation
* @description Making a request without certificate validation can allow
* man-in-the-middle attacks.
* @kind problem
* @problem.severity warning
* @security-severity 7.5
* @precision medium
* @id rb/request-without-cert-validation
* @tags security
* external/cwe/cwe-295
*/
import ruby
import codeql.ruby.Concepts
import codeql.ruby.DataFlow
from HTTP::Client::Request request, DataFlow::Node disablingNode
where request.disablesCertificateValidation(disablingNode)
select request, "This request $@.", disablingNode, "does not validate certificates"
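Review bot: the `where` clause `request.disablesCertificateValidation(disablingNode)` carries no exclusion for test code, while the accompanying qhelp explicitly describes temporarily disabling validation under test as acceptable; at `@precision medium` this means every test fixture that sets `VERIFY_NONE` will be reported as a finding. Suggest either filtering out results whose location is in test code, or stating in `@description` that test code is intentionally included so triagers know the alerts are expected. Minor style point: a blank line between the closing `*/` of the metadata block and `import ruby` separates metadata from code and makes the header easier to scan.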

View File

@@ -0,0 +1,9 @@
require "net/https"
require "uri"
uri = URI.parse "https://example.com/"
http = Net::HTTP.new uri.host, uri.port
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
request = Net::HTTP::Get.new uri.request_uri
puts http.request(request).body
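Review bot: `require "net/https"` on the first line is the legacy entry point; `require "net/http"` is sufficient, since setting `use_ssl = true` loads OpenSSL on demand, and it matches the `Net::HTTP` documentation that the qhelp links to. Also, this sample shows only the vulnerable form (`http.verify_mode = OpenSSL::SSL::VERIFY_NONE`), while the qhelp `<example>` prose describes the fix in words only; suggest adding a companion fixed sample (same request with `verify_mode` left at its default or set to `OpenSSL::SSL::VERIFY_PEER`) and referencing it from the qhelp so readers see both variants side by side.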