Rust: Add qhelp and examples (translated from Go, by Copilot).

Geoffrey White
2025-11-12 16:50:50 +00:00
parent c77eef39e2
commit bb78fdf150
3 changed files with 70 additions and 0 deletions

@@ -0,0 +1,39 @@
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>
In Rust, the <code>danger_accept_invalid_certs</code> and <code>danger_accept_invalid_hostnames</code> options on TLS connectors and HTTP clients control whether certificate and hostname verification are performed. If set to <code>true</code>, the client will accept any certificate and any host name, making it susceptible to man-in-the-middle attacks.
</p>
</overview>
<recommendation>
<p>
Do not set <code>danger_accept_invalid_certs</code> or <code>danger_accept_invalid_hostnames</code> to <code>true</code> except in tests or controlled environments. In production, always ensure certificate and hostname verification are enabled to prevent security risks.
</p>
</recommendation>
<example>
<p>
The following code snippet shows a function that creates a TLS or HTTP client with certificate verification disabled:
</p>
<sample src="DisabledCertificateCheckBad.rs"/>
<p>
While this may be acceptable in a test, it should not be used in production code. Instead, always configure clients to verify certificates and hostnames:
</p>
<sample src="DisabledCertificateCheckGood.rs"/>
</example>
<references>
<li>
Rust native-tls crate: <a href="https://docs.rs/native-tls/latest/native_tls/struct.TlsConnectorBuilder.html">TlsConnectorBuilder</a>.
</li>
<li>
Rust reqwest crate: <a href="https://docs.rs/reqwest/latest/reqwest/struct.ClientBuilder.html">ClientBuilder</a>.
</li>
<li>
Mozilla: <a href="https://infosec.mozilla.org/guidelines/web_security#https">Web Security Guidelines: HTTPS</a>.
</li>
</references>
</qhelp>
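
Review bot: the overview sentence "If set to true, the client will accept any certificate and any host name" treats the two options as a single setting. Say separately that danger_accept_invalid_certs turns off certificate validation and danger_accept_invalid_hostnames turns off hostname verification, so a reader whose code sets only one of them knows which check is missing. In the example section, "shows a function that creates a TLS or HTTP client" should also be reworded to match the sample, which builds both a native_tls connector and a reqwest client.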

@@ -0,0 +1,13 @@
// BAD: Disabling certificate validation in Rust
// Using native_tls
let _client = native_tls::TlsConnector::builder()
.danger_accept_invalid_certs(true) // disables certificate validation
.build()
.unwrap();
// Using reqwest
let _client = reqwest::Client::builder()
.danger_accept_invalid_certs(true) // disables certificate validation
.build()
.unwrap();
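
Review bot: the sample only shows danger_accept_invalid_certs(true), while the qhelp overview and recommendation also name danger_accept_invalid_hostnames, so that option has no BAD example. Add a builder chain that sets danger_accept_invalid_hostnames(true) with a comment saying it disables hostname verification. The two bindings also share the name _client and no enclosing fn is visible, although the qhelp text describes "a function"; wrapping the statements in a function with distinct binding names would make the sample match its description.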

@@ -0,0 +1,18 @@
// GOOD: Certificate validation is enabled (default)
// Using native_tls
let _client = native_tls::TlsConnector::builder()
.danger_accept_invalid_certs(false) // certificate validation enabled
.build()
.unwrap();
// Using reqwest
let _client = reqwest::Client::builder()
.danger_accept_invalid_certs(false) // certificate validation enabled
.build()
.unwrap();
// Or simply use the default builder (safe)
let _client = native_tls::TlsConnector::builder()
.build()
.unwrap();
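
Review bot: the first two GOOD cases still call danger_accept_invalid_certs(false), which the comment on the first line says is already the default. Lead with the plain builder().build() form and present the explicit false only as an alternative, since the fix the qhelp recommends is to keep verification enabled, and dropping the danger_ call leaves nothing for a later edit to flip to true. The comment "certificate validation enabled" could also say "(default)" on those lines so the redundancy is clear to readers who copy the sample.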