ajinabraham.njsscan.database.sequelize_tls_validation.sequelize_tls_cert_validation
Author: ajinabraham
The Sequelize connection options disable TLS certificate validation for the database server (`dialectOptions.ssl.rejectUnauthorized: false`). This is equivalent to not having TLS at all: an attacker can present any invalid or self-signed certificate and Sequelize will still open the database connection, ignoring the certificate error. The connection is therefore susceptible to man-in-the-middle (MITM) attacks. Not applicable to SQLite, which reads a local file rather than a network socket.
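As an added example (not part of the njsscan rule or the Sequelize project), the weak configuration the rule matches is shown next to a hardened form, together with a small audit function that applies the rule's logic (a literal `rejectUnauthorized: false` on a mariadb/mysql/postgres dialect) to plain config objects. The hostname, database name and CA placeholder are assumptions; no connection is made, so the code runs without the `sequelize` package.

```javascript
// Added example, not code from the njsscan rule page or from Sequelize.
// Dialects that connect over a network socket; SQLite is excluded, as in the rule.
const NETWORK_DIALECTS = new Set(['mariadb', 'mysql', 'postgres']);

// Weak: TLS is negotiated, but any certificate is accepted, so a
// man-in-the-middle can terminate TLS with a self-signed cert and read or
// rewrite every query. This is the shape the njsscan pattern flags.
const weakConfig = {
  host: 'db.internal.example', // assumed hostname
  database: 'app',             // assumed database name
  dialect: 'postgres',
  dialectOptions: { ssl: { rejectUnauthorized: false } },
};

// Hardened: validate the server certificate against a pinned CA bundle.
// caPem is the PEM text of the CA that signed the database server's
// certificate; real code reads it from a file or a secret store.
function hardenedConfig(caPem) {
  return {
    host: 'db.internal.example',
    database: 'app',
    dialect: 'postgres',
    dialectOptions: { ssl: { rejectUnauthorized: true, ca: caPem } },
  };
}

// Returns a finding string when the config would let Sequelize talk to an
// unauthenticated server, or null when it is acceptable. The plaintext
// check goes slightly beyond the rule: a network dialect with no ssl block
// at all is just as exposed to an on-path attacker.
function auditSequelizeConfig(config) {
  const dialect = config.dialect;
  if (!NETWORK_DIALECTS.has(dialect)) return null; // e.g. sqlite: local file
  const ssl = config.dialectOptions && config.dialectOptions.ssl;
  if (!ssl || typeof ssl !== 'object') {
    return `${dialect}: no dialectOptions.ssl, connection is plaintext`;
  }
  if (ssl.rejectUnauthorized === false) {
    return `${dialect}: rejectUnauthorized=false disables certificate validation (CWE-295)`;
  }
  return null;
}

// Constructed placeholder, not a real certificate.
const SAMPLE_CA = '-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n';

console.log(auditSequelizeConfig(weakConfig));
console.log(auditSequelizeConfig(hardenedConfig(SAMPLE_CA)));
console.log(auditSequelizeConfig({ dialect: 'sqlite', storage: 'app.db' }));

module.exports = { weakConfig, hardenedConfig, auditSequelizeConfig, SAMPLE_CA };
```

Note that the njsscan pattern needs the `false` literal to appear inline in the options object; a value pulled from an environment variable or a `?ssl=` parameter in a connection URL is not matched by this rule, so the audit function above is a useful complement when configuration is assembled at runtime.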
Definition
rules:
  - id: sequelize_tls_cert_validation
    message: >
      The Sequelize connection options indicate that TLS certificate validation
      of the database server is disabled. This is equivalent to not having TLS. An
      attacker can present any invalid certificate and Sequelize will make the
      database connection ignoring certificate errors. This setting makes the
      connection susceptible to man-in-the-middle (MITM) attacks. Not applicable
      to SQLite databases.
    severity: ERROR
    languages:
      - javascript
    metadata:
      owasp-web: a6
      cwe: cwe-295
      license: LGPL-3.0-or-later
      vulnerability_class:
        - Other
    patterns:
      - pattern: |
          {
            host: $HOST,
            database: $DATABASE,
            dialect: $DIALECT,
            dialectOptions: {
              ssl: {
                rejectUnauthorized: false
              }
            }
          }
      - metavariable-regex:
          metavariable: $DIALECT
          regex: "['\"](mariadb|mysql|postgres)['\"]"
Short Link: https://sg.run/lAQ9