ajinabraham.njsscan.tls_node.node_tls_reject

profile photo of ajinabrahamajinabraham
Author
1,155
Download Count*
GPLv3
License

Setting 'NODE_TLS_REJECT_UNAUTHORIZED' to 0 will allow node server to accept self signed certificates and is not a secure behaviour.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: node_tls_reject
    patterns:
      - pattern-either:
          - pattern: |
              $X.env.NODE_TLS_REJECT_UNAUTHORIZED = '0'
          - pattern: |
              $X.env['NODE_TLS_REJECT_UNAUTHORIZED']= '0'
    message: Setting 'NODE_TLS_REJECT_UNAUTHORIZED' to 0 will allow node server to
      accept self signed certificates and is not a secure behaviour.
    languages:
      - javascript
    severity: ERROR
    metadata:
      owasp-web: a6
      cwe: cwe-295
      license: LGPL-3.0-or-later