contrib.nodejsscan.tls_node.node_tls_reject


Setting 'NODE_TLS_REJECT_UNAUTHORIZED' to 0 allows the Node.js process to accept self-signed certificates (certificate validation is disabled), which is not secure behaviour.


Definition

rules:
  - id: node_tls_reject
    # Flags assignments that set NODE_TLS_REJECT_UNAUTHORIZED to '0' on an env
    # object (in practice process.env). Node consults this variable for every
    # outbound TLS connection, so the assignment disables certificate
    # verification process-wide, not only for the request that follows it.
    patterns:
      - pattern-either:
          # Dot-property form.
          - pattern: |
              $X.env.NODE_TLS_REJECT_UNAUTHORIZED = '0'
          # Bracket form. The missing space before '=' does not matter:
          # Semgrep matches on the parsed syntax, not on whitespace.
          - pattern: |
              $X.env['NODE_TLS_REJECT_UNAUTHORIZED']= '0'
          # NOTE(review): the example file's double-quoted "0" is annotated as a
          # match (Semgrep treats JS string literals as quote-agnostic). A bare
          # numeric `= 0` presumably is not matched by either pattern, although
          # assigning to process.env coerces it to the same "0" string — verify
          # and add a pattern if so.
    message: Setting 'NODE_TLS_REJECT_UNAUTHORIZED' to 0 will allow node server to
      accept self signed certificates and is not a secure behaviour.
    languages:
      - javascript
    severity: ERROR
    metadata:
      # NOTE(review): the 2017 OWASP Top 10 labels this item A6:2017; the
      # two-digit form is the 2021 list's style, where Security Misconfiguration
      # is A05 — confirm which list is intended.
      owasp: A06:2017 - Security Misconfiguration
      cwe: "CWE-295: Improper Certificate Validation"
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]

Examples

tls_node.js

// API key for the Tortuga gateway. It is embedded here only because this
// file is a rule test fixture; production code should load credentials from
// configuration rather than keeping them in source.
var use_key = 'e0ee2bc6d1979f49c6437e27b06a0101';
var request = require('request');

// One function per Tortuga gateway API call; keeps the calls simple and shares the stored user key.

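/**
 * Thin client for the Tortuga gateway: one function per API call, each
 * authenticated with the module-level `use_key` sent as the `user_key`
 * query parameter (so the key appears in any URL logging along the way).
 *
 * Both methods set NODE_TLS_REJECT_UNAUTHORIZED to '0' before calling out,
 * which disables TLS certificate verification for the entire process. Those
 * lines are the `node_tls_reject` rule's positive test cases and stay as-is.
 */
module.exports = {

    /**
     * GET /v1/status and parse the JSON body.
     * @param {function(Error|null, Object=)} callback - invoked exactly once:
     *   with the transport or parse error, or with (null, parsedStatus).
     */
    'status': function (callback) {
        // ruleid:node_tls_reject
        process.env['NODE_TLS_REJECT_UNAUTHORIZED'] = '0';
        request.get('https://dev.app.idt.net/v1/status?user_key=' + use_key, function (err, response, body) {
            // Return here so the callback is not invoked a second time below
            // (and so JSON.parse is never handed an undefined body).
            if (err) {
                callback(err);
                return;
            }

            var status;
            try {
                status = JSON.parse(body);
            } catch (parseErr) {
                // A non-JSON body is reported like any other failure instead
                // of throwing out of the request callback.
                callback(parseErr);
                return;
            }
            callback(null, status);
        });
    },
    /**
     * POST /v1/charges with `json` as the request body.
     * @param {Object} json - charge payload, serialised as JSON by `request`.
     * @param {function(Error|null, Object=)} callback - invoked exactly once:
     *   with the transport error, or with (null, response).
     */
    'fund': function (json, callback) {
        // ruleid:node_tls_reject
        process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
        request.post({
            uri: 'https://dev.app.idt.net/v1/charges?user_key=' + use_key,
            json: json,
            method: 'POST'
        },
            function (err, response, body) {
                // Return after reporting the error so the callback fires once.
                if (err) {
                    callback(err);
                    return;
                }

                callback(null, response);
            });

    },
}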


// node-curl performs the upstream fetch; http serves the local listener.
var curl = require('node-curl');
var http = require('http');

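/**
 * Proxy-style server: appends the incoming request path to a fixed HTTPS
 * base and returns the upstream body verbatim.
 *
 * `request.url` is client-controlled and is forwarded without validation, so
 * the client decides which path on the upstream host is fetched; anything
 * deployed from this shape should allow-list the paths it proxies.
 * `SSL_VERIFYPEER: 0` turns off certificate checking for the upstream fetch;
 * it is the `node_curl_ssl_verify_disable` rule's positive test case and is
 * kept as-is.
 */
http.createServer(function (request, response) {

    var url = 'https://url' + request.url;

    console.log(url);


    // ruleid:node_curl_ssl_verify_disable
    curl(url,
        {
            SSL_VERIFYPEER: 0
        },
        function (err) {
            // On a failed upstream fetch there is no meaningful body to relay;
            // answer 502 instead of ending the response with undefined.
            if (err) {
                response.statusCode = 502;
                response.end();
                return;
            }
            // node-curl exposes the fetched body on the callback's `this`.
            response.end(this.body);
        });

}).listen(8000);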