go.lang.security.audit.crypto.insecure_ssh.avoid-ssh-insecure-ignore-host-key

Verifed by r2c
Community Favorite
profile photo of returntocorpreturntocorp
Author
124,504
Download Count*

Disabled host key verification detected. This allows man-in-the-middle attacks. Use the 'golang.org/x/crypto/ssh/knownhosts' package to do host key verification. See https://skarlso.github.io/2019/02/17/go-ssh-with-host-key-verification/ to learn more about the problem and how to fix it.

Run Locally

Run in CI

Defintion

rules:
  - id: avoid-ssh-insecure-ignore-host-key
    message: Disabled host key verification detected. This allows man-in-the-middle
      attacks. Use the 'golang.org/x/crypto/ssh/knownhosts' package to do host
      key verification. See
      https://skarlso.github.io/2019/02/17/go-ssh-with-host-key-verification/ to
      learn more about the problem and how to fix it.
    metadata:
      cwe: "CWE-322: Key Exchange without Entity Authentication"
      owasp: "A3: Sensitive Data Exposure"
      source-rule-url: https://github.com/securego/gosec
      references:
        - https://skarlso.github.io/2019/02/17/go-ssh-with-host-key-verification/
        - https://gist.github.com/Skarlso/34321a230cf0245018288686c9e70b2d
      category: security
      technology:
        - go
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - go
    severity: WARNING
    pattern: ssh.InsecureIgnoreHostKey()

Examples

insecure_ssh.go

package main

import (
	"golang.org/x/crypto/ssh"
)

func ok() {
	var publicKey *rsa.PublicKey

	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	publicKey = &privateKey.PublicKey
	hostKey, _ := ssh.NewPublicKey(publicKey)
	// ok: avoid-ssh-insecure-ignore-host-key
	_ = ssh.FixedHostKey(hostKey);
}

func main() {
	// ruleid: avoid-ssh-insecure-ignore-host-key
	_ = ssh.InsecureIgnoreHostKey()
}