javascript.sequelize.security.audit.sequelize-tls-disabled-cert-validation.sequelize-tls-disabled-cert-validation
semgrep
Author
4,562
Download Count*
License
Set "rejectUnauthorized" to false is a convenient way to resolve certificate error. But this method is unsafe because it disables the server certificate verification, making the Node app open to MITM attack. "rejectUnauthorized" option must be alway set to True (default value). With self -signed certificate or custom CA, use "ca" option to define Root Certificate. This rule checks TLS configuration only for Postgresql, MariaDB and MySQL. SQLite is not really concerned by TLS configuration. This rule could be extended for MSSQL, but the dialectOptions is specific for Tedious.
Run Locally
Run in CI
Defintion
rules:
- id: sequelize-tls-disabled-cert-validation
message: Set "rejectUnauthorized" to false is a convenient way to resolve
certificate error. But this method is unsafe because it disables the
server certificate verification, making the Node app open to MITM attack.
"rejectUnauthorized" option must be alway set to True (default value).
With self -signed certificate or custom CA, use "ca" option to define Root
Certificate. This rule checks TLS configuration only for Postgresql,
MariaDB and MySQL. SQLite is not really concerned by TLS configuration.
This rule could be extended for MSSQL, but the dialectOptions is specific
for Tedious.
metadata:
cwe:
- "CWE-94: Improper Control of Generation of Code ('Code Injection')"
owasp:
- A03:2021 - Injection
references:
- https://node-postgres.com/features/ssl
- https://nodejs.org/api/tls.html#tls_class_tls_tlssocket
- https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options
category: security
technology:
- sequelize
cwe2022-top25: true
subcategory:
- audit
likelihood: LOW
impact: LOW
confidence: LOW
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Code Injection
languages:
- javascript
- typescript
severity: ERROR
patterns:
- pattern: |
{
host: $HOST,
database: $DATABASE,
dialect: $DIALECT,
dialectOptions: {
ssl: {
rejectUnauthorized: false
}
}
}
- metavariable-regex:
metavariable: $DIALECT
regex: "['\"](mariadb|mysql|postgres)['\"]"
Examples
sequelize-tls-disabled-cert-validation.js
// Example for mysql
module.exports = {
// ruleid: sequelize-tls-disabled-cert-validation
dev: {
username: "0xdbe",
database: "app_db",
dialect: "mariadb",
host: "127.0.0.1",
dialectOptions: {
ssl: {
rejectUnauthorized: false
}
}
}
};
// Example for mysql
module.exports = {
// ruleid: sequelize-tls-disabled-cert-validation
dev: {
username: "0xdbe",
database: "app_db",
dialect: "mysql",
host: "127.0.0.1",
dialectOptions: {
ssl: {
rejectUnauthorized: false
}
}
}
};
// Example for postgresql
module.exports = {
// ruleid: sequelize-tls-disabled-cert-validation
dev: {
username: "0xdbe",
database: "app_db",
dialect: "postgres",
host: "127.0.0.1",
dialectOptions: {
ssl: {
rejectUnauthorized: false
}
}
}
};
// Example for postgresql
module.exports = {
// ok: sequelize-tls-disabled-cert-validation
dev: {
username: "0xdbe",
database: "app_db",
dialect: "postgres",
host: "127.0.0.1",
}
};
Short Link: https://sg.run/rAkj