php.lang.security.curl-ssl-verifypeer-off.curl-ssl-verifypeer-off

Author: semgrep
Download count: 176

SSL verification is disabled but should not be (currently CURLOPT_SSL_VERIFYPEER= $IS_VERIFIED)

Definition

rules:
  - id: curl-ssl-verifypeer-off
    patterns:
      - pattern-either:
          - pattern: |
              $ARG = $IS_VERIFIED;
              ...
              curl_setopt(..., CURLOPT_SSL_VERIFYPEER, $ARG);
          - pattern: curl_setopt(..., CURLOPT_SSL_VERIFYPEER, $IS_VERIFIED)
      - metavariable-regex:
          metavariable: $IS_VERIFIED
          regex: 0|false|null
    message: SSL verification is disabled but should not be (currently
      CURLOPT_SSL_VERIFYPEER= $IS_VERIFIED)
    metadata:
      cwe:
        - "CWE-319: Cleartext Transmission of Sensitive Information"
      references:
        - https://www.saotn.org/dont-turn-off-curlopt_ssl_verifypeer-fix-php-configuration/
      category: security
      technology:
        - php
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      subcategory:
        - vuln
      likelihood: LOW
      impact: LOW
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    languages:
      - php
    severity: ERROR

Examples

curl-ssl-verifypeer-off.php

<?php

$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, "http://www.example.com/");
curl_setopt($ch, CURLOPT_HEADER, 0);

// ruleid: curl-ssl-verifypeer-off
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

// ok: curl-ssl-verifypeer-off
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
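
Remediation sketch, added here as an example (not part of the Semgrep rule or its test file): a request helper that keeps peer verification on and, when the trust store is the problem, takes a CA bundle path instead of disabling the check. The names fetch_https and $caBundle are hypothetical.

```php
<?php
// Added example: hypothetical helper, not code from the rule's repository.

/**
 * Fetch a URL over HTTPS with certificate verification left on.
 * $caBundle: optional path to a PEM CA bundle (assumption: needed when the
 * system trust store is missing or the server uses a private CA).
 */
function fetch_https(string $url, ?string $caBundle = null): string
{
    if (strtolower((string) parse_url($url, PHP_URL_SCHEME)) !== 'https') {
        throw new InvalidArgumentException('Only https:// URLs are accepted');
    }

    $ch = curl_init($url);
    if ($ch === false) {
        throw new RuntimeException('curl_init failed');
    }

    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    // Refuse plaintext protocols, including on redirects.
    curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTPS);
    curl_setopt($ch, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTPS);
    // Verify the certificate chain (the setting this rule checks).
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    // Also verify that the certificate name matches the requested host.
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);

    if ($caBundle !== null) {
        if (!is_readable($caBundle)) {
            throw new RuntimeException("CA bundle not readable: $caBundle");
        }
        // Trust this bundle instead of turning verification off.
        curl_setopt($ch, CURLOPT_CAINFO, $caBundle);
    }

    $body = curl_exec($ch);
    if ($body === false) {
        // Fail closed: report the TLS error, never retry unverified.
        throw new RuntimeException(
            sprintf('curl error %d: %s', curl_errno($ch), curl_error($ch))
        );
    }
    return $body;
}
```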