php.lang.security.curl-ssl-verifypeer-off.curl-ssl-verifypeer-off

SSL verification is disabled but should not be (currently CURLOPT_SSL_VERIFYPEER= $IS_VERIFIED)
Definition
rules:
  - id: curl-ssl-verifypeer-off
    patterns:
      - pattern-either:
          - pattern: |
              $ARG = $IS_VERIFIED;
              ...
              curl_setopt(..., CURLOPT_SSL_VERIFYPEER, $ARG);
          - pattern: curl_setopt(..., CURLOPT_SSL_VERIFYPEER, $IS_VERIFIED)
      - metavariable-regex:
          metavariable: $IS_VERIFIED
          regex: 0|false|null
    message: SSL verification is disabled but should not be (currently CURLOPT_SSL_VERIFYPEER= $IS_VERIFIED)
    metadata:
      cwe:
        - "CWE-319: Cleartext Transmission of Sensitive Information"
      references:
        - https://www.saotn.org/dont-turn-off-curlopt_ssl_verifypeer-fix-php-configuration/
      category: security
      technology:
        - php
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      subcategory:
        - vuln
      likelihood: LOW
      impact: LOW
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - php
    severity: ERROR
Examples
curl-ssl-verifypeer-off.php
<?php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://www.example.com/");
curl_setopt($ch, CURLOPT_HEADER, 0);
// ruleid: curl-ssl-verifypeer-off
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
// ok: curl-ssl-verifypeer-off
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
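A hardened counterpart to the test file above, added here as an example and not part of the rule or its test file: it keeps CURLOPT_SSL_VERIFYPEER on, also enables host-name verification, and points cURL at an explicit CA bundle, so a certificate error is surfaced and fixed rather than silenced by disabling verification. The function name secureGet and the bundle path are assumptions.

```php
<?php
// Added example, not the Semgrep project's code. Fetch a URL with peer and
// host-name verification left on and an explicit CA bundle, instead of
// working around certificate errors by setting CURLOPT_SSL_VERIFYPEER to false.
// The default bundle path is an assumption; point it at the bundle your
// distribution or application ships.
function secureGet(string $url, string $caBundle = '/etc/ssl/certs/ca-certificates.crt'): string
{
    if (!is_readable($caBundle)) {
        // Fail closed: a missing bundle is a deployment bug, not a reason to turn verification off.
        throw new RuntimeException("CA bundle not readable: $caBundle");
    }

    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_URL            => $url,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // refuse a plain http:// URL outright
        CURLOPT_SSL_VERIFYPEER => true,            // verify the server certificate chain
        CURLOPT_SSL_VERIFYHOST => 2,               // and that the certificate matches the host name
        CURLOPT_CAINFO         => $caBundle,       // trust anchors used for that verification
        CURLOPT_TIMEOUT        => 10,
    ]);

    $body = curl_exec($ch);
    if ($body === false) {
        // Report the real cause (expired or self-signed certificate, host mismatch,
        // stale bundle) so it can be fixed where it occurs.
        $err = sprintf('curl error %d: %s', curl_errno($ch), curl_error($ch));
        curl_close($ch);
        throw new RuntimeException($err);
    }
    curl_close($ch);
    return $body;
}

echo strlen(secureGet('https://www.example.com/')), " bytes\n";
```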
Short Link: https://sg.run/PJqv