problem-based-packs.insecure-transport.go-stdlib.bypass-tls-verification.bypass-tls-verification


Checks for disabling of TLS/SSL certificate verification (`InsecureSkipVerify: true` on a `tls.Config`). With verification off, crypto/tls accepts any certificate the server presents and any host name in it, so an on-path attacker can impersonate the server and read or alter the traffic (man-in-the-middle, MITM). This should only be used for debugging. To talk to a server with a self-signed or private-CA certificate, add that CA to a custom `RootCAs` pool instead of disabling verification.


Definition

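rules:
  - id: bypass-tls-verification
    message: Checks for disabling of TLS/SSL certificate verification. With
      InsecureSkipVerify set, crypto/tls accepts any certificate the peer
      presents, so an on-path attacker can impersonate the server (MITM).
      This should only be used for debugging. To trust a self-signed or
      private-CA certificate, load that CA into a custom RootCAs pool instead.
    severity: WARNING
    metadata:
      likelihood: HIGH
      impact: MEDIUM
      confidence: MEDIUM
      category: security
      # The finding is a certificate-validation failure, not cleartext
      # transport: the connection is still encrypted, just to an unverified peer.
      cwe: "CWE-295: Improper Certificate Validation"
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A07:2021 - Identification and Authentication Failures
      references:
        - https://pkg.go.dev/crypto/tls#Config
        - https://stackoverflow.com/questions/12122159/how-to-do-a-https-request-with-bad-certificate
      subcategory:
        - vuln
      technology:
        - go
      vulnerability: Insecure Transport
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    languages:
      - go
    pattern-either:
      # Struct literal with the field set to true, in any position among
      # other fields (the surrounding `...` absorb them).
      - pattern: |
          tls.Config{..., InsecureSkipVerify: true, ...}
      # Pointer config assigned first, field flipped later in the same scope
      # (`=` also matches `:=` in Go patterns).
      - pattern: |
          $CONFIG = &tls.Config{...}
          ...
          $CONFIG.InsecureSkipVerify = true
      # Same shape for a value (non-pointer) config.
      - pattern: |
          $CONFIG = tls.Config{...}
          ...
          $CONFIG.InsecureSkipVerify = true
      # Not covered: the field set from a variable or flag
      # (e.g. `InsecureSkipVerify: opts.SkipVerify`); only literal `true` matches.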

Examples

bypass-tls-verification.go

package main

import (
	"crypto/rand"
	"crypto/tls"
	"fmt"
	"net/http"
	"os"
)

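// bad1 builds two HTTP clients whose TLS configs set InsecureSkipVerify: true.
// Both are flagged: the rule matches the field regardless of what else is in
// the struct literal, so the stronger MinVersion on the second client does not
// make it acceptable. With verification disabled, any host that can intercept
// the connection can present an arbitrary certificate and be accepted.
//
// KeyLogWriter pointed at stdout writes TLS session secrets to the terminal;
// that is a separate problem this rule does not report.
func bad1() {
	w := os.Stdout

	client := &http.Client{
		Transport: &http.Transport{
			// ruleid: bypass-tls-verification
			TLSClientConfig: &tls.Config{
				KeyLogWriter:       w,
				MinVersion:         tls.VersionSSL30,
				InsecureSkipVerify: true, // test server certificate is not trusted.
				Rand:               rand.Reader,
			},
		},
	}
	_ = client // keep the fixture compilable: the client is never used here.

	clientNewerTLS := &http.Client{
		Transport: &http.Transport{
			// ruleid: bypass-tls-verification
			TLSClientConfig: &tls.Config{
				KeyLogWriter:       w,
				MinVersion:         tls.VersionTLS10,
				InsecureSkipVerify: true, // still flagged: a higher MinVersion does not restore verification.
				Rand:               rand.Reader,
			},
		},
	}
	_ = clientNewerTLS
}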

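// bad2 disables certificate verification on a dedicated transport and then
// issues a real request through it. The rule flags the tls.Config literal
// whether or not the transport is ever used.
func bad2() {
	tr := &http.Transport{
		// ruleid: bypass-tls-verification
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}
	client := &http.Client{Transport: tr}
	resp, err := client.Get("https://golang.org/")
	if err != nil {
		fmt.Println(err)
		return
	}
	// The response is discarded, but its body must still be closed so the
	// underlying connection is released.
	defer resp.Body.Close()
}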

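// bad3 rewrites the package-level http.DefaultTransport, so every caller of
// http.Get (and anything else going through http.DefaultClient) in the process
// skips certificate verification from this point on. The rule flags the
// tls.Config literal on the assignment line.
//
// The type assertion panics if another package has already replaced
// http.DefaultTransport with something other than *http.Transport.
func bad3() {
	// ruleid: bypass-tls-verification
	http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
	resp, err := http.Get("https://golang.org/")
	if err != nil {
		fmt.Println(err)
		return
	}
	// Close the body so the connection is released, even though the
	// response itself is not used.
	defer resp.Body.Close()
}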

// bad4 exercises the second pattern of the rule: the config is created empty
// and InsecureSkipVerify is switched on later, with an unrelated assignment in
// between. The annotation sits on the line before the literal, where the match
// starts.
func bad4() {
	// ruleid: bypass-tls-verification
	cfg := &tls.Config{}
	cfg.PreferServerCipherSuites = true // unrelated field: absorbed by `...` in the pattern.
	cfg.InsecureSkipVerify = true
}

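// ok1 is the negative counterpart of bad1: verification stays enabled, so the
// rule must not fire. The first client spells InsecureSkipVerify: false out
// explicitly; the second omits it and relies on the zero value, which is also
// false. Neither literal should match even with other fields around it.
//
// The protocol floor is TLS 1.2 and there is no KeyLogWriter, so the "ok"
// example does not model an insecure configuration that merely happens to be
// outside this rule's scope.
func ok1() {
	client := &http.Client{
		Transport: &http.Transport{
			// ok: bypass-tls-verification
			TLSClientConfig: &tls.Config{
				MinVersion:         tls.VersionTLS12,
				InsecureSkipVerify: false, // explicit false: verification stays on.
				Rand:               rand.Reader,
			},
		},
	}
	_ = client // keep the fixture compilable: the client is never used here.

	clientDefault := &http.Client{
		Transport: &http.Transport{
			// ok: bypass-tls-verification
			TLSClientConfig: &tls.Config{
				MinVersion: tls.VersionTLS12, // InsecureSkipVerify omitted: zero value is false.
				Rand:       rand.Reader,
			},
		},
	}
	_ = clientDefault
}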

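// ok2 mirrors bad2 with verification left on. InsecureSkipVerify: false is the
// zero value and could be omitted; it is written out so the fixture checks that
// an explicit false does not match.
func ok2() {
	tr := &http.Transport{
		// ok: bypass-tls-verification
		TLSClientConfig: &tls.Config{InsecureSkipVerify: false},
	}
	client := &http.Client{Transport: tr}
	resp, err := client.Get("https://golang.org/")
	if err != nil {
		fmt.Println(err)
		return
	}
	// Release the body even though the response is not used.
	defer resp.Body.Close()
}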

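// ok3 mirrors bad3 with verification left on. Replacing the TLS config on the
// package-level http.DefaultTransport still affects every http.Get in the
// process; only the InsecureSkipVerify value differs, and false must not match.
// The type assertion panics if http.DefaultTransport is no longer an
// *http.Transport.
func ok3() {
	// ok: bypass-tls-verification
	http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: false}
	resp, err := http.Get("https://golang.org/")
	if err != nil {
		fmt.Println(err)
		return
	}
	// Release the body even though the response is not used.
	defer resp.Body.Close()
}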

// ok4 mirrors bad4: the config is created empty and fields are assigned later,
// but InsecureSkipVerify is set to false, so the second pattern of the rule
// (which requires a literal true) must not match.
func ok4() {
	// ok: bypass-tls-verification
	cfg := &tls.Config{}
	cfg.PreferServerCipherSuites = true // unrelated field between the two statements.
	cfg.InsecureSkipVerify = false
}