problem-based-packs.insecure-transport.java-spring.bypass-tls-verification.bypass-tls-verification

Checks for overrides of the functions that perform TLS/SSL certificate verification. Such overrides can introduce vulnerabilities, as simple mistakes in the code can leave certificates without proper validation. This should only be used for debugging purposes, because it makes the connection vulnerable to man-in-the-middle (MITM) attacks.
Definition
rules:
- id: bypass-tls-verification
message: Checks for overrides of the functions that perform TLS/SSL certificate
verification. Such overrides can introduce vulnerabilities, as simple mistakes
in the code can leave certificates without proper validation. This should only
be used for debugging purposes, because it makes the connection vulnerable to
man-in-the-middle (MITM) attacks.
severity: WARNING
metadata:
likelihood: HIGH
impact: MEDIUM
confidence: MEDIUM
category: security
cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
owasp: A03:2017 - Sensitive Data Exposure
references:
- https://stackoverflow.com/questions/4072585/disabling-ssl-certificate-validation-in-spring-resttemplate
- https://stackoverflow.com/questions/35530558/how-to-fix-unsafe-implementation-of-x509trustmanager-in-android-app?rq=1
subcategory:
- vuln
technology:
- spring
vulnerability: Insecure Transport
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Mishandled Sensitive Information
languages:
- java
pattern-either:
- pattern: |
new HostnameVerifier() {
...
public boolean verify(String hostname, SSLSession session) {
...
}
...
};
- pattern: >
public RestTemplate restTemplate() throws KeyStoreException,
NoSuchAlgorithmException, KeyManagementException {
...
TrustStrategy $FUNCNAME = (X509Certificate[] chain, String authType) -> ...;
...
}
- pattern: >
TrustStrategy $FUNCNAME= new TrustStrategy() {
...
public boolean isTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
...
}
...
};
Examples
bypass-tls-verification.java
/**
 * Semgrep test fixture for the {@code bypass-tls-verification} rule.
 *
 * <p>Every method below deliberately weakens TLS certificate validation; the
 * {@code // ruleid:} markers are the findings the rule is expected to report
 * and must stay next to the code the rule's patterns match. None of this is
 * a usable TLS configuration.
 */
public class Bad {
    /**
     * Installs a default {@link HostnameVerifier} for {@code HttpsURLConnection}
     * that accepts every hostname.
     */
    public void bad1() {
        // ruleid: bypass-tls-verification
        HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
            // Unconditionally true: the certificate is never matched against the
            // hostname being connected to, so hostname verification is off for
            // every HTTPS connection that uses the default verifier.
            public boolean verify(String hostname, SSLSession session) {
                return true;
            }
        });
    }
    /**
     * Builds a {@link RestTemplate} whose HTTP client trusts every certificate chain.
     *
     * <p>Matched by the rule's second pattern (lambda {@code TrustStrategy} inside a
     * method named {@code restTemplate}).
     *
     * @return a RestTemplate backed by an Apache HttpClient with an accept-all trust strategy
     * @throws KeyStoreException declared for the SSLContext construction below
     * @throws NoSuchAlgorithmException declared for the SSLContext construction below
     * @throws KeyManagementException declared for the SSLContext construction below
     */
    // ruleid: bypass-tls-verification
    public RestTemplate restTemplate()
            throws KeyStoreException, NoSuchAlgorithmException, KeyManagementException {
        // Returns true for any chain and any authType: the chain is accepted
        // without being validated against any trust store.
        TrustStrategy acceptingTrustStrategy = (X509Certificate[] chain, String authType) -> true;
        // No explicit trust store (null); the accept-all strategy decides alone.
        SSLContext sslContext = org.apache.http.ssl.SSLContexts.custom()
                .loadTrustMaterial(null, acceptingTrustStrategy)
                .build();
        // NOTE(review): no hostname verifier is passed here, so hostname checking
        // is whatever the factory's default is — only chain validation is disabled.
        SSLConnectionSocketFactory csf = new SSLConnectionSocketFactory(sslContext);
        CloseableHttpClient httpClient = HttpClients.custom()
                .setSSLSocketFactory(csf)
                .build();
        HttpComponentsClientHttpRequestFactory requestFactory =
                new HttpComponentsClientHttpRequestFactory();
        requestFactory.setHttpClient(httpClient);
        RestTemplate restTemplate = new RestTemplate(requestFactory);
        return restTemplate;
    }
    /**
     * Builds a {@link RestTemplate} with both certificate-chain validation and
     * hostname verification disabled.
     *
     * <p>Matched by the rule's third pattern (anonymous {@code TrustStrategy}).
     *
     * @return a RestTemplate backed by an Apache HttpClient that performs no TLS peer validation
     * @throws KeyStoreException declared for the SSLContext construction below
     * @throws NoSuchAlgorithmException declared for the SSLContext construction below
     * @throws KeyManagementException declared for the SSLContext construction below
     */
    public RestTemplate getRestTemplate() throws KeyStoreException, NoSuchAlgorithmException, KeyManagementException {
        // ruleid: bypass-tls-verification
        TrustStrategy acceptingTrustStrategy = new TrustStrategy() {
            // Same accept-all behaviour as the lambda in restTemplate(), written as
            // an anonymous class; the declared CertificateException is never thrown.
            @Override
            public boolean isTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
                return true;
            }
        };
        SSLContext sslContext = org.apache.http.ssl.SSLContexts.custom().loadTrustMaterial(null, acceptingTrustStrategy).build();
        // NoopHostnameVerifier additionally disables hostname checking. Note that
        // the rule's patterns above do not match NoopHostnameVerifier on its own;
        // this line is only reported because of the TrustStrategy above it.
        SSLConnectionSocketFactory csf = new SSLConnectionSocketFactory(sslContext, new NoopHostnameVerifier());
        CloseableHttpClient httpClient = HttpClients.custom().setSSLSocketFactory(csf).build();
        HttpComponentsClientHttpRequestFactory requestFactory = new HttpComponentsClientHttpRequestFactory();
        requestFactory.setHttpClient(httpClient);
        RestTemplate restTemplate = new RestTemplate(requestFactory);
        return restTemplate;
    }
}