problem-based-packs.insecure-transport.js-node.bypass-tls-verification.bypass-tls-verification


Checks for setting the environment variable NODE_TLS_REJECT_UNAUTHORIZED to 0, which disables TLS verification. This should only be used for debugging purposes. Setting the option rejectUnauthorized to false bypasses verification against the list of trusted CAs, which also leads to insecure transport. These options make the application vulnerable to MITM (man-in-the-middle) attacks, and should not be used.



Definition

rules:
  - id: bypass-tls-verification
    message: Checks for setting the environment variable
      NODE_TLS_REJECT_UNAUTHORIZED to 0, which disables TLS verification. This
      should only be used for debugging purposes. Setting the option
      rejectUnauthorized to false bypasses verification against the list of
      trusted CAs, which also leads to insecure transport. These options lead to
      vulnerability to MTM attacks, and should not be used.
    severity: WARNING
    metadata:
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      category: security
      # NOTE(review): CWE-319 describes cleartext transmission; what this rule
      # actually detects is disabled certificate validation, which CWE-295
      # (Improper Certificate Validation) names more directly. Consider listing
      # it alongside CWE-319.
      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
      owasp: A03:2017 - Sensitive Data Exposure
      references:
        - https://nodejs.org/api/https.html#https_https_request_options_callback
        - https://stackoverflow.com/questions/20433287/node-js-request-cert-has-expired#answer-29397100
      subcategory:
        - vuln
      technology:
        - node.js
      vulnerability: Insecure Transport
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    languages:
      - javascript
      - typescript
    # Two independent ways of switching certificate verification off in Node;
    # either one is enough for a finding.
    pattern-either:
      # Process-wide opt-out: the environment variable affects every TLS
      # connection the process makes afterwards. The pattern is the bracketed
      # key assigned a numeric 0.
      # NOTE(review): confirm whether the dotted form
      # (process.env.NODE_TLS_REJECT_UNAUTHORIZED = ...) and the string '0' are
      # also matched — they set the same variable, and process.env stores the
      # value as a string either way.
      - pattern: |
          process.env["NODE_TLS_REJECT_UNAUTHORIZED"] = 0;
      # Per-connection opt-out: any object literal carrying this key/value pair,
      # regardless of which API receives it (the examples cover https.request,
      # a third-party RpcClient constructor and request.defaults).
      - pattern: |
          {rejectUnauthorized:false}

Examples

bypass-tls-verification.js

// Negative fixture: disables certificate verification for the whole process.
// Every TLS connection made afterwards accepts any certificate, so a network
// position between this process and its peers is enough to impersonate the
// peer. For a private CA, trust it via NODE_EXTRA_CA_CERTS or the `ca` option
// instead of turning verification off.
// NOTE(review): process.env stores values as strings, so the numeric 0 is read
// back as '0' — the value that actually disables verification; confirm against
// the Node docs linked in the rule metadata.
function bad_tls1() {
    // ruleid: bypass-tls-verification
    process.env["NODE_TLS_REJECT_UNAUTHORIZED"] = 0;
}

// Negative fixtures: three shapes of the per-connection opt-out. The rule's
// second pattern is structural — it matches the object literal that contains
// `rejectUnauthorized: false`, no matter which API the literal is handed to.
// NOTE(review): `https` and `RpcClient` are never required in this file; this
// function is a matching fixture for the rule, not runnable code.
function bad_tls2() {
    // Options literal passed straight into https.request.
    // ruleid: bypass-tls-verification
    var req = https.request({
      host: '192.168.1.1',
      port: 443,
      path: '/',
      method: 'GET',
      rejectUnauthorized: false,
      requestCert: true,
      agent: false
    });

    // Same options built first and passed by name. The literal itself is what
    // the pattern matches, so the finding is expected on this declaration and
    // not on the https.request call below.
    // ruleid: bypass-tls-verification
    var object = {
      host: '192.168.1.1',
      port: 443,
      path: '/',
      method: 'GET',
      rejectUnauthorized: false,
      requestCert: true,
      agent: false
    };

    // `req` is re-declared with var; harmless in a fixture, nothing reads it.
    var req = https.request(object);

    // A non-core client: the same key inside an arbitrary constructor's
    // options. The rule does not need to know the receiving API.
    // ruleid: bypass-tls-verification
    var client = new RpcClient({
      user: 'user',
      pass: 'pass',
      host: 'localhost',
      port: 8332,
      rejectUnauthorized: false,
      disableAgent: true
    });
}

// Module-level negative fixtures using the `request` library. Its defaults()
// presumably bakes the option into every later call made through the returned
// client, so one such line disables verification for the whole client — verify
// against the library's docs. The first form chains directly on require(),
// the second goes through a named alias; both carry the flagged literal.
// ruleid: bypass-tls-verification
require('request').defaults({method: 'GET', rejectUnauthorized: false, requestCert: true})

var requestvar = require('request');
// Unrelated statement between the require and the flagged call, checking that
// the match does not depend on adjacency.
console.log("hello!");
// ruleid: bypass-tls-verification
requestvar.defaults({method: 'GET', rejectUnauthorized: false, requestCert: true});

// Positive fixture: `rejectUnauthorized` is explicitly true. The pattern
// requires the literal `false`, so this literal must produce no finding.
// NOTE(review): `https` is not required in this file; fixture only.
function ok_tls1() {
    // ok: bypass-tls-verification
    var req = https.request({
      host: '192.168.1.1',
      port: 443,
      path: '/',
      method: 'GET',
      rejectUnauthorized: true,
      requestCert: true,
      agent: false
    });
}

// Positive fixture: the option is omitted entirely, so nothing in the literal
// can match. NOTE(review): Node's default for rejectUnauthorized is true, so
// omitting it keeps verification on — confirm against the https docs in the
// rule metadata. An opt-out that arrives through a variable rather than a
// literal `false` is presumably not caught by this pattern either; verify.
function ok_tls2() {
    // ok: bypass-tls-verification
    var req = https.request({
      host: '192.168.1.1',
      port: 443,
      path: '/',
      method: 'GET',
      requestCert: true,
      agent: false
    });
}