problem-based-packs.insecure-transport.js-node.bypass-tls-verification.bypass-tls-verification
Checks for setting the environment variable NODE_TLS_REJECT_UNAUTHORIZED to 0, which disables TLS certificate verification; this should only be used for debugging purposes. Setting the option rejectUnauthorized to false bypasses verification against the list of trusted CAs, which likewise leads to insecure transport. Both settings leave connections vulnerable to man-in-the-middle (MITM) attacks and should not be used.
Definition
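rules:
  - id: bypass-tls-verification
    # Text shown to the developer on a finding; mirrors the registry description.
    message: Checks for setting the environment variable
      NODE_TLS_REJECT_UNAUTHORIZED to 0, which disables TLS verification. This
      should only be used for debugging purposes. Setting the option
      rejectUnauthorized to false bypasses verification against the list of
      trusted CAs, which also leads to insecure transport. These options lead to
      vulnerability to MITM attacks, and should not be used.
    severity: WARNING
    metadata:
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      category: security
      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
      owasp: A03:2017 - Sensitive Data Exposure
      references:
        - https://nodejs.org/api/https.html#https_https_request_options_callback
        - https://stackoverflow.com/questions/20433287/node-js-request-cert-has-expired#answer-29397100
      subcategory:
        - vuln
      technology:
        - node.js
      vulnerability: Insecure Transport
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    languages:
      - javascript
      - typescript
    pattern-either:
      # Only the numeric literal 0 assigned through bracket notation is spelled
      # out here. NOTE(review): the string form '0' and other spellings of the
      # same assignment may not be matched; confirm against Semgrep's JavaScript
      # matching rules before relying on this pattern for coverage.
      - pattern: |
          process.env["NODE_TLS_REJECT_UNAUTHORIZED"] = 0;
      # Matches any object literal that carries rejectUnauthorized: false,
      # whatever API it is later passed to (see the RpcClient example below).
      - pattern: |
          {rejectUnauthorized:false}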
Examples
bypass-tls-verification.js
// Fixture: disables TLS certificate verification for the whole process.
// process.env stores the assigned 0 as the string "0"; the rule matches this
// exact assignment form.
function bad_tls1() {
// ruleid: bypass-tls-verification
process.env["NODE_TLS_REJECT_UNAUTHORIZED"] = 0;
}
// Fixture: three shapes of passing rejectUnauthorized: false, each of which
// skips certificate-chain validation against the trusted CA list (see the rule
// message), so the remote peer is never authenticated.
function bad_tls2() {
// Inline options object passed straight to https.request.
// ruleid: bypass-tls-verification
var req = https.request({
host: '192.168.1.1',
port: 443,
path: '/',
method: 'GET',
rejectUnauthorized: false,
requestCert: true,
agent: false
});
// Same options built first and passed by reference; the rule matches the
// object literal itself, not the https.request call.
// ruleid: bypass-tls-verification
var object = {
host: '192.168.1.1',
port: 443,
path: '/',
method: 'GET',
rejectUnauthorized: false,
requestCert: true,
agent: false
};
var req = https.request(object);
// Third-party client (RpcClient) taking the same option; the object-literal
// pattern fires regardless of the receiving API.
// ruleid: bypass-tls-verification
var client = new RpcClient({
user: 'user',
pass: 'pass',
host: 'localhost',
port: 8332,
rejectUnauthorized: false,
disableAgent: true
});
}
// Fixture: defaults() applied to the request module, once via a chained
// require() and once via a stored module reference; the rule matches the
// inline options object in each call.
// ruleid: bypass-tls-verification
require('request').defaults({method: 'GET', rejectUnauthorized: false, requestCert: true})
var requestvar = require('request');
console.log("hello!"); // unrelated statement between the two findings
// ruleid: bypass-tls-verification
requestvar.defaults({method: 'GET', rejectUnauthorized: false, requestCert: true});
// Fixture: explicit rejectUnauthorized: true keeps certificate verification
// enabled, so neither pattern matches.
function ok_tls1() {
// ok: bypass-tls-verification
var req = https.request({
host: '192.168.1.1',
port: 443,
path: '/',
method: 'GET',
rejectUnauthorized: true,
requestCert: true,
agent: false
});
}
// Fixture: rejectUnauthorized is omitted entirely; Node's https.request
// defaults it to true, so verification stays on and the rule is silent.
function ok_tls2() {
// ok: bypass-tls-verification
var req = https.request({
host: '192.168.1.1',
port: 443,
path: '/',
method: 'GET',
requestCert: true,
agent: false
});
}