problem-based-packs.insecure-transport.js-node.disallow-old-tls-versions2.disallow-old-tls-versions2
Detects creations of $HTTPS servers from option objects that don't disallow SSL v2, SSL v3, and TLS v1. These protocols are deprecated due to POODLE, man in the middle attacks, and other vulnerabilities.
Definition
rules:
- id: disallow-old-tls-versions2
message: Detects creations of $HTTPS servers from option objects that don't
disallow SSL v2, SSL v3, and TLS v1. These protocols are deprecated due to
POODLE, man in the middle attacks, and other vulnerabilities.
severity: WARNING
metadata:
likelihood: MEDIUM
impact: MEDIUM
confidence: MEDIUM
category: security
cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
owasp: A03:2017 - Sensitive Data Exposure
references:
- https://us-cert.cisa.gov/ncas/alerts/TA14-290A
- https://stackoverflow.com/questions/40434934/how-to-disable-the-ssl-3-0-and-tls-1-0-in-nodejs
- https://nodejs.org/api/https.html#https_https_createserver_options_requestlistener
subcategory:
- vuln
technology:
- node.js
vulnerability: Insecure Transport
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Mishandled Sensitive Information
languages:
- javascript
- typescript
patterns:
- pattern-either:
- pattern-inside: |
$CONST = require('crypto');
...
- pattern-inside: |
$CONST = require('constants');
...
- pattern-inside: |
$HTTPS = require('https');
...
- pattern: |
$OPTIONS = {};
...
$HTTPS.createServer($OPTIONS, ...);
- pattern-not: >
$OPTIONS = {secureOptions: $CONST.SSL_OP_NO_TLSv1 |
$CONST.SSL_OP_NO_SSLv3 | $CONST.SSL_OP_NO_SSLv2};
...
$HTTPS.createServer($OPTIONS, ...);
- pattern-not: >
$OPTIONS = {secureOptions: $CONST.SSL_OP_NO_TLSv1 |
$CONST.SSL_OP_NO_SSLv2 | $CONST.SSL_OP_NO_SSLv3};
...
$HTTPS.createServer($OPTIONS, ...);
- pattern-not: >
$OPTIONS = {secureOptions: $CONST.SSL_OP_NO_SSLv2 |
$CONST.SSL_OP_NO_TLSv1 | $CONST.SSL_OP_NO_SSLv3};
...
$HTTPS.createServer($OPTIONS, ...);
- pattern-not: >
$OPTIONS = {secureOptions: $CONST.SSL_OP_NO_SSLv2 |
$CONST.SSL_OP_NO_SSLv3 | $CONST.SSL_OP_NO_TLSv1};
...
$HTTPS.createServer($OPTIONS, ...);
- pattern-not: >
$OPTIONS = {secureOptions: $CONST.SSL_OP_NO_SSLv3 |
$CONST.SSL_OP_NO_SSLv2 | $CONST.SSL_OP_NO_TLSv1};
...
$HTTPS.createServer($OPTIONS, ...);
- pattern-not: >
$OPTIONS = {secureOptions: $CONST.SSL_OP_NO_SSLv3 |
$CONST.SSL_OP_NO_TLSv1 | $CONST.SSL_OP_NO_SSLv2};
...
$HTTPS.createServer($OPTIONS, ...);
Examples
disallow-old-tls-versions2.js
const https = require('https');
// Fixture expected NOT to be flagged: secureOptions ORs all three legacy-protocol
// flags (SSLv2, TLSv1, SSLv3). This ordering is one of the six that the rule's
// pattern-not clauses exclude, so createServer(sslOptions) is treated as safe.
function ok1() {
  var constants = require('crypto'); // matches the rule's `$CONST = require('crypto')` pattern-inside
  // ok: disallow-old-tls-versions2
  var sslOptions = {
    key: fs.readFileSync('/etc/ssl/private/private.key'), // NOTE(review): `fs` is never required in this fixture; presumably it is only scanned, never executed
    secureProtocol: 'SSLv23_server_method', // not inspected by the rule; only secureOptions decides the verdict
    secureOptions: constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_TLSv1 | constants.SSL_OP_NO_SSLv3
  };
  https.createServer(sslOptions);
}
// Fixture expected NOT to be flagged: same three flags as the other ok cases,
// in the order SSLv2 | SSLv3 | TLSv1, which the rule's pattern-not list covers.
function ok2() {
  var constants = require('crypto');
  // ok: disallow-old-tls-versions2
  var sslOptions = {
    key: fs.readFileSync('/etc/ssl/private/private.key'), // NOTE(review): `fs` is never required in this fixture; presumably only scanned, never executed
    secureProtocol: 'SSLv23_server_method',
    secureOptions: constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_TLSv1
  };
  https.createServer(sslOptions);
}
// Fixture expected NOT to be flagged: flags ordered TLSv1 | SSLv2 | SSLv3.
// Because the rule enumerates orderings literally rather than matching a set,
// each permutation needs its own ok case like this one.
function ok3() {
  var constants = require('crypto');
  // ok: disallow-old-tls-versions2
  var sslOptions = {
    key: fs.readFileSync('/etc/ssl/private/private.key'), // NOTE(review): `fs` is never required in this fixture; presumably only scanned, never executed
    secureProtocol: 'SSLv23_server_method',
    secureOptions: constants.SSL_OP_NO_TLSv1 | constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3
  };
  https.createServer(sslOptions);
}
// Fixture expected NOT to be flagged: identical to ok3 except that the flag
// constants come from require('constants') instead of require('crypto'). The
// rule accepts either module as the source of $CONST via pattern-inside.
function ok4() {
  var constants = require('constants');
  // ok: disallow-old-tls-versions2
  var sslOptions = {
    key: fs.readFileSync('/etc/ssl/private/private.key'), // NOTE(review): `fs` is never required in this fixture; presumably only scanned, never executed
    secureProtocol: 'SSLv23_server_method',
    secureOptions: constants.SSL_OP_NO_TLSv1 | constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3
  };
  https.createServer(sslOptions);
}
// Fixture expected to be flagged: secureOptions disables SSLv2 and SSLv3 but
// omits SSL_OP_NO_TLSv1, so the server would still negotiate TLS 1.0. None of
// the rule's pattern-not clauses match a two-flag expression.
function bad1() {
  var constants = require('crypto');
  // ruleid: disallow-old-tls-versions2
  var sslOptions = {
    key: fs.readFileSync('/etc/ssl/private/private.key'), // NOTE(review): `fs` is never required in this fixture; presumably only scanned, never executed
    secureProtocol: 'SSLv23_server_method',
    secureOptions: constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3 // TLSv1 still permitted
  };
  https.createServer(sslOptions);
}
// Fixture expected to be flagged: only SSLv2 is disabled; SSLv3 and TLS 1.0
// remain negotiable, so the rule reports createServer(sslOptions).
function bad2() {
  var constants = require('crypto');
  // ruleid: disallow-old-tls-versions2
  var sslOptions = {
    key: fs.readFileSync('/etc/ssl/private/private.key'), // NOTE(review): `fs` is never required in this fixture; presumably only scanned, never executed
    secureProtocol: 'SSLv23_server_method',
    secureOptions: constants.SSL_OP_NO_SSLv2 // SSLv3 and TLSv1 still permitted
  };
  https.createServer(sslOptions);
}
// Fixture expected to be flagged: the options object has no secureOptions at
// all, so nothing disables the legacy protocols.
// NOTE(review): the rule decides solely on a secureOptions literal with the
// three SSL_OP_NO_* flags; an options object that restricts protocols another
// way (e.g. Node's `minVersion: 'TLSv1.2'`) would still be reported — confirm
// against the rule's pattern-not list before relying on it for that style.
function bad3() {
  var constants = require('crypto'); // required but unused here; keeps the pattern-inside satisfied
  // ruleid: disallow-old-tls-versions2
  var sslOptions = {
    key: fs.readFileSync('/etc/ssl/private/private.key'), // NOTE(review): `fs` is never required in this fixture; presumably only scanned, never executed
    secureProtocol: 'SSLv23_server_method',
  };
  https.createServer(sslOptions);
}
// Fixture expected to be flagged: same as bad3 (no secureOptions set) but with
// the constants sourced from require('constants'), exercising the rule's second
// pattern-inside branch.
function bad4() {
  var constants = require('constants'); // required but unused here; keeps the pattern-inside satisfied
  // ruleid: disallow-old-tls-versions2
  var sslOptions = {
    key: fs.readFileSync('/etc/ssl/private/private.key'), // NOTE(review): `fs` is never required in this fixture; presumably only scanned, never executed
    secureProtocol: 'SSLv23_server_method',
  };
  https.createServer(sslOptions);
}