ruby.lang.security.force-ssl-false.force-ssl-false

Verified by r2c
Community Favorite
Author: semgrep
Download Count: 97,918

Checks for the configuration setting force_ssl being set to false. force_ssl forces the use of HTTPS; disabling it could allow network interception of unencrypted application traffic. To fix, set config.force_ssl = true.


Definition

rules:
  - id: force-ssl-false
    message: Checks for configuration setting of force_ssl to false. Force_ssl
      forces usage of HTTPS, which could lead to network interception of
      unencrypted application traffic. To fix, set config.force_ssl = true.
    metadata:
      cwe:
        - "CWE-311: Missing Encryption of Sensitive Data"
      references:
        - https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_force_ssl.rb
      category: security
      technology:
        - ruby
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A04:2021 - Insecure Design
      subcategory:
        - vuln
      likelihood: LOW
      impact: MEDIUM
      confidence: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    languages:
      - ruby
    severity: WARNING
    pattern: config.force_ssl = false
    fix-regex:
      regex: =\s*false
      replacement: = true

Examples

force-ssl-false.rb

def bad_ssl
  # ruleid: force-ssl-false
  config.force_ssl = false
end

def ok_ssl
  # ok: force-ssl-false
  config.force_ssl = true
end
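The following is an added example, not part of the Semgrep rule or its test file: a small stand-alone Ruby script that approximates what the rule above does, so its pattern and fix-regex can be exercised against a constructed Rails production config. It assumes simple line-based text matching in place of Semgrep's AST-based matching (a real scan should use Semgrep itself).

```ruby
# Assumption: line-based text matching approximates the rule's
# `pattern: config.force_ssl = false`; Semgrep itself matches on the AST.
PATTERN = /\Aconfig\.force_ssl\s*=\s*false\s*(#.*)?\z/
# Taken from the rule's fix-regex: replace "= false" with "= true".
FIX_REGEX = /=\s*false/
FIX_REPLACEMENT = "= true"

# Return [line_number, line] pairs for every line matching the rule's pattern.
def scan_force_ssl(source)
  findings = []
  source.each_line.with_index(1) do |line, lineno|
    findings << [lineno, line.chomp] if line.strip.match?(PATTERN)
  end
  findings
end

# Apply the fix-regex only to matched lines, which is how `semgrep --autofix`
# scopes a fix-regex; unrelated lines are left untouched.
def autofix_force_ssl(source)
  source.each_line.map do |line|
    line.strip.match?(PATTERN) ? line.sub(FIX_REGEX, FIX_REPLACEMENT) : line
  end.join
end

# Constructed sample of a Rails config/environments/production.rb.
SAMPLE_CONFIG = <<~RUBY
  Rails.application.configure do
    config.cache_classes = true
    # Transport security was disabled here during debugging and never re-enabled.
    config.force_ssl = false
    config.log_level = :info
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  scan_force_ssl(SAMPLE_CONFIG).each { |n, l| puts "#{n}: #{l}" }
  puts autofix_force_ssl(SAMPLE_CONFIG)
end
```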