ruby.lang.security.force-ssl-false.force-ssl-false
Verifed by r2c
Community Favorite
semgrep
Author
97,918
Download Count*
License
Checks for configuration setting of force_ssl to false. Force_ssl forces usage of HTTPS, which could lead to network interception of unencrypted application traffic. To fix, set config.force_ssl = true.
Run Locally
Run in CI
Defintion
rules:
- id: force-ssl-false
message: Checks for configuration setting of force_ssl to false. Force_ssl
forces usage of HTTPS, which could lead to network interception of
unencrypted application traffic. To fix, set config.force_ssl = true.
metadata:
cwe:
- "CWE-311: Missing Encryption of Sensitive Data"
references:
- https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_force_ssl.rb
category: security
technology:
- ruby
owasp:
- A03:2017 - Sensitive Data Exposure
- A04:2021 - Insecure Design
subcategory:
- vuln
likelihood: LOW
impact: MEDIUM
confidence: HIGH
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Cryptographic Issues
languages:
- ruby
severity: WARNING
pattern: config.force_ssl = false
fix-regex:
regex: =\s*false
replacement: = true
Examples
force-ssl-false.rb
def bad_ssl
# ruleid: force-ssl-false
config.force_ssl = false
end
def ok_ssl
# ok: force-ssl-false
config.force_ssl = true
end
Short Link: https://sg.run/YgkW