ruby.lang.security.ssl-mode-no-verify.ssl-mode-no-verify

Verifed by r2c
Community Favorite
profile photo of returntocorpreturntocorp
Author
97,918
Download Count*

Detected SSL that will accept an unverified connection. This makes the connections susceptible to man-in-the-middle attacks. Use 'OpenSSL::SSL::VERIFY_PEER' instead.

Run Locally

Run in CI

Defintion

rules:
  - id: ssl-mode-no-verify
    pattern: OpenSSL::SSL::VERIFY_NONE
    message: Detected SSL that will accept an unverified connection. This makes the
      connections susceptible to man-in-the-middle attacks. Use
      'OpenSSL::SSL::VERIFY_PEER' instead.
    fix-regex:
      regex: VERIFY_NONE
      replacement: VERIFY_PEER
    severity: WARNING
    languages:
      - ruby
    metadata:
      cwe:
        - "CWE-295: Improper Certificate Validation"
      category: security
      technology:
        - ruby
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A07:2021 - Identification and Authentication Failures
      references:
        - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
      subcategory:
        - vuln
      likelihood: HIGH
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]

Examples

ssl-mode-no-verify.rb

# cf. https://github.com/presidentbeef/brakeman/blob/v3.6.2/docs/warning_types/ssl_verification_bypass/index.markdown 

require "net/https"
require "uri"

uri = URI.parse("https://ssl-site.com/")
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
# ruleid:ssl-mode-no-verify
http.verify_mode = OpenSSL::SSL::VERIFY_NONE

request = Net::HTTP::Get.new(uri.request_uri)

http.verify_mode = OpenSSL::SSL::VERIFY_PEER

response = http.request(request)

# ok:ssl-mode-no-verify
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
request = Net::HTTP::Get.new(uri.request_uri)
response = http.request(request)