ruby.lang.security.ssl-mode-no-verify.ssl-mode-no-verify
Verified by r2c
Community Favorite
Author: semgrep
Download count: 97,918
Detected SSL that will accept an unverified connection. This makes the connections susceptible to man-in-the-middle attacks. Use 'OpenSSL::SSL::VERIFY_PEER' instead.
Definition
rules:
- id: ssl-mode-no-verify
  pattern: OpenSSL::SSL::VERIFY_NONE
  message: >-
    Detected SSL that will accept an unverified connection. This makes the
    connections susceptible to man-in-the-middle attacks. Use
    'OpenSSL::SSL::VERIFY_PEER' instead.
  fix-regex:
    regex: VERIFY_NONE
    replacement: VERIFY_PEER
  severity: WARNING
  languages:
  - ruby
  metadata:
    cwe:
    - "CWE-295: Improper Certificate Validation"
    category: security
    technology:
    - ruby
    owasp:
    - A03:2017 - Sensitive Data Exposure
    - A07:2021 - Identification and Authentication Failures
    references:
    - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
    subcategory:
    - vuln
    likelihood: HIGH
    impact: MEDIUM
    confidence: MEDIUM
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    vulnerability_class:
    - Improper Authentication
Examples
ssl-mode-no-verify.rb
# cf. https://github.com/presidentbeef/brakeman/blob/v3.6.2/docs/warning_types/ssl_verification_bypass/index.markdown
require "net/https"
require "uri"
uri = URI.parse("https://ssl-site.com/")
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
# ruleid:ssl-mode-no-verify
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
request = Net::HTTP::Get.new(uri.request_uri)
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
response = http.request(request)
# ok:ssl-mode-no-verify
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
request = Net::HTTP::Get.new(uri.request_uri)
response = http.request(request)
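The following is an added example, not part of the rule's test file: it reproduces the rule's pattern and fix-regex as a plain Ruby check over a constructed source snippet, adds a runtime check for a Net::HTTP client that would skip verification, and builds a client with peer verification set explicitly (the helper names and the sample source are assumptions for this illustration; no connection is opened).

```ruby
require "net/http"
require "openssl"

# Mirrors the Semgrep rule: the flagged token and the replacement from its fix-regex.
INSECURE_TOKEN = "OpenSSL::SSL::VERIFY_NONE"
FIX_REGEX = /VERIFY_NONE/
FIX_REPLACEMENT = "VERIFY_PEER"

# Static check: [line_number, line] for every line that sets VERIFY_NONE.
def find_unverified_ssl(source)
  source.each_line.with_index(1)
        .select { |line, _| line.include?(INSECURE_TOKEN) }
        .map { |line, n| [n, line.chomp] }
end

# Apply the rule's autofix (fix-regex) to a source string.
def fix_unverified_ssl(source)
  source.gsub(FIX_REGEX, FIX_REPLACEMENT)
end

# Runtime check: true when an HTTPS client would accept any certificate.
def verification_disabled?(http)
  http.use_ssl? && http.verify_mode == OpenSSL::SSL::VERIFY_NONE
end

# Build a client with peer verification set explicitly. ca_file is optional;
# without it the platform default CA store applies. Net::HTTP.new does not connect.
def build_verified_client(host, port = 443, ca_file: nil)
  http = Net::HTTP.new(host, port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.ca_file = ca_file if ca_file
  http
end

# Constructed sample source (hypothetical, not the rule's own test file).
SAMPLE_SOURCE = <<~RUBY
  http = Net::HTTP.new("example.test", 443)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_NONE
  response = http.request(Net::HTTP::Get.new("/"))
RUBY

if __FILE__ == $PROGRAM_NAME
  find_unverified_ssl(SAMPLE_SOURCE).each { |n, line| puts "#{n}: #{line}" }
  puts fix_unverified_ssl(SAMPLE_SOURCE)
end
```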
Short Link: https://sg.run/kLxX