rust.lang.security.reqwest-accept-invalid.reqwest-accept-invalid


Dangerously accepting invalid TLS information


Definition

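rules:
  - id: reqwest-accept-invalid
    # Flags reqwest client builders that switch off TLS certificate validation
    # or hostname verification. With either setter enabled the client accepts
    # any certificate, so an on-path attacker can impersonate the server
    # (CWE-295). The patterns only match a literal `true` argument; a value
    # passed through a variable or config flag is not reported.
    message: Dangerously accepting invalid TLS information
    pattern-either:
      # Async client: Client::builder() and ClientBuilder::new() are equivalent
      # entry points to the same builder.
      - pattern: reqwest::Client::builder(). ... .danger_accept_invalid_hostnames(true)
      - pattern: reqwest::Client::builder(). ... .danger_accept_invalid_certs(true)
      - pattern: reqwest::ClientBuilder::new(). ... .danger_accept_invalid_hostnames(true)
      - pattern: reqwest::ClientBuilder::new(). ... .danger_accept_invalid_certs(true)
      # Blocking client: exposes the same two setters on its own builder.
      - pattern: reqwest::blocking::Client::builder(). ... .danger_accept_invalid_hostnames(true)
      - pattern: reqwest::blocking::Client::builder(). ... .danger_accept_invalid_certs(true)
      - pattern: reqwest::blocking::ClientBuilder::new(). ... .danger_accept_invalid_hostnames(true)
      - pattern: reqwest::blocking::ClientBuilder::new(). ... .danger_accept_invalid_certs(true)
    metadata:
      references:
        - https://docs.rs/reqwest/latest/reqwest/struct.ClientBuilder.html#method.danger_accept_invalid_hostnames
        - https://docs.rs/reqwest/latest/reqwest/struct.ClientBuilder.html#method.danger_accept_invalid_certs
      technology:
        - reqwest
      category: security
      cwe: "CWE-295: Improper Certificate Validation"
      confidence: HIGH
      # LOW likelihood because exploitation needs an on-path position; impact is
      # MEDIUM because a successful MITM reads or alters every request.
      likelihood: LOW
      impact: MEDIUM
      subcategory: vuln
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authentication
    languages:
      - rust
    severity: WARNING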

Examples

reqwest-accept-invalid.rs

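use reqwest::header;

// Semgrep test fixture for `reqwest-accept-invalid`: every `ruleid` line must
// produce a finding, every `ok` line must not. The rule anchors on a
// `reqwest::Client::builder()` chain ending in one of the two `danger_*`
// setters called with a literal `true`.

// ruleid: reqwest-accept-invalid
let client = reqwest::Client::builder()
    .danger_accept_invalid_hostnames(true)
    .build();

// ruleid: reqwest-accept-invalid
let client = reqwest::Client::builder()
    .danger_accept_invalid_certs(true)
    .build();

// Intermediate builder calls must not hide the dangerous setter.
// ruleid: reqwest-accept-invalid
let client = reqwest::Client::builder()
    .user_agent("USER AGENT")
    .cookie_store(true)
    .danger_accept_invalid_hostnames(true)
    .build();

// ruleid: reqwest-accept-invalid
let client = reqwest::Client::builder()
    .user_agent("USER AGENT")
    .cookie_store(true)
    .danger_accept_invalid_certs(true)
    .build();

// ok: reqwest-accept-invalid
let client = reqwest::Client::builder()
    .user_agent("USER AGENT")
    .build();

// Explicitly keeping verification enabled is the secure default; the rule
// matches only a literal `true`, so this must stay silent.
// ok: reqwest-accept-invalid
let client = reqwest::Client::builder()
    .danger_accept_invalid_certs(false)
    .build();

// The blocking client exposes the same setters through a different builder
// path; recorded as `todoruleid` so the fixture documents that the
// `reqwest::Client::builder()` anchor alone does not reach it.
// todoruleid: reqwest-accept-invalid
let client = reqwest::blocking::Client::builder()
    .danger_accept_invalid_certs(true)
    .build();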