rust.lang.security.ssl-verify-none.ssl-verify-none

Author: semgrep

SSL verification disabled, this allows for MitM attacks


Definition

rules:
  - id: ssl-verify-none
    message: SSL verification disabled, this allows for MitM attacks
    pattern: $BUILDER.set_verify(openssl::ssl::SSL_VERIFY_NONE)
    metadata:
      references:
        - https://docs.rs/openssl/latest/openssl/ssl/struct.SslContextBuilder.html#method.set_verify
      technology:
        - openssl
      category: security
      cwe: "CWE-295: Improper Certificate Validation"
      confidence: HIGH
      likelihood: LOW
      impact: MEDIUM
      subcategory: vuln
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authentication
    languages:
      - rust
    severity: WARNING

Examples

ssl-verify-none.rs

use openssl::ssl::{SslMethod, SslConnectorBuilder, SSL_VERIFY_NONE, SSL_VERIFY_PEER};

fn main() {
    let mut connector = SslConnectorBuilder::new(SslMethod::tls()).unwrap();

    // ruleid: ssl-verify-none
    // Disables certificate validation entirely: any certificate presented by the peer is accepted.
    connector.builder_mut().set_verify(SSL_VERIFY_NONE);

    // ok: ssl-verify-none
    // Validates the peer certificate against the configured trust store (the default behaviour).
    connector.builder_mut().set_verify(SSL_VERIFY_PEER);

    // `OpenSsl` is assumed to be an HTTP-client wrapper type (e.g. from hyper-openssl); its import is not shown on the page.
    let openssl = OpenSsl::from(connector.build());
}
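The registry rule above matches only the constant-style `SSL_VERIFY_NONE` of older openssl crate releases. As an added example (not part of the registry rule), the following rule extends the same check with `pattern-either` to also cover the bitflags-style `SslVerifyMode::NONE` and the equivalent `SslVerifyMode::empty()` used by current openssl crate versions; the rule id is hypothetical.

```yaml
rules:
  - id: ssl-verify-none-extended   # hypothetical id, not a registry rule
    message: SSL verification disabled, this allows for MitM attacks
    languages:
      - rust
    severity: WARNING
    pattern-either:
      # Constant-style API (older openssl crate releases), qualified and unqualified
      - pattern: $BUILDER.set_verify(openssl::ssl::SSL_VERIFY_NONE)
      - pattern: $BUILDER.set_verify(SSL_VERIFY_NONE)
      # Bitflags-style API (current openssl crate releases), qualified and unqualified
      - pattern: $BUILDER.set_verify(openssl::ssl::SslVerifyMode::NONE)
      - pattern: $BUILDER.set_verify(SslVerifyMode::NONE)
      # An empty mode set is the same as NONE: no peer certificate check at all
      - pattern: $BUILDER.set_verify(SslVerifyMode::empty())
    metadata:
      category: security
      cwe: "CWE-295: Improper Certificate Validation"
      confidence: HIGH
      likelihood: LOW
      impact: MEDIUM
      subcategory: vuln
      technology:
        - openssl
      references:
        - https://docs.rs/openssl/latest/openssl/ssl/struct.SslContextBuilder.html#method.set_verify
```

A `set_verify(SslVerifyMode::PEER)` call (or leaving the default in place) is the corrected form and is not matched by any of these patterns.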