rust.lang.security.ssl-verify-none.ssl-verify-none

profile photo of returntocorpreturntocorp
Author
unknown
Download Count*
LGPL Commons Clause
License

SSL verification disabled, this allows for MitM attacks

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: ssl-verify-none
    message: SSL verification disabled, this allows for MitM attacks
    pattern: $BUILDER.set_verify(openssl::ssl::SSL_VERIFY_NONE)
    metadata:
      references:
        - https://docs.rs/openssl/latest/openssl/ssl/struct.SslContextBuilder.html#method.set_verify
      technology:
        - openssl
      category: security
      cwe: "CWE-295: Improper Certificate Validation"
      confidence: HIGH
      likelihood: LOW
      impact: MEDIUM
      subcategory: vuln
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - rust
    severity: WARNING

Examples

ssl-verify-none.rs

use openssl::ssl::{SslMethod, SslConnectorBuilder, SSL_VERIFY_NONE};

let mut connector = SslConnectorBuilder::new(SslMethod::tls()).unwrap();

// ruleid: ssl-verify-none
connector.builder_mut().set_verify(SSL_VERIFY_NONE);

// ok: ssl-verify-none
connector.builder_mut().set_verify(SSL_VERIFY_PEER);

let openssl = OpenSsl::from(connector.build());