trailofbits.generic.curl-insecure.curl-insecure

profile photo of trailofbitstrailofbits
Author
unknown
Download Count*
CC BY-NC-SA 4.0
License

Found curl command disabling SSL verification

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: curl-insecure
    message: Found `curl` command disabling SSL verification
    languages:
      - generic
    severity: WARNING
    metadata:
      category: security
      subcategory:
        - audit
      technology:
        - shell
      cwe: "CWE-295: Improper Certificate Validation"
      confidence: MEDIUM
      likelihood: MEDIUM
      impact: HIGH
      references:
        - https://curl.se/docs/manpage.html
      license: AGPL-3.0 license
      vulnerability_class:
        - Improper Authentication
    pattern-either:
      - pattern: "curl ... -k "
      - pattern: curl ... --insecure

Examples

curl-insecure.sh

#!/bin/bash

# ruleid: curl-insecure
curl -k https://google.com > /dev/null

# ruleid: curl-insecure
curl --insecure https://google.com > /dev/null

# ok: curl-insecure
curl --ksomeotherflag https://google.com > /dev/null

# ok: curl-insecure
curl https://google.com > /dev/null