trailofbits.generic.wget-no-check-certificate.wget-no-check-certificate

Author: trailofbits
Found wget command disabling SSL verification


Definition

rules:
  - id: wget-no-check-certificate
    message: Found `wget` command disabling SSL verification
    languages:
      - generic
    severity: WARNING
    metadata:
      category: security
      subcategory:
        - audit
      technology:
        - shell
      cwe: "CWE-295: Improper Certificate Validation"
      confidence: MEDIUM
      likelihood: MEDIUM
      impact: HIGH
      references:
        - https://linux.die.net/man/1/wget
      license: AGPL-3.0 license
      vulnerability_class:
        - Improper Authentication
    pattern-either:
      - pattern: wget ... --no-check-certificate
      - pattern: wget ... --no-hsts

Examples

wget-no-check-certificate.sh

#!/bin/bash

# ruleid: wget-no-check-certificate
wget --no-check-certificate https://google.com

# ruleid: wget-no-check-certificate
wget --no-hsts https://google.com

# ok: wget-no-check-certificate
wget https://google.com
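As an added illustration (not part of the rule, its test file, or the Semgrep engine), the following Python checker applies the same two patterns to a shell script and additionally follows commands split over backslash continuations, which a plain line-by-line grep for `wget` would miss. The helper names and the sample script are constructed for this example.

```python
# Added example, not the semgrep engine or the rule's test file: applies the
# rule's two patterns to a shell script. Names and the sample are constructed.
import shlex

WEAK_FLAGS = {"--no-check-certificate", "--no-hsts"}   # flags the rule matches
SEPARATORS = {";", "&&", "||", "|", "&", "(", ")"}     # end of one command

def join_continuations(script: str) -> list[tuple[int, str]]:
    """Fold backslash-newline continuations, keeping the starting line number."""
    out, buf, start = [], "", None
    for n, line in enumerate(script.splitlines(), 1):
        start = n if start is None else start
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1] + " "
            continue
        out.append((start, buf + line))
        buf, start = "", None
    if buf:
        out.append((start, buf))
    return out

def find_weak_wget(script: str) -> list[tuple[int, str]]:
    """Return (line, flag) for every wget command carrying a weak flag."""
    findings = []
    for lineno, logical in join_continuations(script):
        # shlex drops '#' comments; punctuation_chars makes ';' '&&' '|' own tokens
        lex = shlex.shlex(logical, posix=True, punctuation_chars=True)
        lex.whitespace_split = True
        try:
            tokens = list(lex)
        except ValueError:          # unbalanced quotes: skip, do not crash
            continue
        in_wget = False
        for tok in tokens:
            if tok in SEPARATORS:
                in_wget = False
            elif tok == "wget" or tok.endswith("/wget"):
                in_wget = True
            elif in_wget and tok in WEAK_FLAGS:
                findings.append((lineno, tok))
    return findings

# Constructed sample: lines 1, 2 and 3 should be flagged, the last two not.
SAMPLE = """wget --no-check-certificate https://google.com
wget --no-hsts https://google.com
wget -q \\
     --no-check-certificate -O /tmp/x https://google.com
echo '--no-check-certificate'   # a string argument, not a wget flag
wget https://google.com
"""
```

Running `find_weak_wget(SAMPLE)` reports the three weakened invocations by starting line, and ignores the flag when it appears only as a string argument to another command.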