trailofbits.jvm.mongo-hostname-verification-disabled.mongo-hostname-verification-disabled
Found MongoDB client with SSL hostname verification disabled
Definition
# Flags MongoDB Java/Kotlin driver code that switches off TLS hostname
# verification on the SslSettings builder. Hostname verification is the step
# that binds the presented server certificate to the host being connected to;
# with it disabled, a certificate issued by any trusted CA for any other name is
# accepted, which is what CWE-295 describes. Remediation is to remove the call
# and fix the server certificate's name instead.
rules:
  - id: mongo-hostname-verification-disabled
    message: Found MongoDB client with SSL hostname verification disabled
    languages:
      - java
      - kotlin
    severity: WARNING
    metadata:
      category: security
      subcategory:
        - audit
      technology:
        - java
        - kotlin
        - mongodb
      cwe: "CWE-295: Improper Certificate Validation"
      confidence: HIGH
      likelihood: HIGH
      impact: HIGH
      references:
        - https://www.mongodb.com/docs/drivers/java/sync/current/fundamentals/connection/tls/#disable-hostname-verification
      license: AGPL-3.0 license
      vulnerability_class:
        - Improper Authentication
    # $SETTINGS matches any receiver expression, so both the lambda-style
    # `builder.invalidHostNameAllowed(true)` and a direct builder call match.
    # Only a literal `true` argument is matched: a flag read from configuration
    # or a local variable is NOT reported, so an audit should still search for
    # the method name itself to find config-driven toggles.
    pattern: $SETTINGS.invalidHostNameAllowed(true)
Examples
mongo-hostname-verification-disabled.java
package test
import com.mongodb.MongoClientSettings
import com.mongodb.MongoClients
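/**
 * Semgrep test fixture for mongo-hostname-verification-disabled.
 *
 * The first builder disables TLS hostname verification and must be reported;
 * the second enables TLS without calling {@code invalidHostNameAllowed} and
 * must not be. The fixture only needs to parse, it is not meant to run, but
 * the two locals are given distinct names so it is no longer a redeclaration
 * of {@code settings} in the same scope.
 */
class HelloWorld {
    public static void main(String[] args) {
        // Hostname verification binds the server certificate to the host named
        // in the connection string. Allowing invalid host names accepts any
        // certificate a trusted CA issued, for any host (CWE-295).
        MongoClientSettings insecureSettings = MongoClientSettings.builder()
            .applyToSslSettings(builder -> {
                builder.enabled(true);
                // ruleid: mongo-hostname-verification-disabled
                builder.invalidHostNameAllowed(true);
            })
            .build();
        // TLS enabled, hostname verification untouched: not reported.
        MongoClientSettings secureSettings = MongoClientSettings.builder()
            .applyToSslSettings(builder -> {
                // ok: mongo-hostname-verification-disabled
                builder.enabled(true);
            })
            .build();
    }
}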
mongo-hostname-verification-disabled.kt
package test
import com.mongodb.MongoClientSettings
import com.mongodb.MongoClients
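/**
 * Semgrep test fixture for mongo-hostname-verification-disabled.
 *
 * The first client disables TLS hostname verification and must be reported;
 * the second enables TLS without touching `invalidHostNameAllowed` and must
 * not be. The fixture only needs to parse, it is not meant to run, but the two
 * locals are given distinct names so `mongoClient` is no longer declared twice
 * in the same scope.
 */
fun main() {
    // Hostname verification binds the server certificate to the host in the
    // connection string; allowing invalid host names accepts any certificate
    // issued by a trusted CA, for any host (CWE-295).
    val insecureClient = MongoClient.create(
        MongoClientSettings.builder()
            .applyConnectionString(ConnectionString("<your connection string>"))
            .applyToSslSettings { builder ->
                builder.enabled(true)
                // ruleid: mongo-hostname-verification-disabled
                builder.invalidHostNameAllowed(true)
            }
            .build()
    )
    // TLS enabled, hostname verification untouched: not reported.
    val secureClient = MongoClient.create(
        MongoClientSettings.builder()
            .applyConnectionString(ConnectionString("<your connection string>"))
            .applyToSslSettings { builder ->
                // ok: mongo-hostname-verification-disabled
                builder.enabled(true)
            }
            .build()
    )
}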