trailofbits.jvm.mongo-hostname-verification-disabled.mongo-hostname-verification-disabled


Found MongoDB client with SSL hostname verification disabled


Definition

# Flags MongoDB Java/Kotlin client code that opts out of TLS hostname
# verification (CWE-295). With verification off, a certificate that does
# not name the host being connected to is still accepted, so TLS no longer
# proves the client is talking to the intended server.
rules:
  - id: mongo-hostname-verification-disabled
    message: Found MongoDB client with SSL hostname verification disabled
    languages:
      - java
      - kotlin
    severity: WARNING
    metadata:
      category: security
      subcategory:
        - audit
      technology:
        - java
        - kotlin
        - mongodb
      cwe: "CWE-295: Improper Certificate Validation"
      confidence: HIGH
      likelihood: HIGH
      impact: HIGH
      references:
        - https://www.mongodb.com/docs/drivers/java/sync/current/fundamentals/connection/tls/#disable-hostname-verification
      license: AGPL-3.0 license
      vulnerability_class:
        - Improper Authentication
    # $SETTINGS is a metavariable, so the receiver may be any expression --
    # in practice the builder handed to applyToSslSettings, as in the examples.
    # Only the literal argument `true` is matched; a call that passes a
    # variable is reported only where Semgrep's constant propagation resolves
    # it to `true` -- TODO confirm that case is covered by the test fixtures.
    pattern: $SETTINGS.invalidHostNameAllowed(true)

Examples

mongo-hostname-verification-disabled.java

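// Java requires a terminating ';' on package and import declarations.
package test;

import com.mongodb.MongoClientSettings;
import com.mongodb.MongoClients;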

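/**
 * Semgrep test fixture for {@code mongo-hostname-verification-disabled}.
 *
 * <p>The first settings object disables TLS hostname verification via
 * {@code invalidHostNameAllowed(true)} and must be reported; the second
 * enables TLS and leaves hostname verification at the driver default, so it
 * must not be. The {@code // ruleid:} and {@code // ok:} comments are the
 * markers the Semgrep test runner checks, so each must stay on the line
 * directly above the call it annotates.
 */
class HelloWorld {
    public static void main(String[] args) {
        // Vulnerable: hostname verification is switched off, so a certificate
        // issued for another host is accepted for this connection.
        MongoClientSettings insecureSettings = MongoClientSettings.builder()
            .applyToSslSettings(builder -> {
                builder.enabled(true);
                // ruleid: mongo-hostname-verification-disabled
                builder.invalidHostNameAllowed(true);
            })
            .build();

        // Safe: TLS enabled with default hostname verification. A distinct
        // local name is required -- Java does not allow redeclaring a local
        // variable in the same scope.
        MongoClientSettings secureSettings = MongoClientSettings.builder()
            .applyToSslSettings(builder -> {
                // ok: mongo-hostname-verification-disabled
                builder.enabled(true);
            })
            .build();
    }
}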

mongo-hostname-verification-disabled.kt

package test

import com.mongodb.MongoClientSettings
import com.mongodb.MongoClients

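/**
 * Semgrep test fixture for `mongo-hostname-verification-disabled`.
 *
 * The first client disables TLS hostname verification through
 * `invalidHostNameAllowed(true)` and must be reported; the second enables
 * TLS and leaves hostname verification at the driver default, so it must
 * not be. The `// ruleid:` and `// ok:` comments are the markers the Semgrep
 * test runner checks and must stay on the line directly above the call they
 * annotate.
 *
 * NOTE(review): `MongoClient` and `ConnectionString` are used without an
 * import (only `MongoClientSettings` and `MongoClients` are imported above)
 * -- confirm which driver artifact this fixture is meant to target.
 */
fun main() {
    // Vulnerable: hostname verification is off, so a certificate issued for
    // another host is accepted for this connection.
    val insecureClient = MongoClient.create(
        MongoClientSettings.builder()
            .applyConnectionString(ConnectionString("<your connection string>"))
            .applyToSslSettings { builder ->
                builder.enabled(true)
                // ruleid: mongo-hostname-verification-disabled
                builder.invalidHostNameAllowed(true)
            }
            .build()
    )

    // Safe: TLS enabled with default hostname verification. A distinct name
    // is required -- Kotlin rejects redeclaring a `val` in the same scope.
    val secureClient = MongoClient.create(
        MongoClientSettings.builder()
            .applyConnectionString(ConnectionString("<your connection string>"))
            .applyToSslSettings { builder ->
                // ok: mongo-hostname-verification-disabled
                builder.enabled(true)
            }
            .build()
    )
}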