trailofbits.yaml.ansible.apt-key-validate-certs-disabled.apt-key-validate-certs-disabled
trailofbits
Found apt key with SSL verification disabled
Definition
# Semgrep rule: flag Ansible apt_key tasks that download a key from a URL
# while validate_certs is set to a false value (TLS certificate checks off).
rules:
  - id: apt-key-validate-certs-disabled
    message: Found apt key with SSL verification disabled
    languages:
      - yaml
    severity: WARNING
    metadata:
      category: security
      cwe: "CWE-295: Improper Certificate Validation"
      subcategory:
        - audit
      technology:
        - ansible
        - apt
      confidence: HIGH
      likelihood: HIGH
      impact: HIGH
      references:
        - https://docs.ansible.com/ansible/latest/collections/ansible/builtin/apt_key_module.html#parameter-validate_certs
      license: AGPL-3.0 license
      vulnerability_class:
        - Improper Authentication
    patterns:
      # Scope: only module-argument mappings that contain a `url:` entry.
      # Per the referenced apt_key docs, validate_certs governs the fetch
      # from that url, so tasks without `url:` are deliberately ignored.
      - pattern-inside: |
          $APTKEY:
            ...
            url: ...
            ...
      # The mapping must be the apt_key module, short or fully-qualified name.
      - metavariable-pattern:
          metavariable: $APTKEY
          pattern-either:
            - pattern: apt_key
            - pattern: ansible.builtin.apt_key
      # Match a single key/value entry of that mapping ...
      - pattern: "$KEY: $VALUE"
      # ... whose key is validate_certs ...
      - metavariable-pattern:
          metavariable: $KEY
          pattern-either:
            - pattern: validate_certs
      # ... and whose value is a boolean false. The accompanying test file
      # expects every YAML 1.1 false spelling (off/no/n/False/FALSE/...) to
      # be matched by this single `false` pattern; quoted string values such
      # as "no" are not covered by the tests — see the test file.
      - metavariable-pattern:
          metavariable: $VALUE
          pattern-either:
            - pattern: "false"
Examples
apt-key-validate-certs-disabled.test.yaml
---
# Semgrep test playbook for apt-key-validate-certs-disabled.
# Positive cases walk through every false spelling listed in
# https://yaml.org/type/bool.html (off/Off/OFF, false/False/FALSE, n/N,
# no/No/NO) so the rule's single `false` pattern is checked against each.
# NOTE(review): no case uses a quoted value such as `validate_certs: "no"`.
# Ansible's boolean coercion presumably still treats that string as false
# (certificate checks disabled), but to the YAML parser it is a string, so
# whether the rule matches it is unverified here — worth adding a case.
- name: Semgrep tests
  hosts: all
  tasks:
    - name: Positive test
      ansible.builtin.apt_key:
        url: https://example.com/example-key.asc
        state: present
        # ruleid: apt-key-validate-certs-disabled
        validate_certs: off
    - name: Positive test
      ansible.builtin.apt_key:
        url: https://example.com/example-key.asc
        state: present
        # ruleid: apt-key-validate-certs-disabled
        validate_certs: Off
    - name: Positive test
      ansible.builtin.apt_key:
        url: https://example.com/example-key.asc
        state: present
        # ruleid: apt-key-validate-certs-disabled
        validate_certs: OFF
    - name: Positive test
      ansible.builtin.apt_key:
        url: https://example.com/example-key.asc
        state: present
        # ruleid: apt-key-validate-certs-disabled
        validate_certs: false
    - name: Positive test
      ansible.builtin.apt_key:
        url: https://example.com/example-key.asc
        state: present
        # ruleid: apt-key-validate-certs-disabled
        validate_certs: False
    - name: Positive test
      ansible.builtin.apt_key:
        url: https://example.com/example-key.asc
        state: present
        # ruleid: apt-key-validate-certs-disabled
        validate_certs: FALSE
    - name: Positive test
      ansible.builtin.apt_key:
        url: https://example.com/example-key.asc
        state: present
        # ruleid: apt-key-validate-certs-disabled
        validate_certs: N
    - name: Positive test
      ansible.builtin.apt_key:
        url: https://example.com/example-key.asc
        state: present
        # ruleid: apt-key-validate-certs-disabled
        validate_certs: n
    - name: Positive test
      ansible.builtin.apt_key:
        url: https://example.com/example-key.asc
        state: present
        # ruleid: apt-key-validate-certs-disabled
        validate_certs: no
    - name: Positive test
      ansible.builtin.apt_key:
        url: https://example.com/example-key.asc
        state: present
        # ruleid: apt-key-validate-certs-disabled
        validate_certs: No
    - name: Positive test
      ansible.builtin.apt_key:
        url: https://example.com/example-key.asc
        state: present
        # ruleid: apt-key-validate-certs-disabled
        validate_certs: NO
    # Negative: validate_certs omitted, so the module default applies
    # (the referenced docs describe the default as validating).
    - name: Negative test
      ansible.builtin.apt_key:
        # ok: apt-key-validate-certs-disabled
        url: https://example.com/example-key.asc
        state: present
    # Negative: validation explicitly enabled.
    - name: Negative test
      ansible.builtin.apt_key:
        url: https://example.com/example-key.asc
        state: present
        # ok: apt-key-validate-certs-disabled
        validate_certs: true