
Commit c986e71

committed
ssl-verify-none-rust
1 parent a7db225 commit c986e71


3 files changed

+203
-0
lines changed

3 files changed

+203
-0
lines changed
Lines changed: 87 additions & 0 deletions
@@ -0,0 +1,87 @@
1+
id: ssl-verify-none-rust
2+
language: rust
3+
severity: warning
4+
message: >-
5+
SSL verification disabled, this allows for MitM attacks
6+
note: >-
7+
[CWE-295]: Improper Certificate Validation
8+
[REFERENCES]
9+
- https://docs.rs/openssl/latest/openssl/ssl/struct.SslContextBuilder.html#method.set_verify
10+
11+
rule:
12+
kind: call_expression
13+
any:
14+
- pattern: $BUILDER.set_verify(open::ssl::SSL_VERIFY_NONE)
15+
inside:
16+
stopBy: end
17+
kind: source_file
18+
has:
19+
kind: use_declaration
20+
any:
21+
- pattern: use openssl;
22+
- pattern: use openssl::ssl;
23+
- pattern: use openssl::ssl::SSL_VERIFY_NONE;
24+
- has:
25+
stopBy: end
26+
kind: use_list
27+
has:
28+
stopBy: end
29+
kind: identifier
30+
pattern: SSL_VERIFY_NONE
31+
- pattern: $BUILDER.set_verify(ssl::SSL_VERIFY_NONE)
32+
inside:
33+
stopBy: end
34+
kind: source_file
35+
has:
36+
kind: use_declaration
37+
any:
38+
- pattern: use openssl::ssl;
39+
- pattern: use openssl::ssl::SSL_VERIFY_NONE;
40+
- has:
41+
stopBy: end
42+
kind: use_list
43+
has:
44+
stopBy: end
45+
kind: identifier
46+
pattern: SSL_VERIFY_NONE
47+
- pattern: $BUILDER.set_verify(SSL_VERIFY_NONE)
48+
inside:
49+
stopBy: end
50+
kind: source_file
51+
has:
52+
kind: use_declaration
53+
any:
54+
- pattern: use openssl;
55+
- pattern: use openssl::ssl;
56+
- pattern: use openssl::ssl::SSL_VERIFY_NONE;
57+
- has:
58+
stopBy: end
59+
kind: use_list
60+
has:
61+
stopBy: end
62+
kind: identifier
63+
pattern: SSL_VERIFY_NONE
64+
- pattern: $BUILDER.set_verify($ALIAS)
65+
inside:
66+
stopBy: end
67+
kind: source_file
68+
has:
69+
kind: use_declaration
70+
any:
71+
- pattern: use openssl::ssl::SSL_VERIFY_NONE as $ALIAS;
72+
- has:
73+
stopBy: end
74+
kind: use_list
75+
has:
76+
stopBy: end
77+
kind: use_as_clause
78+
all:
79+
- has:
80+
kind: identifier
81+
field: path
82+
pattern: SSL_VERIFY_NONE
83+
- has:
84+
kind: identifier
85+
field: alias
86+
pattern: $ALIAS
87+
- pattern: $BUILDER.set_verify(open::ssl::SSL_VERIFY_NONE);
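Review bot: The path in the first and last alternatives, `open::ssl::SSL_VERIFY_NONE`, is not the crate's path — the fully qualified constant is `openssl::ssl::SSL_VERIFY_NONE` — so code that spells the qualified path correctly is never flagged, and the suite only passes because the invalid test case and its snapshot in the other two files repeat the same `open::ssl` spelling. Change the first alternative to `- pattern: $BUILDER.set_verify(openssl::ssl::SSL_VERIFY_NONE)` and drop its `inside` requirement, since a fully qualified path needs no `use` declaration on the 2018 edition and the requirement can only produce false negatives. The trailing duplicate `$BUILDER.set_verify(open::ssl::SSL_VERIFY_NONE);` looks like a leftover; with `kind: call_expression` the semicolon belongs to the enclosing statement, so that pattern most likely never matches and can be removed. The current openssl crate's `set_verify` takes an `SslVerifyMode`, so a further alternative `- pattern: $BUILDER.set_verify(SslVerifyMode::NONE)` (plus its `openssl::ssl::SslVerifyMode::NONE` qualified form, with matching `use` handling) is needed to catch the form most current code uses.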
Lines changed: 94 additions & 0 deletions
@@ -0,0 +1,94 @@
1+
id: ssl-verify-none-rust
2+
snapshots:
3+
? "use openssl::ssl::{\n SslMethod, \n SslConnectorBuilder,\n SSL_VERIFY_NONE as NoVerify\n};\nconnector.builder_mut().set_verify(NoVerify);\n"
4+
: labels:
5+
- source: connector.builder_mut().set_verify(NoVerify)
6+
style: primary
7+
start: 91
8+
end: 135
9+
- source: SSL_VERIFY_NONE
10+
style: secondary
11+
start: 60
12+
end: 75
13+
- source: NoVerify
14+
style: secondary
15+
start: 79
16+
end: 87
17+
- source: SSL_VERIFY_NONE as NoVerify
18+
style: secondary
19+
start: 60
20+
end: 87
21+
- source: "{\n SslMethod, \n SslConnectorBuilder,\n SSL_VERIFY_NONE as NoVerify\n}"
22+
style: secondary
23+
start: 18
24+
end: 89
25+
- source: "use openssl::ssl::{\n SslMethod, \n SslConnectorBuilder,\n SSL_VERIFY_NONE as NoVerify\n};"
26+
style: secondary
27+
start: 0
28+
end: 90
29+
- source: "use openssl::ssl::{\n SslMethod, \n SslConnectorBuilder,\n SSL_VERIFY_NONE as NoVerify\n};\nconnector.builder_mut().set_verify(NoVerify);\n"
30+
style: secondary
31+
start: 0
32+
end: 137
33+
? |
34+
use openssl::ssl::{SslMethod, SslConnectorBuilder, SSL_VERIFY_NONE};
35+
connector.builder_mut().set_verify(SSL_VERIFY_NONE);
36+
: labels:
37+
- source: connector.builder_mut().set_verify(SSL_VERIFY_NONE)
38+
style: primary
39+
start: 69
40+
end: 120
41+
- source: SSL_VERIFY_NONE
42+
style: secondary
43+
start: 51
44+
end: 66
45+
- source: '{SslMethod, SslConnectorBuilder, SSL_VERIFY_NONE}'
46+
style: secondary
47+
start: 18
48+
end: 67
49+
- source: use openssl::ssl::{SslMethod, SslConnectorBuilder, SSL_VERIFY_NONE};
50+
style: secondary
51+
start: 0
52+
end: 68
53+
- source: |
54+
use openssl::ssl::{SslMethod, SslConnectorBuilder, SSL_VERIFY_NONE};
55+
connector.builder_mut().set_verify(SSL_VERIFY_NONE);
56+
style: secondary
57+
start: 0
58+
end: 122
59+
? |
60+
use openssl::ssl;
61+
connector.builder_mut().set_verify(ssl::SSL_VERIFY_NONE);
62+
: labels:
63+
- source: connector.builder_mut().set_verify(ssl::SSL_VERIFY_NONE)
64+
style: primary
65+
start: 18
66+
end: 74
67+
- source: use openssl::ssl;
68+
style: secondary
69+
start: 0
70+
end: 17
71+
- source: |
72+
use openssl::ssl;
73+
connector.builder_mut().set_verify(ssl::SSL_VERIFY_NONE);
74+
style: secondary
75+
start: 0
76+
end: 76
77+
? |
78+
use openssl;
79+
connector.builder_mut().set_verify(open::ssl::SSL_VERIFY_NONE);
80+
: labels:
81+
- source: connector.builder_mut().set_verify(open::ssl::SSL_VERIFY_NONE)
82+
style: primary
83+
start: 13
84+
end: 75
85+
- source: use openssl;
86+
style: secondary
87+
start: 0
88+
end: 12
89+
- source: |
90+
use openssl;
91+
connector.builder_mut().set_verify(open::ssl::SSL_VERIFY_NONE);
92+
style: secondary
93+
start: 0
94+
end: 77
Lines changed: 22 additions & 0 deletions
@@ -0,0 +1,22 @@
1+
id: ssl-verify-none-rust
2+
valid:
3+
- |
4+
use openssl::ssl::SSL_VERIFY_NONE;
5+
connector.builder_mut().set_verify(SSL_VERIFY_PEER);
6+
invalid:
7+
- |
8+
use openssl;
9+
connector.builder_mut().set_verify(open::ssl::SSL_VERIFY_NONE);
10+
- |
11+
use openssl::ssl;
12+
connector.builder_mut().set_verify(ssl::SSL_VERIFY_NONE);
13+
- |
14+
use openssl::ssl::{SslMethod, SslConnectorBuilder, SSL_VERIFY_NONE};
15+
connector.builder_mut().set_verify(SSL_VERIFY_NONE);
16+
- |
17+
use openssl::ssl::{
18+
SslMethod,
19+
SslConnectorBuilder,
20+
SSL_VERIFY_NONE as NoVerify
21+
};
22+
connector.builder_mut().set_verify(NoVerify);
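Review bot: The `valid` list has no case for the alias branch of the rule, so an over-match of `$BUILDER.set_verify($ALIAS)` would go unnoticed; add a second valid entry with `use openssl::ssl::SSL_VERIFY_NONE as NoVerify;` followed by `connector.builder_mut().set_verify(SSL_VERIFY_PEER);`, which imports the alias but enables verification. A valid case using `SslVerifyMode::PEER` would likewise pin that turning verification on is never reported if the rule is later extended to the `SslVerifyMode` form.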
