Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CPP: Disabled SSL certificate verification #16811

Merged
merged 4 commits into from
Sep 19, 2024
Merged

CPP: Disabled SSL certificate verification #16811

merged 4 commits into from
Sep 19, 2024
+137 −0

Conversation

porcupineyhairs
Copy link
Contributor

Disable SSL certificate verification can expose the communication to MITM attacks.

This PR adds a query to detect the same. This also include the tests and qhelp for the same.

@porcupineyhairs
CPP: Disabled SSL certificate verification
a7cdf0e 
Disable SSL certificate verification can expose the communication to MITM attacks.

This PR adds a query to detect the same. This also include the tests and qhelp for the same.
@porcupineyhairs porcupineyhairs requested a review from a team as a code owner June 23, 2024 09:17
@porcupineyhairs porcupineyhairs mentioned this pull request Jun 23, 2024
Open
2 tasks
@ghsecuritylab
Copy link
Collaborator

Hello porcupineyhairs 👋
You have submitted this pull request as a bug bounty report in the github/securitylab repository and therefore this pull request has been put into draft state to give time for the GitHub Security Lab to assess the PR. When GitHub Security Lab has finished assessing your pull request, it will be marked automatically as Ready for review. Until then, please don't change the draft state.

In the meantime, feel free to make changes to the pull request. If you'd like to maximize payout for your this and future submissions, here are a few general guidelines, that we might take into consideration when reviewing a submission.

  • the submission models widely-used frameworks/libraries
  • the vulnerability modeled in the submission is impactful
  • the submission finds new true positive vulnerabilities
  • the submission finds very few false positives
  • code in the submission is easy to read and will be easy to maintain
  • documentation is written clearly, highlighting the impact of the issue it finds and is written without grammatical or other errors. The code samples clearly show the vulnerability
  • the submission includes tests, change note etc.

Please note that these are guidelines, not rules. Since we have a lot of different types of submissions, the guidelines might vary for each submission.

Happy hacking!

@ghsecuritylab ghsecuritylab marked this pull request as draft June 24, 2024 00:10
@ghsecuritylab ghsecuritylab marked this pull request as ready for review July 1, 2024 11:20
geoffw0
geoffw0 reviewed Sep 2, 2024
View reviewed changes
Copy link
Contributor

@geoffw0 geoffw0 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Query looks good to me - just a few suggestions around the docs and test (the docs don't need to be perfect for experimental though). I also found some results in the wild, and all of those results looked great!

cpp/ql/src/experimental/Security/CWE/CWE-295/CurlSSL.qhelp Outdated Show resolved Hide resolved
cpp/ql/src/experimental/Security/CWE/CWE-295/CurlSSL.qhelp Outdated Show resolved Hide resolved
cpp/ql/src/experimental/Security/CWE/CWE-295/CurlSSL.qhelp Outdated Show resolved Hide resolved
cpp/ql/src/experimental/Security/CWE/CWE-295/CurlSSL.qhelp Outdated Show resolved Hide resolved
cpp/ql/src/experimental/Security/CWE/CWE-295/CurlSSLBad.cpp Outdated Show resolved Hide resolved
cpp/ql/src/experimental/Security/CWE/CWE-295/CurlSSLGood.cpp Outdated Show resolved Hide resolved
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-295/CurlSSL.cpp Outdated Show resolved Hide resolved
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-295/options Outdated Show resolved Hide resolved
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-295/CurlSSL.qlref Show resolved Hide resolved
@porcupineyhairs
Copy link
Contributor Author

@geoffw0 I have included the changes from the review. However, for some reason, the tests don't work anymore. I am unable to diagnose what's wrong here. Can you please take a look?

@porcupineyhairs
Copy link
Contributor Author

@geoffw0 Changes done!

geoffw0
geoffw0 previously approved these changes Sep 19, 2024
View reviewed changes
Copy link
Contributor

@geoffw0 geoffw0 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. We can merge this when the CI checks pass.

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Sep 19, 2024
edited
Loading

QHelp previews:

cpp/ql/src/experimental/Security/CWE/CWE-295/CurlSSL.qhelp

Disabled certifcate verification

Disabling verification of the SSL certificate allows man-in-the-middle attacks. A SSL connection is vulnerable to man-in-the-middle attacks if the certification is not checked properly. If the peer or the host's certificate verification is not verified, the underlying SSL communication is insecure.

Recommendation

It is recommended that all communications be done post verification of the host as well as the peer.

Example

The following snippet disables certification verification by setting the value of CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYHOST to 0:

string host = "codeql.com"
void bad(void) {
	std::unique_ptr<CURL, void(*)(CURL*)> curl =
		std::unique_ptr<CURL, void(*)(CURL*)>(curl_easy_init(), curl_easy_cleanup);
	curl_easy_setopt(curl.get(), CURLOPT_SSL_VERIFYPEER, 0);
	curl_easy_setopt(curl.get(), CURLOPT_SSL_VERIFYHOST, 0); 
  	curl_easy_setopt(curl.get(), CURLOPT_URL, host.c_str());
  	curl_easy_perform(curl.get());
}

This is bad as the certificates are not verified any more. This can be easily fixed by setting the values of the options to 2.

string host = "codeql.com"
void good(void) {
	std::unique_ptr<CURL, void(*)(CURL*)> curl =
		std::unique_ptr<CURL, void(*)(CURL*)>(curl_easy_init(), curl_easy_cleanup);
	curl_easy_setopt(curl.get(), CURLOPT_SSL_VERIFYPEER, 2);
	curl_easy_setopt(curl.get(), CURLOPT_SSL_VERIFYHOST, 2); 
  	curl_easy_setopt(curl.get(), CURLOPT_URL, host.c_str());
  	curl_easy_perform(curl.get());
}

References

@geoffw0
Copy link
Contributor

geoffw0 commented Sep 19, 2024

Looks like you need to:

  • autoformat CurlSSL.ql
  • fix the qhelp; I think you're just missing <p> / </p> tags around your text blocks.

Let me know if you need any help with these things.

@porcupineyhairs
Copy link
Contributor Author

@geoffw0 Changes done. PTAL.

geoffw0
geoffw0 approved these changes Sep 19, 2024
View reviewed changes
Copy link
Contributor

@geoffw0 geoffw0 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. 👍

@jketema jketema merged commit a065434 into github:main Sep 19, 2024
14 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@geoffw0 geoffw0 geoffw0 approved these changes

Assignees
No one assigned
Labels
C++ documentation
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@porcupineyhairs @ghsecuritylab @geoffw0 @jketema