+
+
+ Disabling verification of the SSL certificate allows man-in-the-middle attacks. A SSL
+ connection is vulnerable to man-in-the-middle attacks if the certification is not checked
+ properly. If the peer or the host's certificate verification is not verified, the underlying
+ SSL communication is insecure.
+
+
+ It is recommended that all communications be done post verification of the host as well as
+ the
+ peer.
+
+
+ The following snippet disables certification verification by setting the value of
+ CURLOPT_SSL_VERIFYHOST
and CURLOPT_SSL_VERIFYHOST
to 0
:
+
+ This is bad as the certificates are not verified any more. This can be easily fixed by
+ setting the values of the options to 2
.
+
+
+
+ Curl Documentation:
+ CURLOPT_SSL_VERIFYHOST
+ Curl Documentation:
+ CURLOPT_SSL_VERIFYPEER
+ Related CVE: CVE-2022-33684
+ Related security advisory:
+ openframeworks/openframeworks
+
+
+
\ No newline at end of file
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-295/CurlSSL.ql b/cpp/ql/src/experimental/Security/CWE/CWE-295/CurlSSL.ql
new file mode 100644
index 000000000000..f6cdaf3e9fca
--- /dev/null
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-295/CurlSSL.ql
@@ -0,0 +1,39 @@
+/**
+ * @name Disabled certifcate verification
+ * @description Disabling SSL certificate verification of host or peer could expose the communication to man-in-the-middle(MITM) attacks.
+ * @kind problem
+ * @problem.severity warning
+ * @id cpp/curl-disabled-ssl
+ * @tags security
+ * external/cwe/cwe-295
+ */
+
+import cpp
+import semmle.code.cpp.dataflow.new.TaintTracking
+
+/** Models the `curl_easy_setopt` function call */
+private class CurlSetOptCall extends FunctionCall {
+ CurlSetOptCall() {
+ exists(FunctionCall fc, Function f |
+ f.hasGlobalOrStdName("curl_easy_setopt") and
+ fc.getTarget() = f
+ |
+ this = fc
+ )
+ }
+}
+
+/** Models an access to any enum constant which could affect SSL verification */
+private class CurlVerificationConstant extends EnumConstantAccess {
+ CurlVerificationConstant() {
+ exists(EnumConstant e | e.getName() = ["CURLOPT_SSL_VERIFYHOST", "CURLOPT_SSL_VERIFYPEER"] |
+ e.getAnAccess() = this
+ )
+ }
+}
+
+from CurlSetOptCall c
+where
+ c.getArgument(1) = any(CurlVerificationConstant v) and
+ c.getArgument(2).getValue() = "0"
+select c, "This call disables Secure Socket Layer and could potentially lead to MITM attacks"
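Review bot: The condition `c.getArgument(2).getValue() = "0"` only fires when the third argument is a compile-time constant at the call site, so a 0 that reaches `curl_easy_setopt` through a local variable or a function parameter is not reported, and the `semmle.code.cpp.dataflow.new.TaintTracking` import is never used by the query. Either drop the unused import or extend the `where` clause so a zero may also flow locally into the argument, e.g. `exists(Expr zero | zero.getValue() = "0" | DataFlow::localExprFlow(zero, c.getArgument(2)))` (this needs a `DataFlow` import from the same new-dataflow library; confirm the predicate name there). The alert text on the `select` line says the call disables Secure Socket Layer, but what is disabled is certificate verification; suggest `"This call disables SSL certificate verification of the host or peer and could allow man-in-the-middle attacks."`. The `@name` metadata has a typo, `certifcate` should be `certificate`. `CurlSetOptCall` can also be written directly as `CurlSetOptCall() { this.getTarget().hasGlobalOrStdName("curl_easy_setopt") }`, which removes the redundant `FunctionCall`/`Function` bindings in the `exists`.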
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-295/CurlSSLBad.cpp b/cpp/ql/src/experimental/Security/CWE/CWE-295/CurlSSLBad.cpp
new file mode 100644
index 000000000000..a09e490d73b3
--- /dev/null
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-295/CurlSSLBad.cpp
@@ -0,0 +1,9 @@
+string host = "codeql.com"
+void bad(void) {
+ std::unique_ptr