Cette page n'est pas encore disponible en français, sa traduction est en cours. Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.
This rule mandates that SSL/TLS certificates always be validated. Certificate validation is an essential part of the SSL/TLS protocol that ensures the server you are communicating with is indeed who it claims to be. This prevents man-in-the-middle attacks, where an attacker intercepts and possibly alters the communication between two parties without their knowledge.
Ignoring or bypassing certificate validation severely undermines the security of your application and should be avoided.
To adhere to this rule, always use the system’s default SSLSocketFactory and TrustManager for SSL/TLS connections. These default settings perform certificate validation automatically. Never attempt to bypass or disable certificate validation. If you need to trust a self-signed certificate for testing purposes, add it to a custom trust store and use that instead of bypassing all certificate validation.
Non-Compliant Code Examples
importjavax.net.ssl.*importokhttp3.OkHttpClientimportjava.security.cert.X509Certificateimportjava.security.KeyStoreclassInsecureTlsConfigurations{// Pattern 1: Bypass certificate validation in OkHttpClient
funcreateInsecureOkHttpClient():OkHttpClient{valtrustAllCerts=arrayOf<TrustManager>(object: X509TrustManager{overridefuncheckClientTrusted(chain:Array<X509Certificate>,authType:String){}overridefuncheckServerTrusted(chain:Array<X509Certificate>,authType:String){}overridefungetAcceptedIssuers():Array<X509Certificate>=arrayOf()})valsslContext=SSLContext.getInstance("TLS").apply{init(null,trustAllCerts,java.security.SecureRandom())}returnOkHttpClient.Builder().sslSocketFactory(sslContext.socketFactory,trustAllCerts[0]asX509TrustManager).build()}// Pattern 2: Bypass in HttpsURLConnection
fundisableUrlConnectionValidation(){valtrustAllCerts=arrayOf<TrustManager>(object: X509TrustManager{overridefuncheckClientTrusted(chain:Array<X509Certificate>,authType:String){}overridefuncheckServerTrusted(chain:Array<X509Certificate>,authType:String){}overridefungetAcceptedIssuers():Array<X509Certificate>=arrayOf()})valsslContext=SSLContext.getInstance("TLS").apply{init(null,trustAllCerts,java.security.SecureRandom())}HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.socketFactory)}}
Compliant Code Examples
importjavax.net.ssl.*importokhttp3.OkHttpClientimportjava.security.cert.X509Certificateimportjava.security.KeyStoreclassSecureTlsConfigurations{// Pattern 1: OkHttpClient with proper validation
funcreateSecureOkHttpClient():OkHttpClient{returnOkHttpClient.Builder()// Uses system default SSLSocketFactory and TrustManager
.build()}// Pattern 2: HttpsURLConnection with proper validation
funcreateSecureUrlConnection(urlString:String):HttpsURLConnection{valurl=URL(urlString)valconnection=url.openConnection()asHttpsURLConnection// Uses system default SSLSocketFactory and trust manager
// No need to override any SSL settings
returnconnection}}
Seamless integrations. Try Datadog Code Security
Datadog Code Security
Try this rule and analyze your code with Datadog Code Security
How to use this rule
1
2
rulesets:- kotlin-security # Rules to enforce Kotlin security.
Create a static-analysis.datadog.yml with the content above at the root of your repository
Use our free IDE Plugins or add Code Security scans to your CI pipelines