This rule enforces the secure verification of SSL/TLS hostnames when validating certificates. In secure communication, this step is crucial to prevent Man-In-The-Middle (MITM) attacks. In such a case, an attacker could intercept the communication, present a fraudulent certificate, and if hostname verification is not implemented or is improperly implemented, the client might accept it.
Developers sometimes disable hostname verification for testing purposes or to bypass certain network restrictions. This practice opens up a serious security vulnerability when used in production code. You must ensure that you do not override the hostname verifier to return true for all hostnames, because this accepts any certificate, even if it’s not valid for the server you’re connecting to.
To avoid violating this rule, always use the default hostname verification provided by the SSL/TLS library (such as OkHttpClient, HttpsURLConnection, or SSLContext). These libraries have secure hostname verification enabled by default; do not disable or modify it. If you need to handle exceptions for certain hostnames, you can use a custom hostname verifier that checks the hostname against a list of allowed exceptions instead of accepting all hostnames.
Non-Compliant Code Examples
importjavax.net.ssl.*importjava.net.URLimportokhttp3.OkHttpClientimportjava.security.cert.X509CertificateclassInsecureConnections{// Pattern 1: OkHttpClient with disabled verification
funcreateInsecureOkHttpClient():OkHttpClient{returnOkHttpClient.Builder().hostnameVerifier{_,_->true}// Insecure: accepts any hostname
.build()}// Pattern 2: OkHttpClient with disabled verification
funcreateInsecureOkHttpClient2():OkHttpClient{valbuilder2=OkHttpClient.Builder()builder2.hostnameVerifier(object: HostnameVerifier{overridefunverify(hostname:String?,session:SSLSession?):Boolean{// Insecure: accepts any hostname
returntrue}})}// Pattern 3: HttpsURLConnection with disabled verification
funcreateInsecureUrlConnection(urlString:String):HttpsURLConnection{valurl=URL(urlString)valconnection=url.openConnection()asHttpsURLConnectionconnection.hostnameVerifier=HostnameVerifier{_,_->true}// Insecure
returnconnection}// Pattern 4: SSLSocketFactory with disabled verification
funcreateInsecureSSLContext():SSLContext{valtrustAllCerts=arrayOf<TrustManager>(object: X509TrustManager{overridefungetAcceptedIssuers():Array<X509Certificate>=arrayOf()overridefuncheckClientTrusted(chain:Array<X509Certificate>,authType:String){}overridefuncheckServerTrusted(chain:Array<X509Certificate>,authType:String){}})returnSSLContext.getInstance("TLS").apply{init(null,trustAllCerts,java.security.SecureRandom())}.also{context->HttpsURLConnection.setDefaultSSLSocketFactory(context.socketFactory)// Insecure: Disables hostname verification globally
HttpsURLConnection.setDefaultHostnameVerifier{_,_->true}}}}
Compliant Code Examples
classSecureConnections{// Pattern 1: OkHttpClient with default verification
funcreateSecureOkHttpClient():OkHttpClient{returnOkHttpClient.Builder()// No custom hostname verifier = uses default secure verification
.build()}// Pattern 2: HttpsURLConnection with default verification
funcreateSecureUrlConnection(urlString:String):HttpsURLConnection{valurl=URL(urlString)returnurl.openConnection()asHttpsURLConnection// Default hostname verifier is secure
}// Pattern 3: SSLSocketFactory with default verification
funcreateSecureSSLContext():SSLContext{returnSSLContext.getInstance("TLS").apply{init(null,null,null)// Uses system default security providers
}// Default hostname verification remains intact
}}
Seamless integrations. Try Datadog Code Security
Datadog Code Security
Try this rule and analyze your code with Datadog Code Security
How to use this rule
1
2
rulesets:- kotlin-security # Rules to enforce Kotlin security.
Create a static-analysis.datadog.yml with the content above at the root of your repository
Use our free IDE Plugins or add Code Security scans to your CI pipelines
