Ensure SSL connections are verified

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Metadata

ID: ruby-security/ssl-no-verify

Language: Ruby

Severity: Warning

Category: Security

CWE: 295

Description

The rule “Ensure SSL connections are verified” is a security best practice in Ruby development. It mandates the verification of SSL connections when making HTTPS requests. This is important because it prevents man-in-the-middle attacks, where an attacker could potentially intercept and alter the data being transmitted.

In the non-compliant code sample, the OpenSSL::SSL::VERIFY_NONE mode is used, which turns off the SSL certificate verification. This makes the connection vulnerable to potential attacks.

To comply with this rule and ensure secure coding practices, always use OpenSSL::SSL::VERIFY_PEER mode for SSL certificate verification, as demonstrated in the compliant code sample. This ensures that the SSL connection is verified and secure, preventing any unauthorized interception or alteration of data.

Non-Compliant Code Examples

require "net/https"
require "uri"

uri = URI.parse("https://example.com/")
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE

Compliant Code Examples

require "net/https"
require "uri"

uri = URI.parse("https://example.com/")

http.verify_mode = OpenSSL::SSL::VERIFY_PEER
request = Net::HTTP::Get.new(uri.request_uri)
response = http.request(request)
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Seamless integrations. Try Datadog Code Analysis

Datadog Code Analysis
PREVIEWING: may/unit-testing