use crate::detectors::base::{is_test_file, Detector, DetectorConfig};
use crate::models::{deterministic_finding_id, Evidence, Finding, Severity, SourceSpan, Tier};
use anyhow::Result;
use std::collections::HashSet;
use std::path::{Path, PathBuf};
use tracing::{debug, info};
const PYTHON_PATTERNS: &[(&str, &str, Severity)] = &[
(
"verify=False",
"requests/urllib call with certificate verification disabled",
Severity::High,
),
(
"verify = False",
"requests/urllib call with certificate verification disabled",
Severity::High,
),
(
"CERT_NONE",
"SSL context with no certificate verification",
Severity::Critical,
),
(
"check_hostname = False",
"SSL hostname verification disabled",
Severity::High,
),
(
"check_hostname=False",
"SSL hostname verification disabled",
Severity::High,
),
(
"InsecureRequestWarning",
"urllib3 insecure request warning suppressed",
Severity::Medium,
),
(
"create_default_context",
"Custom SSL context (verify usage)",
Severity::Low,
), ];
const JS_PATTERNS: &[(&str, &str, Severity)] = &[
(
"rejectUnauthorized: false",
"TLS certificate verification disabled",
Severity::High,
),
(
"rejectUnauthorized:false",
"TLS certificate verification disabled",
Severity::High,
),
(
"rejectUnauthorized : false",
"TLS certificate verification disabled",
Severity::High,
),
(
"NODE_TLS_REJECT_UNAUTHORIZED",
"Environment variable to disable TLS verification",
Severity::Critical,
),
(
"process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0'",
"TLS verification disabled via environment",
Severity::Critical,
),
(
"process.env.NODE_TLS_REJECT_UNAUTHORIZED = \"0\"",
"TLS verification disabled via environment",
Severity::Critical,
),
(
"agent: new https.Agent",
"Custom HTTPS agent (check rejectUnauthorized)",
Severity::Low,
),
];
const GO_PATTERNS: &[(&str, &str, Severity)] = &[
(
"InsecureSkipVerify: true",
"TLS certificate verification skipped",
Severity::High,
),
(
"InsecureSkipVerify:true",
"TLS certificate verification skipped",
Severity::High,
),
];
const JAVA_PATTERNS: &[(&str, &str, Severity)] = &[
(
"TrustAllCerts",
"Trust-all certificate manager (no validation)",
Severity::Critical,
),
(
"X509TrustManager",
"Custom trust manager (may bypass validation)",
Severity::Medium,
),
(
"ALLOW_ALL_HOSTNAME_VERIFIER",
"Hostname verification disabled",
Severity::High,
),
(
"NoopHostnameVerifier",
"Hostname verification disabled",
Severity::High,
),
(
"setHostnameVerifier(allHostsValid)",
"Hostname verification disabled",
Severity::High,
),
(
"SSLContext.getInstance(\"SSL\")",
"Outdated SSL protocol (use TLS)",
Severity::Medium,
),
];
const RUST_PATTERNS: &[(&str, &str, Severity)] = &[
(
"danger_accept_invalid_certs(true)",
"Certificate validation disabled (reqwest)",
Severity::High,
),
(
"danger_accept_invalid_hostnames(true)",
"Hostname validation disabled (reqwest)",
Severity::High,
),
(
"set_verify(SslVerifyMode::NONE)",
"OpenSSL verification disabled",
Severity::High,
),
];
fn ends_at_word_boundary(line: &str, pattern: &str) -> bool {
let after = line
.find(pattern)
.map(|i| &line[i + pattern.len()..])
.unwrap_or("");
after
.chars()
.next()
.is_none_or(|c| !c.is_alphanumeric() && c != '_')
}
fn classify_blocking_rule(ext: &str, line: &str, pattern: &str) -> Option<&'static str> {
match ext {
"js" | "jsx" | "mjs" | "cjs" | "ts" | "tsx" => {
if (pattern == "rejectUnauthorized: false"
|| pattern == "rejectUnauthorized:false"
|| pattern == "rejectUnauthorized : false")
&& ends_at_word_boundary(line, pattern)
{
return Some("tls_verify_disabled");
}
None
}
"py" | "pyi" => {
if (pattern == "verify=False" || pattern == "verify = False")
&& ends_at_word_boundary(line, pattern)
{
return Some("tls_verify_disabled");
}
None
}
"go" => {
if (pattern == "InsecureSkipVerify: true" || pattern == "InsecureSkipVerify:true")
&& ends_at_word_boundary(line, pattern)
{
return Some("tls_skip_verify");
}
None
}
_ => None,
}
}
pub struct InsecureTlsDetector {
max_findings: usize,
}
impl InsecureTlsDetector {
pub fn new(_repository_path: impl Into<PathBuf>) -> Self {
Self { max_findings: 50 }
}
fn get_patterns_for_ext(&self, ext: &str) -> Vec<(&'static str, &'static str, Severity)> {
match ext {
"py" | "pyi" => PYTHON_PATTERNS.to_vec(),
"js" | "jsx" | "mjs" | "cjs" | "ts" | "tsx" => JS_PATTERNS.to_vec(),
"go" => GO_PATTERNS.to_vec(),
"java" | "kt" | "kts" => JAVA_PATTERNS.to_vec(),
"rs" => RUST_PATTERNS.to_vec(),
_ => vec![],
}
}
fn scan_files(&self, file_list: &[(&Path, &str)]) -> Vec<Finding> {
let mut findings = Vec::new();
let mut seen: HashSet<(String, u32)> = HashSet::new();
for (path, content) in file_list {
if findings.len() >= self.max_findings {
break;
}
let ext = path.extension().and_then(|e| e.to_str()).unwrap_or("");
let patterns = self.get_patterns_for_ext(ext);
if patterns.is_empty() {
continue;
}
let rel_path = path.to_string_lossy().to_string();
let is_test = is_test_file(Path::new(&rel_path));
if content.len() > 500_000 {
continue;
}
let lines: Vec<&str> = content.lines().collect();
for (line_no, line) in lines.iter().enumerate() {
let line_num = (line_no + 1) as u32;
let trimmed = line.trim();
if trimmed.starts_with('#') || trimmed.starts_with("//") || trimmed.starts_with('*')
{
continue;
}
let prev_line = if line_no > 0 {
Some(lines[line_no - 1])
} else {
None
};
if crate::detectors::is_line_suppressed(line, prev_line) {
continue;
}
for (pattern, description, severity) in &patterns {
if !line.contains(pattern) {
continue;
}
if ext == "rs"
&& (trimmed.starts_with('"')
|| trimmed.starts_with("&\"")
|| trimmed.starts_with("r#\"")
|| trimmed.starts_with("r\""))
{
continue;
}
if *severity == Severity::Low {
continue; }
if *pattern == "InsecureRequestWarning"
&& !line.contains("disable")
&& !line.contains("filter")
&& !line.contains("suppress")
{
continue;
}
if *pattern == "X509TrustManager"
&& !line.contains("implements")
&& !line.contains("new")
&& !line.contains("class")
{
continue;
}
if *pattern == "create_default_context" {
continue;
}
let loc = (rel_path.clone(), line_num);
if seen.contains(&loc) {
continue;
}
seen.insert(loc);
let effective_severity = if is_test {
match severity {
Severity::Critical => Severity::Medium,
Severity::High => Severity::Low,
_ => Severity::Low,
}
} else {
*severity
};
let language = match ext {
"py" | "pyi" => "python",
"js" | "jsx" | "mjs" | "cjs" => "javascript",
"ts" | "tsx" => "typescript",
"go" => "go",
"java" => "java",
"kt" | "kts" => "kotlin",
"rs" => "rust",
_ => "unknown",
};
let blocking_rule = if is_test {
None
} else {
classify_blocking_rule(ext, line, pattern)
};
let (tier, final_confidence, deterministic, evidence) =
if let Some(rule) = blocking_rule {
let span = SourceSpan {
file: PathBuf::from(&rel_path),
line_start: line_num,
line_end: line_num,
snippet: Some(trimmed.chars().take(120).collect()),
};
(
Tier::Blocking,
Some(1.0_f64),
true,
Some(Evidence::ConfigFact {
span,
rule: rule.to_string(),
}),
)
} else {
(
Tier::Advisory,
Some(if is_test { 0.7 } else { 0.95 }),
false,
None,
)
};
let final_severity = if tier == Tier::Blocking {
effective_severity.max(Severity::High)
} else {
effective_severity
};
findings.push(Finding {
id: deterministic_finding_id(
"InsecureTlsDetector",
&rel_path,
line_num,
description,
),
detector: "InsecureTlsDetector".to_string(),
title: format!("Insecure TLS/Certificate Validation ({})", language),
description: format!(
"**{}** (CWE-295)\n\n\
Disabled certificate or hostname verification detected.\n\n\
**Pattern**: `{}`\n\
**File**: {}:{}\n\
**Code**: `{}`\n\n\
This allows man-in-the-middle attacks. An attacker on the network \
can intercept and modify traffic without detection.{}",
description,
pattern,
rel_path,
line_num,
trimmed.chars().take(120).collect::<String>(),
if is_test {
"\n\n*Note: Found in test file — severity reduced.*"
} else {
""
},
),
severity: final_severity,
affected_files: vec![PathBuf::from(&rel_path)],
line_start: Some(line_num),
line_end: None,
suggested_fix: Some(self.get_fix_suggestion(pattern, language)),
cwe_id: Some("CWE-295".to_string()),
confidence: final_confidence,
category: Some("security".to_string()),
tier,
evidence,
deterministic,
..Default::default()
});
if findings.len() >= self.max_findings {
return findings;
}
}
}
}
findings
}
fn get_fix_suggestion(&self, pattern: &str, language: &str) -> String {
match language {
"python" => {
if pattern.contains("verify") {
"Remove `verify=False` or set `verify=True` (default). For self-signed certs in dev, \
use `verify='/path/to/ca-bundle.crt'` instead.".to_string()
} else if pattern.contains("CERT_NONE") {
"Use `ssl.CERT_REQUIRED` instead of `ssl.CERT_NONE`.".to_string()
} else if pattern.contains("check_hostname") {
"Set `check_hostname = True` (default in Python 3.4+).".to_string()
} else {
"Enable certificate verification. Never disable TLS validation in production."
.to_string()
}
}
"javascript" | "typescript" => {
if pattern.contains("rejectUnauthorized") {
"Remove `rejectUnauthorized: false`. For self-signed certs, provide the CA cert \
via `ca` option instead.".to_string()
} else if pattern.contains("NODE_TLS") {
"Remove `NODE_TLS_REJECT_UNAUTHORIZED=0`. This disables TLS for the entire process.".to_string()
} else {
"Enable certificate verification on HTTPS connections.".to_string()
}
}
"go" => "Remove `InsecureSkipVerify: true` from tls.Config. For self-signed certs, \
provide a custom CA pool via `RootCAs`."
.to_string(),
"java" | "kotlin" => {
"Use the default TrustManager and HostnameVerifier. For self-signed certs, \
add the CA to your trust store."
.to_string()
}
"rust" => {
"Remove `danger_accept_invalid_certs(true)`. For self-signed certs, add the CA \
to the client builder via `add_root_certificate()`."
.to_string()
}
_ => "Enable certificate verification. Never disable TLS validation in production."
.to_string(),
}
}
}
impl Detector for InsecureTlsDetector {
fn name(&self) -> &'static str {
"InsecureTlsDetector"
}
fn description(&self) -> &'static str {
"Detects disabled TLS/certificate verification (CWE-295)"
}
fn bypass_postprocessor(&self) -> bool {
true
}
fn detect(
&self,
ctx: &crate::detectors::analysis_context::AnalysisContext,
) -> Result<Vec<Finding>> {
debug!("Starting insecure TLS detection");
let fp = ctx.as_file_provider();
let extensions: &[&str] = &[
"py", "pyi", "js", "jsx", "ts", "tsx", "mjs", "cjs", "go", "java", "kt", "kts", "rs",
];
let paths = fp.files_with_extensions(extensions);
let mut file_list: Vec<(&Path, String)> = Vec::new();
for path in &paths {
if let Some(content) = fp.content(path) {
file_list.push((path, content.as_ref().clone()));
}
}
let file_refs: Vec<(&Path, &str)> =
file_list.iter().map(|(p, c)| (*p, c.as_str())).collect();
let findings = self.scan_files(&file_refs);
info!("InsecureTlsDetector found {} findings", findings.len());
Ok(findings)
}
fn category(&self) -> &'static str {
"security"
}
fn requires_graph(&self) -> bool {
false
}
fn file_extensions(&self) -> &'static [&'static str] {
&["py", "js", "ts", "jsx", "tsx", "rb", "java", "go", "rs"]
}
fn content_requirements(&self) -> crate::detectors::detector_context::ContentFlags {
crate::detectors::detector_context::ContentFlags::HAS_CRYPTO
}
}
impl crate::detectors::RegisteredDetector for InsecureTlsDetector {
fn create(init: &crate::detectors::DetectorInit) -> std::sync::Arc<dyn Detector> {
std::sync::Arc::new(Self::new(init.repo_path))
}
fn max_tier() -> crate::models::Tier {
crate::models::Tier::Blocking
}
}
#[cfg(test)]
mod tests {
use super::*;
use crate::models::{Evidence, Tier};
use std::path::Path;
#[test]
fn test_python_verify_false() {
let detector = InsecureTlsDetector::new(Path::new("."));
let path = Path::new("client.py");
let content = "response = requests.get(url, verify=False)\n";
let findings = detector.scan_files(&[(path, content)]);
assert!(!findings.is_empty(), "Should detect verify=False");
assert_eq!(findings[0].severity, Severity::High);
}
#[test]
fn test_js_reject_unauthorized() {
let detector = InsecureTlsDetector::new(Path::new("."));
let path = Path::new("client.js");
let content = "const agent = new https.Agent({ rejectUnauthorized: false });\n";
let findings = detector.scan_files(&[(path, content)]);
assert!(
!findings.is_empty(),
"Should detect rejectUnauthorized: false"
);
}
#[test]
fn test_go_insecure_skip_verify() {
let detector = InsecureTlsDetector::new(Path::new("."));
let path = Path::new("client.go");
let content = "tlsConfig := &tls.Config{InsecureSkipVerify: true}\n";
let findings = detector.scan_files(&[(path, content)]);
assert!(!findings.is_empty(), "Should detect InsecureSkipVerify");
}
#[test]
fn test_rust_danger_accept() {
let detector = InsecureTlsDetector::new(Path::new("."));
let path = Path::new("client.rs");
let content =
"let client = reqwest::Client::builder().danger_accept_invalid_certs(true).build()?;\n";
let findings = detector.scan_files(&[(path, content)]);
assert!(
!findings.is_empty(),
"Should detect danger_accept_invalid_certs"
);
}
#[test]
fn test_java_trust_all() {
let detector = InsecureTlsDetector::new(Path::new("."));
let path = Path::new("Client.java");
let content = "TrustManager[] trustAllCerts = new TrustAllCerts();\n";
let findings = detector.scan_files(&[(path, content)]);
assert!(!findings.is_empty(), "Should detect TrustAllCerts");
}
#[test]
fn test_test_file_downgraded() {
let detector = InsecureTlsDetector::new(Path::new("."));
let path = Path::new("tests/test_client.py");
let content = "response = requests.get(url, verify=False)\n";
let findings = detector.scan_files(&[(path, content)]);
assert!(!findings.is_empty(), "Should still detect in test files");
assert_eq!(
findings[0].severity,
Severity::Low,
"Should be downgraded in tests"
);
}
#[test]
fn test_clean_code_no_findings() {
let detector = InsecureTlsDetector::new(Path::new("."));
let path = Path::new("client.py");
let content = "response = requests.get(url)\nprint(response.status_code)\n";
let findings = detector.scan_files(&[(path, content)]);
assert!(findings.is_empty(), "Clean code should have no findings");
}
#[test]
fn test_python_cert_none() {
let detector = InsecureTlsDetector::new(Path::new("."));
let path = Path::new("server.py");
let content = "ctx = ssl.create_default_context()\nctx.check_hostname = False\nctx.verify_mode = ssl.CERT_NONE\n";
let findings = detector.scan_files(&[(path, content)]);
assert!(
findings.len() >= 2,
"Should detect both check_hostname and CERT_NONE. Found: {}",
findings.len()
);
}
#[test]
fn exact_antipattern_is_blocking() {
let det = InsecureTlsDetector::new(Path::new("."));
{
let path = Path::new("client.js");
let content = "const agent = new https.Agent({ rejectUnauthorized: false });\n";
let findings = det.scan_files(&[(path, content)]);
assert!(
!findings.is_empty(),
"JS anti-pattern must produce a finding"
);
let f = &findings[0];
assert_eq!(
f.tier,
Tier::Blocking,
"rejectUnauthorized: false must be Blocking"
);
assert!(f.deterministic, "Blocking finding must be deterministic");
assert_eq!(
f.confidence.unwrap(),
1.0,
"Blocking finding must have confidence = 1.0"
);
assert!(
matches!(
&f.evidence,
Some(Evidence::ConfigFact { rule, .. }) if rule == "tls_verify_disabled"
),
"Must carry ConfigFact {{ rule: tls_verify_disabled }}, got: {:?}",
f.evidence
);
assert!(
f.severity >= Severity::High,
"Blocking severity must be >= High"
);
}
{
let path = Path::new("app.py");
let content = "resp = requests.get(url, verify=False)\n";
let findings = det.scan_files(&[(path, content)]);
assert!(
!findings.is_empty(),
"Python anti-pattern must produce a finding"
);
let f = &findings[0];
assert_eq!(f.tier, Tier::Blocking, "verify=False must be Blocking");
assert!(f.deterministic, "Blocking finding must be deterministic");
assert_eq!(f.confidence.unwrap(), 1.0);
assert!(
matches!(
&f.evidence,
Some(Evidence::ConfigFact { rule, .. }) if rule == "tls_verify_disabled"
),
"Must carry ConfigFact {{ rule: tls_verify_disabled }}, got: {:?}",
f.evidence
);
}
{
let path = Path::new("app.py");
let content = "resp = requests.post(url, verify = False)\n";
let findings = det.scan_files(&[(path, content)]);
assert!(
!findings.is_empty(),
"Python anti-pattern (spaces) must produce a finding"
);
let f = &findings[0];
assert_eq!(f.tier, Tier::Blocking, "verify = False must be Blocking");
assert!(
matches!(
&f.evidence,
Some(Evidence::ConfigFact { rule, .. }) if rule == "tls_verify_disabled"
),
"Must carry ConfigFact {{ rule: tls_verify_disabled }}"
);
}
{
let path = Path::new("client.go");
let content = "cfg := &tls.Config{InsecureSkipVerify: true}\n";
let findings = det.scan_files(&[(path, content)]);
assert!(
!findings.is_empty(),
"Go anti-pattern must produce a finding"
);
let f = &findings[0];
assert_eq!(
f.tier,
Tier::Blocking,
"InsecureSkipVerify: true must be Blocking"
);
assert!(f.deterministic, "Blocking finding must be deterministic");
assert_eq!(f.confidence.unwrap(), 1.0);
assert!(
matches!(
&f.evidence,
Some(Evidence::ConfigFact { rule, .. }) if rule == "tls_skip_verify"
),
"Must carry ConfigFact {{ rule: tls_skip_verify }}, got: {:?}",
f.evidence
);
}
}
#[test]
fn near_miss_is_advisory_or_absent() {
let det = InsecureTlsDetector::new(Path::new("."));
{
let path = Path::new("client.js");
let content = "const agent = new https.Agent({ rejectUnauthorized: opts.strict });\n";
let findings = det.scan_files(&[(path, content)]);
for f in &findings {
assert_ne!(
f.tier,
Tier::Blocking,
"Dynamic JS value must not be Blocking: {:?}",
f
);
}
}
{
let path = Path::new("app.py");
let content = "resp = requests.get(url, verify=True)\n";
let findings = det.scan_files(&[(path, content)]);
assert!(findings.is_empty(), "verify=True must not be flagged");
}
{
let path = Path::new("app.py");
let content = "resp = requests.get(url, verify=cfg.verify)\n";
let findings = det.scan_files(&[(path, content)]);
for f in &findings {
assert_ne!(
f.tier,
Tier::Blocking,
"Dynamic Python verify must not be Blocking"
);
}
}
}
#[test]
fn commented_out_is_not_flagged() {
let det = InsecureTlsDetector::new(Path::new("."));
{
let path = Path::new("app.py");
let content = "# resp = requests.get(url, verify=False)\n";
let findings = det.scan_files(&[(path, content)]);
assert!(findings.is_empty(), "Python comment must not be flagged");
}
{
let path = Path::new("client.js");
let content = "// const agent = new https.Agent({ rejectUnauthorized: false });\n";
let findings = det.scan_files(&[(path, content)]);
assert!(findings.is_empty(), "JS line-comment must not be flagged");
}
{
let path = Path::new("client.go");
let content = "// cfg := &tls.Config{InsecureSkipVerify: true}\n";
let findings = det.scan_files(&[(path, content)]);
assert!(findings.is_empty(), "Go line-comment must not be flagged");
}
}
#[test]
fn in_test_fixture_is_advisory() {
let det = InsecureTlsDetector::new(Path::new("."));
{
let path = Path::new("tests/fixtures/x.py");
let content = "resp = requests.get(url, verify=False)\n";
let findings = det.scan_files(&[(path, content)]);
assert!(
!findings.is_empty(),
"verify=False in test fixture must still produce a finding"
);
for f in &findings {
assert_eq!(
f.tier,
Tier::Advisory,
"Findings in test fixtures must be Advisory, not {:?}",
f.tier
);
}
}
{
let path = Path::new("test/client.js");
let content = "const agent = new https.Agent({ rejectUnauthorized: false });\n";
let findings = det.scan_files(&[(path, content)]);
assert!(!findings.is_empty(), "Still detect in test directory");
for f in &findings {
assert_eq!(
f.tier,
Tier::Advisory,
"Findings in test directory must be Advisory"
);
}
}
{
let path = Path::new("conftest.py");
let content = "resp = requests.get(url, verify=False)\n";
let _findings = det.scan_files(&[(path, content)]);
}
{
let path = Path::new("__tests__/client.js");
let content = "const agent = new https.Agent({ rejectUnauthorized: false });\n";
let findings = det.scan_files(&[(path, content)]);
assert!(!findings.is_empty(), "Still detect in __tests__");
for f in &findings {
assert_eq!(
f.tier,
Tier::Advisory,
"Findings in __tests__ must be Advisory"
);
}
}
}
}