
C#: Insecure Certificate Validation.

Open michaelnebel opened this issue 1 year ago • 1 comments

michaelnebel avatar Sep 27 '24 13:09 michaelnebel

QHelp previews:

csharp/ql/src/experimental/CWE-295/InsecureCertificateValidation.qhelp

Unsafe CertificateValidationCallback use.

Using a RemoteCertificateValidationCallback that always returns true is insecure because it allows any certificate to be accepted as valid. This can lead to a variety of security issues, including man-in-the-middle attacks.

Recommendation

Ensure that RemoteCertificateValidationCallback implementations properly verify the certificate before returning true. Avoid implementing callbacks that unconditionally accept all certificates.

Example

The following example demonstrates an insecure use of RemoteCertificateValidationCallback that always returns true:

ServicePointManager.ServerCertificateValidationCallback = 
    (sender, cert, chain, sslPolicyErrors) => true;

A secure approach would involve proper verification of the certificate before returning true:

ServicePointManager.ServerCertificateValidationCallback += 
        (sender, cert, chain, sslPolicyErrors) => {
            if (cert.Issuer == "TrustedIssuer" /* && other conditions */)
                return true;
            return false;
        };

References

  • CA5359: Do not disable certificate validation.
  • Common Weakness Enumeration: CWE-295.
  • Common Weakness Enumeration: CWE-297.

github-actions[bot] avatar Sep 27 '24 13:09 github-actions[bot]
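For contrast with the qhelp's issuer-name check, here is an added example (not code from the qhelp or the CodeQL project) that fails closed: it honours the platform's SslPolicyErrors result and pins a thumbprint. The PinnedThumbprint value is a placeholder and the HttpClientHandler wiring is an assumption.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class CertValidationExamples
{
    // Insecure: accepts every certificate. This is the pattern the query flags;
    // it neutralises chain, hostname and revocation checking in one line.
    public static bool AcceptAll(object sender, X509Certificate cert,
                                 X509Chain chain, SslPolicyErrors errors) => true;

    // Placeholder only: substitute the SHA-1 thumbprint of the expected server
    // certificate (or better, maintain a small set and rotate it ahead of renewal).
    private const string PinnedThumbprint = "PLACEHOLDER_SHA1_THUMBPRINT";

    // Hardened: return true only when the built-in validation raised no policy
    // errors AND the presented certificate matches the pinned thumbprint.
    // Every other path returns false, so an unexpected error type cannot
    // accidentally pass.
    public static bool ValidateStrict(object sender, X509Certificate cert,
                                      X509Chain chain, SslPolicyErrors errors)
    {
        if (errors != SslPolicyErrors.None)
            return false; // chain, name-mismatch or missing-certificate problem
        if (cert == null)
            return false;

        var cert2 = cert as X509Certificate2 ?? new X509Certificate2(cert);
        return string.Equals(cert2.Thumbprint, PinnedThumbprint,
                             StringComparison.OrdinalIgnoreCase);
    }

    public static void Main()
    {
        // Register per client rather than on the process-wide
        // ServicePointManager, so one permissive callback cannot leak into
        // every outbound connection in the process.
        var handler = new HttpClientHandler
        {
            ServerCertificateCustomValidationCallback =
                (request, cert, chain, errors) =>
                    ValidateStrict(request, cert, chain, errors)
        };
        using var client = new HttpClient(handler);
        Console.WriteLine("client configured with strict validation");
    }
}
```

Thumbprint pinning makes certificate rotation a deliberate deployment step; if that is unacceptable, drop the pin but keep the `errors != SslPolicyErrors.None` gate, which is the minimum a reviewer should expect to see.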

This query is high up on my wishlist and I would be very happy to see it rolled out into the C# pack. Please let me know if there's anything I can help with to expedite this.

gsutherland-trailofbits avatar Jul 16 '25 19:07 gsutherland-trailofbits

> This query is high up on my wishlist and I would be very happy to see it rolled out into the C# pack. Please let me know if there's anything I can help with to expedite this.

This PR was opened in response to the external contribution opened here, https://github.com/github/codeql/pull/16824 (the intention with this PR was to provide some "helpful" commits to allow the contributor to continue the work), but the work appears to have stalled. The best option I see right now is to open an issue with the request here, as the work will need to be prioritised together with other work.

michaelnebel avatar Jul 17 '25 05:07 michaelnebel

Sorry for not finishing my earlier work. There is a chance that I'll finish the PR, but I also wouldn't mind if someone else finishes it.

intrigus-lgtm avatar Jul 17 '25 09:07 intrigus-lgtm