Curl SSL/TLS trust chain verification should not be disabled

Introduction
This new feature suggestion comes from a custom rules set dedicated to PHP and Drupal 8 security.

Description
curl's versions of SSL/TLS protocols and cypher suites must be chosen carrefuly and should not be modified at runtime

Impact
Disabeling it exposes the communications to man-in-the-middle attacks.

Noncompliant Code Example

curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);

Compliant Code Example

curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, true);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, true);

References

• MITRE CWE-295 - Improper Certificate Validation
• OWASP Top 10 2017 Category A6 - Security Misconfiguration

Type
Vulnerability

Tags
cwe, owasp-a6

Hello Pierre-Loup,

I created RSPEC-4830 and RSPEC-4831 from your rule suggestion.

I believe there is a typo in your Compliant Code.
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, true) should not be considered as safe because “true” is casted to ‘1’ which is not a secure configuration. CURLOPT_SSL_VERIFYHOST should be configured to ‘2’.

Thanks

Rule as been added to sonarPHP.
https://github.com/SonarSource/sonar-php/pull/351