This rule mandates that SSL/TLS certificates always be validated. Certificate validation is an essential part of the SSL/TLS protocol that ensures the server you are communicating with is indeed who it claims to be. This prevents man-in-the-middle attacks, where an attacker intercepts and possibly alters the communication between two parties without their knowledge.
Ignoring or bypassing certificate validation severely undermines the security of your application and should be avoided.
To adhere to this rule, always use the system’s default SSLSocketFactory and TrustManager for SSL/TLS connections. These default settings perform certificate validation automatically. Never attempt to bypass or disable certificate validation. If you need to trust a self-signed certificate for testing purposes, add it to a custom trust store and use that instead of bypassing all certificate validation.
Non-Compliant Code Examples
```kotlin
import javax.net.ssl.*
import okhttp3.OkHttpClient
import java.security.cert.X509Certificate
import java.security.KeyStore

class InsecureTlsConfigurations {
    // Pattern 1: Bypass certificate validation in OkHttpClient
    fun createInsecureOkHttpClient(): OkHttpClient {
        // A trust manager whose check methods never throw accepts any certificate chain.
        val trustAllCerts = arrayOf<TrustManager>(object : X509TrustManager {
            override fun checkClientTrusted(chain: Array<X509Certificate>, authType: String) {}
            override fun checkServerTrusted(chain: Array<X509Certificate>, authType: String) {}
            override fun getAcceptedIssuers(): Array<X509Certificate> = arrayOf()
        })
        val sslContext = SSLContext.getInstance("TLS").apply {
            init(null, trustAllCerts, java.security.SecureRandom())
        }
        return OkHttpClient.Builder()
            .sslSocketFactory(sslContext.socketFactory, trustAllCerts[0] as X509TrustManager)
            .build()
    }

    // Pattern 2: Bypass in HttpsURLConnection
    fun disableUrlConnectionValidation() {
        val trustAllCerts = arrayOf<TrustManager>(object : X509TrustManager {
            override fun checkClientTrusted(chain: Array<X509Certificate>, authType: String) {}
            override fun checkServerTrusted(chain: Array<X509Certificate>, authType: String) {}
            override fun getAcceptedIssuers(): Array<X509Certificate> = arrayOf()
        })
        val sslContext = SSLContext.getInstance("TLS").apply {
            init(null, trustAllCerts, java.security.SecureRandom())
        }
        // Installing this factory as the JVM-wide default disables validation for every
        // HttpsURLConnection in the process, not just the one being configured.
        HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.socketFactory)
    }
}
```
Compliant Code Examples
```kotlin
import javax.net.ssl.*
import okhttp3.OkHttpClient
import java.net.URL
import java.security.cert.X509Certificate
import java.security.KeyStore

class SecureTlsConfigurations {
    // Pattern 1: OkHttpClient with proper validation
    fun createSecureOkHttpClient(): OkHttpClient {
        return OkHttpClient.Builder()
            // Uses system default SSLSocketFactory and TrustManager
            .build()
    }

    // Pattern 2: HttpsURLConnection with proper validation
    fun createSecureUrlConnection(urlString: String): HttpsURLConnection {
        val url = URL(urlString)
        val connection = url.openConnection() as HttpsURLConnection
        // Uses system default SSLSocketFactory and trust manager
        // No need to override any SSL settings
        return connection
    }
}
```
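The rule text recommends a custom trust store for self-signed test certificates instead of disabling validation. This added example (not code from the Datadog rule page) shows that approach for both clients; it assumes the caller supplies the path to a PEM file holding the test CA or self-signed certificate, and the OkHttp 3/4 `sslSocketFactory(factory, trustManager)` API.

```kotlin
import java.io.FileInputStream
import java.net.URL
import java.security.KeyStore
import java.security.cert.CertificateFactory
import javax.net.ssl.HttpsURLConnection
import javax.net.ssl.SSLContext
import javax.net.ssl.TrustManager
import javax.net.ssl.TrustManagerFactory
import javax.net.ssl.X509TrustManager
import okhttp3.OkHttpClient

// Trust manager that trusts ONLY the certificate(s) in the given PEM file (path is an assumption
// supplied by the caller). Unlike an empty checkServerTrusted(), chain building, expiry and
// hostname checks all still run; an unknown server certificate is still rejected.
fun trustManagerFor(pemPath: String): X509TrustManager {
    val certificates = FileInputStream(pemPath).use { input ->
        CertificateFactory.getInstance("X.509").generateCertificates(input)
    }
    require(certificates.isNotEmpty()) { "no certificates found in $pemPath" }
    // In-memory trust store holding just the test CA or self-signed certificate.
    val trustStore = KeyStore.getInstance(KeyStore.getDefaultType()).apply {
        load(null, null)
        certificates.forEachIndexed { i, cert -> setCertificateEntry("test-ca-$i", cert) }
    }
    val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
    tmf.init(trustStore)
    return tmf.trustManagers.filterIsInstance<X509TrustManager>().first()
}

// SSLContext backed by the custom trust manager; no client key managers, default SecureRandom.
fun sslContextFor(trustManager: X509TrustManager): SSLContext =
    SSLContext.getInstance("TLS").apply { init(null, arrayOf<TrustManager>(trustManager), null) }

// OkHttpClient scoped to the custom trust store. OkHttp needs the trust manager alongside
// the factory so it can validate the chain itself.
fun okHttpClientTrusting(pemPath: String): OkHttpClient {
    val trustManager = trustManagerFor(pemPath)
    return OkHttpClient.Builder()
        .sslSocketFactory(sslContextFor(trustManager).socketFactory, trustManager)
        .build()
}

// HttpsURLConnection variant: the factory is set on this one connection rather than through
// HttpsURLConnection.setDefaultSSLSocketFactory, which would change every connection in the JVM.
fun urlConnectionTrusting(urlString: String, pemPath: String): HttpsURLConnection {
    val trustManager = trustManagerFor(pemPath)
    return (URL(urlString).openConnection() as HttpsURLConnection).apply {
        sslSocketFactory = sslContextFor(trustManager).socketFactory
    }
}
```

Keep the PEM file and these helpers confined to test builds so the pinned trust store never ships in production configuration.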
How to use this rule
```yaml
rulesets:
  - kotlin-security # Rules to enforce Kotlin security.
```
Create a static-analysis.datadog.yml with the content above at the root of your repository.
Use our free IDE plugins or add Code Security analysis to your CI pipelines.