This rule mandates that SSL/TLS certificates always be validated. Certificate validation is an essential part of the SSL/TLS protocol that ensures the server you are communicating with is indeed who it claims to be. This prevents man-in-the-middle attacks, where an attacker intercepts and possibly alters the communication between two parties without their knowledge.
Ignoring or bypassing certificate validation severely undermines the security of your application and should be avoided.
To adhere to this rule, always use the system’s default SSLSocketFactory and TrustManager for SSL/TLS connections. These default settings perform certificate validation automatically. Never attempt to bypass or disable certificate validation. If you need to trust a self-signed certificate for testing purposes, add it to a custom trust store and use that instead of bypassing all certificate validation.
Non-Compliant Code Examples
import javax.net.ssl.*
import okhttp3.OkHttpClient
import java.security.cert.X509Certificate
import java.security.KeyStore

class InsecureTlsConfigurations {
    // Pattern 1: Bypass certificate validation in OkHttpClient
    fun createInsecureOkHttpClient(): OkHttpClient {
        // A trust manager whose check methods never throw accepts any certificate,
        // so the server's identity is never verified.
        val trustAllCerts = arrayOf<TrustManager>(object : X509TrustManager {
            override fun checkClientTrusted(chain: Array<X509Certificate>, authType: String) {}
            override fun checkServerTrusted(chain: Array<X509Certificate>, authType: String) {}
            override fun getAcceptedIssuers(): Array<X509Certificate> = arrayOf()
        })
        val sslContext = SSLContext.getInstance("TLS").apply {
            init(null, trustAllCerts, java.security.SecureRandom())
        }
        return OkHttpClient.Builder()
            .sslSocketFactory(sslContext.socketFactory, trustAllCerts[0] as X509TrustManager)
            .build()
    }

    // Pattern 2: Bypass in HttpsURLConnection
    fun disableUrlConnectionValidation() {
        val trustAllCerts = arrayOf<TrustManager>(object : X509TrustManager {
            override fun checkClientTrusted(chain: Array<X509Certificate>, authType: String) {}
            override fun checkServerTrusted(chain: Array<X509Certificate>, authType: String) {}
            override fun getAcceptedIssuers(): Array<X509Certificate> = arrayOf()
        })
        val sslContext = SSLContext.getInstance("TLS").apply {
            init(null, trustAllCerts, java.security.SecureRandom())
        }
        // Installing this factory as the process-wide default disables validation
        // for every HttpsURLConnection in the application, not just one call site.
        HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.socketFactory)
    }
}
Compliant Code Examples
import javax.net.ssl.*
import okhttp3.OkHttpClient
import java.net.URL
import java.security.cert.X509Certificate
import java.security.KeyStore

class SecureTlsConfigurations {
    // Pattern 1: OkHttpClient with proper validation
    fun createSecureOkHttpClient(): OkHttpClient {
        // Uses the system default SSLSocketFactory and TrustManager
        return OkHttpClient.Builder()
            .build()
    }

    // Pattern 2: HttpsURLConnection with proper validation
    fun createSecureUrlConnection(urlString: String): HttpsURLConnection {
        val url = URL(urlString)
        val connection = url.openConnection() as HttpsURLConnection
        // Uses the system default SSLSocketFactory and trust manager;
        // no need to override any SSL settings
        return connection
    }
}
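The rule text recommends a custom trust store for self-signed test certificates instead of a trust-all manager. The following is an added example, not part of the rule's own code: it assumes okhttp3 is on the classpath and takes a hypothetical `pemPath` argument pointing at a PEM file that holds the certificate(s) to trust. The JDK's own X509TrustManager still performs chain, expiry and hostname checks; only the set of trusted roots changes.

```kotlin
import java.io.FileInputStream
import java.security.KeyStore
import java.security.cert.CertificateFactory
import javax.net.ssl.SSLContext
import javax.net.ssl.TrustManagerFactory
import javax.net.ssl.X509TrustManager
import okhttp3.OkHttpClient

/**
 * Builds an OkHttpClient that trusts only the certificates found in the given PEM file
 * (for example a self-signed test certificate). Validation is never disabled; the
 * platform trust manager simply validates against this store instead of the default roots.
 * `pemPath` is a placeholder supplied by the caller.
 */
fun createOkHttpClientWithCustomTrustStore(pemPath: String): OkHttpClient {
    // Parse every certificate in the PEM file (a single file may contain several).
    val certificates = FileInputStream(pemPath).use { input ->
        CertificateFactory.getInstance("X.509").generateCertificates(input)
    }
    require(certificates.isNotEmpty()) { "no certificates found in $pemPath" }

    // Start from an empty in-memory trust store, so that only the listed
    // certificates are trusted for connections made through this client.
    val trustStore = KeyStore.getInstance(KeyStore.getDefaultType()).apply {
        load(null, null)
        certificates.forEachIndexed { index, cert ->
            setCertificateEntry("trusted-$index", cert)
        }
    }

    // Let the JDK's standard trust manager do the validation against that store.
    val trustManagerFactory = TrustManagerFactory.getInstance(
        TrustManagerFactory.getDefaultAlgorithm()
    ).apply { init(trustStore) }
    val trustManager = trustManagerFactory.trustManagers
        .filterIsInstance<X509TrustManager>()
        .first()

    val sslContext = SSLContext.getInstance("TLS").apply {
        init(null, arrayOf(trustManager), null)
    }
    // Pass the real trust manager to OkHttp; hostname verification stays at its default.
    return OkHttpClient.Builder()
        .sslSocketFactory(sslContext.socketFactory, trustManager)
        .build()
}
```

Because the store is scoped to this client, the process-wide defaults used by other connections are left untouched.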
How to use this rule
rulesets:
  - kotlin-security # Rules to enforce Kotlin security.