Missing SSL certificate verification detected.

Rule ID: ruby_lang_ssl_verification
Languages: ruby
Source: ssl_verification.yml

Description

Applications processing sensitive data should use valid SSL certificates. This rule checks if SSL verification is enabled.

Remediations

❌ By default Ruby check for SSL certificate verification but this can be bypassed when setting Open SSL verification mode to VERIFY_NONE:

require "net/https"
require "uri"

uri = URI.parse("https://ssl-site.com/")
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE

✅ To ensure that SSL verification always happens, make sure to use the following mode:

http.verify_mode = OpenSSL::SSL::VERIFY_PEER

Resources

Ruby OpenSSL module

Associated CWE

CWE-295: Improper Certificate Validation

OWASP Top 10

A07:2021 - Identification and Authentication Failures

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=ruby_lang_ssl_verification

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=ruby_lang_ssl_verification

Ready to take the next step? Learn more about Bearer Cloud.