Faraday HTTP Request Disables SSL/TLS Verification
Description
The Faraday HTTP connection is configured with SSL/TLS certificate verification disabled. With verification off, the client accepts any certificate the server presents, so an attacker positioned on the network path can intercept and modify the communication between the client and server (a man-in-the-middle attack).
Examples
Insecure Code
```ruby
Faraday.new(url: 'https://example.com', ssl: { verify: false })
```
Secure Code
```ruby
Faraday.new(url: 'https://example.com', ssl: { verify: true, verify_hostname: true, verify_mode: OpenSSL::SSL::VERIFY_PEER })
```
Remediation
Enable SSL/TLS verification by setting `verify` to `true`, `verify_hostname` to `true`, and `verify_mode` to `OpenSSL::SSL::VERIFY_PEER` or `OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT` in the Faraday SSL options.
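As an added example, not part of this rule text or of Faraday's own code, the checks the rule describes expressed in plain Ruby: one function inspects an `ssl:` options hash, the other scans source lines for `Faraday.new` calls that disable verification. Function and constant names are assumptions, the sample source is constructed, and no Faraday gem is needed to run it.

```ruby
require 'openssl'

# Returns a list of findings for a Faraday-style ssl: options hash.
# Faraday verifies peers by default, so nil or empty options are not flagged.
def ssl_option_findings(ssl)
  findings = []
  return findings if ssl.nil? || ssl.empty?
  findings << 'verify is false' if ssl.key?(:verify) && !ssl[:verify]
  findings << 'verify_hostname is false' if ssl.key?(:verify_hostname) && !ssl[:verify_hostname]
  findings << 'verify_mode is VERIFY_NONE' if ssl[:verify_mode] == OpenSSL::SSL::VERIFY_NONE
  findings
end

# The remediated options from the rule, kept as a hash for comparison.
SECURE_SSL_OPTIONS = {
  verify: true,
  verify_hostname: true,
  verify_mode: OpenSSL::SSL::VERIFY_PEER
}.freeze

# Heuristic, regex-based detector for single-line Faraday.new calls whose
# ssl: block disables verification. It is not a Ruby parser: multi-line
# hashes or options built elsewhere are out of its reach.
INSECURE_PATTERN = /Faraday\.new\b.*\bssl:\s*\{[^}]*(verify(?:_hostname)?:\s*false|VERIFY_NONE)/

# Returns [[line_number, stripped_line], ...] for each flagged line.
def scan_source(source)
  source.each_line.with_index(1)
        .select { |line, _| line =~ INSECURE_PATTERN }
        .map { |line, no| [no, line.strip] }
end

# Constructed sample source; line 2 is the rule's secure form.
SAMPLE_SOURCE = <<~RUBY
  conn = Faraday.new(url: 'https://example.com', ssl: { verify: false })
  conn = Faraday.new(url: 'https://example.com', ssl: { verify: true, verify_hostname: true, verify_mode: OpenSSL::SSL::VERIFY_PEER })
  conn = Faraday.new(url: 'https://example.com', ssl: { verify_mode: OpenSSL::SSL::VERIFY_NONE })
RUBY

if __FILE__ == $PROGRAM_NAME
  scan_source(SAMPLE_SOURCE).each { |no, line| puts "line #{no}: #{line}" }
  p ssl_option_findings(SECURE_SSL_OPTIONS)
end
```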
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0274 |
| Category | InsecureConfig |
| Severity | CRITICAL |
| CWE | CWE-295 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | HIGH |
| Exploitability | EASY |
| Tags | ssl, tls, verification |
| OWASP | N/A |