Sonar scan security issue

Created on 29 May 2024, 6 months ago

Problem/Motivation

SonarQube scan shows an issue with the code:

Enable server certificate validation on this SSL/TLS connection.
Server certificates should be verified during SSL/TLS connections (php:S4830)
Software qualities impacted: Security
Vulnerability, Critical
docroot/.../tmgmt_smartling/src/Context/HtmlAssetInliner.php

curl_setopt($crl, CURLOPT_CONNECTTIMEOUT, $timeout); # set the timeout
curl_setopt($crl, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($crl, CURLOPT_COOKIE, $this->cookie);
curl_setopt($crl, CURLOPT_USERAGENT, $user_agent); # set our 'user agent'
curl_setopt($crl, CURLOPT_SSL_VERIFYPEER, FALSE);
# Sonar (php:S4830) flags the line above: Enable server certificate validation on this SSL/TLS connection.

------------------------------------------------------------------------------------------

private function applySettingsToCurl($proj_settings, $curl) {
  if (!empty($proj_settings['context_skip_host_verifying'])) {
    curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, FALSE);
    # Sonar flags the line above: Enable server hostname verification on this SSL/TLS connection.
  }

🐛 Bug report
Status

Closed: works as designed

Version

9.8

Component

Code

Created by

vipul tulse (India)


Comments & Activities

  • Issue created by @vipul tulse
  • Status changed to Closed: works as designed 6 months ago
  • Hi @vipul tulse, this is by design. The method you've mentioned is about retrieving page HTML for the visual context, and the CURLOPT_SSL_VERIFYHOST option is only applied to the curl options when context_skip_host_verifying is enabled in the connector settings.

    Moreover, we explicitly tell the user when to enable this setting and warn the user to do so only on dev environments:

    If checked, curl won't verify host during retrieving context (CURLOPT_SSL_VERIFYHOST = 0). Use only for developing and testing purposes on NON PRODUCTION environments.
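The thread above covers the CURLOPT_SSL_VERIFYHOST finding, which is gated by the context_skip_host_verifying setting. Two practical points remain for anyone triaging the same Sonar report: the first pasted excerpt sets CURLOPT_SSL_VERIFYPEER to FALSE with no condition visible in the pasted lines, and a setting-driven opt-out is only as safe as the guard that stops it being switched on in production. The PHP below is an added example written for this page, not code from tmgmt_smartling; it keeps peer and hostname verification on by default, mirrors the documented dev/test-only behaviour of context_skip_host_verifying for the hostname check only, and adds an assumed second guard ($allow_insecure, e.g. derived from an environment flag) so the connector setting alone cannot weaken TLS on a production host. The function names and the $allow_insecure parameter are illustrative assumptions.

```php
<?php
// Added example for this issue page; not part of the tmgmt_smartling module.
declare(strict_types=1);

/**
 * Build the cURL option set used to fetch a page's HTML for visual context.
 *
 * $proj_settings['context_skip_host_verifying'] is the connector setting quoted
 * on this page. $allow_insecure is an ASSUMED extra guard (for example set from
 * an environment variable on non-production hosts) so the setting by itself
 * cannot disable hostname verification in production.
 */
function buildContextCurlOptions(array $proj_settings, string $cookie, string $user_agent, int $timeout, bool $allow_insecure = false): array {
  $options = [
    CURLOPT_CONNECTTIMEOUT => $timeout,
    CURLOPT_FOLLOWLOCATION => true,
    CURLOPT_MAXREDIRS      => 5,                 // bound redirect chains
    CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,   // never downgrade to plain HTTP
    CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS,  // redirects must stay on HTTPS too
    CURLOPT_COOKIE         => $cookie,
    CURLOPT_USERAGENT      => $user_agent,
    CURLOPT_RETURNTRANSFER => true,
    // Secure defaults: verify the certificate chain (S4830) and the hostname.
    // 2 is the only meaningful non-zero value for CURLOPT_SSL_VERIFYHOST.
    CURLOPT_SSL_VERIFYPEER => true,
    CURLOPT_SSL_VERIFYHOST => 2,
  ];

  $skip_host = !empty($proj_settings['context_skip_host_verifying']);
  if ($skip_host && $allow_insecure) {
    // Documented dev/test-only behaviour: relax the hostname check only.
    // Peer (chain) verification stays on; the setting never disables it.
    $options[CURLOPT_SSL_VERIFYHOST] = 0;
  }
  elseif ($skip_host) {
    // Setting is on but insecure mode is not permitted here: keep verifying
    // and make the mismatch visible instead of silently weakening TLS.
    error_log('context_skip_host_verifying is enabled but insecure mode is not allowed on this host; hostname verification stays on.');
  }

  return $options;
}

/**
 * Fetch the context HTML with the options above; a verification failure
 * surfaces as an exception rather than an empty or partial page.
 */
function fetchContextHtml(string $url, array $proj_settings, string $cookie, string $user_agent, int $timeout = 10, bool $allow_insecure = false): string {
  $ch = curl_init($url);
  if ($ch === false) {
    throw new RuntimeException('curl_init() failed');
  }
  curl_setopt_array($ch, buildContextCurlOptions($proj_settings, $cookie, $user_agent, $timeout, $allow_insecure));

  $body = curl_exec($ch);
  if ($body === false) {
    // For a self-signed or mismatched certificate this carries cURL's
    // "SSL certificate problem" / "does not match" text.
    $err = curl_error($ch);
    curl_close($ch);
    throw new RuntimeException('Context fetch failed: ' . $err);
  }
  curl_close($ch);
  return $body;
}

// Illustrative use: the connector setting is on, but we are not in an
// environment that permits insecure mode, so verification stays fully on.
$settings = ['context_skip_host_verifying' => 1];
$opts = buildContextCurlOptions($settings, 'SESS=abc', 'tmgmt-context/1.0', 10, false);
assert($opts[CURLOPT_SSL_VERIFYPEER] === true && $opts[CURLOPT_SSL_VERIFYHOST] === 2);

// Same setting with the assumed non-production guard enabled: only the
// hostname check is relaxed, exactly as the setting's help text describes.
$opts = buildContextCurlOptions($settings, 'SESS=abc', 'tmgmt-context/1.0', 10, true);
assert($opts[CURLOPT_SSL_VERIFYPEER] === true && $opts[CURLOPT_SSL_VERIFYHOST] === 0);
```

If a development site really needs a self-signed certificate, pointing CURLOPT_CAINFO at that site's CA bundle keeps both checks on and avoids the finding entirely; disabling CURLOPT_SSL_VERIFYPEER is never required for the hostname-skip use case the maintainer describes.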
