no-insecure-ssl
Prevents disabling SSL certificate validation in PostgreSQL connections.
Keywords: SSL, TLS, CWE-295, pg, node-postgres, security, certificate validation
⚠️ This rule errors by default in the recommended config.
Quick Summary
| Aspect | Details |
|---|---|
| CWE Reference | CWE-295 (Improper Certificate Validation) |
| Severity | High (CVSS: 7.5) |
| Category | Security |
Rule Details
Setting rejectUnauthorized: false disables SSL certificate verification, making connections vulnerable to man-in-the-middle attacks.
❌ Incorrect
const client = new Client({
  ssl: {
    rejectUnauthorized: false, // Dangerous!
  },
});

const pool = new Pool({
  ssl: {
    rejectUnauthorized: false,
  },
});
✅ Correct
import fs from 'fs';

// Default (secure)
const client = new Client({ ssl: true });

// With CA certificate
const clientWithCa = new Client({
  ssl: {
    ca: fs.readFileSync('/path/to/server-ca.pem').toString(),
  },
});

// Explicit secure setting
const clientExplicit = new Client({
  ssl: {
    rejectUnauthorized: true,
  },
});
Error Message Format
🔒 CWE-295 | Insecure SSL: rejectUnauthorized: false disables certificate validation | HIGH
Fix: Remove rejectUnauthorized: false or set to true, and provide CA certificate
When Not To Use It
- In development environments with self-signed certificates (use environment variables instead)
- Never disable in production
Known False Negatives
The following patterns are not detected due to static analysis limitations:
Options from Variable
Why: Variable contents are not analyzed.
// ❌ NOT DETECTED - SSL options from variable
const sslOpts = { rejectUnauthorized: false };
const client = new Client({ ssl: sslOpts });
Mitigation: Use inline SSL configuration. Create TypeScript types forbidding rejectUnauthorized: false.
Environment Variable Controlling SSL
Why: Environment variable values are not known at lint time.
// ❌ NOT DETECTED - SSL disabled based on env var
const ssl =
  process.env.NODE_ENV === 'development'
    ? { rejectUnauthorized: false } // Might leak to production!
    : true;
const client = new Client({ ssl });
Mitigation: Never conditionally disable SSL. Use separate connection configs per environment.
Configuration Object from File
Why: Values imported from config files are not traced.
// ❌ NOT DETECTED - Config from file
import dbConfig from './database.json';
const client = new Client(dbConfig); // May have rejectUnauthorized: false
Mitigation: Apply rule to config files. Use schema validation for database configs.
Spread Operator
Why: Spread objects hide their properties at lint time.
// ❌ NOT DETECTED - rejectUnauthorized in spread
const baseConfig = getDbConfig();
const client = new Client({ ...baseConfig }); // May include insecure SSL
Mitigation: Explicitly set SSL options. Validate config at runtime.
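The mitigations above call for schema validation and runtime validation of the config. The following is an added example, not part of this rule or of node-postgres: a guard that inspects the final config object, so it covers the variable, file and spread cases the linter cannot see. The names findInsecureSsl and assertSecureSsl and all sample configs are hypothetical and constructed for illustration.

```javascript
// Added example: runtime check for the patterns the lint rule cannot trace.
// Function names and sample values are hypothetical, constructed here.

// Returns a list of problems found in a node-postgres style config object.
function findInsecureSsl(config) {
  const problems = [];
  const ssl = config && config.ssl;
  // `ssl: true` or a missing `ssl` key carries no rejectUnauthorized to check.
  if (ssl === null || typeof ssl !== 'object') return problems;
  const value = ssl.rejectUnauthorized; // also sees inherited properties
  if (value === undefined) return problems;
  if (value === false) {
    problems.push('ssl.rejectUnauthorized is false: certificate validation disabled (CWE-295)');
  } else if (value !== true) {
    // A string such as "false" from JSON or an env var is a config mistake.
    problems.push(`ssl.rejectUnauthorized must be boolean true, got ${JSON.stringify(value)}`);
  }
  return problems;
}

// Throws before the config can reach new Client(...) or new Pool(...);
// returns the same object so it can wrap the constructor argument.
function assertSecureSsl(config) {
  const problems = findInsecureSsl(config);
  if (problems.length > 0) {
    throw new Error(`Insecure database SSL config: ${problems.join('; ')}`);
  }
  return config;
}

// Constructed samples mirroring the undetected patterns listed above.
const sslOpts = { rejectUnauthorized: false };
const fromVariable = { host: 'db.example.internal', ssl: sslOpts };
const fromSpread = { ...fromVariable, database: 'app' };
const fromJsonFile = JSON.parse('{"ssl": {"rejectUnauthorized": "false"}}');
const secure = {
  host: 'db.example.internal',
  ssl: { rejectUnauthorized: true, ca: '<CA PEM placeholder>' },
};

const samples = { fromVariable, fromSpread, fromJsonFile, secure };
for (const [name, cfg] of Object.entries(samples)) {
  const problems = findInsecureSsl(cfg);
  console.log(name, problems.length ? problems : 'ok');
}
```

Wrapping the constructor argument, as in `new Client(assertSecureSsl(config))`, makes the check run on the fully resolved object regardless of where its parts came from.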
Related Rules
- no-hardcoded-credentials - Prevents hardcoded passwords