Ruby

Made by DeepSource

Potential SSL verification bypass detected RB-DS1011

Security
Major

Requests to secure endpoints must not be made without verifying the SSL certificate. It can be fixed by setting use_ssl on the Net::HTTP object to true and using OpenSSL::SSL::VERIFY_PEER as its verify_mode, as in the recommended example below.

Not performing SSL certificate verification on the client side is a security threat: an attacker can perform a Man In The Middle (MITM) attack by presenting their own certificate in place of the server's.

Such attacks are mitigated by performing certificate validation on the client side. If an invalid certificate is presented, the verification fails and the connection is not established, so the transmitted data cannot be intercepted by the attacker.

The examples below explain how to perform certificate validations in Ruby.

Bad practice

require 'net/http'
require 'openssl'

# Net::HTTP.new takes a host name and port, not a URL
http_client = Net::HTTP.new('google.com', 443)
http_client.use_ssl = true
# VERIFY_NONE accepts any certificate, including an attacker's
http_client.verify_mode = OpenSSL::SSL::VERIFY_NONE

Recommended

require 'net/http'
require 'openssl'

# Net::HTTP.new takes a host name and port, not a URL
http_client = Net::HTTP.new('google.com', 443)
http_client.use_ssl = true
# VERIFY_PEER rejects certificates that do not chain to a trusted CA
http_client.verify_mode = OpenSSL::SSL::VERIFY_PEER
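As an added example (not part of the DeepSource rule page), the recommended configuration wrapped in a small constructor, alongside an audit function that flags a Net::HTTP client configured the "bad practice" way. The helper names secure_http_client and audit_http_client are hypothetical; no network connection is made, since Net::HTTP.new does not connect.

```ruby
require 'net/http'
require 'openssl'

# Build a client with TLS enabled and peer verification enforced.
# ca_file is optional, for services signed by a private CA.
def secure_http_client(host, port = 443, ca_file: nil)
  http = Net::HTTP.new(host, port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER   # reject untrusted certificates
  http.ca_file = ca_file if ca_file              # trust anchor for a private CA
  http
end

# Inspect an existing client and return :ok, or a symbol naming the problem.
# A nil verify_mode means "not set": Net::HTTP then falls back to OpenSSL's
# default parameters, which verify the peer, so only an explicit VERIFY_NONE
# is reported as a bypass.
def audit_http_client(http)
  return :plaintext unless http.use_ssl?
  return :verification_disabled if http.verify_mode == OpenSSL::SSL::VERIFY_NONE
  :ok
end

if __FILE__ == $PROGRAM_NAME
  good = secure_http_client('google.com')
  bad  = Net::HTTP.new('google.com', 443)
  bad.use_ssl = true
  bad.verify_mode = OpenSSL::SSL::VERIFY_NONE
  puts "recommended client: #{audit_http_client(good)}"   # :ok
  puts "bad practice client: #{audit_http_client(bad)}"   # :verification_disabled
end
```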