From ea06b397bb080ffad7df5ce523f7e9339fa24804 Mon Sep 17 00:00:00 2001
From: Richard Gomez
Date: Sun, 2 Jun 2024 11:01:48 -0400
Subject: [PATCH] feat: add flag to disable ssl verify

---
 main.go | 7 ++++++
 pkg/common/http.go | 38 +++++++++++++++++++++------------
 pkg/detectors/jdbc/mysql.go | 13 +++++++++--
 pkg/detectors/jdbc/postgres.go | 6 +++++-
 pkg/detectors/jdbc/sqlserver.go | 4 +++-
 5 files changed, 50 insertions(+), 18 deletions(-)

diff --git a/main.go b/main.go
index c4911c391..e885e76f8 100644
--- a/main.go
+++ b/main.go
@@ -68,6 +68,7 @@ var (
 includeDetectors = cli.Flag("include-detectors", "Comma separated list of detector types to include. Protobuf name or IDs may be used, as well as ranges.").Default("all").String()
 excludeDetectors = cli.Flag("exclude-detectors", "Comma separated list of detector types to exclude. Protobuf name or IDs may be used, as well as ranges. IDs defined here take precedence over the include list.").String()
 jobReportFile = cli.Flag("output-report", "Write a scan report to the provided path.").Hidden().OpenFile(os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0666)
+ SslVerify = cli.Flag("ssl-verify", "Whether to verify the SSL certificates when making requests.").Default("true").Bool()
 
 gitScan = cli.Command("git", "Find credentials in git repositories.")
 gitScanURI = gitScan.Arg("uri", "Git repository URL. https://, file://, or ssh:// schema expected.").Required().String()
@@ -250,12 +251,18 @@ func init() {
 
 cmd = kingpin.MustParse(cli.Parse(os.Args[1:]))
 
+ // Configure log level.
 switch {
 case *trace:
 log.SetLevel(5)
 case *debug:
 log.SetLevel(2)
 }
+
+ // Disable certificate validation, if specified.
+ if !*SslVerify {
+ common.VerifySsl = false
+ }
 }
 
 func main() {
diff --git a/pkg/common/http.go b/pkg/common/http.go
index 7f89faedd..7cf035b4f 100644
--- a/pkg/common/http.go
+++ b/pkg/common/http.go
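Review bot: `SslVerify` on the added line is the only capitalized (exported) name in this `var (` block of CLI flags — its siblings `includeDetectors`, `excludeDetectors` and `jobReportFile` are all unexported, and Go style keeps initialisms uniform (`SSL`, not `Ssl`). Nothing outside main should be reading main's flag variables, so `sslVerify = cli.Flag("ssl-verify", ...)` keeps the block consistent; the same initialism rule applies to `common.VerifySsl` in pkg/common/http.go (`VerifySSL`). The help text could also say what the flag affects, e.g. `"Verify TLS certificates when making verification requests (HTTP and JDBC). Disable only for testing against self-signed endpoints."`, since the current wording does not tell the operator that detector verification traffic becomes open to interception.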
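Review bot: The `if !*SslVerify { common.VerifySsl = false }` block in init() runs only after every imported package has finished its own initialization, so any detector that builds its HTTP client in a package-level `var ... = common.SaneHttpClient()` will already have captured a transport with verification enabled and the flag will silently not apply to it — worth checking whether such package-level clients exist before relying on this ordering. Turning certificate validation off also leaves no trace in the output; I would log a warning at this point with whatever logger main.go already uses, introduced by a comment such as `// Warn loudly: every verification request is now open to interception.`. Writing the assignment as `common.VerifySsl = *SslVerify` keeps the two values in lockstep instead of only ever clearing the global. The rest of init() is outside the hunk.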
@@ -196,23 +196,33 @@ func RetryableHTTPClientTimeout(timeOutSeconds int64, opts ...ClientOption) *htt
 
 const DefaultResponseTimeout = 5 * time.Second
 
-var saneTransport = &http.Transport{
- Proxy: http.ProxyFromEnvironment,
- DialContext: (&net.Dialer{
- Timeout: 2 * time.Second,
- KeepAlive: 5 * time.Second,
- }).DialContext,
- MaxIdleConns: 5,
- IdleConnTimeout: 5 * time.Second,
- TLSHandshakeTimeout: 3 * time.Second,
- ExpectContinueTimeout: 1 * time.Second,
+var VerifySsl = true
+
+func saneTransport() *http.Transport {
+ t := &http.Transport{
+ Proxy: http.ProxyFromEnvironment,
+ DialContext: (&net.Dialer{
+ Timeout: 2 * time.Second,
+ KeepAlive: 5 * time.Second,
+ }).DialContext,
+ MaxIdleConns: 5,
+ IdleConnTimeout: 5 * time.Second,
+ TLSHandshakeTimeout: 3 * time.Second,
+ ExpectContinueTimeout: 1 * time.Second,
+ }
+
+ // Disable TLS certificate validation.
+ if !VerifySsl {
+ t.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+ }
+ return t
 }
 
 func SaneHttpClient() *http.Client {
- httpClient := &http.Client{}
- httpClient.Timeout = DefaultResponseTimeout
- httpClient.Transport = NewCustomTransport(saneTransport)
- return httpClient
+ client := &http.Client{}
+ client.Timeout = DefaultResponseTimeout
+ client.Transport = NewCustomTransport(saneTransport())
+ return client
 }
 
 // SaneHttpClientTimeOut adds a custom timeout for some scanners
diff --git a/pkg/detectors/jdbc/mysql.go b/pkg/detectors/jdbc/mysql.go
index 291bc375e..86f9d8174 100644
--- a/pkg/detectors/jdbc/mysql.go
+++ b/pkg/detectors/jdbc/mysql.go
@@ -8,6 +8,8 @@ import (
 "strings"
 
 "github.com/go-sql-driver/mysql"
+
+ "github.com/trufflesecurity/trufflehog/v3/pkg/common"
 )
 
 type mysqlJDBC struct {
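Review bot: `saneTransport()` now builds a fresh `*http.Transport` on every call, whereas the removed `var saneTransport` was one shared instance, so each `SaneHttpClient()` caller gets its own idle-connection pool (`MaxIdleConns: 5`) and keep-alive sockets instead of sharing one — for a scanner that creates a client per detector this multiplies open connections. Building the transport once under a `sync.Once` keeps the single shared pool while still reading `VerifySsl` after main has set it (this needs `"sync"` in http.go's imports). `VerifySsl` is also an undocumented exported mutable global; a doc comment such as `// VerifySsl controls TLS certificate verification for clients built by this package. It is read when the transport is built, so it must be set before the first SaneHttpClient call.` makes that ordering contract explicit. Finally, the hunk uses `tls.Config` but no import change for http.go appears in this patch, so `crypto/tls` must already be imported there — worth confirming the build.
```go
var VerifySsl = true

// Built once so every client shares one idle-connection pool, as before.
var (
	saneTransportOnce sync.Once
	sharedTransport   *http.Transport
)

func saneTransport() *http.Transport {
	saneTransportOnce.Do(func() {
		sharedTransport = &http.Transport{
			// … unchanged: Proxy, DialContext, MaxIdleConns, IdleConnTimeout, TLSHandshakeTimeout, ExpectContinueTimeout …
		}
		// Disable TLS certificate validation.
		if !VerifySsl {
			sharedTransport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
		}
	})
	return sharedTransport
}
// … unchanged: SaneHttpClient …
```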
@@ -49,12 +51,19 @@ func isMySQLErrorDeterminate(err error) bool {
 return false
 }
 
+const defaultParams = "timeout=5s"
+
 func parseMySQL(subname string) (jdbc, error) {
 // expected form: [subprotocol:]//[user:password@]HOST[/DB][?key=val[&key=val]]
 if !strings.HasPrefix(subname, "//") {
 return nil, errors.New("expected host to start with //")
 }
 
+ params := defaultParams
+ if !common.VerifySsl {
+ params = defaultParams + "&tls=skip-verify"
+ }
+
 // need for hostnames that have tcp(host:port) format required by this database driver
 cfg, err := mysql.ParseDSN(strings.TrimPrefix(subname, "//"))
 if err == nil {
@@ -62,7 +71,7 @@ func parseMySQL(subname string) (jdbc, error) {
 conn: subname[2:],
 userPass: cfg.User + ":" + cfg.Passwd,
 host: fmt.Sprintf("tcp(%s)", cfg.Addr),
- params: "timeout=5s",
+ params: params,
 }, nil
 }
 
@@ -95,7 +104,7 @@ func parseMySQL(subname string) (jdbc, error) {
 conn: subname[2:],
 userPass: userAndPass,
 host: fmt.Sprintf("tcp(%s)", u.Host),
- params: "timeout=5s",
+ params: params,
 }, nil
 }
 
diff --git a/pkg/detectors/jdbc/postgres.go b/pkg/detectors/jdbc/postgres.go
index c9b678bd7..3c8b1090f 100644
--- a/pkg/detectors/jdbc/postgres.go
+++ b/pkg/detectors/jdbc/postgres.go
@@ -8,6 +8,8 @@ import (
 "strings"
 
 "github.com/lib/pq"
+
+ "github.com/trufflesecurity/trufflehog/v3/pkg/common"
 )
 
 type postgresJDBC struct {
@@ -88,7 +90,9 @@ func parsePostgres(subname string) (jdbc, error) {
 }
 }
 
- if v := u.Query()["sslmode"]; len(v) > 0 {
+ if !common.VerifySsl {
+ params["sslmode"] = "disable"
+ } else if v := u.Query()["sslmode"]; len(v) > 0 {
 switch v[0] {
 // https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-PROTECTION
 case "disable", "allow", "prefer",
diff --git a/pkg/detectors/jdbc/sqlserver.go b/pkg/detectors/jdbc/sqlserver.go
index 23629c128..19fe8e725 100644
--- a/pkg/detectors/jdbc/sqlserver.go
+++ b/pkg/detectors/jdbc/sqlserver.go
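Review bot: `params = defaultParams + "&tls=skip-verify"` changes more than certificate checking: a DSN with no `tls` key connects in plaintext, while `tls=skip-verify` makes go-sql-driver/mysql require a TLS handshake, so with `--ssl-verify=false` the MySQL detector can no longer verify a credential against a server that does not offer TLS. If I read the driver's DSN documentation correctly, `tls=preferred` is the intended analogue — TLS when the server advertises it, without certificate verification — i.e. `params = defaultParams + "&tls=preferred"`. `defaultParams` is also a very generic name for a package-level constant in a package that holds several dialect files; `defaultMySQLParams` says which dialect it belongs to. The tail of parseMySQL is outside this hunk (the two later hunks only consume `params`).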
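Review bot: `params["sslmode"] = "disable"` does not skip certificate verification, it switches encryption off entirely, and because it is tested before the URL's own `sslmode` it also overrides an explicit `verify-full` carried by the candidate connection string. The libpq page already linked in the hunk documents `require` as encrypted-but-unverified when no root certificate is supplied, and lib/pq implements it the same way (worth checking against the vendored version), so `params["sslmode"] = "require"` matches what `--ssl-verify=false` promises. I would also apply it only when the URL did not set an `sslmode` itself: keep the existing `if v := u.Query()["sslmode"]; len(v) > 0` branch first and add `else if !common.VerifySsl { params["sslmode"] = "require" }` after it. The switch body and the rest of parsePostgres continue outside the hunk.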
@@ -7,6 +7,8 @@ import (
 "strings"
 
 mssql "github.com/microsoft/go-mssqldb"
+
+ "github.com/trufflesecurity/trufflehog/v3/pkg/common"
 )
 
 type sqlServerJDBC struct {
@@ -66,6 +68,6 @@ func parseSqlServer(subname string) (jdbc, error) {
 }
 }
 return &sqlServerJDBC{
- connStr: fmt.Sprintf("sqlserver://sa:%s@%s:%s?database=master&connection+timeout=5", password, host, port),
+ connStr: fmt.Sprintf("sqlserver://sa:%s@%s:%s?database=master&connection+timeout=5&TrustServerCertificate=%t", password, host, port, common.VerifySsl),
 }, nil
 }
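Review bot: The new `TrustServerCertificate=%t` is wired backwards: in go-mssqldb `TrustServerCertificate=true` means the server certificate is not checked, so passing `common.VerifySsl` (default true) disables verification for every scan by default and enables it only when the operator asked for `--ssl-verify=false`. The argument should be negated: `&TrustServerCertificate=%t", password, host, port, !common.VerifySsl),`. Worth pinning with a unit test on parseSqlServer that asserts `TrustServerCertificate=false` appears in the connection string when `common.VerifySsl` is true. On the same line `password` is still interpolated into the URL unescaped, so a secret containing `@`, `/` or `%` yields a malformed DSN — `url.UserPassword("sa", password)` inside a `url.URL` avoids that. The start of parseSqlServer is outside the hunk.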