feat: add flag to disable ssl verify

2024-09-20 06:31:57 +00:00 · 2024-06-02 11:01:48 -04:00 · 2024-06-02 11:01:48 -04:00 · ea06b397bb
commit ea06b397bb
parent 980d783ac9
5 changed files with 50 additions and 18 deletions
--- a/main.go
+++ b/main.go
@ -68,6 +68,7 @@ var (
 	includeDetectors     = cli.Flag("include-detectors", "Comma separated list of detector types to include. Protobuf name or IDs may be used, as well as ranges.").Default("all").String()
 	excludeDetectors     = cli.Flag("exclude-detectors", "Comma separated list of detector types to exclude. Protobuf name or IDs may be used, as well as ranges. IDs defined here take precedence over the include list.").String()
 	jobReportFile        = cli.Flag("output-report", "Write a scan report to the provided path.").Hidden().OpenFile(os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0666)
+	SslVerify            = cli.Flag("ssl-verify", "Whether to verify the SSL certificates when making requests.").Default("true").Bool()

 	gitScan             = cli.Command("git", "Find credentials in git repositories.")
 	gitScanURI          = gitScan.Arg("uri", "Git repository URL. https://, file://, or ssh:// schema expected.").Required().String()
@ -250,12 +251,18 @@ func init() {

 	cmd = kingpin.MustParse(cli.Parse(os.Args[1:]))

+	// Configure log level.
 	switch {
 	case *trace:
 		log.SetLevel(5)
 	case *debug:
 		log.SetLevel(2)
 	}
+
+	// Disable certificate validation, if specified.
+	if !*SslVerify {
+		common.VerifySsl = false
+	}
 }

 func main() {
--- a/pkg/common/http.go
+++ b/pkg/common/http.go
@ -196,23 +196,33 @@ func RetryableHTTPClientTimeout(timeOutSeconds int64, opts ...ClientOption) *htt

 const DefaultResponseTimeout = 5 * time.Second

-var saneTransport = &http.Transport{
-	Proxy: http.ProxyFromEnvironment,
-	DialContext: (&net.Dialer{
-		Timeout:   2 * time.Second,
-		KeepAlive: 5 * time.Second,
-	}).DialContext,
-	MaxIdleConns:          5,
-	IdleConnTimeout:       5 * time.Second,
-	TLSHandshakeTimeout:   3 * time.Second,
-	ExpectContinueTimeout: 1 * time.Second,
+var VerifySsl = true
+
+func saneTransport() *http.Transport {
+	t := &http.Transport{
+		Proxy: http.ProxyFromEnvironment,
+		DialContext: (&net.Dialer{
+			Timeout:   2 * time.Second,
+			KeepAlive: 5 * time.Second,
+		}).DialContext,
+		MaxIdleConns:          5,
+		IdleConnTimeout:       5 * time.Second,
+		TLSHandshakeTimeout:   3 * time.Second,
+		ExpectContinueTimeout: 1 * time.Second,
+	}
+
+	// Disable TLS certificate validation.
+	if !VerifySsl {
+		t.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+	}
+	return t
 }

 func SaneHttpClient() *http.Client {
-	httpClient := &http.Client{}
-	httpClient.Timeout = DefaultResponseTimeout
-	httpClient.Transport = NewCustomTransport(saneTransport)
-	return httpClient
+	client := &http.Client{}
+	client.Timeout = DefaultResponseTimeout
+	client.Transport = NewCustomTransport(saneTransport())
+	return client
 }

 // SaneHttpClientTimeOut adds a custom timeout for some scanners
--- a/pkg/detectors/jdbc/mysql.go
+++ b/pkg/detectors/jdbc/mysql.go
@ -8,6 +8,8 @@ import (
 	"strings"

 	"github.com/go-sql-driver/mysql"
+
+	"github.com/trufflesecurity/trufflehog/v3/pkg/common"
 )

 type mysqlJDBC struct {
@ -49,12 +51,19 @@ func isMySQLErrorDeterminate(err error) bool {
 	return false
 }

+const defaultParams = "timeout=5s"
+
 func parseMySQL(subname string) (jdbc, error) {
 	// expected form: [subprotocol:]//[user:password@]HOST[/DB][?key=val[&key=val]]
 	if !strings.HasPrefix(subname, "//") {
 		return nil, errors.New("expected host to start with //")
 	}

+	params := defaultParams
+	if !common.VerifySsl {
+		params = defaultParams + "&tls=skip-verify"
+	}
+
 	// need for hostnames that have tcp(host:port) format required by this database driver
 	cfg, err := mysql.ParseDSN(strings.TrimPrefix(subname, "//"))
 	if err == nil {
@ -62,7 +71,7 @@ func parseMySQL(subname string) (jdbc, error) {
 			conn:     subname[2:],
 			userPass: cfg.User + ":" + cfg.Passwd,
 			host:     fmt.Sprintf("tcp(%s)", cfg.Addr),
-			params:   "timeout=5s",
+			params:   params,
 		}, nil
 	}

@ -95,7 +104,7 @@ func parseMySQL(subname string) (jdbc, error) {
 		conn:     subname[2:],
 		userPass: userAndPass,
 		host:     fmt.Sprintf("tcp(%s)", u.Host),
-		params:   "timeout=5s",
+		params:   params,
 	}, nil

 }
--- a/pkg/detectors/jdbc/postgres.go
+++ b/pkg/detectors/jdbc/postgres.go
@ -8,6 +8,8 @@ import (
 	"strings"

 	"github.com/lib/pq"
+
+	"github.com/trufflesecurity/trufflehog/v3/pkg/common"
 )

 type postgresJDBC struct {
@ -88,7 +90,9 @@ func parsePostgres(subname string) (jdbc, error) {
 		}
 	}

-	if v := u.Query()["sslmode"]; len(v) > 0 {
+	if !common.VerifySsl {
+		params["sslmode"] = "disable"
+	} else if v := u.Query()["sslmode"]; len(v) > 0 {
 		switch v[0] {
 		// https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-PROTECTION
 		case "disable", "allow", "prefer",
--- a/pkg/detectors/jdbc/sqlserver.go
+++ b/pkg/detectors/jdbc/sqlserver.go
@ -7,6 +7,8 @@ import (
 	"strings"

 	mssql "github.com/microsoft/go-mssqldb"
+
+	"github.com/trufflesecurity/trufflehog/v3/pkg/common"
 )

 type sqlServerJDBC struct {
@ -66,6 +68,6 @@ func parseSqlServer(subname string) (jdbc, error) {
 		}
 	}
 	return &sqlServerJDBC{
-		connStr: fmt.Sprintf("sqlserver://sa:%s@%s:%s?database=master&connection+timeout=5", password, host, port),
+		connStr: fmt.Sprintf("sqlserver://sa:%s@%s:%s?database=master&connection+timeout=5&TrustServerCertificate=%t", password, host, port, common.VerifySsl),
 	}, nil
 }