postgres tls - more precise rule

trailofbits · Dec 5, 2024 · 68d5c26 · 68d5c26
1 parent e4ff1ca
commit 68d5c26
Show file tree

Hide file tree

Showing 2 changed files with 56 additions and 1 deletion.
diff --git a/generic/postgres-insecure-sslmode.sh b/generic/postgres-insecure-sslmode.sh
@@ -1,7 +1,53 @@
 #!/bin/bash
 
+# default sslmode is only "prefer"
+# ruleid: postgres-insecure-sslmode
+psql postgresql://myapplicationuser:mypass@myhost:1234/applicationdb
+
+# ruleid: postgres-insecure-sslmode
+psql "postgresql://myapplicationuser:mypass@myhost:1234/applicationdb?something=else"
+
 # ruleid: postgres-insecure-sslmode
 psql postgresql://myapplicationuser:mypass@myhost:1234/applicationdb?sslmode=disable
 
+# ruleid: postgres-insecure-sslmode
+psql postgresql://myapplicationuser:mypass@myhost:1234/applicationdb?sslmode=PREfered
+
+# "This option is deprecated in favor of the sslmode setting."
+# ruleid: postgres-insecure-sslmode
+psql postgresql://myapplicationuser:mypass@myhost:1234/applicationdb?requiressl=0
+
+# ruleid: postgres-insecure-sslmode
+psql "postgresql://myapplicationuser:mypass@myhost:1234/applicationdb?ssl=false"
+
 # ok: postgres-insecure-sslmode
 psql postgresql://myapplicationuser:mypass@myhost:1234/applicationdb?sslmode=require
+
+# ok: postgres-insecure-sslmode
+psql "postgresql://myapplicationuser:mypass@myhost:1234/applicationdb?sslmode=verify-full&something=else"
+
+# ok: postgres-insecure-sslmode
+psql "postgresql://myapplicationuser:mypass@myhost:1234/applicationdb?sslmode=require&something=else"
+
+# ok: postgres-insecure-sslmode
+psql 'postgresql://myapplicationuser:mypass@myhost:1234/applicationdb?sslmode=require&something=else'
+
+echo '
+# ok: postgres-insecure-sslmode
+postgresql://myapplicationuser:mypass@myhost:1234/applicationdb?sslmode=require&something=else
+'
+
+echo '
+# ok: postgres-insecure-sslmode
+postgresql://myapplicationuser:mypass@myhost:1234/applicationdb?sslmode=require
+'
+
+# "for compatibility with JDBC connection URIs, instances of ssl=true are translated into sslmode=require."
+# ok: postgres-insecure-sslmode
+psql "postgresql://myapplicationuser:mypass@myhost:1234/applicationdb?ssl=true"
+
+# ok: postgres-insecure-sslmode
+psql "postgresql://myapplicationuser:mypass@myhost:1234/applicationdb?ssl=true&something=else"
+
+# ok: postgres-insecure-sslmode
+psql 'postgresql://myapplicationuser:mypass@myhost:1234/applicationdb?requiressl=1'
diff --git a/generic/postgres-insecure-sslmode.yaml b/generic/postgres-insecure-sslmode.yaml
@@ -14,4 +14,13 @@ rules:
       technology: [postgresql]
       references:
         - https://www.postgresql.org/docs/current/libpq-connect.html
-    pattern-regex: "[?&]sslmode=(disable|allow|prefer)"
+    # pattern-regex: "[?&]sslmode=(disable|allow|prefer)"
+    pattern-either:
+      - patterns:
+          - pattern-regex: postgresql://.+$
+          - pattern-not-regex: (?:(.)?)?postgresql://.+[?&]sslmode=(require|verify-ca|verify-full)(?:\g{1}|$|&).*
+          - pattern-not-regex: (?:(.)?)?postgresql://.+[?&]requiressl=1(?:\g{1}|$|&).*
+          - pattern-not-regex: (?:(.)?)?postgresql://.+[?&]ssl=true(?:\g{1}|$|&).*
+      - pattern-regex: postgresql://.+[?&]sslmode=(disable|allow|prefer).*$
+      - pattern-regex: postgresql://.+[?&]requiressl=0.*$
+      - pattern-regex: postgresql://.+[?&]ssl=false.*$