Rust: New Query rust/disabled-certificate-check

rust/ql/integration-tests/query-suite/rust-code-scanning.qls.expected

@@ -11,6 +11,7 @@ ql/rust/ql/src/queries/diagnostics/UnresolvedMacroCalls.ql
 ql/rust/ql/src/queries/security/CWE-020/RegexInjection.ql
 ql/rust/ql/src/queries/security/CWE-022/TaintedPath.ql
 ql/rust/ql/src/queries/security/CWE-089/SqlInjection.ql
+ql/rust/ql/src/queries/security/CWE-295/DisabledCertificateCheck.ql
 ql/rust/ql/src/queries/security/CWE-311/CleartextTransmission.ql
 ql/rust/ql/src/queries/security/CWE-312/CleartextLogging.ql
 ql/rust/ql/src/queries/security/CWE-312/CleartextStorageDatabase.ql

rust/ql/integration-tests/query-suite/rust-security-and-quality.qls.expected

@@ -12,6 +12,7 @@ ql/rust/ql/src/queries/security/CWE-020/RegexInjection.ql
 ql/rust/ql/src/queries/security/CWE-022/TaintedPath.ql
 ql/rust/ql/src/queries/security/CWE-089/SqlInjection.ql
 ql/rust/ql/src/queries/security/CWE-117/LogInjection.ql
+ql/rust/ql/src/queries/security/CWE-295/DisabledCertificateCheck.ql
 ql/rust/ql/src/queries/security/CWE-311/CleartextTransmission.ql
 ql/rust/ql/src/queries/security/CWE-312/CleartextLogging.ql
 ql/rust/ql/src/queries/security/CWE-312/CleartextStorageDatabase.ql

rust/ql/integration-tests/query-suite/rust-security-extended.qls.expected

@@ -12,6 +12,7 @@ ql/rust/ql/src/queries/security/CWE-020/RegexInjection.ql
 ql/rust/ql/src/queries/security/CWE-022/TaintedPath.ql
 ql/rust/ql/src/queries/security/CWE-089/SqlInjection.ql
 ql/rust/ql/src/queries/security/CWE-117/LogInjection.ql
+ql/rust/ql/src/queries/security/CWE-295/DisabledCertificateCheck.ql
 ql/rust/ql/src/queries/security/CWE-311/CleartextTransmission.ql
 ql/rust/ql/src/queries/security/CWE-312/CleartextLogging.ql
 ql/rust/ql/src/queries/security/CWE-312/CleartextStorageDatabase.ql

rust/ql/lib/codeql/rust/security/DisabledCertificateCheckExtensions.qll

@@ -0,0 +1,42 @@
+/**
+ * Provides classes and predicates for reasoning about disabled certificate
+ * check vulnerabilities.
+ */
+
+import rust
+private import codeql.rust.dataflow.DataFlow
+private import codeql.rust.dataflow.FlowSink
+private import codeql.rust.Concepts
+
+/**
+ * Provides default sinks for detecting disabled certificate check
+ * vulnerabilities, as well as extension points for adding your own.
+ */
+module DisabledCertificateCheckExtensions {
+  /**
+   * A data flow sink for disabled certificate check vulnerabilities.
+   */
+  abstract class Sink extends QuerySink::Range {
+    override string getSinkType() { result = "DisabledCertificateCheck" }
+  }
+
+  /**
+   * A default sink for disabled certificate check vulnerabilities based on function names.
+   */
+  private class DefaultSink extends Sink {
+    DefaultSink() {
+      exists(CallExprBase fc |
+        fc.getStaticTarget().(Function).getName().getText() =
+          ["danger_accept_invalid_certs", "danger_accept_invalid_hostnames"] and
+        fc.getArg(0) = this.asExpr().getExpr()
+      )
+    }
+  }
+
+  /**
+   * A sink for disabled certificate check vulnerabilities from model data.
+   */
+  private class ModelsAsDataSink extends Sink {
+    ModelsAsDataSink() { sinkNode(this, "disable-certificate") }
+  }
+}

rust/ql/src/change-notes/2025-11-12-disabled-certificate-check.md

@@ -0,0 +1,4 @@
+---
+category: newQuery
+---
+* Added a new query `rust/disabled-certificate-check`, to detect disabled TLS certificate checks.

rust/ql/src/queries/security/CWE-295/DisabledCertificateCheck.qhelp

@@ -0,0 +1,42 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+The <code>danger_accept_invalid_certs</code> option on TLS connectors and HTTP clients controls whether certificate verification is performed. If this option is set to <code>true</code>, the client will accept any certificate, making it susceptible to man-in-the-middle attacks.
+</p>
+<p>
+Similarly, the <code>danger_accept_invalid_hostnames</code> option controls whether hostname verification is performed. If this option is set to <code>true</code>, the client will accept any valid certificate regardless of the site that certificate is for, again making it susceptible to man-in-the-middle attacks.
+</p>
+</overview>
+
+<recommendation>
+<p>
+Do not set <code>danger_accept_invalid_certs</code> or <code>danger_accept_invalid_hostnames</code> to <code>true</code>, except in controlled environments such as tests. In production, always ensure certificate and hostname verification is enabled to prevent security risks.
+</p>
+</recommendation>
+
+<example>
+<p>
+The following code snippet shows a function that creates an HTTP client with certificate verification disabled:
+</p>
+<sample src="DisabledCertificateCheckBad.rs"/>
+<p>
+In production code, always configure clients to verify certificates:
+</p>
+<sample src="DisabledCertificateCheckGood.rs"/>
+</example>
+<references>
+<li>
+Rust native-tls crate: <a href="https://docs.rs/native-tls/latest/native_tls/struct.TlsConnectorBuilder.html">TlsConnectorBuilder</a>.
+</li>
+<li>
+Rust reqwest crate: <a href="https://docs.rs/reqwest/latest/reqwest/struct.ClientBuilder.html">ClientBuilder</a>.
+</li>
+<li>
+SSL.com: <a href="https://www.ssl.com/article/browsers-and-certificate-validation/">Browsers and Certificate Validation</a>.
+</li>
+</references>
+</qhelp>

rust/ql/src/queries/security/CWE-295/DisabledCertificateCheck.ql

@@ -0,0 +1,41 @@
+/**
+ * @name Disabled TLS certificate check
+ * @description An application that disables TLS certificate checking is more vulnerable to
+ *              man-in-the-middle attacks.
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 7.5
+ * @precision high
+ * @id rust/disabled-certificate-check
+ * @tags security
+ *       external/cwe/cwe-295
+ */
+
+import rust
+import codeql.rust.dataflow.DataFlow
+import codeql.rust.security.DisabledCertificateCheckExtensions
+
+/**
+ * A taint configuration for disabled TLS certificate checks.
+ */
+module DisabledCertificateCheckConfig implements DataFlow::ConfigSig {
+  import DisabledCertificateCheckExtensions
+
+  predicate isSource(DataFlow::Node node) {
+    node.asExpr().getExpr().(BooleanLiteralExpr).getTextValue() = "true"
+  }
+
+  predicate isSink(DataFlow::Node node) { node instanceof Sink }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+}
+
+module DisabledCertificateCheckFlow = DataFlow::Global<DisabledCertificateCheckConfig>;
+
+import DisabledCertificateCheckFlow::PathGraph
+
+from
+  DisabledCertificateCheckFlow::PathNode sourceNode, DisabledCertificateCheckFlow::PathNode sinkNode
+where DisabledCertificateCheckFlow::flowPath(sourceNode, sinkNode)
+select sinkNode.getNode(), sourceNode, sinkNode,
+  "Disabling TLS certificate validation can expose the application to man-in-the-middle attacks."

rust/ql/src/queries/security/CWE-295/DisabledCertificateCheckBad.rs

@@ -0,0 +1,6 @@
+// BAD: Disabling certificate validation in Rust
+
+let _client = reqwest::Client::builder()
+    .danger_accept_invalid_certs(true) // disables certificate validation
+    .build()
+    .unwrap();

rust/ql/src/queries/security/CWE-295/DisabledCertificateCheckGood.rs

@@ -0,0 +1,10 @@
+// GOOD: Certificate validation is enabled (default)
+
+let _client = reqwest::Client::builder()
+    .danger_accept_invalid_certs(false) // certificate validation enabled explicitly
+    .build()
+    .unwrap();
+
+let _client = native_tls::TlsConnector::builder() // certificate validation enabled by default
+    .build()
+    .unwrap();

rust/ql/src/queries/summary/Stats.qll

@@ -22,6 +22,7 @@ private import codeql.rust.security.AccessInvalidPointerExtensions
 private import codeql.rust.security.CleartextLoggingExtensions
 private import codeql.rust.security.CleartextStorageDatabaseExtensions
 private import codeql.rust.security.CleartextTransmissionExtensions
+private import codeql.rust.security.DisabledCertificateCheckExtensions
 private import codeql.rust.security.HardcodedCryptographicValueExtensions
 private import codeql.rust.security.InsecureCookieExtensions
 private import codeql.rust.security.LogInjectionExtensions