
[NEW QUERY] Detect global SSL certificate validation bypass in C# #2

Open
Copilot wants to merge 3 commits into main from copilot/fix-global-ssl-disable

Conversation


Copilot AI commented Jan 26, 2026

📝 Query Information

  • Language: C#
  • Query ID: csharp/web/insecure-ssl-validation
  • Category: security
  • Severity: error (8.1/10)
  • CWE/CVE (if applicable): CWE-295 (Improper Certificate Validation)

🎯 Description

What This Query Detects

Assignments to ServicePointManager.ServerCertificateValidationCallback that unconditionally return true, disabling SSL/TLS certificate validation globally and exposing all HTTPS requests to MITM attacks.

Example Vulnerable Code

using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Lambda always returning true: every HTTPS request in the process now skips validation
ServicePointManager.ServerCertificateValidationCallback +=
    (sender, certificate, chain, sslPolicyErrors) => true;

// Method reference to an unconditional true (AlwaysAccept must be declared in the enclosing class)
ServicePointManager.ServerCertificateValidationCallback = AlwaysAccept;

private static bool AlwaysAccept(object sender, X509Certificate cert,
    X509Chain chain, SslPolicyErrors errors) => true;

Example Safe Code

using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Actual validation logic.
// IsDevelopment and KnownDevCertThumbprint are assumed to be defined by the application.
ServicePointManager.ServerCertificateValidationCallback =
    (sender, cert, chain, errors) => {
        // Trusted chain and matching host name: accept
        if (errors == SslPolicyErrors.None) return true;

        // Development-only: accept a single known certificate by thumbprint
        return IsDevelopment &&
               cert.GetCertHashString() == KnownDevCertThumbprint;
    };

// Or null (reset to default behavior)
ServicePointManager.ServerCertificateValidationCallback = null;

🧪 Testing

  • Positive test cases included
  • Negative test cases included
  • Edge cases covered
  • All tests pass

📋 Checklist

  • Query compiles without errors
  • Documentation complete (.md and .qhelp)
  • Metadata properly set (@name, @id, @kind, etc.)
  • Tests validate query behavior
  • No false positives in test cases

🔗 References


Note: This query was developed using Test-Driven Development methodology.

Original prompt

This section details the original issue you should resolve

<issue_title>[Query Create]:</issue_title>
<issue_description>### Target Language

csharp

Query Name (Optional)

Global SSL disable

Query Type

Security

Query Description

A huge anti-pattern in .NET is to set the global SSL config to always return true - this impacts all subsequent requests.

Expected Severity

High

Code Examples

// Source - https://stackoverflow.com/a/18624335
// Posted by Adam Venezia, modified by community. See post 'Timeline' for change history
// Retrieved 2026-01-26, License - CC BY-SA 3.0

ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) => true;

CWE/CVE Reference (Optional)

(help me figure this out!)

References (Optional)

https://stackoverflow.com/a/18624335

Code of Conduct

  • I agree to follow this project's Code of Conduct</issue_description>

Comments on the Issue (you are @copilot in this section)
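The "safe" callback shown in the PR description still hangs off ServicePointManager.ServerCertificateValidationCallback, which is process-wide: it runs for every HttpWebRequest and legacy HttpClient in the application, including ones created by third-party libraries. The example below is added by the editor and is not code from this PR or its repository. It shows the scoped alternative in .NET 6+: the validation logic lives in a testable method, and it is attached to a single HttpClientHandler via ServerCertificateCustomValidationCallback, so nothing else in the process is affected. A self-signed development certificate only ever produces RemoteCertificateChainErrors, so the override is restricted to exactly that error and to one pinned SHA-256 thumbprint. The class name PinnedHttpClientFactory and the all-zero thumbprint are assumptions for illustration.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example: scope certificate validation to one HttpClientHandler instead of
// the process-wide ServicePointManager callback. Targets .NET 6+ (needs
// HttpClientHandler.ServerCertificateCustomValidationCallback and
// X509Certificate.GetCertHashString(HashAlgorithmName)).
public static class PinnedHttpClientFactory
{
    // Hypothetical SHA-256 thumbprint of the development server's leaf certificate.
    // This is a constructed placeholder; replace it with the real value, e.g. from
    // `openssl x509 -in dev.crt -noout -fingerprint -sha256`.
    private const string DevLeafSha256Thumbprint =
        "0000000000000000000000000000000000000000000000000000000000000000";

    // Pure validation logic, separated from the handler so it can be unit-tested
    // against certificates loaded from disk without any network access.
    public static bool ValidateServerCertificate(
        X509Certificate2? cert, SslPolicyErrors errors, bool allowDevPin)
    {
        // Normal case: the OS built a trusted chain and the host name matched.
        if (errors == SslPolicyErrors.None)
            return true;

        // Never accept a missing certificate or a host-name mismatch, even in
        // development. A pinned self-signed dev certificate fails only chain
        // building, so RemoteCertificateChainErrors is the single error we may override.
        if (cert is null || errors != SslPolicyErrors.RemoteCertificateChainErrors)
            return false;

        // Outside development there is no override at all.
        if (!allowDevPin)
            return false;

        // Accept exactly one known leaf certificate, compared by SHA-256 thumbprint.
        string actual = cert.GetCertHashString(HashAlgorithmName.SHA256);
        return string.Equals(actual, DevLeafSha256Thumbprint, StringComparison.OrdinalIgnoreCase);
    }

    // The callback is attached to this handler only. Other HttpClient instances,
    // HttpWebRequest and third-party libraries in the same process keep default validation.
    public static HttpClient Create(bool isDevelopment)
    {
        var handler = new HttpClientHandler
        {
            ServerCertificateCustomValidationCallback =
                (request, cert, chain, errors) =>
                    ValidateServerCertificate(cert, errors, isDevelopment)
        };
        return new HttpClient(handler, disposeHandler: true);
    }
}
```

Usage is `using var client = PinnedHttpClientFactory.Create(isDevelopment: env.IsDevelopment());` followed by ordinary `GetAsync` calls; the `isDevelopment` flag should come from the hosting environment, never from a hard-coded constant. One caveat that goes beyond the page: the per-handler API has its own blanket bypass, `HttpClientHandler.DangerousAcceptAnyServerCertificateValidator` (and any handler lambda that returns true), which disables validation for that client just as completely. The query described above only looks at ServicePointManager assignments, so a handler-level bypass would need a separate check.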



Copilot AI added 2 commits January 26, 2026 20:45
- Detects when ServicePointManager.ServerCertificateValidationCallback is set to always return true
- Identifies lambda expressions and method references that unconditionally return true
- Prevents man-in-the-middle attacks by flagging disabled SSL certificate validation
- Includes comprehensive test cases covering lambdas, delegates, and expression-bodied methods
- CWE-295: Improper Certificate Validation
- Security severity: 8.1 (High)
Addressed code review feedback - removed unused method that was defined but never called.
Copilot AI changed the title [WIP] Fix global SSL configuration to prevent always returning true [NEW QUERY] Detect global SSL certificate validation bypass in C# Jan 26, 2026
Copilot AI requested a review from felickz January 26, 2026 20:57
@felickz felickz marked this pull request as ready for review February 3, 2026 18:59

Development

Successfully merging this pull request may close these issues.

[Query Create]: C# - Global SSL disable is bad

2 participants