use require as default ssl mode, try disable if ssl not enabled

trufflesecurity · Jan 10, 2024 · a7af51d · a7af51d
1 parent 155538e
commit a7af51d
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/pkg/detectors/postgres/postgres.go b/pkg/detectors/postgres/postgres.go
@@ -240,14 +240,19 @@ func verifyPostgres(pgURL *url.URL, timeoutInSeconds int) (bool, error) {
 		return false, nil
 	}
 
+	// if ssl is not enabled, retry with sslmode=disable
+	if strings.Contains(err.Error(), "SSL is not enabled on the server") {
+		pgURL.RawQuery = fmt.Sprintf("sslmode=%s", "disable")
+		return verifyPostgres(pgURL, timeoutInSeconds)
+	}
 	return false, err
 }
 
 func determineSSLMode(pgURL *url.URL) string {
 	// default ssl mode is "prefer" per https://www.postgresql.org/docs/current/libpq-ssl.html
 	// but is currently not implemented in the driver per https://github.com/lib/pq/issues/1006
 	// default to "disable" for now as it is the least restrictive
-	sslmode := "disable"
+	sslmode := "require"
 	if sslQuery, ok := pgURL.Query()["sslmode"]; ok && len(sslQuery) > 0 {
 		sslmode = sslQuery[0]
 	}