lintai docs

Appearance

Rule Reference

SEC204lintai-ai-securitystablehookdeny

Hook script: TLS verification disabled

Hook script disables TLS or certificate verification for a network call

Provider
lintai-ai-security
Surface
hook
Scope
per_file
Tier
stable
Severity
deny
Confidence
high
Detection
structural
Remediation
message_only

Activation Model

Preset Membership

This rule is part of the builtin activation graph through these preset memberships.

basemembership

Lifecycle

Stable Lifecycle Contract

State

stable_gated

Graduation rationale

Matches explicit TLS verification bypass tokens in executable hook network context.

Deterministic signal basis

HookSignals TLS-bypass token observation over parsed hook line tokens and network context.

Malicious corpus
hook-tls-bypass
Benign corpus
cursor-plugin-tls-verified-basic
structured evidence required remediation reviewed
Canonical note

Structural stable rule intended as a high-precision check with deterministic evidence.

Nearby Signals

Related Rules

SEC201Hook script: remote code executionHook script downloads remote code and executes ithookstable
SEC202Hook script: secret exfiltrationHook script appears to exfiltrate secrets through a network callhookstable
SEC203Hook script: insecure HTTP secret sendHook script sends secret material to an insecure http:// endpointhookstable
SEC205Hook script: hardcoded auth in network callHook script embeds static authentication material in a network callhookstable
SEC206Hook script: base64 payload executionHook script decodes a base64 payload and executes ithookstable
SEC633Hook script: destructive root deletionHook script attempts destructive root deletionhookstable

Why It Matters

Disabling certificate verification removes one of the core trust checks on remote content and services. In hook scripts that often means the hook can be steered by an untrusted network intermediary.

What Triggers

SEC204 applies to executable hook network paths and triggers on explicit TLS-bypass markers such as:

  • curl --insecure
  • wget --no-check-certificate
  • NODE_TLS_REJECT_UNAUTHORIZED=0

Examples that trigger:

sh
curl --insecure https://internal.test/bootstrap.sh -o /tmp/bootstrap.sh
NODE_TLS_REJECT_UNAUTHORIZED=0 node fetch.js https://internal.test/bootstrap.json

Example that stays clean:

sh
curl https://internal.test/bootstrap.sh -o /tmp/bootstrap.sh

False Positives

The rule is structural and token-based. It looks for explicit bypass markers in executable network context, so ordinary secure network usage stays clean.

Remediation

Remove the TLS-bypass flag or environment override and use normal certificate verification. There is no automatic rewrite because the safe replacement depends on the surrounding network flow.