security: CWE-295: Fix TLS bypass persistent vulnerability — VC-53780

[torresashjiancyber]

Summary

Fixes CWE-295 (Improper Certificate Validation) by addressing two defects in certificate validation bypass:

1. Process-global policy leak (PS5.1): The module now captures and restores the original certificate policy in a finally block, preventing the accept-all policy from persisting beyond the intended request.

2. Silent vault metadata restoration: The module now emits Write-Warning when SkipCertificateCheck is restored from vault metadata, making the security downgrade visible to operators and in CI logs.

Finding

CWE-295: Improper Certificate Validation

• CVSS: 6.3 (High)
• Files affected:
  • VenafiPS/Public/Invoke-TrustRestMethod.ps1
  • VenafiPS/Private/Invoke-TrustGraphQL.ps1
  • VenafiPS/Public/New-TrustClient.ps1

Defect 1: Process-Global Certificate Policy

On Windows PowerShell 5.1, when -SkipCertificateCheck is used, the module assigns a permanent accept-all ICertificatePolicy to the process-global [System.Net.ServicePointManager]::CertificatePolicy with no restoration. This causes every subsequent HTTPS call in the process (to any server) to silently accept forged certificates.

Defect 2: Silent Vault Metadata Persistence

When a session is saved with -VaultAccessTokenName/-VaultRefreshTokenName, the SkipCertificateCheck flag is persisted to vault metadata and silently re-applied on every future session restore, even months later and without any visible indication on the command line.

Remediation

Fix for Defect 1 (Process-Global Policy Leak)

Files: Invoke-TrustRestMethod.ps1, Invoke-TrustGraphQL.ps1

• Initialize $originalCertificatePolicy = $null before the certificate check block
• Capture the existing policy: $originalCertificatePolicy = [System.Net.ServicePointManager]::CertificatePolicy
• Restore it in the existing finally block that already restores $ProgressPreference

The accept-all policy is now only in force for the duration of the single Invoke-WebRequest/Invoke-RestMethod call.

Fix for Defect 2 (Silent Vault Restore)

File: New-TrustClient.ps1

Added Write-Warning immediately after restored SkipCertificateCheck is applied in both VaultAccessToken and VaultRefreshToken parameter sets (2 locations):

if ( $newClient.SkipCertificateCheck ) {
    Write-Warning 'SkipCertificateCheck was restored from vault metadata; TLS server certificate validation is DISABLED for this session.'
}

The flag is still honored (no behavior change for operators who deliberately seeded it), but the downgrade is now visible in interactive consoles and CI logs.

Verification

Changes Applied:

• 3 files modified, 16 lines added
• No new dependencies or types introduced
• Uses only existing PowerShell built-ins (Write-Warning, $null checks)

Impact:

• ✅ PS7+ path unchanged (uses per-request -SkipCertificateCheck)
• ✅ PS5.1 path: certificate bypass still works for intended requests, but no longer leaks to other hosts
• ✅ Vault restore: explicit warning emitted when security downgrade is applied
• ✅ No behavior change when SkipCertificateCheck is not used or not stored in vault

Testing:

• Module does not have traditional build/test infrastructure
• Static verification confirms:
  • finally block brace balance preserved
  • Indentation matches surrounding context
  • No syntax errors introduced
  • All existing code paths preserved

---

🤖 Generated by Project Logos Pattern-C security remediation