Create create_unverified_context.py #3
Found 0 failures, 1 warning, and 0 notices.
The check found 0 failures, 1 warning, and 0 notices. Review the documentation link on each issue to determine how to resolve. Alternatively, false positives can be suppressed. See documentation for details.
Details
PY017: Improper Certificate Validation
The Python function ssl._create_unverified_context() creates an SSL context
that does not verify the server's certificate. This means that an attacker can
easily impersonate a legitimate server and fool your application into
connecting to it.
If you use ssl._create_unverified_context, you are opening your application
up to a number of security risks, including:
- Man-in-the-middle attacks
- Session hijacking
- Data theft
Example

```python
import ssl
context = ssl._create_unverified_context()
```

??? example "Example Output"

    ```
    > precli tests/unit/rules/python/stdlib/ssl/examples/create_unverified_context.py
    ⚠️  Warning on line 4 in tests/unit/rules/python/stdlib/ssl/examples/create_unverified_context.py
    PY017: Improper Certificate Validation
    The 'ssl._create_unverified_context' function does not properly validate certificates.
    ```
Remediation
If you need to connect to a server over HTTPS, you should use the
ssl.create_default_context() function instead. This function will verify
the server's certificate, which will help to protect your application from
these security risks.
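The remediation above, as an added worked example that is not code from the precli docs or project: it reports the two context settings that decide whether the peer is authenticated, builds a verified client context that can also trust an internal CA bundle (cafile is an assumed path), and compares it with the context PY017 flags.

```python
import ssl
from typing import Optional


def describe_verification(ctx: ssl.SSLContext) -> dict:
    """Report the two settings that decide whether a context authenticates the peer."""
    return {
        "verify_mode": ctx.verify_mode.name,   # CERT_NONE / CERT_OPTIONAL / CERT_REQUIRED
        "check_hostname": ctx.check_hostname,  # must be True for server authentication
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname),
    }


def make_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Build a client-side context that validates the server certificate.

    cafile is a hypothetical path to a PEM bundle for an internal CA. Passing it
    is the right fix for servers with in-house certificates; disabling
    verification is not. With cafile=None the platform trust store is used.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    # Fail fast if anything has downgraded the context (e.g. a copied snippet).
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        raise ValueError("client context must require and verify the peer certificate")
    return ctx


def compare_contexts() -> dict:
    """Side by side: the context PY017 flags versus the remediated one."""
    unverified = ssl._create_unverified_context()  # flagged by PY017
    verified = make_client_context()               # remediation
    return {
        "unverified": describe_verification(unverified),
        "verified": describe_verification(verified),
    }


if __name__ == "__main__":
    for name, info in compare_contexts().items():
        print(f"{name:>10}: {info}")
    # Use the verified context with, for example,
    # urllib.request.urlopen(url, context=make_client_context())
```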
```python
import ssl
context = ssl.create_default_context()
```

Default Configuration
```toml
enabled = true
level = "warning"
```

See also
!!! info

    - ssl — TLS/SSL wrapper for socket objects
    - CWE-295: Improper Certificate Validation
New in version 0.1.0
Precaution v0.7.9
Annotations
Check warning on line 4 in python/stdlib/create_unverified_context.py
precaution / Precaution
PY017: Improper Certificate Validation
The 'ssl._create_unverified_context' function does not properly
validate certificates.