python.lang.security.audit.network.disabled-cert-validation.disabled-cert-validation
Author: semgrep (Community Favorite)
Download count: 10,743
License: Commons Clause License Condition v1.0 [LGPL-2.1-only]
Message: certificate verification explicitly disabled, insecure connections possible
Definition
rules:
  - id: disabled-cert-validation
    patterns:
      - pattern-either:
          - pattern: urllib3.PoolManager(..., cert_reqs=$REQS, ...)
          - pattern: urllib3.ProxyManager(..., cert_reqs=$REQS, ...)
          - pattern: urllib3.HTTPSConnectionPool(..., cert_reqs=$REQS, ...)
          - pattern: urllib3.connectionpool.HTTPSConnectionPool(..., cert_reqs=$REQS, ...)
          - pattern: urllib3.connection_from_url(..., cert_reqs=$REQS, ...)
          - pattern: urllib3.proxy_from_url(..., cert_reqs=$REQS, ...)
          - pattern: $CONTEXT.wrap_socket(..., cert_reqs=$REQS, ...)
          - pattern: ssl.wrap_socket(..., cert_reqs=$REQS, ...)
      - metavariable-regex:
          metavariable: $REQS
          regex: (NONE|CERT_NONE|CERT_OPTIONAL|ssl\.CERT_NONE|ssl\.CERT_OPTIONAL|\'NONE\'|\"NONE\"|\'OPTIONAL\'|\"OPTIONAL\")
    message: certificate verification explicitly disabled, insecure connections possible
    metadata:
      cwe:
        - "CWE-295: Improper Certificate Validation"
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A07:2021 - Identification and Authentication Failures
      category: security
      technology:
        - python
      references:
        - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
      subcategory:
        - vuln
      likelihood: HIGH
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authentication
    languages:
      - python
    severity: ERROR
Examples
disabled-cert-validation.py
# Semgrep test fixture for the rule above: a "# ruleid:" comment marks the
# next line as one the rule must flag, "# ok:" one it must not. The file
# exists to exercise the patterns, not to be run as a program (for example,
# SSLContext.wrap_socket() takes no cert_reqs keyword; only the deprecated
# module-level ssl.wrap_socket() did).
import urllib3 as ur3
import ssl as sss
import socket
import ssl

# from https://docs.python.org/3/library/ssl.html
hostname = 'www.python.org'
context = sss.create_default_context()
with socket.create_connection((hostname, 443)) as sock:
    # ok:disabled-cert-validation
    with context.wrap_socket(sock, server_hostname=hostname) as ssock:
        print(ssock.version())

with socket.create_connection((hostname, 443)) as sock:
    # ruleid:disabled-cert-validation
    with context.wrap_socket(sock, server_hostname=hostname, cert_reqs = ssl.CERT_NONE) as ssock:
        print(ssock.version())

with socket.create_connection((hostname, 443)) as sock:
    # ruleid:disabled-cert-validation
    with context.wrap_socket(sock, server_hostname=hostname, cert_reqs = ssl.CERT_NONE) as ssock:
        print(ssock.version())

from urllib3 import PoolManager
manager = PoolManager(10)
r = manager.request('GET', 'http://google.com/')
# ruleid:disabled-cert-validation
manager = PoolManager(10, cert_reqs = ssl.CERT_OPTIONAL)
# ruleid:disabled-cert-validation
proxy = ur3.ProxyManager('http://localhost:3128/', cert_reqs = ssl.CERT_NONE)
# ruleid:disabled-cert-validation
pool = ur3.connectionpool.HTTPSConnectionPool(cert_reqs=ssl.CERT_OPTIONAL)
# ruleid:disabled-cert-validation
pool = ur3.connection_from_url('someurl', cert_reqs= ssl.CERT_NONE)
# ruleid:disabled-cert-validation
pool = ur3.connection_from_url('someurl', cert_reqs='NONE')
# 'CERT NONE' (space, not underscore) is none of the regex alternatives
# ok:disabled-cert-validation
pool = ur3.connection_from_url('someurl', cert_reqs='CERT NONE')
# ruleid:disabled-cert-validation
pool = ur3.connection_from_url('someurl', cert_reqs="NONE")
# ok:disabled-cert-validation
pool = ur3.connection_from_url('someurl', cert_reqs= 'CERT_REQUIRED')
# ruleid:disabled-cert-validation
pool = ur3.proxy_from_url('someurl', cert_reqs= ssl.CERT_NONE)
# ok:disabled-cert-validation
pool = ur3.proxy_from_url('someurl', cert_reqs=ssl.CERT_REQUIRED)
# the Python literal None, not the string 'NONE'
# ok:disabled-cert-validation
pool = ur3.proxy_from_url('someurl', cert_reqs=None)
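To make the rule's matching behaviour inspectable without running Semgrep, here is an added example (not the rule's own code and not part of its test file) that approximates the same check in plain Python: it walks a module's AST, finds the callees listed in the rule's pattern-either, and flags a cert_reqs keyword whose source text matches the rule's metavariable-regex. It assumes the regex is meant to match the whole value, so it is anchored on both ends here, which is what keeps 'CERT NONE' and the Python literal None unflagged, as in the fixture above. The sample module it scans is constructed for the example, and verifying_context() shows the remediation at the ssl level.

```python
"""Added example: an ast-based approximation of disabled-cert-validation.

Not the Semgrep rule itself; the callee list and the regex alternatives are
copied from the rule, the end-anchoring of the regex is an assumption.
"""
import ast
import re
import ssl
from typing import List, Tuple

# Callee names taken from the rule's pattern-either list.
WATCHED_CALLEES = {
    "PoolManager", "ProxyManager", "HTTPSConnectionPool",
    "connection_from_url", "proxy_from_url", "wrap_socket",
}

# The alternatives from the rule's metavariable-regex, anchored on both ends
# (assumption) so that only the exact value is matched.
DISABLING_VALUE = re.compile(
    r"^(NONE|CERT_NONE|CERT_OPTIONAL|ssl\.CERT_NONE|ssl\.CERT_OPTIONAL"
    r"|'NONE'|\"NONE\"|'OPTIONAL'|\"OPTIONAL\")$"
)


def _callee_name(call: ast.Call) -> str:
    """Last component of the callee: ur3.proxy_from_url -> proxy_from_url."""
    func = call.func
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return ""


def find_disabled_cert_validation(source: str) -> List[Tuple[int, str]]:
    """Return (line number, cert_reqs source text) for each watched call
    whose cert_reqs keyword is set to a verification-disabling value."""
    findings: List[Tuple[int, str]] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        if _callee_name(node) not in WATCHED_CALLEES:
            continue
        for kw in node.keywords:
            if kw.arg != "cert_reqs":
                continue
            # Compare the argument's source text, quotes included, just as
            # the rule's regex does: 'NONE' matches, 'CERT NONE' does not,
            # and the bare literal None is not the string NONE.
            text = ast.get_source_segment(source, kw.value) or ""
            if DISABLING_VALUE.match(text):
                findings.append((node.lineno, text))
    findings.sort()
    return findings


def verifying_context() -> ssl.SSLContext:
    """The remediation at the ssl level: a context that both validates the
    chain (verify_mode CERT_REQUIRED) and checks the hostname, which is what
    create_default_context() provides and what cert_reqs=CERT_NONE or
    CERT_OPTIONAL throws away."""
    return ssl.create_default_context()


# Constructed sample module, modelled on the rule's test fixture.
SAMPLE_SOURCE = '''\
import ssl
import urllib3 as ur3
from urllib3 import PoolManager
manager = PoolManager(10)
manager = PoolManager(10, cert_reqs = ssl.CERT_OPTIONAL)
proxy = ur3.ProxyManager('http://localhost:3128/', cert_reqs = ssl.CERT_NONE)
pool = ur3.connection_from_url('someurl', cert_reqs='NONE')
pool = ur3.connection_from_url('someurl', cert_reqs="OPTIONAL")
pool = ur3.connection_from_url('someurl', cert_reqs='CERT NONE')
pool = ur3.connection_from_url('someurl', cert_reqs='CERT_REQUIRED')
pool = ur3.proxy_from_url('someurl', cert_reqs=None)
'''

if __name__ == "__main__":
    for line, value in find_disabled_cert_validation(SAMPLE_SOURCE):
        print(f"line {line}: cert_reqs={value}: certificate verification disabled")
```

Running the block reports lines 5 to 8 of the sample (CERT_OPTIONAL, CERT_NONE, 'NONE', "OPTIONAL") and stays silent on the 'CERT NONE', 'CERT_REQUIRED' and None lines, mirroring the ruleid/ok split in the fixture. Note that, like the rule, it keys on the callee's last name component rather than resolving imports, so a locally defined wrap_socket would also be reported.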
Short Link: https://sg.run/b7yp