python.lang.security.unverified-ssl-context.unverified-ssl-context
Verified by r2c
Community Favorite

Download Count*: 99,223
Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use 'ssl.create_default_context' instead.
Definition
rules:
  - id: unverified-ssl-context
    patterns:
      - pattern-either:
          - pattern: ssl._create_unverified_context(...)
          - pattern: ssl._create_default_https_context = ssl._create_unverified_context
    fix-regex:
      regex: _create_unverified_context
      replacement: create_default_context
    message: Unverified SSL context detected. This will permit insecure connections
      without verifying SSL certificates. Use 'ssl.create_default_context'
      instead.
    metadata:
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A07:2021 - Identification and Authentication Failures
      cwe:
        - "CWE-295: Improper Certificate Validation"
      references:
        - https://docs.python.org/3/library/ssl.html#ssl-security
        - https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection
      category: security
      technology:
        - python
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    severity: ERROR
    languages:
      - python
Examples
unverified-ssl-context.py
import ssl
import http.client
import urllib.request

# ok:unverified-ssl-context
# The default context verifies the server's certificate chain and hostname.
context = ssl.create_default_context()
conn = http.client.HTTPSConnection("123.123.21.21", context=context)

# ruleid:unverified-ssl-context
# Disables certificate verification (check_hostname=False, verify_mode=CERT_NONE).
context = ssl._create_unverified_context()
conn = http.client.HTTPSConnection("123.123.21.21", context=context)

# ruleid:unverified-ssl-context
conn = http.client.HTTPSConnection("123.123.21.21", context=ssl._create_unverified_context())

# ruleid:unverified-ssl-context
# Monkey-patches the process-wide default factory, so every urllib HTTPS
# request in this interpreter skips verification, not just this one call.
ssl._create_default_https_context = ssl._create_unverified_context
urllib.request.urlopen("https://google.com").read()
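As an added example (not part of the rule or its test file), the following Python shows what the two context factories actually set, and why the assignment form the rule also matches is the more dangerous one: it replaces the interpreter-wide default that urllib consults for every HTTPS request. It also shows the correct fix when verification was disabled to talk to a private CA: keep `ssl.create_default_context()` and load the CA with `load_verify_locations`, rather than turning verification off. The function names (`context_is_verifying`, `verified_context`, `demonstrate_monkeypatch`) are chosen here; `_create_unverified_context` and `_create_default_https_context` are private CPython names, which is also why the rule can match them literally. The monkey-patch is applied only inside a try/finally and restored, so the block runs offline without leaving the process insecure.

```python
import ssl


def context_is_verifying(ctx):
    """True only if the context both requires a trusted chain and checks the hostname.

    Either setting alone is insufficient: CERT_REQUIRED without check_hostname
    accepts any certificate signed by a trusted CA, for any name.
    """
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def unverified_context():
    """The pattern the rule flags: check_hostname=False, verify_mode=CERT_NONE."""
    return ssl._create_unverified_context()


def verified_context(cafile=None):
    """The recommended replacement.

    For a server signed by a private CA, pass its PEM bundle as `cafile`
    (an assumed caller-supplied path); verification stays on and the private
    CA is simply added to the trust store.
    """
    ctx = ssl.create_default_context()
    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)
    return ctx


def global_default_is_verifying():
    """Inspect the factory urllib uses when no explicit context is given."""
    return context_is_verifying(ssl._create_default_https_context())


def demonstrate_monkeypatch():
    """Return (verifying before patch, verifying during patch).

    Mirrors the rule's second pattern: assigning _create_unverified_context to
    ssl._create_default_https_context disables verification process-wide.
    The original factory is restored in `finally` so the demonstration is safe.
    """
    before = global_default_is_verifying()
    saved = ssl._create_default_https_context
    ssl._create_default_https_context = ssl._create_unverified_context
    try:
        during = global_default_is_verifying()
    finally:
        ssl._create_default_https_context = saved
    return before, during


if __name__ == "__main__":
    print("create_default_context verifies:   ", context_is_verifying(verified_context()))
    print("_create_unverified_context verifies:", context_is_verifying(unverified_context()))
    print("(before patch, during patch):       ", demonstrate_monkeypatch())
```

The `fix-regex` in the rule only swaps the identifier. If the original author disabled verification because a self-signed or internal CA was in the way, the swapped-in `create_default_context()` will start failing the handshake, and the right follow-up is `verified_context(cafile=...)` above, not reverting to the unverified context.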
Short Link: https://sg.run/N4lp