python.requests.security.disabled-cert-validation.disabled-cert-validation

Verified by r2c
Author: semgrep
Downloads: 121,847

Certificate verification has been explicitly disabled (`verify=False`). This permits insecure connections to servers whose certificates cannot be validated, so the connection is open to interception. Re-enable certificate validation.

Definition

rules:
  - id: disabled-cert-validation
    message: Certificate verification has been explicitly disabled. This permits
      insecure connections to insecure servers. Re-enable certification
      validation.
    metadata:
      cwe:
        - "CWE-295: Improper Certificate Validation"
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A07:2021 - Identification and Authentication Failures
      references:
        - https://stackoverflow.com/questions/41740361/is-it-safe-to-disable-ssl-certificate-verification-in-pythonss-requests-lib
      category: security
      technology:
        - requests
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authentication
    languages:
      - python
    severity: ERROR
    pattern-either:
      - pattern: requests.put(..., verify=False, ...)
      - pattern: requests.patch(..., verify=False, ...)
      - pattern: requests.delete(..., verify=False, ...)
      - pattern: requests.head(..., verify=False, ...)
      - pattern: requests.options(..., verify=False, ...)
      - pattern: requests.request(..., verify=False, ...)
      - pattern: requests.get(..., verify=False, ...)
      - pattern: requests.post(..., verify=False, ...)
    fix-regex:
      regex: verify(\s)*=(\s)*False
      replacement: verify=True

Examples

disabled-cert-validation.py

import requests as req
import requests

some_url = "https://example.com"

# ok:disabled-cert-validation
r = req.get(some_url, stream=True)
# ok:disabled-cert-validation
r = requests.post(some_url, stream=True)

# ruleid:disabled-cert-validation
r = req.get(some_url, stream=True, verify=False)
# ruleid:disabled-cert-validation
r = requests.post(some_url, stream=True, verify=False)
# ruleid:disabled-cert-validation
r = requests.post(some_url, verify=False, stream=True)
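To make the rule's matching and autofix behaviour concrete, here is an added, stdlib-only approximation of it (not part of the Semgrep rule or its test file). It applies the page's `fix-regex` to constructed sample lines and shows two blind spots a reviewer should know about: the pattern only fires on a literal `verify=False` keyword in a `requests.<method>(...)` call, so `session.verify = False` and a non-literal value are not flagged. Unlike real Semgrep, which matches the AST and resolves `import requests as req`, this textual version assumes the module is referenced as `requests.`.

```python
from __future__ import annotations
import re

# The rule's fix-regex and replacement, copied from the definition above.
# It is a purely textual substitution applied to the matched span, so it
# also normalises spacing such as `verify = False`.
FIX_RE = re.compile(r"verify(\s)*=(\s)*False")
FIX_REPLACEMENT = "verify=True"

# The eight requests call shapes listed under pattern-either.
FLAGGED_CALLS = ("put", "patch", "delete", "head", "options", "request", "get", "post")
CALL_RE = re.compile(r"\brequests\.(" + "|".join(FLAGGED_CALLS) + r")\s*\(")


def scan_line(line: str) -> tuple[bool, str]:
    """Return (would_fire, autofixed_line) for one source line.

    Approximation: the line must contain a flagged requests.* call AND a
    literal `verify=False` keyword. Anything else is left untouched.
    """
    flagged = bool(CALL_RE.search(line)) and bool(FIX_RE.search(line))
    fixed = FIX_RE.sub(FIX_REPLACEMENT, line) if flagged else line
    return flagged, fixed


def scan(lines: list[str]) -> list[tuple[bool, str]]:
    """Scan several lines; used by the constructed sample below."""
    return [scan_line(line) for line in lines]


# Constructed sample lines (not taken from the page).
SAMPLE = [
    'r = requests.get(url, verify=False)',                         # fires
    'r = requests.post(url, stream=True, verify = False)',         # fires, spacing normalised
    'r = requests.get(url, verify="/etc/ssl/internal-ca.pem")',    # a CA bundle path is the hardened form, not flagged
    'r = requests.get(url, verify=not strict)',                    # non-literal value: rule cannot see it
    'session.verify = False',                                      # Session attribute, not a requests.* call
]

if __name__ == "__main__":
    for fired, fixed in scan(SAMPLE):
        print("FINDING" if fired else "ok     ", fixed)
```

A CA-bundle path passed to `verify` (the third sample line) keeps validation on while trusting a private CA, which is the usual correct replacement when `verify=False` was added to work around an internal certificate.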