ssl-unverified-context

No tags

The call to _create_unverified_context from the ssl module bypass certificates verification. It should not be used and instead, certificates must be verified.

Ast Rule: function call

How to write a rule

function visit(node) {

  if (!node.context) {
    return;
  }

  if (!node.functionName || node.functionName.value !== "_create_unverified_context") {
    return;
  }
  console.log("here");

  const allPackages = node.context.imports.filter(r => r.packages).flatMap(i => i.packages.map(p => p.name.str));
  const useSslPackage = allPackages.filter(i => i === "ssl").length > 0;

  if (!useSslPackage) {
    return;
  }
  console.log("here");

  if (useSslPackage && node.moduleOrObject && node.moduleOrObject.value === "ssl") {
    const error = buildError(node.start.line, node.start.col,
      node.end.line, node.end.col,
      "use of _create_unverified_context bypass SSL security", "CRITICAL", "SECURITY");

    addError(error);
  }

}

no-error.py

Expected test result: no error

import xmlrpclib
import ssl

test = xmlrpclib.ServerProxy('https://admin:bz15h9v9n@localhost:9999/API',
                             verbose=False, use_datetime=True)
test.list_satellites()

no-ssl-module.py

Expected test result: no error

import xmlrpclib

test = xmlrpclib.ServerProxy('https://admin:bz15h9v9n@localhost:9999/API',
                             verbose=False, use_datetime=True, 
                             context=ssl._create_unverified_context())
test.list_satellites()

has-error.py

Expected test result: has error

import xmlrpclib
import ssl

test = xmlrpclib.ServerProxy('https://admin:bz15h9v9n@localhost:9999/API',
                             verbose=False, use_datetime=True, 
                             context=ssl._create_unverified_context())
test.list_satellites()

Add comment

Be the first one to leave a comment!