Merge "Blacklist call of ssl._create_unverified_context"
This commit is contained in:
commit
a23af1b72d
|
@ -173,6 +173,7 @@ Usage::
|
|||
B320 xml_bad_etree
|
||||
B321 ftplib
|
||||
B322 input
|
||||
B323 unverified_context
|
||||
B401 import_telnetlib
|
||||
B402 import_ftplib
|
||||
B403 import_pickle
|
||||
|
|
|
@ -278,6 +278,20 @@ is safe in Python 3.
|
|||
| B322 | input | - input | High |
|
||||
+------+---------------------+------------------------------------+-----------+
|
||||
|
||||
B323: unverified_context
|
||||
------------------------
|
||||
|
||||
By default, Python will create a secure, verified ssl context for use in such
|
||||
classes as HTTPSConnection. However, it still allows using an insecure
|
||||
context via the _create_unverified_context that reverts to the previous
|
||||
behavior that does not validate certificates or perform hostname checks.
|
||||
|
||||
+------+---------------------+------------------------------------+-----------+
|
||||
| ID | Name | Calls | Severity |
|
||||
+======+=====================+====================================+===========+
|
||||
| B322 | unverified_context | - ssl._create_unverified_context | Medium |
|
||||
+------+---------------------+------------------------------------+-----------+
|
||||
|
||||
"""
|
||||
|
||||
from bandit.blacklists import utils
|
||||
|
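Review bot: The severity table row for the new check carries the wrong ID: `| B322 | unverified_context | - ssl._create_unverified_context | Medium |` should read `| B323 | unverified_context | - ssl._create_unverified_context | Medium |`, since B322 is the `input` check in the row at the top of this hunk and both the "B323: unverified_context" heading here and the gen_blacklist entry register this check as B323. The explanatory sentence would also read more clearly with a noun after the name, e.g. "via the _create_unverified_context function that reverts to the previous behavior"; the same wording is reused as the finding message in gen_blacklist, so both places would want the change. These lines sit inside the module docstring, which begins outside the hunk.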
@ -509,4 +523,13 @@ def gen_blacklist():
|
|||
'HIGH'
|
||||
))
|
||||
|
||||
sets.append(utils.build_conf_dict(
|
||||
'unverified_context', 'B323', ['ssl._create_unverified_context'],
|
||||
'By default, Python will create a secure, verified ssl context for '
|
||||
'use in such classes as HTTPSConnection. However, it still allows '
|
||||
'using an insecure context via the _create_unverified_context that '
|
||||
'reverts to the previous behavior that does not validate certificates '
|
||||
'or perform hostname checks.'
|
||||
))
|
||||
|
||||
return {'Call': sets}
|
||||
|
|
|
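Review bot: The new build_conf_dict entry omits the severity argument that the preceding `input` entry passes explicitly (the `'HIGH'` at the top of this hunk), so the Medium rating that the docstring table and test_unverified_context expect relies on utils.build_conf_dict's default level. Appending the level after the message string, `'or perform hostname checks.', 'MEDIUM'`, would make the intended rating visible in the entry itself and keep it consistent with its neighbour; this assumes the default is indeed MEDIUM, which the functional test's expected counts suggest but the hunk does not show. gen_blacklist's body begins outside the hunk.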
@ -0,0 +1,7 @@
|
|||
import ssl
|
||||
|
||||
# Correct
|
||||
context = ssl.create_default_context()
|
||||
|
||||
# Incorrect: unverified context
|
||||
context = ssl._create_unverified_context()
|
|
@ -689,3 +689,11 @@ class FunctionalTests(testtools.TestCase):
|
|||
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 1}
|
||||
}
|
||||
self.check_example('input.py', expect)
|
||||
|
||||
def test_unverified_context(self):
|
||||
'''Test for `ssl._create_unverified_context`.'''
|
||||
expect = {
|
||||
'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 1, 'HIGH': 0},
|
||||
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 1}
|
||||
}
|
||||
self.check_example('unverified_context.py', expect)
|
||||
|
|