From e40af23ff67fc89f024c5a73f93c8d9a0b43caa3 Mon Sep 17 00:00:00 2001
From: Eric Brown
Date: Mon, 20 Feb 2017 12:06:19 -0800
Subject: [PATCH] Blacklist call of ssl._create_unverified_context

The ssl._create_unverified_context creates a context for use with such classes as HTTPSConnection which will do no certificate or hostname verification. This should be flagged.

Change-Id: I326316e20ee11034c0a794f41c1bd8ae75720142
---
 README.rst | 1 +
 bandit/blacklists/calls.py | 23 +++++++++++++++++++++++
 examples/unverified_context.py | 7 +++++++
 tests/functional/test_functional.py | 8 ++++++++
 4 files changed, 39 insertions(+)
 create mode 100644 examples/unverified_context.py

diff --git a/README.rst b/README.rst
index b7f4ba9a..d3e4ba0f 100644
--- a/README.rst
+++ b/README.rst
@@ -173,6 +173,7 @@ Usage::
 B320 xml_bad_etree
 B321 ftplib
 B322 input
+ B323 unverified_context
 B401 import_telnetlib
 B402 import_ftplib
 B403 import_pickle
diff --git a/bandit/blacklists/calls.py b/bandit/blacklists/calls.py
index 47858ca3..075bdce1 100644
--- a/bandit/blacklists/calls.py
+++ b/bandit/blacklists/calls.py
@@ -278,6 +278,20 @@ is safe in Python 3.
 | B322 | input | - input | High |
 +------+---------------------+------------------------------------+-----------+
 
+B323: unverified_context
+------------------------
+
+By default, Python will create a secure, verified ssl context for use in such
+classes as HTTPSConnection. However, it still allows using an insecure
+context via the _create_unverified_context that reverts to the previous
+behavior that does not validate certificates or perform hostname checks.
+
++------+---------------------+------------------------------------+-----------+
+| ID | Name | Calls | Severity |
++======+=====================+====================================+===========+
+| B322 | unverified_context | - ssl._create_unverified_context | Medium |
++------+---------------------+------------------------------------+-----------+
+
 """
 
 from bandit.blacklists import utils
@@ -509,4 +523,13 @@ def gen_blacklist():
         'HIGH'
     ))
 
+    sets.append(utils.build_conf_dict(
+        'unverified_context', 'B323', ['ssl._create_unverified_context'],
+        'By default, Python will create a secure, verified ssl context for '
+        'use in such classes as HTTPSConnection. However, it still allows '
+        'using an insecure context via the _create_unverified_context that '
+        'reverts to the previous behavior that does not validate certificates '
+        'or perform hostname checks.'
+    ))
+
     return {'Call': sets}
diff --git a/examples/unverified_context.py b/examples/unverified_context.py
new file mode 100644
index 00000000..0f454395
--- /dev/null
+++ b/examples/unverified_context.py
@@ -0,0 +1,7 @@
+import ssl
+
+# Correct
+context = ssl.create_default_context()
+
+# Incorrect: unverified context
+context = ssl._create_unverified_context()
diff --git a/tests/functional/test_functional.py b/tests/functional/test_functional.py
index 5667001d..45224817 100644
--- a/tests/functional/test_functional.py
+++ b/tests/functional/test_functional.py
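Review bot: The table row added to the module docstring carries the wrong plugin ID — it reads `| B322 | unverified_context | - ssl._create_unverified_context | Medium |` while the section heading directly above it, the README entry and the build_conf_dict call in the second hunk all use B323, so the docstring now documents two different plugins under B322. Change the row to `| B323 | unverified_context  | - ssl._create_unverified_context   | Medium    |` so the rendered plugin table matches the IDs that reports will actually carry. The module docstring starts outside the hunk.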
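Review bot: The new build_conf_dict call omits the severity argument that the neighbouring 'input' entry passes explicitly (`'HIGH'`, visible as the last context line), so the Medium severity that the docstring table and the functional test expect rests on a default inside the helper that is not visible in this hunk. Passing `'MEDIUM'` as the final argument, mirroring the 'input' entry, makes the documented severity explicit at the definition and keeps the two entries consistent in style. Separately, since this is a Call blacklist it presumably only flags invocations of `ssl._create_unverified_context()`, not a bare reference to the function that is assigned elsewhere without being called; a sentence in the rule text noting that limitation would help readers of the report understand what the check does and does not cover. gen_blacklist starts outside the hunk.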
@@ -689,3 +689,11 @@ class FunctionalTests(testtools.TestCase):
             'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 1}
         }
         self.check_example('input.py', expect)
+
+    def test_unverified_context(self):
+        '''Test for `ssl._create_unverified_context`.'''
+        expect = {
+            'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 1, 'HIGH': 0},
+            'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 1}
+        }
+        self.check_example('unverified_context.py', expect)