Detect verify=False on Session/Client instance methods in B501 #1411

Open

jonasboos wants to merge 2 commits into PyCQA:main from jonasboos:fix-1394-b501-instance-methods

Conversation

@jonasboos


Problem

B501 only detects verify=False on module-level calls like requests.get() and httpx.get(), but misses the equally insecure pattern of calling verify=False on Session or Client instances.

As reported in #1394, code like this goes undetected:

import requests
session = requests.Session()
session.get("https://example.com", verify=False)  # Not flagged

import httpx
client = httpx.Client()
client.get("https://example.com", verify=False)  # Not flagged

Fix

Add a second check: when requests or httpx is imported and an HTTP verb is called with verify=False on any object, flag it as a HIGH severity, MEDIUM confidence issue.

The confidence is MEDIUM (rather than HIGH for module-level calls) because we cannot statically verify the object is actually a Session/Client instance. However, the combination of an HTTP verb + verify=False + the module being imported makes false positives unlikely.

Testing

  • Added session/client instance method examples to the test file
  • Updated functional test expectations
  • All unit and functional tests pass

Resolves: #1394
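The two detection paths described above (module-level call with HIGH confidence, HTTP verb on an arbitrary object with MEDIUM confidence once requests or httpx is imported), as an added stand-alone example that is not Bandit's plugin code and not part of this PR. It walks the AST of a source string with Python's ast module and reports every HTTP verb call that carries a literal verify=False. The names scan_source and Finding, the contents of the HTTP_VERBS set, and the sample sources are assumptions made for this illustration.

```python
# Added example, not Bandit's plugin code: a stand-alone AST checker that mirrors
# the two B501 detection paths described in the PR. scan_source, Finding,
# the HTTP_VERBS contents and the sample sources below are assumptions made
# for this illustration.
from __future__ import annotations

import ast
from dataclasses import dataclass

# Assumed verb list; the plugin's real HTTP_VERBS constant is not shown on the page.
HTTP_VERBS = {"get", "options", "head", "post", "put", "patch", "delete", "request"}
HTTP_MODULES = {"requests", "httpx"}


@dataclass(frozen=True)
class Finding:
    lineno: int
    severity: str
    confidence: str
    call: str  # dotted form of the flagged call, e.g. "session.get"


def _imported_http_modules(tree: ast.Module) -> set[str]:
    """Return the subset of HTTP_MODULES imported anywhere in the module."""
    found: set[str] = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                root = alias.name.split(".")[0]
                if root in HTTP_MODULES:
                    found.add(root)
        elif isinstance(node, ast.ImportFrom) and node.module:
            root = node.module.split(".")[0]
            if root in HTTP_MODULES:
                found.add(root)
    return found


def _has_verify_false(call: ast.Call) -> bool:
    """True when the call passes the literal keyword verify=False."""
    return any(
        kw.arg == "verify"
        and isinstance(kw.value, ast.Constant)
        and kw.value.value is False
        for kw in call.keywords
    )


def _dotted_name(node: ast.AST) -> str | None:
    """Render a Name/Attribute chain as 'a.b.c'; None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def scan_source(source: str) -> list[Finding]:
    """Flag HTTP verb calls with verify=False, mirroring both B501 paths."""
    tree = ast.parse(source)
    imported = _imported_http_modules(tree)
    findings: list[Finding] = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in HTTP_VERBS or not _has_verify_false(node):
            continue
        qual = _dotted_name(node.func) or f"<expr>.{node.func.attr}"
        receiver = qual.split(".")[0]
        if receiver in imported:
            # Path 1: module-level call such as requests.get(..., verify=False).
            findings.append(Finding(node.lineno, "HIGH", "HIGH", qual))
        elif imported:
            # Path 2: the verb is called on some other object while requests or
            # httpx is imported, so it is probably a Session/Client instance.
            # Confidence drops to MEDIUM because the receiver's type is not
            # known statically; without the import nothing is reported.
            findings.append(Finding(node.lineno, "HIGH", "MEDIUM", qual))
    return sorted(findings, key=lambda f: f.lineno)


# Constructed sample input covering both paths plus a verify=True control.
SAMPLE_SOURCE = """\
import requests
import httpx

requests.get("https://example.com", verify=False)
session = requests.Session()
session.get("https://example.com", verify=False)
client = httpx.Client()
client.post("https://example.com", data={}, verify=False)
requests.get("https://example.com", verify=True)
"""

# Constructed control: same keyword, but neither HTTP library is imported.
SAMPLE_NO_IMPORT = 'cache.get("key", verify=False)\n'

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.lineno}: {f.call} severity={f.severity} confidence={f.confidence}")
    print("no-import sample:", scan_source(SAMPLE_NO_IMPORT))
```

Running the block reports lines 4, 6 and 8 of the sample and nothing for the no-import control. An aliased import such as `import requests as r` followed by `r.get(..., verify=False)` lands on the MEDIUM path in this simplified checker, since only the receiver's bare name is compared against the imported module names; Bandit's own qualified-name resolution is what handles that case in the real plugin.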

B501 only detected verify=False on module-level calls like
requests.get() and httpx.get(), but missed the equally insecure
pattern of calling verify=False on Session or Client instances
(e.g., session.get(verify=False), client.post(verify=False)).

Add a second check: when requests or httpx is imported and an HTTP
verb is called with verify=False on any object, flag it as a MEDIUM
confidence issue (since we can't statically verify the object type).

Resolves: PyCQA#1394
Copilot AI review requested due to automatic review settings May 10, 2026 19:16

Copilot AI left a comment


Pull request overview

This PR extends Bandit plugin B501 (missing certificate validation) to detect insecure verify=False usage not only on module-level calls (e.g., requests.get(...)) but also on likely Session/Client instance method calls (e.g., session.get(..., verify=False)), and updates functional expectations/examples accordingly.

Changes:

  • Add a new B501 detection path for HTTP-verb calls with verify=False when requests or httpx is imported (MEDIUM confidence).
  • Expand the requests-ssl-verify-disabled.py example to include Session/Client instance method calls.
  • Update functional test expectations to account for the additional findings and confidence distribution.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File / Description

  • tests/functional/test_functional.py: Updates expected B501 severity/confidence counts for the expanded example coverage.
  • examples/requests-ssl-verify-disabled.py: Adds new example cases for requests.Session / httpx.Client instance-method calls with verify=False.
  • bandit/plugins/crypto_request_no_cert_validation.py: Adds a second detection branch to flag likely instance method calls using verify=False with MEDIUM confidence.


Comment on lines +83 to +85

# verify=False on any object, it's likely a Session/Client method.
if (
    context.call_function_name in HTTP_VERBS

Comment on lines +84 to +90

if (
    context.call_function_name in HTTP_VERBS
    and context.check_call_arg_value("verify", "False")
):
    if context.is_module_imported_exact(
        "requests"
    ) or context.is_module_imported_exact("httpx"):

Comment on lines +89 to +94

        "requests"
    ) or context.is_module_imported_exact("httpx"):
        return bandit.Issue(
            severity=bandit.HIGH,
            confidence=bandit.MEDIUM,
            cwe=issue.Cwe.IMPROPER_CERT_VALIDATION,
Development

Successfully merging this pull request may close these issues.

False negative: B501 misses verify=False on requests.Session / httpx.Client instance methods

2 participants