Detect verify=False on Session/Client instance methods in B501 #1411
Open
jonasboos wants to merge 2 commits into
Conversation
B501 only detected verify=False on module-level calls like requests.get() and httpx.get(), but missed the equally insecure pattern of calling verify=False on Session or Client instances (e.g., session.get(verify=False), client.post(verify=False)). Add a second check: when requests or httpx is imported and an HTTP verb is called with verify=False on any object, flag it as a MEDIUM confidence issue (since we can't statically verify the object type). Resolves: PyCQA#1394
Pull request overview
This PR extends Bandit plugin B501 (missing certificate validation) to detect insecure verify=False usage not only on module-level calls (e.g., requests.get(...)) but also on likely Session/Client instance method calls (e.g., session.get(..., verify=False)), and updates functional expectations/examples accordingly.
Changes:
- Add a new B501 detection path for HTTP-verb calls with verify=False when requests or httpx is imported (MEDIUM confidence).
- Expand the requests-ssl-verify-disabled.py example to include Session/Client instance method calls.
- Update functional test expectations to account for the additional findings and confidence distribution.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| tests/functional/test_functional.py | Updates expected B501 severity/confidence counts for the expanded example coverage. |
| examples/requests-ssl-verify-disabled.py | Adds new example cases for requests.Session / httpx.Client instance-method calls with verify=False. |
| bandit/plugins/crypto_request_no_cert_validation.py | Adds a second detection branch to flag likely instance method calls using verify=False with MEDIUM confidence. |
Comment on lines +83 to +85
| # verify=False on any object, it's likely a Session/Client method. | ||
| if ( | ||
| context.call_function_name in HTTP_VERBS |
Comment on lines +84 to +90
| if ( | ||
| context.call_function_name in HTTP_VERBS | ||
| and context.check_call_arg_value("verify", "False") | ||
| ): | ||
| if context.is_module_imported_exact( | ||
| "requests" | ||
| ) or context.is_module_imported_exact("httpx"): |
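Review bot: the first line of the condition, `context.call_function_name in HTTP_VERBS`, matches on the bare function name only, so once `requests` or `httpx` is imported anywhere in the module a plain call such as `get(url, verify=False)` to an unrelated local helper is reported too; since the intent is "on any object", consider also requiring that the call is an attribute call (for example by checking that `context.call_function_name_qual` contains a dot) so the MEDIUM branch stays limited to method calls.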
Comment on lines +89 to +94
| "requests" | ||
| ) or context.is_module_imported_exact("httpx"): | ||
| return bandit.Issue( | ||
| severity=bandit.HIGH, | ||
| confidence=bandit.MEDIUM, | ||
| cwe=issue.Cwe.IMPROPER_CERT_VALIDATION, |
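Review bot: the Issue built here carries `severity=bandit.HIGH` with `confidence=bandit.MEDIUM` under the same test id and CWE as the module-level branch, and the remaining keyword arguments (including the issue text) are cut off below this hunk; make sure that text says the receiver was only assumed to be a Session/Client, otherwise users see two B501 findings in one file with different confidence and no explanation of why.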
Problem
B501 only detects verify=False on module-level calls like requests.get() and httpx.get(), but misses the equally insecure pattern of calling verify=False on Session or Client instances. As reported in #1394, code like this goes undetected:
Fix
Add a second check: when requests or httpx is imported and an HTTP verb is called with verify=False on any object, flag it as a HIGH severity, MEDIUM confidence issue. The confidence is MEDIUM (rather than HIGH for module-level calls) because we cannot statically verify the object is actually a Session/Client instance. However, the combination of an HTTP verb + verify=False + the module being imported makes false positives unlikely.
Testing
Resolves: #1394
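As an added illustration (not bandit's plugin code and not this PR's diff), a stand-alone AST walk that applies the two B501 branches the PR describes: HIGH confidence when the receiver is the requests/httpx module itself, MEDIUM for any other receiver once one of those libraries is imported. The HTTP_VERBS set here is an assumption (it adds "request"), and the sample source is constructed.

```python
import ast

HTTP_VERBS = {"get", "options", "head", "post", "put", "patch", "delete", "request"}
HTTP_LIBS = {"requests", "httpx"}


def _receiver_name(func):
    # Name of the object a method is called on; None for a bare call.
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return func.value.id
    return "<expr>" if isinstance(func, ast.Attribute) else None  # e.g. requests.Session().get


def _verify_is_false(call):
    return any(
        kw.arg == "verify" and isinstance(kw.value, ast.Constant) and kw.value.value is False
        for kw in call.keywords
    )


def find_verify_false(source):
    """Return sorted (lineno, receiver, verb, confidence) for HTTP verb calls with verify=False."""
    tree = ast.parse(source)
    imported = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            imported.update(a.name.split(".")[0] for a in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            imported.add(node.module.split(".")[0])
    if not imported & HTTP_LIBS:
        return []  # neither library imported: the check does not apply
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call) or not _verify_is_false(node):
            continue
        verb = node.func.attr if isinstance(node.func, ast.Attribute) else getattr(node.func, "id", None)
        if verb not in HTTP_VERBS:
            continue
        receiver = _receiver_name(node.func)
        # Existing branch: the receiver is the library module itself -> HIGH confidence.
        # Branch added by this PR: any other receiver (Session/Client, or a bare call) -> MEDIUM.
        confidence = "HIGH" if receiver in HTTP_LIBS else "MEDIUM"
        findings.append((node.lineno, receiver, verb, confidence))
    return sorted(findings)


# Constructed sample input (not the PR's example file); line 5 has no verify=False.
SAMPLE = """import requests, httpx
requests.get("https://example.test", verify=False)
s = requests.Session(); s.post("https://example.test", verify=False)
httpx.Client().get("https://example.test", verify=False)
s.get("https://example.test")
"""
```

Running `find_verify_false(SAMPLE)` yields one HIGH finding for the module-level call and two MEDIUM findings for the instance calls; a bare `get(url, verify=False)` with requests imported is also reported at MEDIUM, which is the false-positive shape the review comment above points at.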