Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
25 changes: 25 additions & 0 deletions bandit/plugins/crypto_request_no_cert_validation.py
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,9 @@
.. versionchanged:: 1.7.5
Added check for httpx module

.. versionchanged:: 1.9.5
Added check for requests.Session and httpx.Client instance method calls

"""
import bandit
from bandit.core import issue
Expand All @@ -58,6 +61,7 @@ def request_with_no_cert_validation(context):
HTTPX_ATTRS = {"request", "stream", "Client", "AsyncClient"} | HTTP_VERBS
qualname = context.call_function_name_qual.split(".")[0]

# Check module-level calls: requests.get, httpx.get, etc.
if (
qualname == "requests"
and context.call_function_name in HTTP_VERBS
Expand All @@ -73,3 +77,24 @@ def request_with_no_cert_validation(context):
"certificate checks, security issue.",
lineno=context.get_lineno_for_call_arg("verify"),
)

# Check instance method calls: session.get, client.get, etc.
# When requests/httpx is imported and an HTTP verb is called with
# verify=False on any object, it's likely a Session/Client method.
if (
context.call_function_name in HTTP_VERBS
Comment on lines +83 to +85
and context.check_call_arg_value("verify", "False")
):
if context.is_module_imported_exact(
"requests"
) or context.is_module_imported_exact("httpx"):
Comment on lines +84 to +90
return bandit.Issue(
severity=bandit.HIGH,
confidence=bandit.MEDIUM,
cwe=issue.Cwe.IMPROPER_CERT_VALIDATION,
Comment on lines +89 to +94
text="Call to {func} with verify=False disabling SSL "
"certificate checks, security issue.".format(
func=context.call_function_name_qual
),
lineno=context.get_lineno_for_call_arg("verify"),
)
19 changes: 19 additions & 0 deletions examples/requests-ssl-verify-disabled.py
Original file line number Diff line number Diff line change
Expand Up @@ -40,3 +40,22 @@
httpx.Client(timeout=30, verify=False)
httpx.AsyncClient(timeout=30)
httpx.AsyncClient(timeout=30, verify=False)

# Instance method calls (requests.Session)
session = requests.Session()
session.get('https://gmail.com', timeout=30, verify=True)
session.get('https://gmail.com', timeout=30, verify=False)
session.post('https://gmail.com', timeout=30, verify=True)
session.post('https://gmail.com', timeout=30, verify=False)
with requests.Session() as scoped_session:
scoped_session.put('https://gmail.com', timeout=30, verify=True)
scoped_session.put('https://gmail.com', timeout=30, verify=False)
scoped_session.delete('https://gmail.com', timeout=30, verify=True)
scoped_session.delete('https://gmail.com', timeout=30, verify=False)

# Instance method calls (httpx.Client)
client = httpx.Client(timeout=30)
client.get('https://gmail.com', timeout=30, verify=True)
client.get('https://gmail.com', timeout=30, verify=False)
client.post('https://gmail.com', timeout=30, verify=True)
client.post('https://gmail.com', timeout=30, verify=False)
4 changes: 2 additions & 2 deletions tests/functional/test_functional.py
Original file line number Diff line number Diff line change
Expand Up @@ -373,8 +373,8 @@ def test_random_module(self):
def test_requests_ssl_verify_disabled(self):
"""Test for the `requests` library skipping verification."""
expect = {
"SEVERITY": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 0, "HIGH": 18},
"CONFIDENCE": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 0, "HIGH": 18},
"SEVERITY": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 0, "HIGH": 24},
"CONFIDENCE": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 6, "HIGH": 18},
}
self.check_example("requests-ssl-verify-disabled.py", expect)

Expand Down