Blacklist call of ssl._create_unverified_context

The ssl._create_unverified_context creates a context for use with such classes as HTTPSConnection which will do no certificate or hostname verification. This should be flagged. Change-Id: I326316e20ee11034c0a794f41c1bd8ae75720142
2017-02-20 12:06:19 -08:00 · 2017-02-20 12:06:19 -08:00 · e40af23ff6
commit e40af23ff6
parent 085c789490
4 changed files with 39 additions and 0 deletions
--- a/README.rst
+++ b/README.rst
@ -173,6 +173,7 @@ Usage::
      B320  xml_bad_etree
      B321  ftplib
      B322  input
+      B323  unverified_context
      B401  import_telnetlib
      B402  import_ftplib
      B403  import_pickle
--- a/bandit/blacklists/calls.py
+++ b/bandit/blacklists/calls.py
@ -278,6 +278,20 @@ is safe in Python 3.
 | B322 | input               | - input                            | High      |
 +------+---------------------+------------------------------------+-----------+

+B323: unverified_context
+------------------------
+
+By default, Python will create a secure, verified ssl context for use in such
+classes as HTTPSConnection. However, it still allows using an insecure
+context via the _create_unverified_context that reverts to the previous
+behavior that does not validate certificates or perform hostname checks.
+
+------+---------------------+------------------------------------+-----------+
+| ID   |  Name               |  Calls                             |  Severity |
+======+=====================+====================================+===========+
+| B322 | unverified_context  | - ssl._create_unverified_context   | Medium    |
+------+---------------------+------------------------------------+-----------+
+
 """

 from bandit.blacklists import utils
@ -509,4 +523,13 @@ def gen_blacklist():
        'HIGH'
        ))

+    sets.append(utils.build_conf_dict(
+        'unverified_context', 'B323', ['ssl._create_unverified_context'],
+        'By default, Python will create a secure, verified ssl context for '
+        'use in such classes as HTTPSConnection. However, it still allows '
+        'using an insecure context via the _create_unverified_context that '
+        'reverts to the previous behavior that does not validate certificates '
+        'or perform hostname checks.'
+        ))
+
    return {'Call': sets}
--- a/examples/unverified_context.py
+++ b/examples/unverified_context.py
@ -0,0 +1,7 @@
+import ssl
+
+# Correct
+context = ssl.create_default_context()
+
+# Incorrect: unverified context
+context = ssl._create_unverified_context()
--- a/tests/functional/test_functional.py
+++ b/tests/functional/test_functional.py
@ -689,3 +689,11 @@ class FunctionalTests(testtools.TestCase):
            'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 1}
        }
        self.check_example('input.py', expect)
+
+    def test_unverified_context(self):
+        '''Test for `ssl._create_unverified_context`.'''
+        expect = {
+            'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 1, 'HIGH': 0},
+            'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 1}
+        }
+        self.check_example('unverified_context.py', expect)