should not bypass certificate verification

Metadata

ID: python-security/ssl-unverified-context

Language: Python

Severity: Notice

Category: Security

CWE: 295

Description

The call to _create_unverified_context from the ssl module bypass certificates verification. It should not be used and instead, certificates must be verified.

Non-Compliant Code Examples

import xmlrpclib
import ssl

test = xmlrpclib.ServerProxy('https://admin:bz15h9v9n@localhost:9999/API',
                             verbose=False, use_datetime=True, 
                             context=ssl._create_unverified_context()) 
test.list_satellites()

Compliant Code Examples

import xmlrpclib
import ssl

test = xmlrpclib.ServerProxy('https://admin:bz15h9v9n@localhost:9999/API',
                             verbose=False, use_datetime=True)
test.list_satellites()

import xmlrpclib

test = xmlrpclib.ServerProxy('https://admin:bz15h9v9n@localhost:9999/API',
                             verbose=False, use_datetime=True, 
                             context=ssl._create_unverified_context())
test.list_satellites()
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Seamless integrations. Try Datadog Code Analysis

Datadog Code Analysis
PREVIEWING: may/unit-testing