This linter searches for insecure keyword argument use in the urllib3
module.
Specifically, it looks for objects that may have HTTPS certification
verification disabled by setting "NONE"
, "CERT_NONE"
, CERT_NONE
, or
ssl.CERT_NONE
set for the cert_reqs
keyward argument. These values disable
verification and thus allow for insecure HTTPS connections.
import urllib3
import ssl
from ssl import CERT_NONE
urllib3.PoolManager(cert_reqs="CERT_NONE")
urllib3.ProxyManager(cert_reqs="CERT_NONE")
urllib3.HTTPSConnectionPool(cert_reqs="NONE")
urllib3.connection_from_url(cert_reqs=ssl.CERT_NONE)
urllib3.proxy_from_url(cert_reqs=CERT_NONE)
Simply not specifying cert_reqs
will default to secure behavior. Further,
setting ssl.CERT_REQUIRED
or its variants will ensure verification is
performed.
HTTPS certificate verification ensures your requests are communicating with whom they're supposed to be. Without this there could be an attacker impersonating the server you intend to be communicating with. To prevent this you must ensure certification verification is enabled.
- Code connecting to internal network services (although these should strive for full HTTPS as well)
- Code connecting to local development services or in test environments