Audit required: Server certificate may not be verified PTC-W6001
Unverified server certificate. Set
verify=True to validate the certificate.33
34def fetch_version(request):
35 """Fetch verison of bgmi."""
36 version = requests.get(37 "https://pypi.python.org/pypi/bgmi/json", verify=False
38 ).json()["info"]["version"]
39 return versionUnverified server certificate. Consider using
ssl._create_default_https_context, which has certificate validation enabled by default105
106
107def tar_something():
108 context = ssl._create_stdlib_context()109 os.tempnam("dir1")
110 subprocess.Popen("/bin/chown *", shell=True)
111 o.system("/bin/tar xvzf *")
Description
It is recommended to validate server certificate during SSL/TLS sessions to protect it from man-in-the-middle attacks.
The certificate chain validation takes care of the following things:
- The certificate is issued by its parent Certificate Authority or the root CA trusted by the system.
- Each CA is allowed to issue certificates.
- Each certificate in the chain is not expired.
Not preferred:
import ssl
context = ssl.create_default_context()
ctx3.verify_mode = ssl.CERT_NONE # Setting this won't verify the certificate
Preferred:
import ssl
context = ssl.create_default_context()
ctx3.verify_mode = ssl.CERT_REQUIRED