pycharm-security: `verify=False` not found as a potential security problem (RQ101)

Hi @tonybaloney

Just installed PyCharm Security 1.04 for IntelliJ IDEA Ultimate.

The following snippet does not show a warning:

        try:
            response = requests.post(
                URL, auth=self.auth, headers=self.headers, json=ordered_data, verify=False, timeout=(3.05, 27)
            )
        except (ConnectionError, HTTPError, Timeout, TooManyRedirects, URLRequired) as exception:
            messages.append('There was an error connecting via DATEVconnect. Please contact a developer.')
            state = 'ERROR'
            LOG.exception(exception)

As I understand, RQ101 should cover this.

As side notes:

  • bandit returns this:

        >> Issue: [B501:request_with_no_cert_validation] Requests call with verify=False disabling SSL certificate checks, security issue.
           Severity: High   Confidence: High
           Location: src/Products/Datev/DATEVconnect/client.py:106
           More Info: https://bandit.readthedocs.io/en/latest/plugins/b501_request_with_no_cert_validation.html

  • your plugin works otherwise, as TMP100 is correctly raised for the following line:

        zipname = mktemp('.zip')
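
The kind of check the report expects from RQ101, and that bandit reports as B501, can be sketched with Python's `ast` module. This is an added example, not part of the original report and not code from pycharm-security or bandit; `find_unverified_calls`, `_callee` and the sample source are constructed here, and only calls made through names imported from `requests` are tracked (no `Session` objects).

```python
import ast

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options", "request"}

# Constructed sample, modelled on the multi-line call in the report.
SAMPLE = '''\
import requests
from requests import get as fetch

def send(url, data):
    response = requests.post(
        url, json=data, verify=False, timeout=(3.05, 27)
    )
    safe = requests.get(url, timeout=5)
    return response, safe, fetch(url, verify=False)
'''

def _callee(func, modules, functions):
    """Return a display name if func resolves to a requests HTTP helper, else None."""
    if (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
            and func.value.id in modules and func.attr in HTTP_METHODS):
        return f"{func.value.id}.{func.attr}"
    if isinstance(func, ast.Name) and func.id in functions:
        return func.id
    return None

def find_unverified_calls(source):
    """Return sorted (line, callee) pairs for requests calls passing verify=False."""
    tree = ast.parse(source)
    modules, functions = set(), set()
    for node in ast.walk(tree):  # collect local names bound to the requests package
        if isinstance(node, ast.Import):
            modules.update(a.asname or a.name for a in node.names if a.name == "requests")
        elif isinstance(node, ast.ImportFrom) and node.module == "requests":
            functions.update(a.asname or a.name for a in node.names if a.name in HTTP_METHODS)
    findings = []
    for node in (n for n in ast.walk(tree) if isinstance(n, ast.Call)):
        name = _callee(node.func, modules, functions)
        # Only the literal False is flagged; values computed at runtime are not resolved.
        disabled = any(
            kw.arg == "verify" and isinstance(kw.value, ast.Constant) and kw.value.value is False
            for kw in node.keywords
        )
        if name and disabled:
            findings.append((node.lineno, name))
    return sorted(findings)

if __name__ == "__main__":
    print(find_unverified_calls(SAMPLE))
```

The reported line is the one where the call expression starts, so a call split across several lines is still attributed to its first line.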

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 16 (16 by maintainers)

Most upvoted comments

That issue is fixed in 1.0.13. I also did a check for any other unsafe casts and that’s it: https://github.com/tonybaloney/pycharm-security/releases/tag/1.0.13

I haven’t tested in IDEA yet. Let me do that.