Use of ssl._create_unverified_context #552

Open
ahoang-splunk opened this issue Nov 15, 2023 · 1 comment
Describe the bug
I am using the latest SDK in the Mothership app (available on Splunkbase). I received an error when running a SAST scan flagging the use of ssl._create_unverified_context in splunklib/binding.py on line 1447. The scan gave this error and feedback: "Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use ssl.create_default_context() instead." Is this a valid security concern and if so, can the team implement the fix suggested in the comment above?

To Reproduce
Steps to reproduce the behavior:

  1. Download latest version of SDK
  2. Run SAST scan
  3. See results on semgrep.dev

Logs or Screenshots
[Two screenshots of the SAST scan results attached: 2023-11-15 at 11:37:53 AM and 11:38:37 AM]

Splunk (please complete the following information):

  • Version: 9.1.0.2
  • OS: Ubuntu
  • Deployment: Single instance

SDK (please complete the following information):

  • Version: 1.7.4
  • Language Runtime Version: Python3
  • OS: Ubuntu
@akaila-splunk (Contributor)

Hi @ahoang-splunk ,
We replaced ssl._create_unverified_context() with ssl.create_default_context(), as suggested in the security warning, along with some other parameters needed to connect successfully with the Splunk server when SSL verification is not enabled. These changes did not raise any warning when we ran the security scan locally.
To confirm that this resolves the security warning, we ask that you run the security scan on your end using the modified code listed below and let us know if it still raises the warning.

old code (splunklib/bindings.py):

            if not verify:
                kwargs['context'] = ssl._create_unverified_context()
            elif context:
                # verify is True in elif branch and context is not None
                kwargs['context'] = context

new code:

            if not verify:
                ssl_ctx = ssl.create_default_context()
                ssl_ctx.check_hostname = False
                ssl_ctx.verify_mode = ssl.CERT_NONE
                kwargs['context'] = ssl_ctx
            elif context:
                # verify is True in elif branch and context is not None
                kwargs['context'] = context
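The snippet above only rebuilds the verification-disabled path. As an added example (not the SDK's own code; the function name build_ssl_context and the cafile parameter are assumptions), this is the full selection logic a client should carry: verification on by default, an optional private CA bundle for deployments with self-signed Splunk certificates, and the verify=False branch built from ssl.create_default_context() exactly as in the new code. Note that the new branch is behaviourally identical to ssl._create_unverified_context(); the scanner flagged the private-API name, not a difference in what the connection verifies.

```python
import logging
import ssl
from typing import Optional

log = logging.getLogger(__name__)


def build_ssl_context(verify: bool = True,
                      cafile: Optional[str] = None,
                      context: Optional[ssl.SSLContext] = None) -> ssl.SSLContext:
    """Return the SSLContext to pass as HTTPSConnection(..., context=...).

    verify=True  -> chain and hostname verification against the system trust
                    store, or against `cafile` (e.g. the CA that signed the
                    Splunk server certificate) when one is given.
    verify=False -> verification disabled. Built from create_default_context()
                    so no private ssl._ API is used, but the resulting
                    connection is still unverified, just as with the old code.
    """
    if not verify:
        # Leave an audit trail: a disabled-verification path should be visible
        # in logs, not silent, so operators can find and remove it.
        log.warning("TLS certificate verification disabled for this connection")
        ctx = ssl.create_default_context()
        ctx.check_hostname = False          # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    if context is not None:
        # Caller supplied a pre-configured, verifying context: use it as-is.
        return context
    # cafile=None falls back to the platform's default CA certificates.
    return ssl.create_default_context(cafile=cafile)


def describe(ctx: ssl.SSLContext) -> dict:
    """Summarise what a context will actually check, for review or testing."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
    }
```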
