Improper Certificate Validation Using nntplib

PY024

improper_certificate_validation

CWE-295

⚠️ Warning

---

The Python class nntplib.NNTP_SSL by default creates an SSL context that does not verify the server's certificate if the context parameter is unset or has a value of None. This means that an attacker can easily impersonate a legitimate server and fool your application into connecting to it.

If you use nntplib.NNTP_SSL or starttls without a context set, you are opening your application up to a number of security risks, including:

• Man-in-the-middle attacks
• Session hijacking
• Data theft

Example

import nntplib


with nntplib.NNTP_SSL("news.gmane.io") as n:
    n.login("user", "password")
    n.group("gmane.comp.python.committers")

Remediation

Set the value of the context keyword argument to ssl.create_default_context() to ensure the connection is fully verified.

import nntplib
import ssl


with nntplib.NNTP_SSL(
    "news.gmane.io",
    context=ssl.create_default_context(),
) as n:
    n.login("user", "password")
    n.group("gmane.comp.python.committers")

False Positives

In the case of a false positive the rule can be suppressed. Simply add a trailing or preceding comment line with either the rule ID (PY024) or rule category name (improper_certificate_validation).

Using rule ID

fix

import nntplib


# suppress: PY024
with nntplib.NNTP_SSL("news.gmane.io") as n:
    n.login("user", "password")
    n.group("gmane.comp.python.committers")

Using category name

fix

import nntplib


# suppress: improper_certificate_validation
with nntplib.NNTP_SSL("news.gmane.io") as n:
    n.login("user", "password")
    n.group("gmane.comp.python.committers")

See also

info

• nntplib.NNTP_SSL — NNTP protocol client
• nntplib.NNTP.starttls — NNTP protocol client
• ssl — TLS_SSL wrapper for socket objects
• CWE-295: Improper Certificate Validation