Improper Certificate Validation Using aiohttp
Rule ID: PY501
Category: improper_certificate_validation
CWE: CWE-295
Severity: Error
Plan: Professional Plan
The aiohttp package includes a number of asynchronous methods for accessing HTTP servers. The parameter common to these methods is ssl, which controls whether the server's host certificate is verified. If it is not set, the default is to verify certificates. Setting it to False disables that verification and exposes the code to a number of security risks, including:
- Man-in-the-middle attacks
- Session hijacking
- Data theft
Example
```python
import asyncio
import aiohttp

async def main():
    async with aiohttp.ClientSession() as session:
        # ssl=False disables server certificate verification (the flagged pattern)
        async with session.get('http://python.org', ssl=False) as response:
            print(await response.text())
asyncio.run(main())
```
Remediation
Setting the ssl argument to None, or removing the keyword argument entirely, has the same effect: certificates are verified.
```python
import asyncio
import aiohttp

async def main():
    async with aiohttp.ClientSession() as session:
        # ssl=None (or omitting ssl) keeps the default: certificates are verified
        async with session.get('http://python.org', ssl=None) as response:
            print(await response.text())
asyncio.run(main())
```
False Positives
In the case of a false positive the rule can be suppressed. Simply add a trailing or preceding comment line with either the rule ID (PY501) or the rule category name (improper_certificate_validation).
Using rule ID:
```python
import asyncio
import aiohttp

async def main():
    async with aiohttp.ClientSession() as session:
        # suppress: PY501
        async with session.get('http://python.org', ssl=False) as response:
            print(await response.text())
asyncio.run(main())
```
Using category name:
```python
import asyncio
import aiohttp

async def main():
    async with aiohttp.ClientSession() as session:
        # suppress: improper_certificate_validation
        async with session.get('http://python.org', ssl=False) as response:
            print(await response.text())
asyncio.run(main())
```
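As an added illustration (not precli's own checker), the script below shows how the pattern this rule describes, together with the suppression comments above, can be found statically: it parses Python source with the ast module, reports every call that passes ssl=False, and skips calls covered by a suppress comment on the same line or the line directly above (that placement is an assumption). The module it scans is constructed here for the demonstration.

```python
import ast
import re

# Simplified illustration of the check, not precli's own implementation. It flags
# calls passing ssl=False unless a "# suppress: PY501" or
# "# suppress: improper_certificate_validation" comment is on the same line or
# the line directly above (the suppression placement is assumed here).
RULE_ID = "PY501"
CATEGORY = "improper_certificate_validation"
SUPPRESS_RE = re.compile(rf"#\s*suppress:\s*({RULE_ID}|{CATEGORY})\b")

def _is_suppressed(lines: list[str], lineno: int) -> bool:
    """True if a suppression comment covers 1-based line `lineno`."""
    covered = lines[max(lineno - 2, 0):lineno]  # the line itself and the one above
    return any(SUPPRESS_RE.search(line) for line in covered)

def find_disabled_ssl(source: str) -> list[tuple[int, str]]:
    """Return (line number, callee) for each un-suppressed call passing ssl=False."""
    lines = source.splitlines()
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        for kw in node.keywords:
            if kw.arg == "ssl" and isinstance(kw.value, ast.Constant) and kw.value.value is False:
                if not _is_suppressed(lines, node.lineno):
                    findings.append((node.lineno, ast.unparse(node.func)))
    return findings

# Constructed sample module with a flagged, a remediated and a suppressed call.
SAMPLE = '''import aiohttp

async def main():
    async with aiohttp.ClientSession() as session:
        async with session.get("https://example.invalid", ssl=False) as r:  # flagged
            print(await r.text())
        async with session.get("https://example.invalid", ssl=None) as r:  # verified
            print(await r.text())
        # suppress: PY501
        async with session.post("https://example.invalid", ssl=False) as r:  # suppressed
            print(await r.text())
'''

if __name__ == "__main__":
    for lineno, callee in find_disabled_ssl(SAMPLE):
        print(f"line {lineno}: {callee}(..., ssl=False) disables certificate verification")
```

Only the first session.get call is reported; the ssl=None call keeps verification on and the session.post call is covered by the suppression comment on the line above it.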