
verify=False not found as a potential security problem (RQ101) #1

Closed
jugmac00 opened this issue Jan 10, 2020 · 16 comments
Labels
bug Something isn't working

Comments

@jugmac00
Contributor

Hi @tonybaloney

just installed PyCharm Security 1.04 for IntelliJ IDEA Ultimate.

The following snippet does not show a warning:

        try:
            response = requests.post(
                URL, auth=self.auth, headers=self.headers, json=ordered_data, verify=False, timeout=(3.05, 27)
            )
        except (ConnectionError, HTTPError, Timeout, TooManyRedirects, URLRequired) as exception:
            messages.append('There was an error connecting via DATEVconnect. Please contact a developer.')
            state = 'ERROR'
            LOG.exception(exception)

As I understand it, RQ101 should cover this.

As side notes:

  • bandit returns this:
>> Issue: [B501:request_with_no_cert_validation] Requests call with verify=False disabling SSL certificate checks, security issue.
   Severity: High   Confidence: High
   Location: src/Products/Datev/DATEVconnect/client.py:106
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b501_request_with_no_cert_validation.html
  • your plugin works otherwise, as TMP100 is correctly raised for the following line:
        zipname = mktemp('.zip')
@tonybaloney
Owner

Thanks for the report @jugmac00

@tonybaloney tonybaloney added the bug Something isn't working label Jan 10, 2020
@tonybaloney
Owner

I can't reproduce this; if I paste the snippet into an existing file, it raises a warning.

However, I have found another issue in the code that might cause it to fail.

Could you share the import statements? (I'm assuming you can't share the whole file?)

@jugmac00
Contributor Author

Thanks for getting back to me.

Here is the import section:

# This Python file uses the following encoding: utf-8
""" DATEVconnect client """

import json
import logging
import os
import re
import requests

from collections import OrderedDict
from requests import ConnectionError, HTTPError, URLRequired, Timeout, TooManyRedirects
from six.moves.configparser import SafeConfigParser
from six.moves.urllib.parse import ParseResult
from six.moves.urllib.parse import urlparse
from six.moves.urllib.parse import urlunparse

If you need the complete file to reproduce the issue, I will go through it and share it with you later, once I have finished my other tasks.

P.S.: Even the standalone requests snippet does not trigger a warning for me (see the attached screenshot), whereas the mktemp snippet does.

Screenshot from 2020-01-10 09-07-17

@jugmac00
Contributor Author

Just to be sure... the message from the warning about the mktemp usage is yours, not from some builtin IntelliJ mechanism?

Screenshot from 2020-01-10 09-11-45

@tonybaloney
Owner

That's a builtin IntelliJ mechanism. Doesn't look like the plugin is scanning the code at all.

@tonybaloney
Owner

I haven't tested in IDEA yet. Let me do that.

@jugmac00
Contributor Author

Just noticed this crash report in the lower right corner of IntelliJ. client.py is the module I tried to check this morning.

In file: file:///home/jugmac00/Projects/bliss_deployment/work/source/bliss.git/src/Products/Datev/DATEVconnect/client.py

java.lang.ClassCastException: class com.jetbrains.python.psi.impl.PyReferenceExpressionImpl cannot be cast to class com.jetbrains.python.psi.PyBoolLiteralExpression (com.jetbrains.python.psi.impl.PyReferenceExpressionImpl and com.jetbrains.python.psi.PyBoolLiteralExpression are in unnamed module of loader com.intellij.ide.plugins.cl.PluginClassLoader @2cb053d3)
	at security.validators.RequestsNoVerifyValidator.visitPyCallExpression(RequestsNoVerifyValidator.kt:16)
	at com.jetbrains.python.psi.impl.PyCallExpressionImpl.acceptPyVisitor(PyCallExpressionImpl.java:28)
	at com.jetbrains.python.psi.impl.PyBaseElementImpl.accept(PyBaseElementImpl.java:72)
	at com.jetbrains.python.validation.PyAnnotator.annotateElement(PyAnnotator.java:46)
	at com.jetbrains.python.validation.PyAnnotatingVisitor.runAnnotators(PyAnnotatingVisitor.java:65)
	at com.jetbrains.python.validation.PyCompositeAnnotator.annotate(PyCompositeAnnotator.java:18)
	at com.intellij.codeInsight.daemon.impl.DefaultHighlightVisitor.runAnnotators(DefaultHighlightVisitor.java:126)
	at com.intellij.codeInsight.daemon.impl.DefaultHighlightVisitor.visit(DefaultHighlightVisitor.java:108)
	at com.intellij.codeInsight.daemon.impl.GeneralHighlightingPass.runVisitors(GeneralHighlightingPass.java:351)
	at com.intellij.codeInsight.daemon.impl.GeneralHighlightingPass.lambda$collectHighlights$5(GeneralHighlightingPass.java:285)
	at com.intellij.codeInsight.daemon.impl.GeneralHighlightingPass.analyzeByVisitors(GeneralHighlightingPass.java:311)
	at com.intellij.codeInsight.daemon.impl.GeneralHighlightingPass.lambda$analyzeByVisitors$6(GeneralHighlightingPass.java:314)
	at com.intellij.codeInsight.daemon.impl.DefaultHighlightVisitor.analyze(DefaultHighlightVisitor.java:93)
	at com.intellij.codeInsight.daemon.impl.GeneralHighlightingPass.analyzeByVisitors(GeneralHighlightingPass.java:314)
	at com.intellij.codeInsight.daemon.impl.GeneralHighlightingPass.collectHighlights(GeneralHighlightingPass.java:282)
	at com.intellij.codeInsight.daemon.impl.GeneralHighlightingPass.collectInformationWithProgress(GeneralHighlightingPass.java:227)
	at com.intellij.codeInsight.daemon.impl.ProgressableTextEditorHighlightingPass.doCollectInformation(ProgressableTextEditorHighlightingPass.java:84)
	at com.intellij.codeHighlighting.TextEditorHighlightingPass.collectInformation(TextEditorHighlightingPass.java:55)
	at com.intellij.codeInsight.daemon.impl.PassExecutorService$ScheduledPass.lambda$null$1(PassExecutorService.java:429)
	at com.intellij.openapi.application.impl.ApplicationImpl.tryRunReadAction(ApplicationImpl.java:997)
	at com.intellij.codeInsight.daemon.impl.PassExecutorService$ScheduledPass.lambda$doRun$2(PassExecutorService.java:422)
	at com.intellij.openapi.progress.impl.CoreProgressManager.registerIndicatorAndRun(CoreProgressManager.java:585)
	at com.intellij.openapi.progress.impl.CoreProgressManager.executeProcessUnderProgress(CoreProgressManager.java:531)
	at com.intellij.openapi.progress.impl.ProgressManagerImpl.executeProcessUnderProgress(ProgressManagerImpl.java:59)
	at com.intellij.codeInsight.daemon.impl.PassExecutorService$ScheduledPass.doRun(PassExecutorService.java:421)
	at com.intellij.codeInsight.daemon.impl.PassExecutorService$ScheduledPass.lambda$run$0(PassExecutorService.java:397)
	at com.intellij.openapi.application.impl.ReadMostlyRWLock.executeByImpatientReader(ReadMostlyRWLock.java:167)
	at com.intellij.openapi.application.impl.ApplicationImpl.executeByImpatientReader(ApplicationImpl.java:157)
	at com.intellij.codeInsight.daemon.impl.PassExecutorService$ScheduledPass.run(PassExecutorService.java:395)
	at com.intellij.concurrency.JobLauncherImpl$VoidForkJoinTask$1.exec(JobLauncherImpl.java:161)
	at java.base/java.util.concurrent.ForkJoinTask.doExec(ForkJoinTask.java:290)
	at java.base/java.util.concurrent.ForkJoinPool$WorkQueue.topLevelExec(ForkJoinPool.java:1020)
	at java.base/java.util.concurrent.ForkJoinPool.scan(ForkJoinPool.java:1656)
	at java.base/java.util.concurrent.ForkJoinPool.runWorker(ForkJoinPool.java:1594)
	at java.base/java.util.concurrent.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:177)

@jugmac00
Contributor Author

Screenshot from 2020-01-10 22-11-12

@tonybaloney
Owner

Published a new version 1.0.6 which should fix that particular crash.

@jugmac00
Contributor Author

I get this error with 1.06:

In file: file:///home/jugmac00/Projects/bliss_deployment/work/source/bliss.git/src/Products/Datev/DATEVconnect/client.py

java.lang.ClassCastException: class com.jetbrains.python.psi.impl.PyReferenceExpressionImpl cannot be cast to class com.jetbrains.python.psi.PyBoolLiteralExpression (com.jetbrains.python.psi.impl.PyReferenceExpressionImpl and com.jetbrains.python.psi.PyBoolLiteralExpression are in unnamed module of loader com.intellij.ide.plugins.cl.PluginClassLoader @4c367c8a)
	at security.validators.RequestsNoVerifyValidator.visitPyCallExpression(RequestsNoVerifyValidator.kt:17)
	at com.jetbrains.python.psi.impl.PyCallExpressionImpl.acceptPyVisitor(PyCallExpressionImpl.java:28)
	at com.jetbrains.python.psi.impl.PyBaseElementImpl.accept(PyBaseElementImpl.java:72)
	at com.jetbrains.python.validation.PyAnnotator.annotateElement(PyAnnotator.java:46)
	at com.jetbrains.python.validation.PyAnnotatingVisitor.runAnnotators(PyAnnotatingVisitor.java:65)
	at com.jetbrains.python.validation.PyCompositeAnnotator.annotate(PyCompositeAnnotator.java:18)
	at com.intellij.codeInsight.daemon.impl.DefaultHighlightVisitor.runAnnotators(DefaultHighlightVisitor.java:126)
	at com.intellij.codeInsight.daemon.impl.DefaultHighlightVisitor.visit(DefaultHighlightVisitor.java:108)
	at com.intellij.codeInsight.daemon.impl.GeneralHighlightingPass.runVisitors(GeneralHighlightingPass.java:351)
	at com.intellij.codeInsight.daemon.impl.GeneralHighlightingPass.lambda$collectHighlights$5(GeneralHighlightingPass.java:285)
	at com.intellij.codeInsight.daemon.impl.GeneralHighlightingPass.analyzeByVisitors(GeneralHighlightingPass.java:311)
	at com.intellij.codeInsight.daemon.impl.GeneralHighlightingPass.lambda$analyzeByVisitors$6(GeneralHighlightingPass.java:314)
	at com.intellij.codeInsight.daemon.impl.DefaultHighlightVisitor.analyze(DefaultHighlightVisitor.java:93)
	at com.intellij.codeInsight.daemon.impl.GeneralHighlightingPass.analyzeByVisitors(GeneralHighlightingPass.java:314)
	at com.intellij.codeInsight.daemon.impl.GeneralHighlightingPass.collectHighlights(GeneralHighlightingPass.java:282)
	at com.intellij.codeInsight.daemon.impl.GeneralHighlightingPass.collectInformationWithProgress(GeneralHighlightingPass.java:227)
	at com.intellij.codeInsight.daemon.impl.ProgressableTextEditorHighlightingPass.doCollectInformation(ProgressableTextEditorHighlightingPass.java:84)
	at com.intellij.codeHighlighting.TextEditorHighlightingPass.collectInformation(TextEditorHighlightingPass.java:55)
	at com.intellij.codeInsight.daemon.impl.PassExecutorService$ScheduledPass.lambda$null$1(PassExecutorService.java:429)
	at com.intellij.openapi.application.impl.ApplicationImpl.tryRunReadAction(ApplicationImpl.java:997)
	at com.intellij.codeInsight.daemon.impl.PassExecutorService$ScheduledPass.lambda$doRun$2(PassExecutorService.java:422)
	at com.intellij.openapi.progress.impl.CoreProgressManager.registerIndicatorAndRun(CoreProgressManager.java:585)
	at com.intellij.openapi.progress.impl.CoreProgressManager.executeProcessUnderProgress(CoreProgressManager.java:531)
	at com.intellij.openapi.progress.impl.ProgressManagerImpl.executeProcessUnderProgress(ProgressManagerImpl.java:59)
	at com.intellij.codeInsight.daemon.impl.PassExecutorService$ScheduledPass.doRun(PassExecutorService.java:421)
	at com.intellij.codeInsight.daemon.impl.PassExecutorService$ScheduledPass.lambda$run$0(PassExecutorService.java:397)
	at com.intellij.openapi.application.impl.ReadMostlyRWLock.executeByImpatientReader(ReadMostlyRWLock.java:167)
	at com.intellij.openapi.application.impl.ApplicationImpl.executeByImpatientReader(ApplicationImpl.java:157)
	at com.intellij.codeInsight.daemon.impl.PassExecutorService$ScheduledPass.run(PassExecutorService.java:395)
	at com.intellij.concurrency.JobLauncherImpl$VoidForkJoinTask$1.exec(JobLauncherImpl.java:161)
	at java.base/java.util.concurrent.ForkJoinTask.doExec(ForkJoinTask.java:290)
	at java.base/java.util.concurrent.ForkJoinPool$WorkQueue.topLevelExec(ForkJoinPool.java:1020)
	at java.base/java.util.concurrent.ForkJoinPool.scan(ForkJoinPool.java:1656)
	at java.base/java.util.concurrent.ForkJoinPool.runWorker(ForkJoinPool.java:1594)
	at java.base/java.util.concurrent.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:177)

@tonybaloney
Owner

Annoyingly, I can't reproduce that issue.

@tonybaloney
Owner

@jugmac00 try the latest version; these issues should all be fixed. Also, if it can't enable the detection because of a configuration issue, it'll now give you a warning.

@jugmac00
Contributor Author

Hi @tonybaloney

I still get errors on 1.0.12. Is there anything I could do to help you track down the problem(s)? Except learning Kotlin :-) Which is on my list, but currently I am learning golang :-)

In file: file:///home/jugmac00/Projects/bliss_deployment/work/source/bliss.git/src/Products/containers/BlissListProviders.py

java.lang.ClassCastException: class com.jetbrains.python.psi.impl.PyCallExpressionImpl cannot be cast to class com.jetbrains.python.psi.PyReferenceExpression (com.jetbrains.python.psi.impl.PyCallExpressionImpl and com.jetbrains.python.psi.PyReferenceExpression are in unnamed module of loader com.intellij.ide.plugins.cl.PluginClassLoader @252a26dd)
	at security.helpers.QualifiedNames.getQualifiedName(QualifiedNames.kt:14)
	at security.validators.SubprocessShellModeValidator.visitPyCallExpression(SubprocessShellModeValidator.kt:14)
	at com.jetbrains.python.psi.impl.PyCallExpressionImpl.acceptPyVisitor(PyCallExpressionImpl.java:28)
	at com.jetbrains.python.psi.impl.PyBaseElementImpl.accept(PyBaseElementImpl.java:72)
	at com.jetbrains.python.validation.PyAnnotator.annotateElement(PyAnnotator.java:46)
	at com.jetbrains.python.validation.PyAnnotatingVisitor.runAnnotators(PyAnnotatingVisitor.java:65)
	at com.jetbrains.python.validation.PyCompositeAnnotator.annotate(PyCompositeAnnotator.java:18)
	at com.intellij.codeInsight.daemon.impl.DefaultHighlightVisitor.runAnnotators(DefaultHighlightVisitor.java:126)
	at com.intellij.codeInsight.daemon.impl.DefaultHighlightVisitor.visit(DefaultHighlightVisitor.java:108)
	at com.intellij.codeInsight.daemon.impl.GeneralHighlightingPass.runVisitors(GeneralHighlightingPass.java:351)
	at com.intellij.codeInsight.daemon.impl.GeneralHighlightingPass.lambda$collectHighlights$5(GeneralHighlightingPass.java:291)
	at com.intellij.codeInsight.daemon.impl.GeneralHighlightingPass.analyzeByVisitors(GeneralHighlightingPass.java:311)
	at com.intellij.codeInsight.daemon.impl.GeneralHighlightingPass.lambda$analyzeByVisitors$6(GeneralHighlightingPass.java:314)
	at com.intellij.codeInsight.daemon.impl.DefaultHighlightVisitor.analyze(DefaultHighlightVisitor.java:93)
	at com.intellij.codeInsight.daemon.impl.GeneralHighlightingPass.analyzeByVisitors(GeneralHighlightingPass.java:314)
	at com.intellij.codeInsight.daemon.impl.GeneralHighlightingPass.collectHighlights(GeneralHighlightingPass.java:282)
	at com.intellij.codeInsight.daemon.impl.GeneralHighlightingPass.collectInformationWithProgress(GeneralHighlightingPass.java:227)
	at com.intellij.codeInsight.daemon.impl.ProgressableTextEditorHighlightingPass.doCollectInformation(ProgressableTextEditorHighlightingPass.java:84)
	at com.intellij.codeHighlighting.TextEditorHighlightingPass.collectInformation(TextEditorHighlightingPass.java:55)
	at com.intellij.codeInsight.daemon.impl.PassExecutorService$ScheduledPass.lambda$null$1(PassExecutorService.java:429)
	at com.intellij.openapi.application.impl.ApplicationImpl.tryRunReadAction(ApplicationImpl.java:997)
	at com.intellij.codeInsight.daemon.impl.PassExecutorService$ScheduledPass.lambda$doRun$2(PassExecutorService.java:422)
	at com.intellij.openapi.progress.impl.CoreProgressManager.registerIndicatorAndRun(CoreProgressManager.java:585)
	at com.intellij.openapi.progress.impl.CoreProgressManager.executeProcessUnderProgress(CoreProgressManager.java:531)
	at com.intellij.openapi.progress.impl.ProgressManagerImpl.executeProcessUnderProgress(ProgressManagerImpl.java:59)
	at com.intellij.codeInsight.daemon.impl.PassExecutorService$ScheduledPass.doRun(PassExecutorService.java:421)
	at com.intellij.codeInsight.daemon.impl.PassExecutorService$ScheduledPass.lambda$run$0(PassExecutorService.java:397)
	at com.intellij.openapi.application.impl.ReadMostlyRWLock.executeByImpatientReader(ReadMostlyRWLock.java:167)
	at com.intellij.openapi.application.impl.ApplicationImpl.executeByImpatientReader(ApplicationImpl.java:157)
	at com.intellij.codeInsight.daemon.impl.PassExecutorService$ScheduledPass.run(PassExecutorService.java:395)
	at com.intellij.concurrency.JobLauncherImpl$VoidForkJoinTask$1.exec(JobLauncherImpl.java:161)
	at java.base/java.util.concurrent.ForkJoinTask.doExec(ForkJoinTask.java:290)
	at java.base/java.util.concurrent.ForkJoinPool$WorkQueue.topLevelExec(ForkJoinPool.java:1020)
	at java.base/java.util.concurrent.ForkJoinPool.scan(ForkJoinPool.java:1656)
	at java.base/java.util.concurrent.ForkJoinPool.runWorker(ForkJoinPool.java:1594)
	at java.base/java.util.concurrent.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:177)

@tonybaloney
Owner

Haha, I came across that issue trying to break it at the weekend.

I'm guessing that BlissListProviders.py uses function references, or has something like x()() in it?

There's a fix for that in another branch, I'll patch it into master.

It'll only impact that particular module AFAIK; the other functionality should work.
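As an added illustration (not the plugin's own Kotlin code, nor the reporter's), here is the RQ101/B501 check written against Python's `ast`, covering the shapes that appear in this thread: the reporter's `verify=False` call, a `verify` bound to a name rather than a bool literal (the `PyReferenceExpression` that the first trace shows being cast to `PyBoolLiteralExpression`), and a call-of-a-call `x()()` as the second trace suggests. The sample source, `URL`, `auth`, `h`, `d` and `get_flag` are constructed for the example.

```python
from __future__ import annotations

import ast

# Constructed sample input. Line 4 mirrors the reporter's call; lines 6 and 7
# are the value shapes that made the plugin's validators throw ClassCastException.
SAMPLE = '''
import requests
VERIFY = False
resp = requests.post(URL, auth=auth, headers=h, json=d, verify=False, timeout=(3.05, 27))
ok = requests.get(URL, verify=True)
unknown = requests.get(URL, verify=VERIFY)
weird = requests.get(URL, verify=get_flag()())
default = requests.get(URL)
'''

REQUESTS_FUNCS = {"get", "post", "put", "patch", "delete", "head", "options", "request"}


def _is_requests_call(node: ast.Call) -> bool:
    """True for calls spelled requests.<verb>(...); a Call or Subscript in
    func position (e.g. x()()) simply fails the isinstance checks instead of
    being cast to a reference expression."""
    func = node.func
    return (
        isinstance(func, ast.Attribute)
        and isinstance(func.value, ast.Name)
        and func.value.id == "requests"
        and func.attr in REQUESTS_FUNCS
    )


def find_no_verify(source: str) -> list[tuple[int, str]]:
    """Return (lineno, kind) for every requests call whose verify= keyword is
    the literal False ('literal') or cannot be decided statically ('dynamic').
    A missing verify= keeps the library default (True) and is not reported."""
    findings: list[tuple[int, str]] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not _is_requests_call(node):
            continue
        for kw in node.keywords:
            if kw.arg != "verify":
                continue
            value = kw.value
            # Check the node type before reading .value: a Name, Call or
            # Attribute here is exactly the case that crashed the plugin.
            if isinstance(value, ast.Constant) and value.value is False:
                findings.append((node.lineno, "literal"))
            elif not isinstance(value, ast.Constant):
                findings.append((node.lineno, "dynamic"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, kind in find_no_verify(SAMPLE):
        print(f"line {lineno}: verify= is {kind}; certificate validation may be disabled")
```

A "dynamic" finding is a lower-confidence hint to inspect the assignment, which is how a checker can keep reporting instead of crashing on the non-literal case.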

@tonybaloney
Owner

That issue is fixed in 1.0.13. I also did a check for any other unsafe casts, and that's it: https://github.com/tonybaloney/pycharm-security/releases/tag/1.0.13

@jugmac00
Contributor Author

Works like a (py)charm!
