securesauce / precli

Precaution CLI - command line static application security testing tool
https://precli.readthedocs.io/

Add new rule to check for context=None in smtp.starttls or SMTP_SSL #352

Closed ericwb closed 7 months ago

ericwb commented 7 months ago

If a context of unset or None is passed to SMTP_SSL, the implementation will default to creating an unverified context. This means the client connection will not properly verify the server it's connecting to. The instance method of starttls is also vulnerable.

Closes: #342
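As an added illustration of what such a rule looks for (example code written for this page, not precli's own rule implementation), the AST pass below walks a constructed sample and flags `SMTP_SSL(...)` and `.starttls(...)` calls whose `context` keyword is missing or `None`. It assumes the safe form is an explicit `ssl.create_default_context()`, and it only inspects the keyword form of `context`, not positional arguments.

```python
import ast
from dataclasses import dataclass


@dataclass
class Finding:
    lineno: int
    call: str  # "SMTP_SSL" or "starttls"


def _callee_name(func):
    # smtplib.SMTP_SSL(...) / server.starttls(...) -> attribute form;
    # SMTP_SSL(...) after "from smtplib import SMTP_SSL" -> bare name.
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return None


def _context_is_unset_or_none(call):
    # Assumption: only the keyword form of context is modelled here.
    for kw in call.keywords:
        if kw.arg == "context":
            return isinstance(kw.value, ast.Constant) and kw.value.value is None
    return True  # keyword absent: smtplib falls back to its unverified default


def find_unverified_smtp_tls(source: str) -> list[Finding]:
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _callee_name(node.func)
            if name in ("SMTP_SSL", "starttls") and _context_is_unset_or_none(node):
                findings.append(Finding(node.lineno, name))
    return sorted(findings, key=lambda f: f.lineno)


# Constructed sample input: lines 3, 4 and 7 should be flagged, 5 and 8 are fine.
SAMPLE = '''
import smtplib, ssl
a = smtplib.SMTP_SSL("mail.example.com", 465)
b = smtplib.SMTP_SSL("mail.example.com", 465, context=None)
c = smtplib.SMTP_SSL("mail.example.com", 465, context=ssl.create_default_context())
s = smtplib.SMTP("mail.example.com", 587)
s.starttls()
s.starttls(context=ssl.create_default_context())
'''

if __name__ == "__main__":
    for f in find_unverified_smtp_tls(SAMPLE):
        print(f"line {f.lineno}: {f.call} called without a verified ssl context")
```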