sodadata / soda-sql

Soda SQL and Soda Spark have been deprecated and replaced by Soda Core. docs.soda.io/soda-core/overview.html
https://docs.soda.io/
Apache License 2.0

Potentially insecure network communication [LOW] #185

Closed jmarien closed 2 years ago

jmarien commented 2 years ago

In soda_server_client/soda_server_client.py line 30 the code allows specifying an arbitrary network protocol, including non-encrypted protocols (such as plain HTTP).

The risk is that a misconfiguration could have the application connect via plain HTTP to a server that also allows plain HTTP rather than require the more secure HTTP over TLS. As a result, the confidentiality of the communication can be breached, including user credentials that are used to authenticate against the server.

The safest solution is to use a hardcoded TLS protocol.
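One way a client that takes a separate `protocol` setting can default-deny plain HTTP instead of silently using it, as an added example (not code from the soda-sql project; `build_api_url`, `is_tls_url` and their parameters are hypothetical, and the loopback opt-in is an assumption about what a local development setup might need):

```python
"""Enforce TLS on a configurable client endpoint (added example, not soda-sql code)."""
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

ALLOWED_SCHEMES = {"https"}
# Hosts for which a plain-HTTP dev endpoint may be allowed, and only when opted in.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1"}


def build_api_url(protocol: str, host: str, port: Optional[int] = None,
                  path: str = "/api", allow_insecure_loopback: bool = False) -> str:
    """Return the base URL, raising ValueError for any non-TLS scheme.

    Default deny: a missing, empty or misspelt protocol is never downgraded to
    http. The loopback exception is opt-in and limited to LOOPBACK_HOSTS, so a
    config typo cannot send credentials over plain HTTP to a remote server.
    """
    scheme = (protocol or "").strip().lower()
    hostname = (host or "").strip().lower()
    if not hostname:
        raise ValueError("host must not be empty")
    insecure_dev = (allow_insecure_loopback and scheme == "http"
                    and hostname in LOOPBACK_HOSTS)
    if scheme not in ALLOWED_SCHEMES and not insecure_dev:
        raise ValueError(f"refusing non-TLS protocol {scheme!r}; use https")
    netloc = hostname if port is None else f"{hostname}:{port}"
    return urlunsplit((scheme, netloc, path, "", ""))


def is_tls_url(url: str) -> bool:
    """Check a fully formed URL (e.g. read from a config file) before any request is sent."""
    parts = urlsplit(url)
    return parts.scheme.lower() == "https" and bool(parts.hostname)


if __name__ == "__main__":
    print(build_api_url("https", "cloud.soda.io"))          # accepted
    print(build_api_url("http", "localhost", 5000, allow_insecure_loopback=True))
    try:
        build_api_url("http", "cloud.soda.io")               # rejected
    except ValueError as err:
        print("rejected:", err)
```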

jmarien commented 2 years ago

This is solved server-side on cloud.soda.io where TLS is enforced.