Cryptography

PySsl

The ssl module for TLS / SSL. SSLContext with verify_mode=CERT_NONE disables certificate validation (MITM risk). _create_unverified_context() is an explicit bypass — finding for any production code. Use create_default_context() for sane defaults.

2 sinks, 1 sanitizer
Taint flow: 0 sources, 1 sanitizer → 2 sinks
Sanitizers — blocks taint
.create_default_context()
Sinks — dangerous call
._create_unverified_context()
.wrap_socket()

Sinks

._create_unverified_context() (Sink)
Signature
ssl._create_unverified_context() -> SSLContext

Returns a context that skips verification. Always a finding in production code.

.wrap_socket() (Sink)
Signature
ssl.wrap_socket(sock, ssl_version=..., cert_reqs=CERT_NONE, ...) -> SSLSocket

Legacy socket wrapping. Finding when cert_reqs=CERT_NONE.

Sanitizers

.create_default_context() (Sanitizer)
Signature
ssl.create_default_context(purpose=Purpose.SERVER_AUTH, ...) -> SSLContext

Creates a context with safe defaults (verify, hostname check). Sanitizer.

tracks: return

Other Methods

.SSLContext() (Neutral)
Signature
ssl.SSLContext(protocol=PROTOCOL_TLS) -> SSLContext

TLS context. Finding when .check_hostname is False or .verify_mode is CERT_NONE.
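The following is an added illustration, not code from the PySsl rule or the codepathfinder project: a small AST-based check over a constructed Python snippet that flags the same patterns this page lists (the two sinks, plus an SSLContext whose check_hostname or verify_mode has been weakened), and a pair of helpers that show in-process why create_default_context() counts as the sanitizer and _create_unverified_context() as a sink. The function names and the sample source are assumptions made for the example.

```python
"""Added example: detect the ssl-module patterns listed on this page.
Not part of the PySsl rule; sample source below is constructed for the demo."""
import ast
import ssl

# Constructed sample input: one insecure client setup and one hardened one.
SAMPLE_SOURCE = '''
import ssl, socket

def insecure_client(host):
    ctx = ssl._create_unverified_context()          # sink: explicit bypass
    legacy = ssl.wrap_socket(socket.socket(), cert_reqs=ssl.CERT_NONE)
    ctx2 = ssl.SSLContext(ssl.PROTOCOL_TLS)         # neutral on its own ...
    ctx2.check_hostname = False                     # ... until weakened here
    ctx2.verify_mode = ssl.CERT_NONE
    return ctx, legacy, ctx2

def hardened_client(host):
    ctx = ssl.create_default_context()              # sanitizer: verify + hostname
    return ctx.wrap_socket(socket.socket(), server_hostname=host)
'''


def _dotted_name(node):
    """Return 'ssl.CERT_NONE' for an Attribute/Name chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _is_cert_none(node):
    return _dotted_name(node) in ("ssl.CERT_NONE", "CERT_NONE")


def find_ssl_findings(source):
    """Return a line-sorted list of (lineno, reason) for the patterns on this page."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func) or ""
            # Sink: always a finding, regardless of arguments
            if name.endswith("_create_unverified_context"):
                findings.append((node.lineno, "_create_unverified_context()"))
            # Sink: legacy wrapper, only a finding with cert_reqs=CERT_NONE
            elif name.endswith("wrap_socket"):
                for kw in node.keywords:
                    if kw.arg == "cert_reqs" and _is_cert_none(kw.value):
                        findings.append((node.lineno, "wrap_socket(cert_reqs=CERT_NONE)"))
        # Neutral SSLContext becomes a finding once its checks are switched off
        elif isinstance(node, ast.Assign) and len(node.targets) == 1:
            target = _dotted_name(node.targets[0]) or ""
            value = node.value
            if (target.endswith(".check_hostname")
                    and isinstance(value, ast.Constant) and value.value is False):
                findings.append((node.lineno, "check_hostname = False"))
            elif target.endswith(".verify_mode") and _is_cert_none(value):
                findings.append((node.lineno, "verify_mode = CERT_NONE"))
    return sorted(findings)


def default_context_is_verifying():
    """Sanitizer rationale: create_default_context() enables both checks."""
    ctx = ssl.create_default_context()
    return (ctx.verify_mode == ssl.CERT_REQUIRED, ctx.check_hostname)


def unverified_context_is_verifying():
    """Sink rationale: _create_unverified_context() disables both checks."""
    ctx = ssl._create_unverified_context()
    return (ctx.verify_mode == ssl.CERT_REQUIRED, ctx.check_hostname)


if __name__ == "__main__":
    for lineno, reason in find_ssl_findings(SAMPLE_SOURCE):
        print(f"line {lineno}: {reason}")
    print("default context verifying:", default_context_is_verifying())
    print("unverified context verifying:", unverified_context_is_verifying())
```

The hardened_client function in the sample produces no findings: its wrap_socket call is the SSLContext method (no cert_reqs argument) and the context came from the sanitizer. The two runtime helpers never open a connection; they only inspect the attributes each constructor sets, which is what the rule's sink/sanitizer classification rests on.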

Fully-Qualified Names

FQN    Field
ssl    fqns[0]

A wrong FQN yields 0 findings. To verify the FQN is correct, change fqns to a garbage value: the rule must then produce 0 results.

Import

rule.py
from codepathfinder.go_rule import PySsl