No check of host certificate
cym13 opened this issue · 2 comments
cym13 commented
All calls with requests.get have disabled certificate verification. This puts the user in danger of a man-in-the-middle attack.
While the information in those pages isn't private, this opens the door to modification of the results. Those results are then printed on screen.
One possible attack scenario is to inject terminal control characters. Some terminal emulators allow things like writing a log to a file through control characters. This could therefore lead to remote code execution.
I see no good reason to disable those security features and recommend turning them on.
gautamkrishnar commented
Thanks... 👍 Yes SSL must be enabled...
gautamkrishnar commented
Instructions to fix the issue
- Comment in this issue if you are interested 👍
- Find all lines containing:
requests.get(soqurl + query, verify=False)
- Change it to:
requests.get(soqurl + query)
- Submit a new Pull request ⭐️
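As an added example (not code from the project or from anyone in this thread), a small AST-based scanner for the pattern the second step asks contributors to search for: an HTTP call with `verify=False`, plus the equivalent `session.verify = False` assignment. The sample source and its URL are constructed placeholders.

```python
"""Find places in Python source where TLS certificate verification is disabled."""
import ast
from typing import List, Tuple

# requests API methods that accept a `verify=` keyword.
HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options", "request"}

# Constructed sample mimicking the line quoted in the issue; the URL is a placeholder.
SAMPLE_SOURCE = '''\
import requests
soqurl = "https://example.invalid/search?q="
query = "python"
r1 = requests.get(soqurl + query, verify=False)   # flagged: MITM can alter the output
r2 = requests.get(soqurl + query)                 # fine: verification is on by default
r3 = requests.get(soqurl + query, verify=True)    # fine: explicit
session = requests.Session()
session.verify = False                            # flagged: disables it for every call
'''


def _is_false(node: ast.AST) -> bool:
    # Only a literal `False`; `verify=0` is also falsy but is left to a human reviewer.
    return isinstance(node, ast.Constant) and node.value is False


def find_disabled_verification(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, source_text) for every spot that turns verification off."""
    tree = ast.parse(source)
    findings = []
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in HTTP_METHODS):
            # requests.get(url, verify=False) and friends
            if any(kw.arg == "verify" and _is_false(kw.value) for kw in node.keywords):
                findings.append((node.lineno, ast.get_source_segment(source, node)))
        elif isinstance(node, ast.Assign) and _is_false(node.value):
            # session.verify = False
            if any(isinstance(t, ast.Attribute) and t.attr == "verify" for t in node.targets):
                findings.append((node.lineno, ast.get_source_segment(source, node)))
    return sorted(findings)


if __name__ == "__main__":
    for line, text in find_disabled_verification(SAMPLE_SOURCE):
        print(f"line {line}: {text}")
```

Run it over each file of the project (or wire it into CI) so a reintroduced `verify=False` fails review instead of reaching users.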