Skip to content

fix: enable TLS certificate verification across all scanners and crawler#1736

Open
namann5 wants to merge 2 commits into
utksh1:mainfrom
namann5:fix/tls-verification-disabled
Open

fix: enable TLS certificate verification across all scanners and crawler#1736
namann5 wants to merge 2 commits into
utksh1:mainfrom
namann5:fix/tls-verification-disabled

Conversation

@namann5

@namann5 namann5 commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Description

Fixes critical security vulnerability where TLS certificate verification was globally disabled across the entire scanning pipeline.

Changes

  1. config.py: Added \�erify_ssl: bool = True\ to \Settings\ (configurable via \SECUSAN_VERIFY_SSL\ env var)
  2. crawler.py: Changed \�erify=False\ → \�erify=settings.verify_ssl\
  3. xss_validation_scanner.py: Changed \�erify=False\ → \�erify=settings.verify_ssl\
  4. api_scanner.py: Changed \�erify=False\ → \�erify=settings.verify_ssl\
  5. network_vulnerability_scanner.py: Changed \�erify=False\ → \�erify=settings.verify_ssl\

Impact

All outbound HTTPS connections now verify TLS certificates by default, preventing Man-in-the-Middle attacks against scanner operations. Operators can still disable verification for development via \SECUSCAN_VERIFY_SSL=false.

Verification

  • Ruff linting passes (
    uff check)
  • No merge conflicts with upstream/main

Closes #1735

@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.

@utksh1 utksh1 left a comment

Copy link
Copy Markdown
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The TLS-verification goal is important, but this PR needs cleanup before merge:\n\n1. Split out unrelated packaging/CI files from the TLS fix. The title says TLS verification, but the PR also changes dependency declarations and CI-related files.\n2. Add focused tests for the new verification setting / behavior so we know scanners and crawler keep working with verification enabled by default and configurable overrides.\n3. Keep the PR scoped to the actual TLS-certificate verification change only.\n\nOnce the scope is clean and there is direct regression coverage, this will be much easier to merge.

@utksh1 utksh1 added type:security Security work category bonus label area:backend Backend API, database, or service work area:security Security-sensitive implementation or tests level:advanced 55 pts difficulty label for advanced contributor PRs type:bug Bug fix work category bonus label labels Jul 7, 2026
SECUSCAN-001 (Critical): TLS certificate verification was globally disabled
with verify=False in 4 locations (crawler, XSS scanner, API scanner, network
vulnerability scanner), leaving all outbound HTTPS connections vulnerable to
MITM attacks.

Added verify_ssl: bool = True to Settings (configurable via SECUSCAN_VERIFY_SSL
env var) and updated all httpx.AsyncClient calls to reference it.
@namann5 namann5 force-pushed the fix/tls-verification-disabled branch from 2dffe77 to b736888 Compare July 8, 2026 06:59
@namann5

namann5 commented Jul 8, 2026

Copy link
Copy Markdown
Contributor Author

Scope cleaned — The branch fix/tls-verification-disabled now contains only the TLS-certificate verification change (1 commit, 5 files, +10/-4 lines). The unrelated commit (deps sync + CodeQL workflow) was already isolated on fix/missing-dependencies-and-codeql.
Changes retained (the actual TLS fix):

  • backend/secuscan/config.py — added verify_ssl: bool = True to Settings (configurable via SECUSCAN_VERIFY_SSL env var)
  • backend/secuscan/crawler.py — switched verify=False → verify=settings.verify_ssl
  • backend/secuscan/scanners/xss_validation_scanner.py — same
  • backend/secuscan/scanners/api_scanner.py — same
  • backend/secuscan/scanners/network_vulnerability_scanner.py — same
    Tests added (12 new tests total):
  1. testing/backend/unit/test_config_settings.py (3 tests):
  • test_verify_ssl_defaults_to_true — default is True
  • test_verify_ssl_can_be_disabled_via_constructor — verify_ssl=False accepted
  • test_verify_ssl_can_be_explicitly_enabled — verify_ssl=True accepted
  1. testing/backend/unit/test_tls_verification.py (9 tests):
  • 2 per scanner/crawler (verify default + verify=False override) for all 4 affected locations
  • 1 global assertion that settings.verify_ssl is True by default
  • Uses unittest.mock.patch to intercept httpx.AsyncClient construction and assert the verify parameter matches settings.verify_ssl, plus monkeypatch.setattr to test the verify_ssl=False override path
  • All 41 tests in both files pass

@utksh1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area:backend Backend API, database, or service work area:security Security-sensitive implementation or tests level:advanced 55 pts difficulty label for advanced contributor PRs type:bug Bug fix work category bonus label type:security Security work category bonus label

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[SECURITY] TLS certificate verification globally disabled across all scanners and crawler (Critical)

2 participants