
reenable TLS warnings #95

Open. Wants to merge 1 commit into base: master

Conversation

jchorl

@jchorl jchorl commented Dec 15, 2024

I came across this line disabling TLS warnings.

From the urllib3 docs:

Making unverified HTTPS requests is strongly discouraged, however, if you understand the risks and wish to disable these warnings, you can use disable_warnings()

I blamed the code to 4 years ago, and I couldn't find why this is done: 3097081#diff-0f277423077241e22dbb7aee66e238d101053c903d7c388d0252a11ce1fcdaaeR8

This feels supremely dangerous to put in a public library. Furthermore, I think it can be disabled by setting an env var if someone really needs this functionality: https://stackoverflow.com/a/28002687

Forgive me if I misunderstand the implications of this line of code.

Thanks!

@jchorl
Author

jchorl commented Dec 15, 2024

My editor also removed some unnecessary whitespace.

@kbessonov1984
Collaborator

kbessonov1984 commented Jan 23, 2025

The reason we disabled HTTPS certificate verification in the requests.get() function at

response = requests.get(url,timeout=10, verify=False)

is because some users in our tests were not able to download the SpeciesID database and install the necessary TLS certificates when running inside a Docker container. Since we are downloading from Zenodo, which is a reputable repository, and the URL links are "permanent", plus the typing tool is for research and public health purposes, I do not see this as a major concern. In addition, one can manually download the database and initialize it by running mash info on the sketch, or download it from a Singularity/Docker container available at https://quay.io/repository/biocontainers/ectyper

@jchorl
Author

jchorl commented Jan 23, 2025

I actually looked further into this, and found that this code is just disabling a warning for when TLS validation fails. It doesn't disable TLS validation.

However, this code does seem to disable TLS validation:

response = requests.get(url,timeout=10, verify=False)

Do I understand this correctly?

Since we are downloading from Zenodo which is a reputable repository and url links are "permanent" plus the typing tool is for research and public health purposes I do not see this as a major concern.

But how can you know that you're downloading from Zenodo if TLS is disabled? The user's network could MITM the request, spy on it, serve malicious payloads, etc.
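For comparison, the following is an added example (not ectyper's code) of what the download looks like with verification kept on, using only the Python standard library: a container image that lacks system trust roots supplies a CA bundle through a hypothetical ECTYPER_CA_BUNDLE variable instead of passing verify=False, and the payload is checked against a SHA-256 digest that the release is assumed to publish.

```python
"""Added example (not ectyper code): fetch a database file over HTTPS with
certificate verification kept on, using only the standard library."""
import hashlib
import os
import ssl
import urllib.request

# Hypothetical environment variable: a Docker image with no system trust
# store points it at a PEM bundle instead of turning verification off.
CA_BUNDLE_ENV = "ECTYPER_CA_BUNDLE"


def build_ssl_context(ca_bundle=None):
    """Return a verifying context (CERT_REQUIRED plus hostname check).

    create_default_context() is the stdlib equivalent of verify=True; the
    verify=False pattern from the thread corresponds to CERT_NONE with
    check_hostname disabled, which this function never does.
    """
    ctx = ssl.create_default_context()
    bundle = ca_bundle or os.environ.get(CA_BUNDLE_ENV)
    if bundle:
        # Adds the user's roots to the default trust store rather than
        # replacing verification with trust-everything behaviour.
        ctx.load_verify_locations(cafile=bundle)
    return ctx


def digest_matches(data, expected_sha256):
    """Compare the downloaded bytes against a SHA-256 published with the release."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()


def fetch_verified(url, expected_sha256, ca_bundle=None, timeout=10):
    """Download url over verified TLS and refuse a payload whose digest differs.

    Even with a "permanent" Zenodo link, the digest check catches a tampered
    or truncated file that a man-in-the-middle or a broken mirror served.
    """
    ctx = build_ssl_context(ca_bundle)
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        data = resp.read()
    if not digest_matches(data, expected_sha256):
        raise ValueError("downloaded file does not match the pinned SHA-256")
    return data
```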
