New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[SECURITY] unsafeSecure() should not be used in samples #617

Open

JLLeitschuh opened this issue Jul 2, 2019 · 1 comment

JLLeitschuh commented Jul 2, 2019 •

edited

Loading

Insecure example code leads to insecure production code

By offering "working" code that is insecure by default, you are inherently suggesting that users use insecure coding practices by default.

For example, the samples recommend the use of unsafeSecure().

This is itself a security risk to the users of a library.

The text was updated successfully, but these errors were encountered:

Author

JLLeitschuh commented Jul 3, 2019

I 100% recommend adding a method like the following as simpleSecure(). (Mine is written in Kotlin, obvious this would be translated to Java)

private fun defaultSSLEngineForClient(): Func1<ByteBufAllocator, SSLEngine> {
    val clientProvider = SslContext.defaultClientProvider()
    val context = SslContextBuilder.forClient().sslProvider(clientProvider).build()

    return Func1 { buff -> context.newEngine(buff) }
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment