
[SECURITY] unsafeSecure() should not be used in samples

Open JLLeitschuh opened this issue 6 years ago • 1 comment

Insecure example code leads to insecure production code

By offering "working" code that is insecure by default, you are inherently suggesting that users use insecure coding practices by default.

For example, the samples recommend the use of unsafeSecure().

This is itself a security risk to the users of a library.

JLLeitschuh avatar Jul 02 '19 20:07 JLLeitschuh

I 100% recommend adding a method like the following as simpleSecure(). (Mine is written in Kotlin; obviously this would be translated to Java.)

import io.netty.buffer.ByteBufAllocator
import io.netty.handler.ssl.SslContext
import io.netty.handler.ssl.SslContextBuilder
import javax.net.ssl.SSLEngine
import rx.functions.Func1

private fun defaultSSLEngineForClient(): Func1<ByteBufAllocator, SSLEngine> {
    val clientProvider = SslContext.defaultClientProvider()   // JDK or OpenSSL, whichever Netty has available
    val context = SslContextBuilder.forClient().sslProvider(clientProvider).build()   // no trustManager(): default trust store

    return Func1 { buff -> context.newEngine(buff) }   // one SSLEngine per connection
}

JLLeitschuh avatar Jul 03 '19 14:07 JLLeitschuh
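The Java translation the comment above asks for, as an added example that is not RxNetty's own code and not part of this issue: a secure SSLEngine factory placed beside the trust-everything factory that `unsafeSecure()` amounts to (assumed here to be `InsecureTrustManagerFactory`; check the RxNetty source for the exact implementation). It assumes Netty 4.1 (`io.netty.handler.ssl`), RxJava 1 (`rx.functions.Func1`) and the RxNetty 0.5.x `HttpClient.newClient(host, port).secure(...)` API. Two details beyond the Kotlin snippet are worth noting: the engine is created with the peer host and port, and endpoint identification is switched on, because Netty's client engine does not verify the hostname in the certificate by default.

```java
import io.netty.buffer.ByteBuf;
import io.netty.buffer.ByteBufAllocator;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
import io.reactivex.netty.protocol.http.client.HttpClient;
import rx.functions.Func1;

import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;

/** Added example; not RxNetty code. Assumes Netty 4.1, RxJava 1 and RxNetty 0.5.x. */
public final class SslEngineFactories {

    /**
     * What "unsafeSecure()" boils down to (assumption about RxNetty internals):
     * every certificate chain is accepted, so a self-signed or attacker-issued
     * certificate passes and TLS gives no authentication at all. Never ship this.
     */
    public static Func1<ByteBufAllocator, SSLEngine> insecureClientEngine(String host, int port)
            throws SSLException {
        SslContext ctx = SslContextBuilder.forClient()
                .trustManager(InsecureTrustManagerFactory.INSTANCE) // accepts any chain
                .build();
        return alloc -> ctx.newEngine(alloc, host, port);
    }

    /**
     * The "simpleSecure()" the comment proposes: default provider, default JDK
     * trust store, plus hostname verification against the peer host.
     */
    public static Func1<ByteBufAllocator, SSLEngine> secureClientEngine(String host, int port)
            throws SSLException {
        SslContext ctx = SslContextBuilder.forClient()
                .sslProvider(SslContext.defaultClientProvider()) // JDK or OpenSSL
                .build(); // no trustManager(...): the JDK default trust store is used
        return alloc -> {
            // Pass host/port so the engine knows which name to check.
            SSLEngine engine = ctx.newEngine(alloc, host, port);
            // Without this, a valid certificate for *any* host is accepted.
            SSLParameters params = engine.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            engine.setSSLParameters(params);
            return engine;
        };
    }

    public static void main(String[] args) throws SSLException {
        String host = "example.com"; // placeholder target, constructed for the example
        int port = 443;

        HttpClient<ByteBuf, ByteBuf> client = HttpClient.newClient(host, port)
                .secure(secureClientEngine(host, port)); // instead of .unsafeSecure()

        client.createGet("/")
                .doOnNext(resp -> System.out.println("status: " + resp.getStatus()))
                .toBlocking()
                .last();
    }
}
```

A quick check that the secure factory really verifies: point it at a host whose certificate does not match (or a self-signed test server) and the handshake must fail with an `SSLHandshakeException`; the insecure factory will connect happily to the same host, which is exactly the behaviour the issue objects to in sample code.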