From bf426a8cd7a790928bfd9f1a8fe0d6cae5e0ab33 Mon Sep 17 00:00:00 2001
From: clavedeluna
Date: Tue, 6 Feb 2024 14:58:14 -0300
Subject: [PATCH] update requests-verify docs to document for httpx
---
 .../docs/pixee_python_requests-verify.md | 12 ++++++++++--
 src/core_codemods/requests_verify.py | 3 ++-
 2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/src/core_codemods/docs/pixee_python_requests-verify.md b/src/core_codemods/docs/pixee_python_requests-verify.md
index 36837b59..3b44c7f0 100644
--- a/src/core_codemods/docs/pixee_python_requests-verify.md
+++ b/src/core_codemods/docs/pixee_python_requests-verify.md
@@ -1,8 +1,10 @@
-This codemod checks that calls to the `requests` module API use `verify=True` or a path to a CA bundle to ensure TLS certificate validation.
+This codemod checks that calls to the `requests` module API or the `httpx` library use `verify=True` or a path to a CA bundle to ensure TLS certificate validation.
 The [requests documentation](https://requests.readthedocs.io/en/latest/api/) warns that the `verify` flag
 > When set to False, requests will accept any TLS certificate presented by the server, and will ignore hostname mismatches and/or expired certificates, which will make your application vulnerable to man-in-the-middle (MitM) attacks. Setting verify to False may be useful during local development or testing.
+Similarly, setting `verify=False` when using the `httpx` library to make requests disables certificate verification.
+
 The changes from this codemod look like this:
@@ -11,6 +13,12 @@ The changes from this codemod look like this:
 - requests.get("www.google.com", ...,verify=False)
 + requests.get("www.google.com", ...,verify=True)
+...
+import httpx
+
+- httpx.get("www.google.com", ...,verify=False)
++ httpx.get("www.google.com", ...,verify=True)
+
 ```
-This codemod also checks other methods in the `requests` module that accept a `verify` flag (e.g. `requests.post`, etc.)
+This codemod also checks other methods in the `requests` module and `httpx` library that accept a `verify` flag (e.g. `requests.post`, `httpx.AsyncClient`, etc.)
diff --git a/src/core_codemods/requests_verify.py b/src/core_codemods/requests_verify.py
index 004748b5..bbd7ac24 100644
--- a/src/core_codemods/requests_verify.py
+++ b/src/core_codemods/requests_verify.py
@@ -14,13 +14,14 @@ class RequestsVerify(SimpleCodemod):
 review_guidance=ReviewGuidance.MERGE_AFTER_CURSORY_REVIEW,
 references=[
 Reference(url="https://requests.readthedocs.io/en/latest/api/"),
+ Reference(url="https://www.python-httpx.org/"),
 Reference(
 url="https://owasp.org/www-community/attacks/Manipulator-in-the-middle_attack"
 ),
 ],
 )
 change_description = (
- "Makes any calls to requests.{func} with `verify=False` to `verify=True`."
+ "Ensures requests using the `requests` or `httpx` library use `verify=True`."
 )
 detector_pattern = """
 rules:
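Review bot: The rewritten `change_description` is less precise than the string it replaces: the codemod changes `verify=False` to `verify=True`, but "Ensures requests ... use `verify=True`" reads as if calls that pass a CA-bundle path (which the accompanying doc says is acceptable) or that omit `verify` would also be rewritten. Suggest `"Rewrites verify=False to verify=True in calls to the requests and httpx libraries."`. Dropping the old `{func}` placeholder is harmless if the string is still passed through `str.format`, since the new literal contains no braces. The hunk ends at the first line of `detector_pattern`, so whether the Semgrep rules below already match `httpx` callers cannot be seen here; if they do not, the description and the updated doc claim coverage the detector does not yet provide. The `Metadata(...)` call and the class body both begin before this hunk.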