fix(integrations): Enforce SSL certificate verification in email integration #407

Open · wants to merge 1 commit into main

Conversation

zeropath-ai[bot]

@zeropath-ai zeropath-ai bot commented Sep 20, 2024

Summary

  • The Vulnerability Description: Unverified SSL context detected, which permits insecure connections without verifying SSL certificates. This can expose communication to potential man-in-the-middle attacks.
  • This Fix: Replace the use of ssl._create_unverified_context() with ssl.create_default_context() to ensure proper SSL certificate verification during connections.
  • The Cause of the Issue: The application configuration allowed ignoring SSL certificate errors, leading to the usage of an unverified SSL context.
  • The Patch Implementation: Modified the conditional checks to use ssl.create_default_context() instead of ssl._create_unverified_context() when SSL certificate errors are not to be ignored. This change is implemented for both SSL and STARTTLS contexts in the email provider class.

Vulnerability Details

  • Vulnerability Class: Insecure Configuration
  • Severity: 6.5
  • Affected File: tracecat/actions/core/email.py
  • Vulnerable Lines: 120-120

Code Snippets

diff --git a/tracecat/actions/core/email.py b/tracecat/actions/core/email.py
index a2c5f39..4ba6620 100644
--- a/tracecat/actions/core/email.py
+++ b/tracecat/actions/core/email.py
@@ -116,8 +116,8 @@ class SmtpMailProvider(AsyncMailProvider):
         try:
             if SMTP_SSL_ENABLED:
                 context = None
-                if SMTP_IGNORE_CERT_ERRORS:
-                    context = ssl._create_unverified_context()
+                if not SMTP_IGNORE_CERT_ERRORS:
+                    context = ssl.create_default_context()
                 server = smtplib.SMTP_SSL(SMTP_HOST, SMTP_PORT, context=context)
             else:
                 server = smtplib.SMTP(SMTP_HOST, SMTP_PORT)
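Review bot: In the new `if not SMTP_IGNORE_CERT_ERRORS:` branch the insecure case is handled only by leaving `context = None`, so whether certificates are verified when the flag is set now depends on what `smtplib.SMTP_SSL` builds for a missing context rather than on a visible decision in this file. Make that path explicit: assign `context = ssl.create_default_context()` unconditionally, relax `check_hostname`/`verify_mode` only inside the ignore branch, and log a warning there, so the insecure behaviour is auditable and does not shift with the standard library's default. The `context = None` initialiser then becomes unnecessary.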
@@ -126,8 +126,8 @@ class SmtpMailProvider(AsyncMailProvider):
 
             if SMTP_STARTTLS_ENABLED:
                 context = None
-                if SMTP_IGNORE_CERT_ERRORS:
-                    context = ssl._create_unverified_context()
+                if not SMTP_IGNORE_CERT_ERRORS:
+                    context = ssl.create_default_context()
                 server.starttls(context=context)
 
             if SMTP_AUTH_ENABLED:
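Review bot: This STARTTLS branch duplicates the context-building logic of the `SMTP_SSL` branch above, including the same reliance on `server.starttls(context=None)` for the ignore case; factor both into one helper that returns an explicit context so the two paths cannot drift apart. The PR description lists only line 120 as vulnerable, yet this hunk (around line 130) needed the identical change, which the helper would also make obvious.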

How to Modify the Patch

You can modify this patch by using one of the two methods outlined below. We recommend using the ZeroPath bot for updating the code. If you encounter any bugs or issues with the patch, please report them here.

Ask @zeropath-ai!

To request modifications, please post a comment beginning with @zeropath-ai and specify the changes required.

@zeropath-ai will then implement the requested adjustments and commit them to the specified branch in this pull request. Our bot is capable of managing changes across multiple files and various development-related requests.

Manually Modify the Files

# Checkout ZeroPath created branch:
git checkout zeropath_fix_insecure_configuration_1724778566444967

# if vscode is installed run (or use your favorite editor / IDE):
code tracecat/actions/core/email.py

# Add, commit, and push changes (the remote is assumed here to be named origin):
git add -A
git commit -m "Update generated patch with x, y, and z changes."
git push origin zeropath_fix_insecure_configuration_1724778566444967
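
The fix described above, written out as an added runnable example that is not code from this PR or from the tracecat project: the TLS context is always built explicitly, certificate verification is on by default, and the `SMTP_IGNORE_CERT_ERRORS` opt-out is spelled out and logged instead of being left to what `smtplib` does with `context=None`. The function names and the `use_ssl`/`use_starttls` parameters are this example's own.

```python
import logging
import smtplib
import ssl

log = logging.getLogger(__name__)


def build_smtp_context(ignore_cert_errors: bool) -> ssl.SSLContext:
    """Return an explicit SSLContext for SMTP_SSL() and starttls().

    Verified chain + hostname check is the default. The insecure path is
    opt-in, spelled out and logged, instead of being left to whatever
    smtplib constructs when it receives context=None.
    """
    ctx = ssl.create_default_context()          # CERT_REQUIRED, check_hostname=True
    if ignore_cert_errors:
        log.warning("SMTP_IGNORE_CERT_ERRORS set: TLS certificates will NOT be verified")
        ctx.check_hostname = False              # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe(ctx: ssl.SSLContext) -> dict:
    """What a context enforces, in a form a unit test or audit can assert on."""
    return {"verify_mode": ctx.verify_mode.name, "check_hostname": ctx.check_hostname}


def implicit_smtplib_context_verifies() -> bool:
    """Does the context smtplib builds for context=None verify certificates?

    smtplib falls back to ssl._create_stdlib_context(), a private alias that
    has historically produced an unverified context; check rather than assume.
    """
    factory = getattr(ssl, "_create_stdlib_context", ssl._create_unverified_context)
    return factory().verify_mode == ssl.CERT_REQUIRED


def open_smtp(host: str, port: int, use_ssl: bool, use_starttls: bool,
              ignore_cert_errors: bool) -> smtplib.SMTP:
    """Wire one explicit context into both paths the patch touches (not run here)."""
    context = build_smtp_context(ignore_cert_errors)
    if use_ssl:
        return smtplib.SMTP_SSL(host, port, context=context)   # implicit TLS
    server = smtplib.SMTP(host, port)
    if use_starttls:
        server.starttls(context=context)                        # upgrade in-band
    return server
```

`open_smtp` is the only function that touches the network; the other three run offline and are what a unit test for the email provider would assert on.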

@topher-lo topher-lo changed the title Fix: Use 'ssl.create_default_context' instead of 'ssl._create_unverified_context' to enforce SSL certificate verification. fix(integrations): Enforce SSL certificate verification in email integration Sep 20, 2024
@github-actions github-actions bot added the fix Bug fix label Sep 20, 2024
@topher-lo topher-lo added the security Security related issue label Sep 20, 2024