From d8b2db696f51a42aa1e2a4224c649ebc1952b2e0 Mon Sep 17 00:00:00 2001
From: travisBREAKS <148665997+travisbreaks@users.noreply.github.com>
Date: Sun, 12 Apr 2026 01:14:12 -0500
Subject: [PATCH] fix(bench): remove global SSL verification bypass in convomem_bench (#176)
The module-level `ssl._create_default_https_context = ssl._create_unverified_context` disables certificate verification for ALL urllib requests in the process, not just the benchmark's HuggingFace downloads. This silently exposes the benchmark runner to MITM attacks. If a specific environment needs to skip verification (e.g. corporate proxy), users can set `PYTHONHTTPSVERIFY=0` or pass a custom ssl context per-request rather than globally patching the ssl module.
Co-authored-by: Tadao
---
 benchmarks/convomem_bench.py | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/benchmarks/convomem_bench.py b/benchmarks/convomem_bench.py
index a955615..b4b2acf 100644
--- a/benchmarks/convomem_bench.py
+++ b/benchmarks/convomem_bench.py
@@ -25,7 +25,6 @@ import os
 import sys
 import json
 import shutil
-import ssl
 import tempfile
 import argparse
 import urllib.request
@@ -35,9 +34,6 @@ from datetime import datetime
 import chromadb
-# Bypass SSL for restricted environments
-ssl._create_default_https_context = ssl._create_unverified_context
-
 sys.path.insert(0, str(Path(__file__).parent.parent))
 HF_BASE = "https://huggingface.co/datasets/Salesforce/ConvoMem/resolve/main/core_benchmark/evidence_questions"