Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

tls: warn on NODE_TLS_REJECT_UNAUTHORIZED = '0' #21900

Merged
merged 1 commit into from
Jul 23, 2018
Merged

tls: warn on NODE_TLS_REJECT_UNAUTHORIZED = '0' #21900

merged 1 commit into from
Jul 23, 2018

Conversation

cjihrig
Copy link
Contributor

@cjihrig cjihrig commented Jul 20, 2018

Warn on the first request that sets the NODE_TLS_REJECT_UNAUTHORIZED environment variable to '0'.

Refs: #21774

Checklist
  • make -j4 test (UNIX), or vcbuild test (Windows) passes
  • tests and/or benchmarks are included
  • commit message follows commit guidelines

@nodejs-github-bot
Copy link
Collaborator

@cjihrig build started: https://ci.nodejs.org/blue/organizations/jenkins/node-test-pull-request-lite-pipeline/detail/node-test-pull-request-lite-pipeline/320/pipeline

mscdex
mscdex reviewed Jul 20, 2018
View reviewed changes
lib/_tls_wrap.js Outdated
// Arguments: [port,] [host,] [options,] [cb]
exports.connect = function connect(...args) {
args = normalizeConnectArgs(args);
var options = args[0];
var cb = args[1];
const allowUnauthorized = '0' === process.env.NODE_TLS_REJECT_UNAUTHORIZED;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we reverse this equality check?: process.env.NODE_TLS_REJECT_UNAUTHORIZED === '0'

ChALkeR
ChALkeR reviewed Jul 20, 2018
View reviewed changes
lib/_tls_wrap.js Outdated
warnOnAllowUnauthorized = false;
process.emitWarning('Setting the NODE_TLS_REJECT_UNAUTHORIZED ' +
'environment variable to \'0\' is considered ' +
'insecure.');
Copy link
Member

@ChALkeR ChALkeR Jul 20, 2018
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

«is considered insecure» is too broad, imo.

Perhaps something among the lines «makes tls connections and https requests insecure»?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Possibly even add "by disabling certificate verification" or so, because my experience is that people using this option almost never actually know what it does... and have just enabled it because a code example suggested it / a StackOverflow answer told them to / their boss told them to / etc.

Copy link
Member

@ChALkeR ChALkeR Jul 20, 2018
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, makes tls connections and https requests insecure by disabling certificate verification looks much better to me :-).

@cjihrig
tls: warn on NODE_TLS_REJECT_UNAUTHORIZED = '0'
3095eec 
Warn on the first request that sets the
NODE_TLS_REJECT_UNAUTHORIZED environment variable to '0'.

PR-URL: nodejs#21900
Refs: nodejs#21774
Reviewed-By: James M Snell <jasnell@gmail.com>
@cjihrig
Copy link
Contributor Author

cjihrig commented Jul 23, 2018

Green CI: https://ci.nodejs.org/job/node-test-pull-request/15973/

@cjihrig cjihrig merged commit 3095eec into nodejs:master Jul 23, 2018
@cjihrig cjihrig deleted the warn branch July 23, 2018 01:53
ChALkeR
ChALkeR reviewed Jul 23, 2018
View reviewed changes
Copy link
Member

@ChALkeR ChALkeR left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Belated LGTM, the comments were addressed.

This was referenced Jul 23, 2018
Closed
Closed
@targos
Copy link
Member

targos commented Jul 24, 2018

This has no label. Should it be semver-minor? Or at least a notable-change?

@targos
Copy link
Member

targos commented Jul 26, 2018

^ @cjihrig @ChALkeR
I ask for the changelog.

@mscdex mscdex added the tls Issues and PRs related to the tls subsystem. label Jul 26, 2018
@mscdex
Copy link
Contributor

mscdex commented Jul 26, 2018

Yeah, this should have been semver-major I believe.

@cjihrig
Copy link
Contributor Author

cjihrig commented Jul 26, 2018

Yeah, as a new warning, I think semver-major might be appropriate.

@targos targos added the semver-major PRs that contain breaking changes and should be released in the next major version. label Jul 26, 2018
@targos
Copy link
Member

targos commented Jul 26, 2018

OK I added the label

@ChALkeR
Copy link
Member

ChALkeR commented Jul 26, 2018

@mscdex @targos I am fine with either semver-major or semver-minor/notable-change.

@ChALkeR ChALkeR added the security Issues and PRs related to security. label Jul 31, 2018
@brunodmartins brunodmartins mentioned this pull request Mar 23, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@joepie91 joepie91 joepie91 left review comments

@ChALkeR ChALkeR ChALkeR left review comments

@mscdex mscdex mscdex left review comments

@jasnell jasnell jasnell approved these changes

Assignees
No one assigned
Labels
security Issues and PRs related to security. semver-major PRs that contain breaking changes and should be released in the next major version. tls Issues and PRs related to the tls subsystem.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@cjihrig @nodejs-github-bot @targos @mscdex @ChALkeR @jasnell @joepie91