-
Notifications
You must be signed in to change notification settings - Fork 1.3k
Set rejectUnauthorized to true by default #3149
Conversation
This would resolve #3067 |
Thanks! I've added the |
Resolve CVE-2020-240-25 by setting rejectUnauthorized to true by default. Add configuration flag to override this to false if necessary. extract rejectUnauthorized download option to its own file. Add doc option to README.md.
76de3fb
to
82e2762
Compare
Added other options for changing the configuration setting and updated README. Have removed WIP tag from PR. A couple of build steps failed but I couldn't see why - is that expected @xzyfer ? |
Yes some of the Alpine build jobs fail. It's expected. |
@xzyfer - any update on when this will be merged? |
Hi @xzyfer - just wondering when I can expect this to be released? |
@xzyfer |
We put this into in v7 because it was technically a breaking change. |
@xzyfer what part of it is breaking? I see the addition of a flag, but no change in the existing flags |
IIRC in order to address the security concern the default value for the
flag was reversed.
…On Fri, 25 Feb 2022, 2:40 pm J Garcia, ***@***.***> wrote:
@xzyfer <https://github.com/xzyfer> what part of it is breaking? I see
the addition of a flag, but no change in the existing flags
—
Reply to this email directly, view it on GitHub
<#3149 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAENSWD3IBZLJX4HGZE65MTU4322BANCNFSM5APMRSGQ>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
feels like a minor change to me, it doesn't break functionality right? None of the current binaries should be requiring that flag |
@xzyfer Would appreciate a deeper look at the feasability of a minor update, I'm definitely not the only one that can't upgrade to 7 easily, and I'll probably ignore this update or patch it manually until I can do a broader tooling upgrade |
patch file: diff --git a/node_modules/node-sass/scripts/util/downloadoptions.js b/node_modules/node-sass/scripts/util/downloadoptions.js
index 2352971..e9056b1 100644
--- a/node_modules/node-sass/scripts/util/downloadoptions.js
+++ b/node_modules/node-sass/scripts/util/downloadoptions.js
@@ -1,5 +1,6 @@
var proxy = require('./proxy'),
- userAgent = require('./useragent');
+ userAgent = require('./useragent'),
+ rejectUnauthorized = require('./rejectUnauthorized');
/**
* The options passed to request when downloading the bibary
@@ -14,7 +15,7 @@ var proxy = require('./proxy'),
*/
module.exports = function() {
var options = {
- rejectUnauthorized: false,
+ rejectUnauthorized: rejectUnauthorized(),
timeout: 60000,
headers: {
'User-Agent': userAgent(),
diff --git a/node_modules/node-sass/scripts/util/rejectUnauthorized.js b/node_modules/node-sass/scripts/util/rejectUnauthorized.js
new file mode 100644
index 0000000..a1c8010
--- /dev/null
+++ b/node_modules/node-sass/scripts/util/rejectUnauthorized.js
@@ -0,0 +1,46 @@
+var pkg = require('../../package.json');
+
+/**
+ * Get the value of a CLI argument
+ *
+ * @param {String} name
+ * @param {Array} args
+ * @api private
+ */
+ function getArgument(name, args) {
+ var flags = args || process.argv.slice(2),
+ index = flags.lastIndexOf(name);
+
+ if (index === -1 || index + 1 >= flags.length) {
+ return null;
+ }
+
+ return flags[index + 1];
+}
+
+/**
+ * Get the value of reject-unauthorized
+ * If environment variable SASS_REJECT_UNAUTHORIZED is non-zero,
+ * .npmrc variable sass_reject_unauthorized or
+ * process argument --sass-reject_unauthorized is provided,
+ * set rejectUnauthorized to true
+ * Else set to false by default
+ *
+ * @return {Boolean} The value of rejectUnauthorized
+ * @api private
+ */
+module.exports = function() {
+ var rejectUnauthorized = false;
+
+ if (getArgument('--sass-reject-unauthorized')) {
+ rejectUnauthorized = getArgument('--sass-reject-unauthorized');
+ } else if (process.env.SASS_REJECT_UNAUTHORIZED !== '0') {
+ rejectUnauthorized = true;
+ } else if (process.env.npm_config_sass_reject_unauthorized) {
+ rejectUnauthorized = process.env.npm_config_sass_reject_unauthorized;
+ } else if (pkg.nodeSassConfig && pkg.nodeSassConfig.rejectUnauthorized) {
+ rejectUnauthorized = pkg.nodeSassConfig.rejectUnauthorized;
+ }
+
+ return rejectUnauthorized;
+};
diff --git a/node_modules/node-sass/test/downloadoptions.js b/node_modules/node-sass/test/downloadoptions.js
index de89638..a6e2d9b 100644
--- a/node_modules/node-sass/test/downloadoptions.js
+++ b/node_modules/node-sass/test/downloadoptions.js
@@ -8,7 +8,7 @@ describe('util', function() {
describe('without a proxy', function() {
it('should look as we expect', function() {
var expected = {
- rejectUnauthorized: false,
+ rejectUnauthorized: true,
timeout: 60000,
headers: {
'User-Agent': ua(),
@@ -33,7 +33,7 @@ describe('util', function() {
it('should look as we expect', function() {
var expected = {
- rejectUnauthorized: false,
+ rejectUnauthorized: true,
proxy: proxy,
timeout: 60000,
headers: {
@@ -57,6 +57,25 @@ describe('util', function() {
delete process.env.HTTP_PROXY;
});
+ it('should look as we expect', function() {
+ var expected = {
+ rejectUnauthorized: true,
+ timeout: 60000,
+ headers: {
+ 'User-Agent': ua(),
+ },
+ encoding: null,
+ };
+
+ assert.deepStrictEqual(opts(), expected);
+ });
+ });
+
+ describe('with SASS_REJECT_UNAUTHORIZED set to false', function() {
+ beforeEach(function() {
+ process.env.SASS_REJECT_UNAUTHORIZED = '0';
+ });
+
it('should look as we expect', function() {
var expected = {
rejectUnauthorized: false,
@@ -70,5 +89,47 @@ describe('util', function() {
assert.deepStrictEqual(opts(), expected);
});
});
+
+ describe('with SASS_REJECT_UNAUTHORIZED set to true', function() {
+ beforeEach(function() {
+ process.env.SASS_REJECT_UNAUTHORIZED = '1';
+ });
+
+ it('should look as we expect', function() {
+ var expected = {
+ rejectUnauthorized: true,
+ timeout: 60000,
+ headers: {
+ 'User-Agent': ua(),
+ },
+ encoding: null,
+ };
+
+ assert.deepStrictEqual(opts(), expected);
+ });
+ });
+
+ describe('with npm_config_sass_reject_unauthorized set to true', function() {
+ beforeEach(function() {
+ process.env.npm_config_sass_reject_unauthorized = true;
+ });
+
+ it('should look as we expect', function() {
+ var expected = {
+ rejectUnauthorized: true,
+ timeout: 60000,
+ headers: {
+ 'User-Agent': ua(),
+ },
+ encoding: null,
+ };
+
+ assert.deepStrictEqual(opts(), expected);
+ });
+
+ afterEach(function() {
+ process.env.npm_config_sass_reject_unauthorized = undefined;
+ });
+ });
});
}); |
Resolve CVE-2020-240-25 by setting rejectUnauthorized to true by default.
Add configuration flag to override this to false if necessary.
Add doc option to README.md