Potential fix for code scanning alert no. 38: Disabling certificate validation

[TheInfamousToTo]

Potential fix for https://github.com/TheInfamousToTo/PiHoleVault/security/code-scanning/38

To fix the problem, we should stop disabling TLS certificate validation and let Node’s default behavior verify server certificates against the system trust store. This means removing rejectUnauthorized: false and only customizing the https.Agent when strictly necessary (for example, when a trusted custom CA is configured), and even then keeping rejectUnauthorized: true.

The single best fix, without changing functionality more than necessary, is:

• Do not create an https.Agent with rejectUnauthorized: false by default.
• When useHttps is false, we don’t need an https.Agent at all.
• When useHttps is true, either:
  • Rely on the default https.Agent by omitting httpsAgent entirely, or
  • If in the wider codebase there is support for custom CA certificates, we could create an https.Agent with that CA while keeping rejectUnauthorized at its default (true). Because we are not shown such configuration here, we will choose the safe/default path: only set httpsAgent when useHttps is true, and in that case, do not override rejectUnauthorized.

Concretely in backend/services/PiHoleWebService.js, inside createApiClient:

• Compute the httpsAgent based on useHttps:
  • const httpsAgent = useHttps ? new https.Agent() : undefined;
• Pass this httpsAgent into axios.create, but only when defined.
• Remove rejectUnauthorized: false entirely.

This keeps the public interface of createApiClient unchanged while restoring proper certificate validation for HTTPS connections.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

[Copilot]

Pull request overview

This PR addresses code scanning alert #38 by removing the explicit disabling of TLS certificate validation in the backend Pi-hole web client, restoring Node’s default HTTPS certificate verification behavior.

Changes:

• Removed rejectUnauthorized: false from the Axios HTTPS agent configuration.
• Only provides an httpsAgent when useHttps is enabled (and omits it for HTTP).

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

new https.Agent() is being created even though no custom agent options are being set. Since createApiClient returns a new Axios instance each call, this can prevent reuse of Node’s default global agent (connection pooling / TLS session reuse) and adds overhead. Consider omitting httpsAgent entirely unless you need to customize it (e.g., custom CA or keepAlive settings), and rely on Axios/Node defaults for HTTPS.