Signed-off-by: dhmlau <dhmlau@ca.ibm.com>
| // Disable SSL certificate validation for HTTPS requests | ||
| // This is acceptable for a testing/caching proxy | ||
| httpsAgent: new (require('node:https').Agent)({ | ||
| rejectUnauthorized: false, |
Check failure
Code scanning / CodeQL
Disabling certificate validation (severity: High)
Copilot Autofix
AI about 3 hours ago
In general, the problem is that TLS certificate validation is disabled by setting rejectUnauthorized: false in the custom https.Agent used by Axios. The fix is to avoid disabling validation: either use the default https.Agent (no custom httpsAgent configuration at all), or explicitly set rejectUnauthorized: true. If special handling of self-signed certificates is needed, it should be done via trusted CA configuration instead, not by turning validation off.
The minimal, non-breaking change here is to stop passing rejectUnauthorized: false when constructing the agent. Since Node’s default HTTPS agent already enforces certificate validation, the cleanest approach is to remove the custom httpsAgent entirely and let Axios use its default. That preserves all existing behavior except for making TLS secure again. Concretely, in packages/http-caching-proxy/src/http-caching-proxy.ts, within the HttpCachingProxy constructor, we should delete the httpsAgent property (lines 92–96 in the snippet) and the associated comment about disabling SSL validation. No new imports are needed, because we will no longer use require('node:https') here. Axios will automatically use Node’s standard HTTPS handling, which validates certificates.
| @@ -89,11 +89,6 @@ | ||
| // http status code. Please note that Axios creates a new error in such | ||
| // condition and the original low-level error is lost | ||
| validateStatus: () => true, | ||
| // Disable SSL certificate validation for HTTPS requests | ||
| // This is acceptable for a testing/caching proxy | ||
| httpsAgent: new (require('node:https').Agent)({ | ||
| rejectUnauthorized: false, | ||
| }), | ||
| }); | ||
| } | ||
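Review bot: dropping the custom httpsAgent restores Node's default validation, but the deleted comment says this proxy was expected to reach upstreams with untrusted certificates in tests, so any such test will now fail at request time with a certificate error instead of a clear message. Consider adding an optional CA bundle to the proxy's options and passing it as `httpsAgent: new https.Agent({ca})`, which keeps validation on while trusting a self-signed test upstream explicitly. Also worth confirming that `require('node:https')` was the only use of the module in this file so the hunk leaves no unused import behind.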
CI suddenly fails with:
Checklist

- `npm test` passes on your machine
- packages/cli were updated
- examples/* were updated

👉 Check out how to submit a PR 👈