From 4b044802836c623adb90ac31a690ebdd4530a199 Mon Sep 17 00:00:00 2001 From: Alistair Smith Date: Tue, 13 May 2025 15:05:41 -0700 Subject: [PATCH] changes --- src/js/internal/tls.ts | 16 ++++++++++++++++ src/js/node/net.ts | 12 ++++++++++-- .../node/tls/node-tls-reject-unauthorized-env.ts | 5 +++++ 3 files changed, 31 insertions(+), 2 deletions(-) create mode 100644 test/js/node/tls/node-tls-reject-unauthorized-env.ts diff --git a/src/js/internal/tls.ts b/src/js/internal/tls.ts index ea815efa07..b02a5a11c0 100644 --- a/src/js/internal/tls.ts +++ b/src/js/internal/tls.ts @@ -295,7 +295,23 @@ function validateTLSOptions(options: any) { } } +let warnOnAllowUnauthorized = true; + +function getAllowUnauthorized(): boolean { + const allowUnauthorized = process.env.NODE_TLS_REJECT_UNAUTHORIZED === "0"; + + if (allowUnauthorized && warnOnAllowUnauthorized) { + warnOnAllowUnauthorized = false; + process.emitWarning( + "Setting the NODE_TLS_REJECT_UNAUTHORIZED environment variable to '0' makes TLS " + + "connections and HTTPS requests insecure by disabling certificate verification.", + ); + } + return allowUnauthorized; +} + export default { + getAllowUnauthorized, isValidTLSArray, isValidTLSItem, resolveTLSVersions, diff --git a/src/js/node/net.ts b/src/js/node/net.ts index 5d8194729e..8641e63869 100644 --- a/src/js/node/net.ts +++ b/src/js/node/net.ts @@ -22,6 +22,7 @@ // USE OR OTHER DEALINGS IN THE SOFTWARE. const { Duplex } = require("node:stream"); const EventEmitter = require("node:events"); +const { getAllowUnauthorized } = require("internal/tls"); const [addServerName, upgradeDuplexToTLS, isNamedPipeSocket, getBufferedAmount] = $zig( "socket.zig", "createNodeTLSBinding", 
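Review bot: `getAllowUnauthorized` carries no doc comment even though a `true` return switches certificate verification off for every TLS client that did not set `rejectUnauthorized` itself, so the contract should be stated at the definition: `/** True only when NODE_TLS_REJECT_UNAUTHORIZED is exactly "0"; any other value keeps verification on. Callers use the result only as the default for rejectUnauthorized. Emits a one-time process warning the first time it returns true. */`. Reading `process.env` on every call means the variable is re-evaluated per connection while the warning latches on `warnOnAllowUnauthorized`, which matches Node's helper of the same name and deserves a line on the flag: `// set once per process so the insecure-mode warning is printed only once`. The net.ts hunk on this line destructures the function from `require("internal/tls")`, which only works if Bun's internal `require` hands back the default-export object; nothing in the diff shows that, so it is worth confirming.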
@@ -284,6 +285,9 @@ const SocketHandlers: SocketHandler = { self.authorized = false; self.authorizationError = verifyError.code || verifyError.message; if (self._rejectUnauthorized) { + self.emit("secure", self); + self.emit("_tlsError", verifyError); + self.server.emit("tlsClientError", verifyError, self); self.destroy(verifyError); return; } @@ -425,7 +429,7 @@ const ServerHandlers: SocketHandler = { self._securePending = false; self.secureConnecting = false; self._secureEstablished = !!success; - self.servername = socket.getServername(); + self.servername = socket.getServername() || socket.host || socket.servername; const server = self.server; self.alpnProtocol = socket.alpnProtocol; @@ -437,6 +441,8 @@ const ServerHandlers: SocketHandler = { if (self._rejectUnauthorized) { // if we reject we still need to emit secure self.emit("secure", self); + self.emit("_tlsError", verifyError); + self.server.emit("tlsClientError", verifyError, self); self.destroy(verifyError); return; } @@ -766,7 +772,9 @@ Socket.prototype.connect = function connect(...args) { this._rejectUnauthorized = rejectUnauthorized; tls.rejectUnauthorized = rejectUnauthorized; } else { - this._rejectUnauthorized = tls.rejectUnauthorized; + const allowUnauth = getAllowUnauthorized(); + this._rejectUnauthorized = !allowUnauth; + tls.rejectUnauthorized = !allowUnauth; } tls.requestCert = true; tls.session = session || tls.session; diff --git a/test/js/node/tls/node-tls-reject-unauthorized-env.ts b/test/js/node/tls/node-tls-reject-unauthorized-env.ts new file mode 100644 index 0000000000..dd7f68d072 --- /dev/null +++ b/test/js/node/tls/node-tls-reject-unauthorized-env.ts @@ -0,0 +1,5 @@ +import { describe, it } from "bun:test"; + +describe("Bun respects the NODE_TLS_REJECT_UNAUTHORIZED environment variables", () => { + it.todo("should reject unauthorized certificates by default"); +});
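Review bot: `self.server.emit("tlsClientError", verifyError, self)` in the `SocketHandlers` hunk runs on what the handler name suggests is a client-side socket, and nothing in the diff shows `self.server` being set for outbound connections; if it is undefined the line throws a `TypeError` inside the handshake callback and the `self.destroy(verifyError)` that follows never runs, so a failed certificate check could leave the socket open instead of torn down. In Node `tlsClientError` is a server-only event and client sockets are simply destroyed with the verify error. Either drop the two new `emit` lines from this hunk or guard them: `self.server?.emit("tlsClientError", verifyError, self);`. The added `self.emit("secure", self)` will also fire twice if the enclosing handler already emits `secure` earlier; that handler starts and ends outside the hunk.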
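Review bot: `self.servername = socket.getServername() || socket.host || socket.servername;` makes an accepted server-side socket report a servername even when the client sent no SNI, which is presumably what an empty `getServername()` result means. Code that branches on `socket.servername` to tell SNI-bearing clients from the rest (virtual-host routing, per-name policy) can no longer distinguish them, and if `socket.host` is the listener's bind address it is a local value the peer never asserted. Unless a caller needs the fallback, keep the SNI value as reported; if it stays, say so at the line: `// Fallback when the client sent no SNI: host/servername are local values, not peer-asserted`. `ServerHandlers` continues outside the hunk.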
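Review bot: the `else` branch now unconditionally overwrites `tls.rejectUnauthorized` with `!allowUnauth`, where the removed line only read it; if the `tls` object can arrive with `rejectUnauthorized` already set by something other than the option handled in the `if` branch (not visible here), that value is now discarded in favour of the environment variable. Make the precedence explicit at the new lines: `// NODE_TLS_REJECT_UNAUTHORIZED only supplies the default; an explicit rejectUnauthorized option (branch above) always wins`. Because `getAllowUnauthorized()` is called per `connect()`, the variable is re-read for each connection and can change behaviour at runtime. `Socket.prototype.connect` starts and ends outside the hunk.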
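Review bot: the new test file asserts nothing — `it.todo("should reject unauthorized certificates by default")` is a placeholder, so neither the env-var default this patch introduces nor the one-shot warning is verified. Because the variable is read from `process.env` at connect time and the warning latches after the first call, the test has to run in a child process: spawn `bun` with `NODE_TLS_REJECT_UNAUTHORIZED=0` against a local self-signed server and assert the connection succeeds and the warning text reaches stderr, then a second run without the variable asserting the connect fails with a verification error. Until then the `describe` title promises behaviour the suite does not check.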