Set rejectUnauthorized to true by default

Resolve CVE-2020-240-25 by setting rejectUnauthorized to true by default.

Add configuration flag to override this to false if necessary.

Add doc option to README.md

README.md

@@ -595,12 +595,13 @@ When compiling a directory `--source-map` can either be a boolean value or a dir
 
 node-sass supports different configuration parameters to change settings related to the sass binary such as binary name, binary path or alternative download path. Following parameters are supported by node-sass:
 
-Variable name    | .npmrc parameter | Process argument   | Value
------------------|------------------|--------------------|------
-SASS_BINARY_NAME | sass_binary_name | --sass-binary-name | path
-SASS_BINARY_SITE | sass_binary_site | --sass-binary-site | URL
-SASS_BINARY_PATH | sass_binary_path | --sass-binary-path | path
-SASS_BINARY_DIR  | sass_binary_dir  | --sass-binary-dir  | path
+Variable name            | .npmrc parameter         | Process argument           | Value
+-------------------------|--------------------------|----------------------------|------
+SASS_BINARY_NAME         | sass_binary_name         | --sass-binary-name         | path
+SASS_BINARY_SITE         | sass_binary_site         | --sass-binary-site         | URL
+SASS_BINARY_PATH         | sass_binary_path         | --sass-binary-path         | path
+SASS_BINARY_DIR          | sass_binary_dir          | --sass-binary-dir          | path
+SASS_REJECT_UNAUTHORIZED | sass_reject_unauthorized | --sass-reject-unauthorized | value
 
 These parameters can be used as environment variable:
 

scripts/util/downloadoptions.js

@@ -14,7 +14,7 @@ var proxy = require('./proxy'),
  */
 module.exports = function() {
   var options = {
-    rejectUnauthorized: false,
+    rejectUnauthorized: process.env.NODE_SASS_REJECT_UNAUTHORIZED !== '0',
     timeout: 60000,
     headers: {
       'User-Agent': userAgent(),

test/downloadoptions.js

@@ -8,7 +8,7 @@ describe('util', function() {
     describe('without a proxy', function() {
       it('should look as we expect', function() {
         var expected = {
-          rejectUnauthorized: false,
+          rejectUnauthorized: true,
           timeout: 60000,
           headers: {
             'User-Agent': ua(),
@@ -33,7 +33,7 @@ describe('util', function() {
 
       it('should look as we expect', function() {
         var expected = {
-          rejectUnauthorized: false,
+          rejectUnauthorized: true,
           proxy: proxy,
           timeout: 60000,
           headers: {
@@ -57,6 +57,25 @@ describe('util', function() {
         delete process.env.HTTP_PROXY;
       });
 
+      it('should look as we expect', function() {
+        var expected = {
+          rejectUnauthorized: true,
+          timeout: 60000,
+          headers: {
+            'User-Agent': ua(),
+          },
+          encoding: null,
+        };
+
+        assert.deepStrictEqual(opts(), expected);
+      });
+    });
+
+    describe('with NODE_SASS_REJECT_UNAUTHORIZED set to false', function() {
+      beforeEach(function() {
+        process.env.NODE_SASS_REJECT_UNAUTHORIZED = '0';
+      });
+
       it('should look as we expect', function() {
         var expected = {
           rejectUnauthorized: false,
@@ -70,5 +89,24 @@ describe('util', function() {
         assert.deepStrictEqual(opts(), expected);
       });
     });
+
+    describe('with NODE_SASS_REJECT_UNAUTHORIZED set to true', function() {
+      beforeEach(function() {
+        process.env.NODE_SASS_REJECT_UNAUTHORIZED = '1';
+      });
+
+      it('should look as we expect', function() {
+        var expected = {
+          rejectUnauthorized: true,
+          timeout: 60000,
+          headers: {
+            'User-Agent': ua(),
+          },
+          encoding: null,
+        };
+
+        assert.deepStrictEqual(opts(), expected);
+      });
+    });
   });
 });