From 76de3fbb898a0799758f8bee50f2141f9c70874c Mon Sep 17 00:00:00 2001
From: Scott Anderson
Date: Fri, 16 Jul 2021 12:24:17 +0100
Subject: [PATCH] Set rejectUnauthorized to true by default

Resolve CVE-2020-240-25 by setting rejectUnauthorized to true by default. Add configuration flag to override this to false if necessary. Add doc option to README.md
---
 README.md | 13 +++++-----
 scripts/util/downloadoptions.js | 2 +-
 test/downloadoptions.js | 42 +++++++++++++++++++++++++++++++--
 3 files changed, 48 insertions(+), 9 deletions(-)

diff --git a/README.md b/README.md
index f19667a70..9ecf18b02 100644
--- a/README.md
+++ b/README.md
@@ -595,12 +595,13 @@ When compiling a directory `--source-map` can either be a boolean value or a dir
 node-sass supports different configuration parameters to change settings related to the sass binary such as binary name, binary path or alternative download path. Following parameters are supported by node-sass:
-Variable name | .npmrc parameter | Process argument | Value
------------------|------------------|--------------------|------
-SASS_BINARY_NAME | sass_binary_name | --sass-binary-name | path
-SASS_BINARY_SITE | sass_binary_site | --sass-binary-site | URL
-SASS_BINARY_PATH | sass_binary_path | --sass-binary-path | path
-SASS_BINARY_DIR | sass_binary_dir | --sass-binary-dir | path
+Variable name | .npmrc parameter | Process argument | Value
+-------------------------|--------------------------|----------------------------|------
+SASS_BINARY_NAME | sass_binary_name | --sass-binary-name | path
+SASS_BINARY_SITE | sass_binary_site | --sass-binary-site | URL
+SASS_BINARY_PATH | sass_binary_path | --sass-binary-path | path
+SASS_BINARY_DIR | sass_binary_dir | --sass-binary-dir | path
+SASS_REJECT_UNAUTHORIZED | sass_reject_unauthorized | --sass-reject-unauthorized | value
 These parameters can be used as environment variable:
diff --git a/scripts/util/downloadoptions.js b/scripts/util/downloadoptions.js
index 23529716f..4fc5a716b 100644
--- a/scripts/util/downloadoptions.js
+++ b/scripts/util/downloadoptions.js
@@ -14,7 +14,7 @@ var proxy = require('./proxy'),
 */
 module.exports = function() {
 var options = {
- rejectUnauthorized: false,
+ rejectUnauthorized: process.env.NODE_SASS_REJECT_UNAUTHORIZED !== '0',
 timeout: 60000,
 headers: {
 'User-Agent': userAgent(),
diff --git a/test/downloadoptions.js b/test/downloadoptions.js
index de8963842..75fb39f6c 100644
--- a/test/downloadoptions.js
+++ b/test/downloadoptions.js
@@ -8,7 +8,7 @@ describe('util', function() {
 describe('without a proxy', function() {
 it('should look as we expect', function() {
 var expected = {
- rejectUnauthorized: false,
+ rejectUnauthorized: true,
 timeout: 60000,
 headers: {
 'User-Agent': ua(),
@@ -33,7 +33,7 @@ describe('util', function() {
 it('should look as we expect', function() {
 var expected = {
- rejectUnauthorized: false,
+ rejectUnauthorized: true,
 proxy: proxy,
 timeout: 60000,
 headers: {
@@ -57,6 +57,25 @@ describe('util', function() {
 delete process.env.HTTP_PROXY;
 });
+ it('should look as we expect', function() {
+ var expected = {
+ rejectUnauthorized: true,
+ timeout: 60000,
+ headers: {
+ 'User-Agent': ua(),
+ },
+ encoding: null,
+ };
+
+ assert.deepStrictEqual(opts(), expected);
+ });
+ });
+
+ describe('with NODE_SASS_REJECT_UNAUTHORIZED set to false', function() {
+ beforeEach(function() {
+ process.env.NODE_SASS_REJECT_UNAUTHORIZED = '0';
+ });
+
 it('should look as we expect', function() {
 var expected = {
 rejectUnauthorized: false,
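Review bot: The new default on the `+ rejectUnauthorized` line is read only from `process.env.NODE_SASS_REJECT_UNAUTHORIZED`, while the README row added in the same commit documents the override as `SASS_REJECT_UNAUTHORIZED`, `sass_reject_unauthorized` and `--sass-reject-unauthorized`; none of those three spellings appears in the code change, so a user who follows the README gets the (safe) default but the documented opt-out does not take effect. The other SASS_* parameters in that table presumably go through a shared lookup that accepts all three forms — if so, this option should be resolved the same way, or the README row should name the variable the code actually reads. The opt-out also matches only the literal string `'0'`, so values like `false` or `no` leave verification on; that is the right failure mode but should be stated where the README column just says `value`, e.g. `// Verify the download server's TLS certificate unless the override is exactly '0'.` above the assignment. The `module.exports` function this line belongs to continues past the end of the hunk.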
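Review bot: The `describe('with NODE_SASS_REJECT_UNAUTHORIZED set to false', …)` block added here sets `process.env.NODE_SASS_REJECT_UNAUTHORIZED = '0'` in `beforeEach` but adds no `afterEach` to remove it, unlike the surrounding proxy block whose `delete process.env.HTTP_PROXY;` is visible as hunk context; the `set to true` block in the next hunk has the same gap. Because these blocks run in one process, whichever runs last leaves its value set for every later test file, and the new `it` in this hunk that expects `rejectUnauthorized: true` only passes while the variable is still unset. Pair each `beforeEach` with `afterEach(function() { delete process.env.NODE_SASS_REJECT_UNAUTHORIZED; });`, and consider saving and restoring any value already exported by the developer's shell rather than deleting it outright. The `describe('util', …)` wrapper these tests live in starts and ends outside the hunk.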
@@ -70,5 +89,24 @@ describe('util', function() {
 assert.deepStrictEqual(opts(), expected);
 });
 });
+
+ describe('with NODE_SASS_REJECT_UNAUTHORIZED set to true', function() {
+ beforeEach(function() {
+ process.env.NODE_SASS_REJECT_UNAUTHORIZED = '1';
+ });
+
+ it('should look as we expect', function() {
+ var expected = {
+ rejectUnauthorized: true,
+ timeout: 60000,
+ headers: {
+ 'User-Agent': ua(),
+ },
+ encoding: null,
+ };
+
+ assert.deepStrictEqual(opts(), expected);
+ });
+ });
 });
 });