Set rejectUnauthorized to true by default #3149
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
This would resolve #3067 |
|
Thanks! I've added the |
Resolve CVE-2020-240-25 by setting rejectUnauthorized to true by default. Add configuration flag to override this to false if necessary. extract rejectUnauthorized download option to its own file. Add doc option to README.md.
sanderson-ut
force-pushed
the
fix-CVE-2020-24025
branch
from
76de3fb
to
82e2762
Compare
sanderson-ut
changed the title
|
Added other options for changing the configuration setting and updated README. Have removed WIP tag from PR. A couple of build steps failed but I couldn't see why - is that expected @xzyfer ? |
|
Yes some of the Alpine build jobs fail. It's expected. |
|
@xzyfer - any update on when this will be merged? |
|
Hi @xzyfer - just wondering when I can expect this to be released? |
|
@xzyfer |
|
We put this into in v7 because it was technically a breaking change. |
|
@xzyfer what part of it is breaking? I see the addition of a flag, but no change in the existing flags |
|
IIRC in order to address the security concern the default value for the
flag was reversed.
…On Fri, 25 Feb 2022, 2:40 pm J Garcia, ***@***.***> wrote:
@xzyfer <https://github.com/xzyfer> what part of it is breaking? I see
the addition of a flag, but no change in the existing flags
—
Reply to this email directly, view it on GitHub
<#3149 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAENSWD3IBZLJX4HGZE65MTU4322BANCNFSM5APMRSGQ>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
|
feels like a minor change to me, it doesn't break functionality right? None of the current binaries should be requiring that flag |
|
@xzyfer Would appreciate a deeper look at the feasability of a minor update, I'm definitely not the only one that can't upgrade to 7 easily, and I'll probably ignore this update or patch it manually until I can do a broader tooling upgrade |
|
patch file: diff --git a/node_modules/node-sass/scripts/util/downloadoptions.js b/node_modules/node-sass/scripts/util/downloadoptions.js
index 2352971..e9056b1 100644
--- a/node_modules/node-sass/scripts/util/downloadoptions.js
+++ b/node_modules/node-sass/scripts/util/downloadoptions.js
@@ -1,5 +1,6 @@
var proxy = require('./proxy'),
- userAgent = require('./useragent');
+ userAgent = require('./useragent'),
+ rejectUnauthorized = require('./rejectUnauthorized');
/**
* The options passed to request when downloading the bibary
@@ -14,7 +15,7 @@ var proxy = require('./proxy'),
*/
module.exports = function() {
var options = {
- rejectUnauthorized: false,
+ rejectUnauthorized: rejectUnauthorized(),
timeout: 60000,
headers: {
'User-Agent': userAgent(),
diff --git a/node_modules/node-sass/scripts/util/rejectUnauthorized.js b/node_modules/node-sass/scripts/util/rejectUnauthorized.js
new file mode 100644
index 0000000..a1c8010
--- /dev/null
+++ b/node_modules/node-sass/scripts/util/rejectUnauthorized.js
@@ -0,0 +1,46 @@
+var pkg = require('../../package.json');
+
+/**
+ * Get the value of a CLI argument
+ *
+ * @param {String} name
+ * @param {Array} args
+ * @api private
+ */
+ function getArgument(name, args) {
+ var flags = args || process.argv.slice(2),
+ index = flags.lastIndexOf(name);
+
+ if (index === -1 || index + 1 >= flags.length) {
+ return null;
+ }
+
+ return flags[index + 1];
+}
+
+/**
+ * Get the value of reject-unauthorized
+ * If environment variable SASS_REJECT_UNAUTHORIZED is non-zero,
+ * .npmrc variable sass_reject_unauthorized or
+ * process argument --sass-reject_unauthorized is provided,
+ * set rejectUnauthorized to true
+ * Else set to false by default
+ *
+ * @return {Boolean} The value of rejectUnauthorized
+ * @api private
+ */
+module.exports = function() {
+ var rejectUnauthorized = false;
+
+ if (getArgument('--sass-reject-unauthorized')) {
+ rejectUnauthorized = getArgument('--sass-reject-unauthorized');
+ } else if (process.env.SASS_REJECT_UNAUTHORIZED !== '0') {
+ rejectUnauthorized = true;
+ } else if (process.env.npm_config_sass_reject_unauthorized) {
+ rejectUnauthorized = process.env.npm_config_sass_reject_unauthorized;
+ } else if (pkg.nodeSassConfig && pkg.nodeSassConfig.rejectUnauthorized) {
+ rejectUnauthorized = pkg.nodeSassConfig.rejectUnauthorized;
+ }
+
+ return rejectUnauthorized;
+};
diff --git a/node_modules/node-sass/test/downloadoptions.js b/node_modules/node-sass/test/downloadoptions.js
index de89638..a6e2d9b 100644
--- a/node_modules/node-sass/test/downloadoptions.js
+++ b/node_modules/node-sass/test/downloadoptions.js
@@ -8,7 +8,7 @@ describe('util', function() {
describe('without a proxy', function() {
it('should look as we expect', function() {
var expected = {
- rejectUnauthorized: false,
+ rejectUnauthorized: true,
timeout: 60000,
headers: {
'User-Agent': ua(),
@@ -33,7 +33,7 @@ describe('util', function() {
it('should look as we expect', function() {
var expected = {
- rejectUnauthorized: false,
+ rejectUnauthorized: true,
proxy: proxy,
timeout: 60000,
headers: {
@@ -57,6 +57,25 @@ describe('util', function() {
delete process.env.HTTP_PROXY;
});
+ it('should look as we expect', function() {
+ var expected = {
+ rejectUnauthorized: true,
+ timeout: 60000,
+ headers: {
+ 'User-Agent': ua(),
+ },
+ encoding: null,
+ };
+
+ assert.deepStrictEqual(opts(), expected);
+ });
+ });
+
+ describe('with SASS_REJECT_UNAUTHORIZED set to false', function() {
+ beforeEach(function() {
+ process.env.SASS_REJECT_UNAUTHORIZED = '0';
+ });
+
it('should look as we expect', function() {
var expected = {
rejectUnauthorized: false,
@@ -70,5 +89,47 @@ describe('util', function() {
assert.deepStrictEqual(opts(), expected);
});
});
+
+ describe('with SASS_REJECT_UNAUTHORIZED set to true', function() {
+ beforeEach(function() {
+ process.env.SASS_REJECT_UNAUTHORIZED = '1';
+ });
+
+ it('should look as we expect', function() {
+ var expected = {
+ rejectUnauthorized: true,
+ timeout: 60000,
+ headers: {
+ 'User-Agent': ua(),
+ },
+ encoding: null,
+ };
+
+ assert.deepStrictEqual(opts(), expected);
+ });
+ });
+
+ describe('with npm_config_sass_reject_unauthorized set to true', function() {
+ beforeEach(function() {
+ process.env.npm_config_sass_reject_unauthorized = true;
+ });
+
+ it('should look as we expect', function() {
+ var expected = {
+ rejectUnauthorized: true,
+ timeout: 60000,
+ headers: {
+ 'User-Agent': ua(),
+ },
+ encoding: null,
+ };
+
+ assert.deepStrictEqual(opts(), expected);
+ });
+
+ afterEach(function() {
+ process.env.npm_config_sass_reject_unauthorized = undefined;
+ });
+ });
});
}); |
8 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Resolve CVE-2020-240-25 by setting rejectUnauthorized to true by default.
Add configuration flag to override this to false if necessary.
Add doc option to README.md