2023-05-03 11:06:20 +02:00
== Why is this an issue?
2020-06-30 14:41:58 +02:00
include::../description.adoc[]
2023-05-03 11:06:20 +02:00
=== Noncompliant code example
2020-06-30 14:41:58 +02:00
There is no way to disable certificate verification in tls, https and request modules but it is possible to not reject request when verification fails.
2021-02-02 15:02:10 +01:00
2020-06-30 14:41:58 +02:00
https://nodejs.org/api/https.html[https] built-in module:
2022-02-04 17:28:24 +01:00
[source,javascript]
2020-06-30 14:41:58 +02:00
----
let options = {
2020-12-21 15:38:52 +01:00
hostname: 'www.example.com',
2020-06-30 14:41:58 +02:00
port: 443,
path: '/',
method: 'GET',
secureProtocol: 'TLSv1_2_method',
rejectUnauthorized: false ; // Noncompliant
};
let req = https.request(options, (res) => {
res.on('data', (d) => {
process.stdout.write(d);
});
}); // Noncompliant
----
https://nodejs.org/api/tls.html[tls] built-in module:
2022-02-04 17:28:24 +01:00
[source,javascript]
2020-06-30 14:41:58 +02:00
----
let options = {
secureProtocol: 'TLSv1_2_method',
rejectUnauthorized: false ; // Noncompliant
};
let socket = tls.connect(443, "www.example.com", options, () => {
process.stdin.pipe(socket);
process.stdin.resume();
}); // Noncompliant
----
https://www.npmjs.com/package/request[request] module:
2022-02-04 17:28:24 +01:00
[source,javascript]
2020-06-30 14:41:58 +02:00
----
let socket = request.get({
2020-12-21 15:38:52 +01:00
url: 'www.example.com',
2020-06-30 14:41:58 +02:00
secureProtocol: 'TLSv1_2_method',
rejectUnauthorized: false ; // Noncompliant
});
----
2023-05-03 11:06:20 +02:00
=== Compliant solution
2020-06-30 14:41:58 +02:00
https://nodejs.org/api/https.html[https] built-in module:
2022-02-04 17:28:24 +01:00
[source,javascript]
2020-06-30 14:41:58 +02:00
----
let options = {
2020-12-21 15:38:52 +01:00
hostname: 'www.example.com',
2020-06-30 14:41:58 +02:00
port: 443,
path: '/',
method: 'GET',
secureProtocol: 'TLSv1_2_method'
};
let req = https.request(options, (res) => {
res.on('data', (d) => {
process.stdout.write(d);
});
}); // Compliant: by default rejectUnauthorized is set to true
----
https://nodejs.org/api/tls.html[tls] built-in module:
2022-02-04 17:28:24 +01:00
[source,javascript]
2020-06-30 14:41:58 +02:00
----
let options = {
secureProtocol: 'TLSv1_2_method'
};
let socket = tls.connect(443, "www.example.com", options, () => {
process.stdin.pipe(socket);
process.stdin.resume();
}); // Compliant: by default rejectUnauthorized is set to true
----
https://www.npmjs.com/package/request[request] module:
2022-02-04 17:28:24 +01:00
[source,javascript]
2020-06-30 14:41:58 +02:00
----
let socket = request.get({
url: 'https://www.example.com/',
secureProtocol: 'TLSv1_2_method' // Compliant
}); // Compliant: by default rejectUnauthorized is set to true
----
include::../see.adoc[]
2021-06-02 20:44:38 +02:00
2021-06-03 09:05:38 +02:00
ifdef::env-github,rspecator-view[]
2021-09-20 15:38:42 +02:00
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
include::highlighting.adoc[]
2021-06-08 15:52:13 +02:00
'''
2021-06-02 20:44:38 +02:00
== Comments And Links
(visible only on this page)
include::../comments-and-links.adoc[]
2021-06-03 09:05:38 +02:00
endif::env-github,rspecator-view[]
