From 134629293a75633d3215abd0e8933beaa4b36a88 Mon Sep 17 00:00:00 2001 From: commenthol Date: Sat, 28 Sep 2019 15:40:35 +0200 Subject: [PATCH 1/3] feat: new option disableTLSCerts Do not reject expired or invalid TLS certs. Sets `rejectUnauthorized=true`. Be warned that this allows MITM attacks. --- src/agent-base.js | 3 ++- src/node/agent.js | 4 ++++ src/node/index.js | 14 ++++++++++++++ test/node/https.js | 9 +++++++++ 4 files changed, 29 insertions(+), 1 deletion(-) diff --git a/src/agent-base.js b/src/agent-base.js index d7a1666c2..45bd6d470 100644 --- a/src/agent-base.js +++ b/src/agent-base.js @@ -23,7 +23,8 @@ function Agent() { 'ca', 'key', 'pfx', - 'cert' + 'cert', + 'disableTLSCerts' ].forEach(fn => { // Default setting for all requests from this agent Agent.prototype[fn] = function(...args) { diff --git a/src/node/agent.js b/src/node/agent.js index 283c220ad..7aa5fd037 100644 --- a/src/node/agent.js +++ b/src/node/agent.js @@ -46,6 +46,10 @@ function Agent(options) { if (options.cert) { this.cert(options.cert); } + + if (options.rejectUnauthorized === false) { + this.disableTLSCerts(); + } } } diff --git a/src/node/index.js b/src/node/index.js index 172e9966b..5b24b270c 100644 --- a/src/node/index.js +++ b/src/node/index.js @@ -642,6 +642,19 @@ Request.prototype.cert = function(cert) { return this; }; +/** + * Do not reject expired or invalid TLS certs. + * sets `rejectUnauthorized=true`. Be warned that this allows MITM attacks. + * + * @return {Request} for chaining + * @api public + */ + +Request.prototype.disableTLSCerts = function() { + this._disableTLSCerts = true; + return this; +}; + /** * Return an http[s] request. * @@ -743,6 +756,7 @@ Request.prototype.request = function() { options.cert = this._cert; options.passphrase = this._passphrase; options.agent = this._agent; + options.rejectUnauthorized = !this._disableTLSCerts; // Allows request.get('https://1.2.3.4/').set('Host', 'example.com') if (this._header.host) { 
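Review bot: In the src/node/agent.js hunk, `options.rejectUnauthorized === false` turns off certificate verification for every request made through the agent, and nothing at the call site says so. A comment above the new `if` would make the scope explicit, for example `// Agent-wide: every request from this agent skips TLS certificate verification`. Because the request-level `disableTLSCerts()` added in src/node/index.js takes no argument and only ever sets the flag, there appears to be no way for a single request to turn verification back on; accepting a boolean would allow that. The `Agent` constructor starts and ends outside the hunk.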
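Review bot: The JSDoc added above `Request.prototype.disableTLSCerts` in src/node/index.js says the method sets `rejectUnauthorized=true`, but the second hunk of the same file assigns `options.rejectUnauthorized = !this._disableTLSCerts`, which is `false` once the method has been called. The doc line should say `rejectUnauthorized=false`, since a reader checking the documented value would conclude that verification stays on. The same wording appears in the commit message of patch 1/3 and in the docs/index.md hunk of patch 3/3, so all three need the correction.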
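Review bot: `options.rejectUnauthorized = !this._disableTLSCerts;` in `Request.prototype.request` runs on every request, so callers that never use the new method now pass an explicit `rejectUnauthorized: true`. That is the fail-closed choice, but it presumably takes precedence over a value configured on a custom agent supplied through `options.agent`, which is a behaviour change the commit message does not mention. If it is intended, record it with a comment such as `// always explicit: verification stays on unless disableTLSCerts() was called`. If it is not, assign only in the disabled case with `if (this._disableTLSCerts) options.rejectUnauthorized = false;`. The function body starts and ends outside the hunk.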
diff --git a/test/node/https.js b/test/node/https.js index d16635b57..a171a77f4 100644 --- a/test/node/https.js +++ b/test/node/https.js @@ -102,6 +102,15 @@ describe('https', () => { ); }); + it('should not reject unauthorized response', () => { + return request + .get(testEndpoint) + .disableTLSCerts() + .then(({ status }) => { + assert.strictEqual(status, 200); + }); + }); + it('should trust localhost unauthorized response', () => { return request.get(testEndpoint).trustLocalhost(true); }); From 57b5bfc1938e05cb16c2ea9015fce3fadc89abca Mon Sep 17 00:00:00 2001 From: commenthol Date: Sat, 28 Sep 2019 15:57:23 +0200 Subject: [PATCH 2/3] chore: upgrade node >= 7.0.0 Need upgrade to pass linter errors: The 'Object.getOwnPropertyDescriptors' is not supported until Node.js 7.0.0. The configured version range is '>= 6.4.0' node/no-unsupported-features/es-builtins --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 705232f1e..ae11b51e2 100644 --- a/package.json +++ b/package.json @@ -73,7 +73,7 @@ "zuul": "^3.12.0" }, "engines": { - "node": ">= 6.4.0" + "node": ">= 7.0.0" }, "homepage": "https://github.com/visionmedia/superagent", "husky": { From ba08767dd8a398a6f2ad66ae067b1aed17a96458 Mon Sep 17 00:00:00 2001 From: commenthol Date: Mon, 14 Oct 2019 21:57:18 +0200 Subject: [PATCH 3/3] docs: document disableTLSCerts method --- docs/index.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/index.md b/docs/index.md index ab410265d..a9b9acf81 100644 --- a/docs/index.md +++ b/docs/index.md 
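Review bot: The single test added in test/node/https.js covers only the request-level `.disableTLSCerts()`; the agent paths added in src/agent-base.js and src/node/agent.js (`rejectUnauthorized: false` in the `Agent` options) are not tested anywhere in this patch. A second case should build an agent with that option and assert status 200 against `testEndpoint`. A companion case asserting that the same request is rejected when `.disableTLSCerts()` is not called would pin the new unconditional `options.rejectUnauthorized` assignment. The `describe('https')` block is only partly visible here, so a rejection test may already exist outside the hunk.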
@@ -302,6 +302,7 @@ In Node.js SuperAgent supports methods to configure HTTPS requests: - `.cert()`: Set the client certificate chain(s) - `.key()`: Set the client private key(s) - `.pfx()`: Set the client PFX or PKCS12 encoded private key and certificate chain +- `.disableTLSCerts()`: Does not reject expired or invalid TLS certs. Sets internally `rejectUnauthorized=true`. *Be warned, this method allows MITM attacks.* For more information, see Node.js [https.request docs](https://nodejs.org/api/https.html#https_https_request_options_callback).