authorGravatar Ciro Spaciari <ciro.spaciari@gmail.com> 2023-09-12 01:52:31 -0300
committerGravatar GitHub <noreply@github.com> 2023-09-11 21:52:31 -0700
commit8615b8ad6bb0be203f1b9237749a44dadc1184ee (patch)
tree49c3b954d03c941f964af56ccf31a2da59a383c9
parent49928392329dbf5d70c7c647cf948e1f35f2d1f6 (diff)
add NODE_TLS_REJECT_UNAUTHORIZED (#4829)
-rw-r--r--src/bun.js/webcore/response.zig2
-rw-r--r--src/cli/create_command.zig6
-rw-r--r--src/cli/upgrade_command.zig4
-rw-r--r--src/env_loader.zig9
-rw-r--r--src/install/install.zig8
-rw-r--r--test/js/web/fetch/fetch-reject-authorized-env-fixture.js8
-rw-r--r--test/js/web/fetch/fetch.tls.test.ts24
7 files changed, 60 insertions, 1 deletions
diff --git a/src/bun.js/webcore/response.zig b/src/bun.js/webcore/response.zig
index 6e0f92f9c..0e80adfc4 100644
--- a/src/bun.js/webcore/response.zig
+++ b/src/bun.js/webcore/response.zig
@@ -1563,7 +1563,7 @@ pub const Fetch = struct {
var url_proxy_buffer: []const u8 = undefined;
var is_file_url = false;
- var reject_unauthorized = true;
+ var reject_unauthorized = script_ctx.bundler.env.getTLSRejectUnauthorized();
var check_server_identity: JSValue = .zero;
// TODO: move this into a DRYer implementation
// The status quo is very repetitive and very bug prone
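Review bot: The env-derived default at line 31 is only safe if the per-request `tls.rejectUnauthorized` option, applied further down in this function outside the hunk, still overrides it in both directions: with NODE_TLS_REJECT_UNAUTHORIZED=0 exported, a caller that explicitly passes `rejectUnauthorized: true` must still get certificate verification, and nothing in the hunk shows that precedence. The enclosing fetch body continues outside the hunk, so this cannot be confirmed here. A one-line comment on the changed line would at least record the intended order, e.g. `// default from NODE_TLS_REJECT_UNAUTHORIZED; an explicit tls.rejectUnauthorized option overrides it below`.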
diff --git a/src/cli/create_command.zig b/src/cli/create_command.zig
index d661e3aab..b052a11df 100644
--- a/src/cli/create_command.zig
+++ b/src/cli/create_command.zig
@@ -1879,6 +1879,8 @@ pub const Example = struct {
HTTP.FetchRedirect.follow,
);
async_http.client.progress_node = progress;
+ async_http.client.reject_unauthorized = env_loader.getTLSRejectUnauthorized();
+
const response = try async_http.sendSync(true);
switch (response.status_code) {
@@ -1955,6 +1957,8 @@ pub const Example = struct {
HTTP.FetchRedirect.follow,
);
async_http.client.progress_node = progress;
+ async_http.client.reject_unauthorized = env_loader.getTLSRejectUnauthorized();
+
var response = try async_http.sendSync(true);
switch (response.status_code) {
@@ -2043,6 +2047,7 @@ pub const Example = struct {
HTTP.FetchRedirect.follow,
);
async_http.client.progress_node = progress;
+ async_http.client.reject_unauthorized = env_loader.getTLSRejectUnauthorized();
refresher.maybeRefresh();
@@ -2084,6 +2089,7 @@ pub const Example = struct {
null,
HTTP.FetchRedirect.follow,
);
+ async_http.client.reject_unauthorized = env_loader.getTLSRejectUnauthorized();
if (Output.enable_ansi_colors) {
async_http.client.progress_node = progress_node;
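Review bot: The same `async_http.client.reject_unauthorized = env_loader.getTLSRejectUnauthorized();` line is pasted into four request sites in this file (and again twice in upgrade_command.zig and twice in install.zig), and in the last hunk (line 65) it is placed before the progress_node block while the other three place it after, so the next request site added to these files can easily miss it. If the client is built through a shared init path that already receives env_loader (not visible here), setting the default there once would remove the repetition; otherwise a small helper in this file that takes `*HTTP.AsyncHTTP` and `env_loader` and applies both progress_node and reject_unauthorized would keep the four sites identical. The enclosing functions start and end outside these hunks.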
diff --git a/src/cli/upgrade_command.zig b/src/cli/upgrade_command.zig
index c48e32aca..60ae953d3 100644
--- a/src/cli/upgrade_command.zig
+++ b/src/cli/upgrade_command.zig
@@ -236,6 +236,8 @@ pub const UpgradeCommand = struct {
null,
HTTP.FetchRedirect.follow,
);
+ async_http.client.reject_unauthorized = env_loader.getTLSRejectUnauthorized();
+
if (!silent) async_http.client.progress_node = progress;
const response = try async_http.sendSync(true);
@@ -481,6 +483,8 @@ pub const UpgradeCommand = struct {
);
async_http.client.timeout = timeout;
async_http.client.progress_node = progress;
+ async_http.client.reject_unauthorized = env_loader.getTLSRejectUnauthorized();
+
const response = try async_http.sendSync(true);
switch (response.status_code) {
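Review bot: Both hunks make the release-metadata request and the download of the new bun executable itself honor NODE_TLS_REJECT_UNAUTHORIZED, so a user who has `=0` exported in their shell for some unrelated Node project will now fetch a binary over an unverified TLS connection with no indication that this happened. Unless something outside the hunk checks a digest or signature on the downloaded archive, that is a much larger loss than for an ordinary fetch() call. Consider emitting a visible warning on this path when verification is off, e.g. `if (!async_http.client.reject_unauthorized) Output.prettyErrorln("warning: NODE_TLS_REJECT_UNAUTHORIZED is set; the upgrade download is not certificate-verified", .{});` (assuming `Output` is the logging helper in scope here, as it is in create_command.zig). The enclosing functions continue outside both hunks.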
diff --git a/src/env_loader.zig b/src/env_loader.zig
index 7f0be98a7..9d0c69d04 100644
--- a/src/env_loader.zig
+++ b/src/env_loader.zig
@@ -87,6 +87,15 @@ pub const Loader = struct {
}
}
+ pub fn getTLSRejectUnauthorized(this: *Loader) bool {
+ if (this.map.get("NODE_TLS_REJECT_UNAUTHORIZED")) |reject| {
+ if (strings.eql(reject, "0")) return false;
+ if (strings.eql(reject, "false")) return false;
+ }
+ // default: true
+ return true;
+ }
+
pub fn getHttpProxy(this: *Loader, url: URL) ?URL {
// TODO: When Web Worker support is added, make sure to intern these strings
var http_proxy: ?URL = null;
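Review bot: `getTLSRejectUnauthorized` accepts both "0" and "false" as disabling verification, whereas Node (as far as I recall) only recognizes the exact string "0", so a value like NODE_TLS_REJECT_UNAUTHORIZED=false that is a no-op under Node silently turns off certificate checks for every HTTPS request made by bun; if the extra spelling is intentional it deserves a comment, otherwise drop line 98. The function has no doc comment even though it is the single switch that disables TLS verification process-wide; suggest `/// Returns false only when NODE_TLS_REJECT_UNAUTHORIZED is "0" (or "false"); callers use it to disable TLS certificate verification for all outgoing HTTPS requests.` in place of `// default: true`. The name also diverges from the neighbouring `getHttpProxy` in how the acronym is cased; `getTlsRejectUnauthorized` would match it (the callers in the other hunks would need the same rename).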
diff --git a/src/install/install.zig b/src/install/install.zig
index bf6422cc7..d7113cfe9 100644
--- a/src/install/install.zig
+++ b/src/install/install.zig
@@ -343,6 +343,8 @@ const NetworkTask = struct {
HTTP.FetchRedirect.follow,
null,
);
+ this.http.client.reject_unauthorized = this.package_manager.tlsRejectUnauthorized();
+
this.callback = .{
.package_manifest = .{
.name = try strings.StringOrTinyString.initAppendIfNeeded(name, *FileSystem.FilenameStore, &FileSystem.FilenameStore.instance),
@@ -421,6 +423,8 @@ const NetworkTask = struct {
HTTP.FetchRedirect.follow,
null,
);
+ this.http.client.reject_unauthorized = this.package_manager.tlsRejectUnauthorized();
+
this.callback = .{ .extract = tarball };
}
};
@@ -1679,6 +1683,10 @@ pub const PackageManager = struct {
return this.env.getHttpProxy(url);
}
+ pub fn tlsRejectUnauthorized(this: *PackageManager) bool {
+ return this.env.getTLSRejectUnauthorized();
+ }
+
pub const WakeHandler = struct {
// handler: fn (ctx: *anyopaque, pm: *PackageManager) void = undefined,
// onDependencyError: fn (ctx: *anyopaque, Dependency, PackageID, anyerror) void = undefined,
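Review bot: `tlsRejectUnauthorized` at line 132 is undocumented, and the two NetworkTask hunks above (manifest and tarball requests) now both depend on it, so a reader of install.zig has no way to know which env var drives it without opening env_loader.zig. Suggest `/// Whether registry requests verify TLS certificates; false only when NODE_TLS_REJECT_UNAUTHORIZED is "0" or "false" in the loaded env.` above the function, mirroring whatever doc the sibling `httpProxy` wrapper carries. Presumably the tarball task is still protected by lockfile integrity hashes when verification is off, but the manifest request is not, which is worth stating in that comment if it is the case. The NetworkTask functions in the first two hunks start outside the hunk.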
diff --git a/test/js/web/fetch/fetch-reject-authorized-env-fixture.js b/test/js/web/fetch/fetch-reject-authorized-env-fixture.js
new file mode 100644
index 000000000..c3d13c747
--- /dev/null
+++ b/test/js/web/fetch/fetch-reject-authorized-env-fixture.js
@@ -0,0 +1,8 @@
+const { SERVER } = process.env;
+
+try {
+ const result = await fetch(SERVER).then(res => res.text());
+ if (result !== "Hello World") process.exit(2);
+} catch (err) {
+ process.exit(err.code === "ERR_TLS_CERT_ALTNAME_INVALID" ? 1 : 3);
+}
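Review bot: The exit-code protocol this fixture implements (0 success, 1 certificate rejected, 2 unexpected body, 3 any other error) is only recoverable by reading it together with fetch.tls.test.ts; a header comment stating it, e.g. `// exits 0 on success, 1 if the certificate was rejected, 2 on an unexpected body, 3 on any other error`, would make the test's `toBe(i)` readable. The fixture only recognises ERR_TLS_CERT_ALTNAME_INVALID although the server in fetch.tls.test.ts is started with CERT_EXPIRED; presumably the hostname check fails first, but if that ordering ever changes the test will fail with exit 3 and no message, so logging the code before exiting, `console.error(err.code); process.exit(err.code === "ERR_TLS_CERT_ALTNAME_INVALID" ? 1 : 3);`, keeps it diagnosable. The file name says "reject-authorized" where the variable it exercises is "reject-unauthorized".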
diff --git a/test/js/web/fetch/fetch.tls.test.ts b/test/js/web/fetch/fetch.tls.test.ts
index 184cbad8b..d8a844ed7 100644
--- a/test/js/web/fetch/fetch.tls.test.ts
+++ b/test/js/web/fetch/fetch.tls.test.ts
@@ -1,5 +1,7 @@
import { it, expect } from "bun:test";
import tls from "tls";
+import { join } from "node:path";
+import { bunEnv, bunExe } from "harness";
type TLSOptions = {
cert: string;
@@ -130,6 +132,28 @@ it("fetch with invalid tls + rejectUnauthorized: false should not throw", async
});
});
+it("fetch should respect rejectUnauthorized env", async () => {
+ await createServer(CERT_EXPIRED, async port => {
+ const url = `https://localhost:${port}`;
+
+ for (let i = 0; i < 2; i++) {
+ const proc = Bun.spawn({
+ env: {
+ ...bunEnv,
+ SERVER: url,
+ NODE_TLS_REJECT_UNAUTHORIZED: i.toString(),
+ },
+ stderr: "inherit",
+ stdout: "inherit",
+ cmd: [bunExe(), join(import.meta.dir, "fetch-reject-authorized-env-fixture.js")],
+ });
+
+ const exitCode = await proc.exited;
+ expect(exitCode).toBe(i);
+ }
+ });
+});
+
it("can handle multiple requests with non native checkServerIdentity", async () => {
await createServer(CERT_LOCALHOST_IP, async port => {
async function request() {
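Review bot: The loop at line 171 only exercises the values "0" and "1", while the loader in env_loader.zig also treats "false" as disabling verification, so an accepted spelling is left untested and the two can drift apart unnoticed; the `i.toString()` / `toBe(i)` coupling also hides what is being asserted. A small table of (value, expected exit) pairs reads better and covers the extra spelling plus a non-zero string like "true" that must keep verification on. The spawn and stdio settings stay as they are.
```typescript
const cases: [string, number][] = [
  ["0", 0],
  ["false", 0],
  ["1", 1],
  ["true", 1],
];
for (const [value, expected] of cases) {
  const proc = Bun.spawn({
    env: {
      ...bunEnv,
      SERVER: url,
      NODE_TLS_REJECT_UNAUTHORIZED: value,
    },
    // … unchanged: stderr, stdout, cmd …
  });

  const exitCode = await proc.exited;
  expect(exitCode).toBe(expected);
}
```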