RQ-2425: verify upstream TLS by default (+ live toggle, clear cert errors)#108
Conversation
The proxy hardcoded `rejectUnauthorized = false` on every outbound request, silently accepting any (expired/self-signed/wrong-host/attacker) certificate from origin servers — letting a network attacker MITM all proxied HTTPS traffic with no signal to the user. Verify upstream certificates by default and only skip when the user explicitly opts in via the new `ProxyConfig.allowInsecureCerts` flag (for self-signed / internal upstreams). Defaults to secure (verify) when unset. Follow-up (desktop app): expose this as a user setting / per-host cert exception. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add setAllowInsecureCerts() on RQProxy + ProxyMiddlewareManager. Because the per-request handler reads proxyConfig.allowInsecureCerts, mutating it via this setter applies the new TLS-verification policy on the next request — no proxy restart and no app restart. Lets the desktop toggle take effect immediately. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
When "Allow insecure SSL in proxy interceptor" is OFF (default) and an origin presents an untrusted/expired/self-signed cert, the proxy used to serve an ERR_NAME_NOT_RESOLVED page — misleading, since the host resolves fine. - Detect TLS cert verification errors (isCertificateError) and serve a dedicated page that names the cause (e.g. CERT_HAS_EXPIRED -> ERR_CERT_DATE_INVALID) and tells the user they can enable the insecure-SSL toggle if they trust the host. - Fix the DNS-unreachable check to use a clean hostname (headers.host minus port) instead of the full request URL, so dns.lookup() no longer reports every upstream error as ENOTFOUND. - Rebuild dist. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
Warning Review limit reached
More reviews will be available in 29 minutes and 3 seconds. Learn how PR review limits work. Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file). ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits. 🚦 How do rate limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, the refill rate gradually slows as usage increases. The highest same-day bursts are limited more strictly. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: ⛔ Files ignored due to path filters (4)
📒 Files selected for processing (3)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
commit: |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@src/components/proxy-middleware/helpers/handleUnreachableAddress.js`:
- Line 122: The variables host and code are being directly embedded into HTML
markup without escaping, which creates a reflected XSS vulnerability where
malicious input could execute in the error page. In the template string around
line 122, use an HTML escaping function or utility to sanitize both the host and
code variables before inserting them into the HTML content. This ensures any
special HTML characters in these request-derived values are properly encoded as
HTML entities, preventing script or markup injection attacks.
In `@src/components/proxy-middleware/index.js`:
- Line 214: The hostname extraction on line 214 uses a naive split(":")[0]
approach that fails to properly parse IPv6 addresses, causing them to be
misparsed and potentially misclassified as DNS errors. Replace this splitting
logic with a robust host parsing method that correctly handles both IPv4
addresses with optional ports (e.g., "example.com:3000") and IPv6 addresses in
bracket notation (e.g., "[::1]:3000"). Consider using Node's URL class or a
dedicated host-parsing library to extract the hostname from the
ctx.clientToProxyRequest?.headers?.host value.
In `@src/rq-proxy.ts`:
- Around line 74-77: The setAllowInsecureCerts method in the RQProxy class does
not persist the toggle value if proxyMiddlewareManager is not yet initialized,
causing early toggles to be lost. Add a property to the RQProxy class to store
the insecure certs boolean value. Update the setAllowInsecureCerts method to
store the value on the RQProxy instance in addition to calling the middleware
manager's method. Then, when proxyMiddlewareManager is created during
initialization, replay the stored toggle value by calling its
setAllowInsecureCerts method with the persisted value to ensure the setting is
applied regardless of timing.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 465a8e9c-5b04-4335-ac8c-15342a27821b
⛔ Files ignored due to path filters (7)
dist/components/proxy-middleware/helpers/handleUnreachableAddress.d.tsis excluded by!**/dist/**dist/components/proxy-middleware/helpers/handleUnreachableAddress.jsis excluded by!**/dist/**dist/components/proxy-middleware/index.d.tsis excluded by!**/dist/**dist/components/proxy-middleware/index.jsis excluded by!**/dist/**dist/rq-proxy.d.tsis excluded by!**/dist/**dist/rq-proxy.jsis excluded by!**/dist/**dist/types/index.d.tsis excluded by!**/dist/**
📒 Files selected for processing (4)
src/components/proxy-middleware/helpers/handleUnreachableAddress.jssrc/components/proxy-middleware/index.jssrc/rq-proxy.tssrc/types/index.ts
- handleUnreachableAddress.js: HTML-escape host/code before embedding into the
cert-error and unreachable error pages (prevents reflected markup/script
injection via a crafted request URL/host header).
- index.js: parse the upstream hostname via URL() (strip IPv6 brackets/port)
instead of split(":")[0], so IPv6 hosts aren't misclassified as
ERR_NAME_NOT_RESOLVED.
- rq-proxy.ts: remember allowInsecureCerts on RQProxy and replay it once the
middleware manager is created, so a toggle set before init isn't lost.
Rebuilt dist. Verified: malicious host is escaped in the error page; IPv6
host parsing (host:port, [::1]:443, [2001:db8::1]) resolves correctly.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2 participants
Security fix for RQ-2425 (Critical). Part of a 3-repo change (proxy + desktop-app + interceptor web app) — should merge together.
What
rejectUnauthorized = falsewith!proxyConfig.allowInsecureCerts— verify upstream TLS by default.setAllowInsecureCerts()live setter on RQProxy/ProxyMiddlewareManager so the desktop toggle applies to the running proxy without a restart.CERT_HAS_EXPIRED→ERR_CERT_DATE_INVALID, self-signed→ERR_CERT_AUTHORITY_INVALID, …) instead of a misleadingERR_NAME_NOT_RESOLVED; fix the DNS-unreachable check to use a clean hostname.Verified
End-to-end through the running proxy: bad-cert hosts (expired/self-signed) fail with default-on verification (502) and load when the toggle is on; valid certs unaffected; toggle flips live with no restart.
Summary by CodeRabbit
New Features
Bug Fixes