53 create a container depend directly on authentication and do not invoke as cli #64
Will create merge conflicts with #62, merge that one first.
| method: 'post', | ||
| url: 'https://10.15.0.4:8006/api2/json/access/ticket', | ||
| headers: { 'Content-Type': 'application/x-www-form-urlencoded' }, | ||
| httpsAgent: new https.Agent({ rejectUnauthorized: false }), |
Check failure
Code scanning / CodeQL
Disabling certificate validation High
Copilot Autofix
AI 6 months ago
General approach:
Don't disable certificate validation. Instead, always require HTTPS endpoints to present valid CA-signed certificates. If the upstream server (Proxmox, in this case) uses a self-signed certificate, explicitly trust that certificate by providing its CA file to the HTTPS agent used by axios, instead of blanket disabling validation.
Best fix detail:
Replace rejectUnauthorized: false with the default true (or omit, since true is the default). If the remote server uses a self-signed or private CA, provide a ca parameter to the https.Agent constructor, pointing to a PEM file containing the trusted certificate authority/certificate. Store this CA certificate in a location on disk (e.g., certs/proxmox-ca.pem), load it using fs.readFileSync, and use it in the agent.
Files/regions/lines to change:
Only modify the axios login request in create-a-container/server.js, line 74, and add CA file-reading code above to provide the CA cert for the HTTPS agent if needed. Importantly, do not disable validation at any point.
What is needed:
- Add code at the top to load the CA file into a variable, if a CA cert is required.
- Change the agent initialization in the axios call to use this CA.
- Optionally, provide instructions or a placeholder for users to place their CA cert.
| @@ -13,6 +13,15 @@ | ||
| const qs = require('querystring'); | ||
| const https = require('https'); | ||
|
|
||
| // Load trusted CA certificate to validate Proxmox (use your actual CA file) | ||
| let proxmoxCa; | ||
| try { | ||
| proxmoxCa = fs.readFileSync(path.join(__dirname, 'certs', 'proxmox-ca.pem')); | ||
| } catch (err) { | ||
| console.error("ERROR: Could not load Proxmox CA certificate. Place it at ./certs/proxmox-ca.pem."); | ||
| process.exit(1); | ||
| } | ||
|
|
||
| const app = express(); | ||
| app.use(express.json()); | ||
|
|
||
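Review bot: The catch block around the fs.readFileSync call discards err, and the context lines of this hunk show only the querystring and https requires, so if fs or path is not already required earlier in server.js the resulting ReferenceError would be reported as a missing certificate file. Confirm both modules are required above this block, and include err.message in the console.error output so that a permissions or path problem can be told apart from an absent file. The location certs/proxmox-ca.pem is also fixed relative to __dirname; reading the path from an environment variable with this value as the default would let deployments keep the CA file outside the source tree.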
| @@ -71,7 +80,7 @@ | ||
| method: 'post', | ||
| url: 'https://10.15.0.4:8006/api2/json/access/ticket', | ||
| headers: { 'Content-Type': 'application/x-www-form-urlencoded' }, | ||
| httpsAgent: new https.Agent({ rejectUnauthorized: false }), | ||
| httpsAgent: new https.Agent({ ca: proxmoxCa }), | ||
| data: qs.stringify({ username: username + '@pve', password: password }) | ||
| }); | ||
|
|
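Review bot: The unchanged url line still addresses the server as 10.15.0.4, and with verification back on Node checks the certificate identity against that IP address, so the Proxmox certificate must list 10.15.0.4 as an IP subject alternative name or every login request will fail with a certificate error. Confirm that the certificate issued under the CA in proxmox-ca.pem carries that IP SAN, or change the URL to a hostname the certificate covers. The https.Agent is also constructed inline in the request options; building it once next to the proxmoxCa load and reusing it here keeps the trust configuration in one place.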
Merging with #62
Closes #53