Added 'rejectUnauthorized' to support self-signed TLS certificates #567
Conversation
really? blindly adding that option should be no solution... if @cuongvo is using a self-signed certificate he should import that so https is working correctly.
There is not much leeway for users behind corporate firewalls anyway. From our part, we are opting for most lenient settings, so our install script can grab libsass binary.
Well, the point of https and server certificates is that you can trust the server and not a man-in-the-middle. And this change disabled this. At least it could be optional (e.g. use an env var like for proxy settings). But I have to say that I don't know how corporate firewalls usually work with https.
Bumping this after 6 years:
Applying this insecure flag by default only to make optional binary configuration parameters work is not ideal. Since the Lines 242 to 250 in 5a4a48a
I understand this, but you should at least consider letting node-sass users know the risk in the README section. This should be treated as a security bug.
Shall we revert this?
Agreed this should be optional and clearly documented. This is a path for folks who have issues with the install and are knowingly bypassing certificate verification. Normal users should have the secure path by default. 6 years ago me shouldn't have sent in this PR 😅 I don't have the context on the impact of reverting this change. It may be worth considering this more thoroughly. I can see this breaking users who depend on this being insecure for their build servers and releases in internal environments that will need to modify code.
Wouldn't it be enough to check if the user has set either: Lines 243 to 246 in 5a4a48a
If that's the case apply the
Hi, is there a fix for CVE-2020-24025? thanks in advance!
Version 5.0.0 was released in August, but through reading the source code of 5.0.0, we found that this issue is still unresolved. Is there a plan to fix this issue? |
Function: Fixes str-slice behavior (sass#565)
Per #566