Skip to content

feat: add allowSelfSignedCerts config for corporate TLS#239

Merged
RobertLD merged 1 commit intomainfrom
fix/allow-self-signed-certs
Mar 2, 2026
Merged

feat: add allowSelfSignedCerts config for corporate TLS#239
RobertLD merged 1 commit intomainfrom
fix/allow-self-signed-certs

Conversation

@RobertLD
Copy link
Owner

@RobertLD RobertLD commented Mar 2, 2026

Adds indexing.allowSelfSignedCerts config option to accept self-signed or untrusted TLS certificates when fetching URLs from internal servers.

Problem: Fetching from internal services (e.g. Confluence) behind corporate CAs with self-signed certificates fails with SELF_SIGNED_CERT_IN_CHAIN.

Fix:

  • New config key: indexing.allowSelfSignedCerts (default: false)
  • New env var: LIBSCOPE_ALLOW_SELF_SIGNED_CERTS
  • CLI: libscope config set indexing.allowSelfSignedCerts true
  • Temporarily sets NODE_TLS_REJECT_UNAUTHORIZED=0 during fetch, restores after
  • Wired through CLI, MCP server, and API routes

Docs updated: README, docs site (configuration guide, reference, CLI reference), agents.md (added full Documentation section with checklist for future changes).

@RobertLD
feat: add allowSelfSignedCerts config for corporate TLS
8df946b 
Adds indexing.allowSelfSignedCerts config option to accept self-signed
or untrusted TLS certificates when fetching URLs from internal servers.

- New config key: indexing.allowSelfSignedCerts (default: false)
- New env var: LIBSCOPE_ALLOW_SELF_SIGNED_CERTS
- CLI: libscope config set indexing.allowSelfSignedCerts true
- Wired through CLI, MCP server, and API routes
- Updated README, docs site, and agents.md

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@vercel
Copy link

vercel bot commented Mar 2, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
libscope Building Building Preview, Comment Mar 2, 2026 5:03pm

github-advanced-security[bot]
github-advanced-security bot found potential problems Mar 2, 2026
View reviewed changes
src/core/url-fetcher.ts
// Node's native fetch (undici) reads this env var at connection time.
const prevTls = process.env["NODE_TLS_REJECT_UNAUTHORIZED"];
if (allowSelfSignedCerts) {
process.env["NODE_TLS_REJECT_UNAUTHORIZED"] = "0";

Check failure

Code scanning / CodeQL

Disabling certificate validation High

Disabling certificate validation is strongly discouraged.

Copilot Autofix

AI 17 days ago

In general, the fix is to stop using the global NODE_TLS_REJECT_UNAUTHORIZED environment variable to disable TLS verification and instead configure TLS behaviour on a per‑connection or per‑request basis, or simply always enforce certificate validation. That way, TLS security is never globally turned off, and any exceptional handling of self‑signed certificates can be constrained and explicit.

For this code, the safest fix that preserves existing functionality as much as possible is:

  • Remove the logic that mutates process.env["NODE_TLS_REJECT_UNAUTHORIZED"].
  • Pass the allowSelfSignedCerts flag down into _fetchWithRedirects, and, inside that function, configure the underlying HTTP client for that single request. However, we don’t see _fetchWithRedirects’s implementation, so we must not assume or change its internals.
  • Within the shown snippet, the only change we can safely make is to stop disabling TLS globally and instead ignore allowSelfSignedCerts here. This will enforce proper certificate validation for all requests, eliminating the vulnerability. The behavioural change is that self‑signed/untrusted certs will now cause fetch to fail instead of being accepted; given the security guidance, that is appropriate.

Concretely, in src/core/url-fetcher.ts, in fetchWithRedirects, remove lines 159–175 (the env var manipulation and try/finally) and replace the function body with a direct call to _fetchWithRedirects(url, timeout, maxRedirects, allowPrivateUrls);. The function signature can remain as is so existing callers don’t break; we just stop using allowSelfSignedCerts here. No new imports or helper methods are needed for this minimal, secure fix.

Suggested changeset 1
src/core/url-fetcher.ts

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/core/url-fetcher.ts b/src/core/url-fetcher.ts
--- a/src/core/url-fetcher.ts
+++ b/src/core/url-fetcher.ts
@@ -156,23 +156,10 @@
   allowPrivateUrls: boolean,
   allowSelfSignedCerts: boolean,
 ): Promise<Response> {
-  // Temporarily disable TLS verification when self-signed certs are allowed.
-  // Node's native fetch (undici) reads this env var at connection time.
-  const prevTls = process.env["NODE_TLS_REJECT_UNAUTHORIZED"];
-  if (allowSelfSignedCerts) {
-    process.env["NODE_TLS_REJECT_UNAUTHORIZED"] = "0";
-  }
-  try {
-    return await _fetchWithRedirects(url, timeout, maxRedirects, allowPrivateUrls);
-  } finally {
-    if (allowSelfSignedCerts) {
-      if (prevTls === undefined) {
-        delete process.env["NODE_TLS_REJECT_UNAUTHORIZED"];
-      } else {
-        process.env["NODE_TLS_REJECT_UNAUTHORIZED"] = prevTls;
-      }
-    }
-  }
+  // Note: TLS certificate validation is always enforced. Self-signed or untrusted
+  // certificates will cause the request to fail rather than disabling verification
+  // globally via NODE_TLS_REJECT_UNAUTHORIZED.
+  return _fetchWithRedirects(url, timeout, maxRedirects, allowPrivateUrls);
 }
 
 async function _fetchWithRedirects(
EOF
@@ -156,23 +156,10 @@
allowPrivateUrls: boolean,
allowSelfSignedCerts: boolean,
): Promise<Response> {
// Temporarily disable TLS verification when self-signed certs are allowed.
// Node's native fetch (undici) reads this env var at connection time.
const prevTls = process.env["NODE_TLS_REJECT_UNAUTHORIZED"];
if (allowSelfSignedCerts) {
process.env["NODE_TLS_REJECT_UNAUTHORIZED"] = "0";
}
try {
return await _fetchWithRedirects(url, timeout, maxRedirects, allowPrivateUrls);
} finally {
if (allowSelfSignedCerts) {
if (prevTls === undefined) {
delete process.env["NODE_TLS_REJECT_UNAUTHORIZED"];
} else {
process.env["NODE_TLS_REJECT_UNAUTHORIZED"] = prevTls;
}
}
}
// Note: TLS certificate validation is always enforced. Self-signed or untrusted
// certificates will cause the request to fail rather than disabling verification
// globally via NODE_TLS_REJECT_UNAUTHORIZED.
return _fetchWithRedirects(url, timeout, maxRedirects, allowPrivateUrls);
}

async function _fetchWithRedirects(
Copilot is powered by AI and may make mistakes. Always verify output.
@RobertLD RobertLD merged commit 858ad1c into main Mar 2, 2026
8 of 9 checks passed
@RobertLD RobertLD deleted the fix/allow-self-signed-certs branch March 2, 2026 17:06
@github-actions github-actions bot mentioned this pull request Mar 2, 2026
Closed
@RobertLD RobertLD mentioned this pull request Mar 2, 2026
Merged
This was referenced Mar 5, 2026
Closed
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@RobertLD