HTTPS validation

[pocallaghan]

My Mac by default doesn't have any root certs available for PHP/curl. How would you feel about adding something like:

curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);

We could add an option to enable it if you prefer, but verifying the SSL doesn't seem massively important for a security scanning tool. Happy to make a pull request this evening, just wanted to check your thoughts.

[colinodell]

👍 I like the idea of making it an option.

[pocallaghan]

I guess it would make sense to mirror the curl interface -k, --insecure.

[steverobbins]

👍

I'd like to see your take on how to include it as an option. Passing it from ScanCommand into all the Request instances might be tricky. This whole project could use some refactoring, but that's another topic. I'm also okay with it being option-less.

[pocallaghan]

@steverobbins I think if I was to have a crack at adding the option, my preferred option would be to refactor to create the Request object in ScanCommand and (dependency) inject it into each of the MageScan/Check classes. It'd probably be easier to write tests on the check classes then too.

[pocallaghan]

@steverobbins I made a quick PoC of how'd I'd probably go about doing it, you can see it one my fork feature/insecure.

Disclaimer: I just quickly moved some code about as a proof of concept, I've not even ran the command since doing it so there could well be issues.