Skip to content
This repository has been archived by the owner on Jul 24, 2024. It is now read-only.

Commit

Permalink
Set rejectUnauthorized to true by default (#3149)
Browse files Browse the repository at this point in the history
Resolve CVE-2020-240-25 by setting rejectUnauthorized to true by default.

Add configuration flag to override this to false if necessary.

extract rejectUnauthorized download option to its own file.

Add doc option to README.md.
  • Loading branch information
sanderson-ut authored Nov 28, 2021
1 parent e80d4af commit 0a21792
Show file tree
Hide file tree
Showing 4 changed files with 121 additions and 10 deletions.
15 changes: 9 additions & 6 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -596,12 +596,13 @@ When compiling a directory `--source-map` can either be a boolean value or a dir

node-sass supports different configuration parameters to change settings related to the sass binary such as binary name, binary path or alternative download path. Following parameters are supported by node-sass:

Variable name | .npmrc parameter | Process argument | Value
-----------------|------------------|--------------------|------
SASS_BINARY_NAME | sass_binary_name | --sass-binary-name | path
SASS_BINARY_SITE | sass_binary_site | --sass-binary-site | URL
SASS_BINARY_PATH | sass_binary_path | --sass-binary-path | path
SASS_BINARY_DIR | sass_binary_dir | --sass-binary-dir | path
Variable name | .npmrc parameter | Process argument | Value
-------------------------|--------------------------|----------------------------|------
SASS_BINARY_NAME | sass_binary_name | --sass-binary-name | path
SASS_BINARY_SITE | sass_binary_site | --sass-binary-site | URL
SASS_BINARY_PATH | sass_binary_path | --sass-binary-path | path
SASS_BINARY_DIR | sass_binary_dir | --sass-binary-dir | path
SASS_REJECT_UNAUTHORIZED | sass_reject_unauthorized | --sass-reject-unauthorized | value

These parameters can be used as environment variable:

Expand All @@ -615,6 +616,8 @@ As a process argument:

* E.g. `npm install node-sass --sass-binary-site=http://example.com/`

If you are using self-signed certificates for your binary then `SASS_REJECT_UNAUTHORIZED` will override (rejectUnauthorized)[https://nodejs.org/docs/latest/api/tls.html#tls_tls_createserver_options_secureconnectionlistener].

## Post-install Build

Install runs only two Mocha tests to see if your machine can use the pre-built [LibSass] which will save some time during install. If any tests fail it will build from source.
Expand Down
5 changes: 3 additions & 2 deletions scripts/util/downloadoptions.js
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
var proxy = require('./proxy'),
userAgent = require('./useragent');
userAgent = require('./useragent'),
rejectUnauthorized = require('./rejectUnauthorized');

/**
* The options passed to request when downloading the bibary
Expand All @@ -14,7 +15,7 @@ var proxy = require('./proxy'),
*/
module.exports = function() {
var options = {
rejectUnauthorized: false,
rejectUnauthorized: rejectUnauthorized(),
timeout: 60000,
headers: {
'User-Agent': userAgent(),
Expand Down
46 changes: 46 additions & 0 deletions scripts/util/rejectUnauthorized.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,46 @@
var pkg = require('../../package.json');

/**
* Get the value of a CLI argument
*
* @param {String} name
* @param {Array} args
* @api private
*/
function getArgument(name, args) {
var flags = args || process.argv.slice(2),
index = flags.lastIndexOf(name);

if (index === -1 || index + 1 >= flags.length) {
return null;
}

return flags[index + 1];
}

/**
* Get the value of reject-unauthorized
* If environment variable SASS_REJECT_UNAUTHORIZED is non-zero,
* .npmrc variable sass_reject_unauthorized or
* process argument --sass-reject_unauthorized is provided,
* set rejectUnauthorized to true
* Else set to false by default
*
* @return {Boolean} The value of rejectUnauthorized
* @api private
*/
module.exports = function() {
var rejectUnauthorized = false;

if (getArgument('--sass-reject-unauthorized')) {
rejectUnauthorized = getArgument('--sass-reject-unauthorized');
} else if (process.env.SASS_REJECT_UNAUTHORIZED !== '0') {
rejectUnauthorized = true;
} else if (process.env.npm_config_sass_reject_unauthorized) {
rejectUnauthorized = process.env.npm_config_sass_reject_unauthorized;
} else if (pkg.nodeSassConfig && pkg.nodeSassConfig.rejectUnauthorized) {
rejectUnauthorized = pkg.nodeSassConfig.rejectUnauthorized;
}

return rejectUnauthorized;
};
65 changes: 63 additions & 2 deletions test/downloadoptions.js
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ describe('util', function() {
describe('without a proxy', function() {
it('should look as we expect', function() {
var expected = {
rejectUnauthorized: false,
rejectUnauthorized: true,
timeout: 60000,
headers: {
'User-Agent': ua(),
Expand All @@ -33,7 +33,7 @@ describe('util', function() {

it('should look as we expect', function() {
var expected = {
rejectUnauthorized: false,
rejectUnauthorized: true,
proxy: proxy,
timeout: 60000,
headers: {
Expand All @@ -57,6 +57,25 @@ describe('util', function() {
delete process.env.HTTP_PROXY;
});

it('should look as we expect', function() {
var expected = {
rejectUnauthorized: true,
timeout: 60000,
headers: {
'User-Agent': ua(),
},
encoding: null,
};

assert.deepStrictEqual(opts(), expected);
});
});

describe('with SASS_REJECT_UNAUTHORIZED set to false', function() {
beforeEach(function() {
process.env.SASS_REJECT_UNAUTHORIZED = '0';
});

it('should look as we expect', function() {
var expected = {
rejectUnauthorized: false,
Expand All @@ -70,5 +89,47 @@ describe('util', function() {
assert.deepStrictEqual(opts(), expected);
});
});

describe('with SASS_REJECT_UNAUTHORIZED set to true', function() {
beforeEach(function() {
process.env.SASS_REJECT_UNAUTHORIZED = '1';
});

it('should look as we expect', function() {
var expected = {
rejectUnauthorized: true,
timeout: 60000,
headers: {
'User-Agent': ua(),
},
encoding: null,
};

assert.deepStrictEqual(opts(), expected);
});
});

describe('with npm_config_sass_reject_unauthorized set to true', function() {
beforeEach(function() {
process.env.npm_config_sass_reject_unauthorized = true;
});

it('should look as we expect', function() {
var expected = {
rejectUnauthorized: true,
timeout: 60000,
headers: {
'User-Agent': ua(),
},
encoding: null,
};

assert.deepStrictEqual(opts(), expected);
});

afterEach(function() {
process.env.npm_config_sass_reject_unauthorized = undefined;
});
});
});
});

0 comments on commit 0a21792

Please sign in to comment.