Skip to content

Commit e2974f6

Browse files
authored
fix(helpViewer): tls certificate validation disabled (#1702)
In src/helpViewer/cran.ts line 17, the code sets `process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0'` to bypass TLS certificate verification. This creates a serious security vulnerability allowing man-in-the-middle attacks when fetching packages from CRAN mirrors. Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
1 parent eba52fc commit e2974f6

1 file changed

Lines changed: 0 additions & 4 deletions

File tree

src/helpViewer/cran.ts

Lines changed: 0 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -25,17 +25,13 @@ export async function getPackagesFromCran(cranUrl: string): Promise<Package[]> {
2525
for(const site of cranSites){
2626
try{
2727
// fetch html
28-
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0'; // seems to fail otherwise?
2928
const res = await fetch(site.url);
3029
const html = await (res).text();
3130

3231
// parse html
3332
packages = site.parseFunction(html, site.url);
3433
} catch(e) {
3534
// These errors are expected, if the repo does not serve a specific URL
36-
} finally {
37-
// make sure to use safe https again
38-
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '1';
3935
}
4036

4137
// break if successfully fetched & parsed

0 commit comments

Comments
 (0)