fix: harden SSL_CERT_FILE support with Content-Length, redirects, and broader coverage

mtorp · mtorp · commit 354b0bf18c74 · 2026-03-20T09:54:09.000+01:00
- Set Content-Length header for POST bodies in httpsRequest path to avoid
  chunked transfer encoding divergence from fetch()
- Follow 3xx redirects in httpsRequest path to match fetch() behavior
- Route all fetch calls through apiFetch (GitHub API, npm registry)
- Add debug logging when certificate file read fails
diff --git a/src/commands/scan/create-scan-from-github.mts b/src/commands/scan/create-scan-from-github.mts
@@ -16,6 +16,7 @@ import { confirm, select } from '@socketsecurity/registry/lib/prompts'
 import { fetchSupportedScanFileNames } from './fetch-supported-scan-file-names.mts'
 import { handleCreateNewScan } from './handle-create-new-scan.mts'
 import constants from '../../constants.mts'
+import { apiFetch } from '../../utils/api.mts'
 import { debugApiRequest, debugApiResponse } from '../../utils/debug.mts'
 import { formatErrorWithDetail } from '../../utils/errors.mts'
 import { isReportSupportedFile } from '../../utils/glob.mts'
@@ -402,7 +403,7 @@ async function downloadManifestFile({
   debugApiRequest('GET', fileUrl)
   let downloadUrlResponse: Response
   try {
-    downloadUrlResponse = await fetch(fileUrl, {
+    downloadUrlResponse = await apiFetch(fileUrl, {
       method: 'GET',
       headers: {
         Authorization: `Bearer ${githubToken}`,
@@ -466,7 +467,7 @@ async function streamDownloadWithFetch(
 
   try {
     debugApiRequest('GET', downloadUrl)
-    response = await fetch(downloadUrl)
+    response = await apiFetch(downloadUrl)
     debugApiResponse('GET', downloadUrl, response.status)
 
     if (!response.ok) {
@@ -567,7 +568,7 @@ async function getLastCommitDetails({
   debugApiRequest('GET', commitApiUrl)
   let commitResponse: Response
   try {
-    commitResponse = await fetch(commitApiUrl, {
+    commitResponse = await apiFetch(commitApiUrl, {
       headers: {
         Authorization: `Bearer ${githubToken}`,
       },
@@ -679,7 +680,7 @@ async function getRepoDetails({
   let repoDetailsResponse: Response
   try {
     debugApiRequest('GET', repoApiUrl)
-    repoDetailsResponse = await fetch(repoApiUrl, {
+    repoDetailsResponse = await apiFetch(repoApiUrl, {
       method: 'GET',
       headers: {
         Authorization: `Bearer ${githubToken}`,
@@ -743,7 +744,7 @@ async function getRepoBranchTree({
   let treeResponse: Response
   try {
     debugApiRequest('GET', treeApiUrl)
-    treeResponse = await fetch(treeApiUrl, {
+    treeResponse = await apiFetch(treeApiUrl, {
       method: 'GET',
       headers: {
         Authorization: `Bearer ${githubToken}`,
diff --git a/src/utils/api.mts b/src/utils/api.mts
@@ -50,6 +50,7 @@ import type {
   SocketSdkSuccessResult,
 } from '@socketsecurity/sdk'
 
+const MAX_REDIRECTS = 20
 const NO_ERROR_MESSAGE = 'No error message returned'
 
 // Cached HTTPS agent for extra CA certificate support in direct API calls.
@@ -73,27 +74,61 @@ function getHttpsAgent(): HttpsAgent | undefined {
 
 // Wrapper around fetch that supports extra CA certificates via SSL_CERT_FILE.
 // Uses node:https.request with a custom agent when extra CA certs are needed,
-// falling back to regular fetch() otherwise.
-type ApiFetchInit = {
+// falling back to regular fetch() otherwise. Follows redirects like fetch().
+export type ApiFetchInit = {
   body?: string | undefined
   headers?: Record<string, string> | undefined
   method?: string | undefined
 }
 
-async function apiFetch(url: string, init: ApiFetchInit): Promise<Response> {
-  const agent = getHttpsAgent()
-  if (!agent) {
-    return await fetch(url, init as globalThis.RequestInit)
-  }
-  return await new Promise((resolve, reject) => {
+// Internal httpsRequest-based fetch with redirect support.
+function _httpsRequestFetch(
+  url: string,
+  init: ApiFetchInit,
+  agent: HttpsAgent,
+  redirectCount: number,
+): Promise<Response> {
+  return new Promise((resolve, reject) => {
+    const headers: Record<string, string> = { ...init.headers }
+    // Set Content-Length for request bodies to avoid chunked transfer encoding.
+    if (init.body) {
+      headers['content-length'] = String(Buffer.byteLength(init.body))
+    }
     const req = httpsRequest(
       url,
       {
         method: init.method || 'GET',
-        headers: init.headers,
+        headers,
         agent,
       },
       res => {
+        const { statusCode } = res
+        // Follow redirects to match fetch() behavior.
+        if (
+          statusCode &&
+          statusCode >= 300 &&
+          statusCode < 400 &&
+          res.headers['location']
+        ) {
+          // Consume the response body to free up memory.
+          res.resume()
+          if (redirectCount >= MAX_REDIRECTS) {
+            reject(new Error('Maximum redirect limit reached'))
+            return
+          }
+          const redirectUrl = new URL(res.headers['location'], url).href
+          // 307 and 308 preserve the original method and body.
+          const preserveMethod = statusCode === 307 || statusCode === 308
+          resolve(
+            _httpsRequestFetch(
+              redirectUrl,
+              preserveMethod ? init : { headers: init.headers, method: 'GET' },
+              agent,
+              redirectCount + 1,
+            ),
+          )
+          return
+        }
         const chunks: Buffer[] = []
         res.on('data', (chunk: Buffer) => chunks.push(chunk))
         res.on('end', () => {
@@ -110,7 +145,7 @@ async function apiFetch(url: string, init: ApiFetchInit): Promise<Response> {
           }
           resolve(
             new Response(body, {
-              status: res.statusCode ?? 0,
+              status: statusCode ?? 0,
               statusText: res.statusMessage ?? '',
               headers: responseHeaders,
             }),
@@ -127,6 +162,17 @@ async function apiFetch(url: string, init: ApiFetchInit): Promise<Response> {
   })
 }
 
+export async function apiFetch(
+  url: string,
+  init: ApiFetchInit = {},
+): Promise<Response> {
+  const agent = getHttpsAgent()
+  if (!agent) {
+    return await fetch(url, init as globalThis.RequestInit)
+  }
+  return await _httpsRequestFetch(url, init, agent, 0)
+}
+
 export type CommandRequirements = {
   permissions?: string[] | undefined
   quota?: number | undefined
diff --git a/src/utils/api.test.mts b/src/utils/api.test.mts
@@ -337,4 +337,115 @@ describe('apiFetch with extra CA certificates', () => {
 
     expect(result.ok).toBe(true)
   })
+
+  it('should set Content-Length header for POST requests through https.request', async () => {
+    const caCerts = ['ROOT_CERT', 'EXTRA_CERT']
+    mockGetExtraCaCerts.mockReturnValue(caCerts)
+
+    const mockReq = {
+      end: vi.fn(),
+      on: vi.fn(),
+      write: vi.fn(),
+    }
+
+    mockHttpsRequest.mockImplementation(
+      (_url: string, _opts: unknown, callback: RequestCallback) => {
+        setTimeout(() => {
+          const mockRes = {
+            headers: { 'content-type': 'application/json' },
+            on: vi.fn(),
+            statusCode: 200,
+            statusMessage: 'OK',
+          }
+          const handlers: Record<string, Function> = {}
+          mockRes.on.mockImplementation((event: string, handler: Function) => {
+            handlers[event] = handler
+            return mockRes
+          })
+          callback(mockRes)
+          handlers['data']?.(Buffer.from('{"result":"ok"}'))
+          handlers['end']?.()
+        }, 0)
+        return mockReq
+      },
+    )
+
+    const { sendApiRequest } = await import('./api.mts')
+    await sendApiRequest('test/path', {
+      body: { key: 'value' },
+      method: 'POST',
+    })
+
+    // Verify Content-Length header was set in the request options.
+    const callArgs = mockHttpsRequest.mock.calls[0]
+    const requestHeaders = callArgs[1].headers
+    expect(requestHeaders['content-length']).toBe(
+      String(Buffer.byteLength('{"key":"value"}')),
+    )
+  })
+
+  it('should follow redirects in https.request path', async () => {
+    const caCerts = ['ROOT_CERT', 'EXTRA_CERT']
+    mockGetExtraCaCerts.mockReturnValue(caCerts)
+
+    const mockReq = {
+      end: vi.fn(),
+      on: vi.fn(),
+      write: vi.fn(),
+    }
+
+    // First call: return a 302 redirect.
+    mockHttpsRequest.mockImplementationOnce(
+      (_url: string, _opts: unknown, callback: RequestCallback) => {
+        setTimeout(() => {
+          const mockRes = {
+            headers: { location: 'https://api.socket.dev/v0/redirected' },
+            on: vi.fn(),
+            resume: vi.fn(),
+            statusCode: 302,
+            statusMessage: 'Found',
+          }
+          callback(mockRes as any)
+        }, 0)
+        return mockReq
+      },
+    )
+
+    // Second call: return the actual response.
+    mockHttpsRequest.mockImplementationOnce(
+      (_url: string, _opts: unknown, callback: RequestCallback) => {
+        setTimeout(() => {
+          const mockRes = {
+            headers: { 'content-type': 'text/plain' },
+            on: vi.fn(),
+            statusCode: 200,
+            statusMessage: 'OK',
+          }
+          const handlers: Record<string, Function> = {}
+          mockRes.on.mockImplementation((event: string, handler: Function) => {
+            handlers[event] = handler
+            return mockRes
+          })
+          callback(mockRes)
+          handlers['data']?.(Buffer.from('redirected response'))
+          handlers['end']?.()
+        }, 0)
+        return mockReq
+      },
+    )
+
+    const { queryApiSafeText } = await import('./api.mts')
+    const result = await queryApiSafeText('test/path', 'test request')
+
+    // Should have made two https requests: original and redirect.
+    expect(mockHttpsRequest).toHaveBeenCalledTimes(2)
+    // Second call should be to the redirected URL.
+    expect(mockHttpsRequest.mock.calls[1][0]).toBe(
+      'https://api.socket.dev/v0/redirected',
+    )
+    expect(result.ok).toBe(true)
+    if (result.ok) {
+      expect(result.data).toBe('redirected response')
+    }
+  })
 })
diff --git a/src/utils/dlx-binary.mts b/src/utils/dlx-binary.mts
@@ -31,6 +31,7 @@ import { readJson } from '@socketsecurity/registry/lib/fs'
 import { spawn } from '@socketsecurity/registry/lib/spawn'
 
 import constants from '../constants.mts'
+import { apiFetch } from './api.mts'
 import { InputError } from './errors.mts'
 
 import type {
@@ -117,7 +118,7 @@ async function downloadBinary(
   destPath: string,
   checksum?: string,
 ): Promise<string> {
-  const response = await fetch(url)
+  const response = await apiFetch(url)
   if (!response.ok) {
     throw new InputError(
       `Failed to download binary: ${response.status} ${response.statusText}`,
diff --git a/src/utils/sdk.mts b/src/utils/sdk.mts
@@ -31,6 +31,7 @@ import { rootCertificates } from 'node:tls'
 import { HttpProxyAgent, HttpsProxyAgent } from 'hpagent'
 
 import isInteractive from '@socketregistry/is-interactive/index.cjs'
+import { debugFn } from '@socketsecurity/registry/lib/debug'
 import { logger } from '@socketsecurity/registry/lib/logger'
 import { password } from '@socketsecurity/registry/lib/prompts'
 import { isNonEmptyString } from '@socketsecurity/registry/lib/strings'
@@ -98,7 +99,8 @@ export function getExtraCaCerts(): string[] | undefined {
     // in an agent replaces the default trust store, so both must be included.
     _extraCaCerts = [...rootCertificates, extraCerts]
     return _extraCaCerts
-  } catch {
+  } catch (e) {
+    debugFn('warn', `Failed to read certificate file: ${certPath}`, e)
     return undefined
   }
 }
diff --git a/src/utils/sdk.test.mts b/src/utils/sdk.test.mts
@@ -77,6 +77,12 @@ vi.mock('./debug.mts', () => ({
   debugApiResponse: mockDebugApiResponse,
 }))
 
+// Mock registry debug functions used by getExtraCaCerts.
+vi.mock('@socketsecurity/registry/lib/debug', () => ({
+  debugDir: vi.fn(),
+  debugFn: vi.fn(),
+}))
+
 // Mock config.
 const mockGetConfigValueOrUndef = vi.hoisted(() => vi.fn(() => undefined))
 vi.mock('./config.mts', () => ({
