FIX: [CodeQL: SM02184] Server certificate validation disabled in VssUtil.cs #5068
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
martin-toman
previously approved these changes
Dec 19, 2024
|
LGTM, but please verify that this is not a breaking change for customers who use self-signed certificates. |
|
Looking at the code, this may result in a degradation of error logging |
DergachevE
approved these changes
Dec 19, 2024
tarunramsinghani
approved these changes
Dec 19, 2024
merlynomsft
reviewed
Dec 20, 2024
| @@ -167,7 +168,7 @@ private static bool CheckSupportOfCustomServerCertificateValidation(ITraceWriter | |||
| { | |||
| using (var handler = new HttpClientHandler()) | |||
| { | |||
| handler.ServerCertificateCustomValidationCallback = (message, cert, chain, errors) => { return true; }; | |||
| handler.ServerCertificateCustomValidationCallback = (message, cert, chain, errors) => { return errors == SslPolicyErrors.None; }; | |||
There was a problem hiding this comment.
I suspect this is equivalent to not handling the event at all. I agree with the concerns about the impact on self-signed certificates with this change.
There was a problem hiding this comment.
It may be good to add a clarifying comment specifically that we set ServerCertificateCustomValidationCallback only to check to see if GetAsync throws an exception when ServerCertificateCustomValidationCallback - the body of the handler doesn't matter.
not blocking
merlynomsft
requested changes
Dec 20, 2024
tarunramsinghani
approved these changes
Dec 24, 2024
merlynomsft
approved these changes
Dec 26, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Context
The agent SDK logs the SSL diagnostic data into the trace, if there is Support of Custom Server Certificate Validation.
To check whether the current platform and configuration supports custom server certificate validation, the
CheckSupportOfCustomServerCertificateValidationmethod is used in theVssUtil.csfile, which implements a certificate validation callback function which performs a SSL handshake with a test uri namely microsoft.com and is set to always returnstrue.Change Description
The custom server certificate validator function now checks for any SSL errors.
Validation