fix(offload): enable TLS verification by default; add env opt-out + CA path#42
Open
YOMXXX wants to merge 1 commit into
The offload backend client (src/offload/backend-client.ts) unconditionally
set rejectUnauthorized: false on every HTTPS request, fully bypassing TLS
certificate validation. Any MITM on the network path between the daemon and
the configured https://... offload backend could read or tamper with:
- L1/L1.5/L2/L4 tool-call summaries and full task history
- the Authorization: Bearer <apiKey> header
- the X-User-Id / X-Task-Id identity headers
Backend responses (L1 summaries, L2 task graphs, L4 skills) are written to
the user's data directory, so a tampered response is a memory-poisoning
vector too.
This change reverts the default to "secure" (full chain validation against
the system trust store) and exposes two opt-ins via environment variables,
both resolved once at BackendClient construction:
- TDAI_OFFLOAD_INSECURE_TLS=1
  Disable rejectUnauthorized. A loud warning is logged so the operator
  cannot accidentally ship this to production. Intended only for local
  development against a self-signed backend.
- TDAI_OFFLOAD_CA_PEM_PATH=<path-to-ca.pem>
  Load a custom CA certificate so a self-signed backend can be trusted
  *without* disabling validation. Mirrors the caPemPath option on
  src/core/store/tcvdb-client.ts (which already gets this right).
  A missing or unreadable CA file degrades gracefully to the system trust
  store with a warning, so a misconfigured path cannot brick a running daemon.
Closes Tencent#8.
Tests: new src/offload/__tests__/backend-client-tls.test.ts — 7 cases
covering the secure default, INSECURE_TLS opt-in + warning, CA load
success / failure paths, both-set composition, and construction-time
resolution (subsequent env mutation does not retroactively affect the
existing instance).
Signed-off-by: 李冠辰 <liguanchen@xiaomi.com>
Summary
Fix CWE-295 (Improper Certificate Validation) in the offload backend client. Closes #8.
Background
src/offload/backend-client.ts previously passed rejectUnauthorized: false unconditionally on every HTTPS request, so any MITM on the network path could read or tamper with:
- the Authorization: Bearer <apiKey> header
- the X-User-Id / X-Task-Id identity headers
src/core/store/tcvdb-client.ts already gets this right (it loads a self-signed CA via caPemPath); the rejectUnauthorized: false in backend-client is a historical oversight.
Fix
Revert the default to secure (full chain validation against the system trust store) and provide opt-ins through two environment variables:
- TDAI_OFFLOAD_INSECURE_TLS=1: disables rejectUnauthorized. A loud warning is logged at construction so operators cannot accidentally carry this into production. Only for local development against a self-signed backend.
- TDAI_OFFLOAD_CA_PEM_PATH=<path>: consistent with caPemPath in tcvdb-client.ts.
Both values are resolved once inside the BackendClient constructor and cached in this.tlsOptions; the request hot path no longer reads env, so the daemon's TLS posture is stable and auditable for its whole lifetime. If the CA file does not exist or cannot be read, the client falls back to the system trust store with a warning and does not make the daemon fail to start.
Tests
New src/offload/__tests__/backend-client-tls.test.ts (7 cases):
- TDAI_OFFLOAD_INSECURE_TLS=1 → rejectUnauthorized: false + warn
- TDAI_OFFLOAD_INSECURE_TLS not the literal "1" ("true" / "yes" / "0" / empty / with surrounding whitespace) → ignored, stays secure
- TDAI_OFFLOAD_CA_PEM_PATH=<readable> → CA bytes loaded into tlsOptions.ca, info log, validation not disabled
- TDAI_OFFLOAD_CA_PEM_PATH=<nonexistent> → warn + fall back to system trust store, constructor does not throw
Out of scope
- Unifying the TLS handling style with tcvdb-client.ts (migrating to an undici Agent): backend-client currently uses the native https module and rewriting the transport is high risk, so the original transport is kept and only TLS fields are added to the options.
- A BackendClient constructor parameter: the constructor signature is positional, adding a parameter breaks backward compatibility, and the env path is more stable.
DCO
Commit de35946 carries Signed-off-by: 李冠辰 <liguanchen@xiaomi.com>.
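The construction-time TLS resolution this PR describes (secure default, literal-"1" opt-out with a warning, CA path that extends trust without disabling validation and degrades to the system store when unreadable, env read once and cached rather than on the request hot path), shown as an added TypeScript illustration. This is not the PR's diff or the project's code: the names resolveTlsOptions, TlsEnv, Logger, FileReader and OffloadClientTls, the injected file-reader hook, the log wording and the order in which the two variables are applied are all assumptions.

```typescript
// Added illustration of the PR's env-driven TLS policy; not the PR's own code.
// Assumed names: TlsOptions, TlsEnv, Logger, FileReader, resolveTlsOptions, OffloadClientTls.
import { readFileSync } from "node:fs";

/** The two TLS-relevant fields that get merged into https.request() options. */
export interface TlsOptions {
  rejectUnauthorized: boolean;
  ca?: Buffer;
}

/** Minimal logger shape (assumed); the real client's logger may differ. */
export interface Logger {
  info(msg: string): void;
  warn(msg: string): void;
}

/** Snapshot of the two environment variables the PR introduces. */
export interface TlsEnv {
  TDAI_OFFLOAD_INSECURE_TLS?: string;
  TDAI_OFFLOAD_CA_PEM_PATH?: string;
}

/** File-reader hook (assumed) so tests can avoid the real filesystem. */
export type FileReader = (path: string) => Buffer;

export function resolveTlsOptions(
  env: TlsEnv,
  log: Logger,
  readFile: FileReader = (p) => readFileSync(p),
): TlsOptions {
  // Secure default: full chain validation against the system trust store.
  const opts: TlsOptions = { rejectUnauthorized: true };

  // Custom CA: extends trust without disabling validation. A missing or
  // unreadable file degrades to the system store with a warning instead of
  // throwing, so a bad path cannot stop the daemon from starting.
  const caPath = env.TDAI_OFFLOAD_CA_PEM_PATH;
  if (caPath) {
    try {
      opts.ca = readFile(caPath);
      log.info(`offload TLS: trusting additional CA from ${caPath}; validation stays enabled`);
    } catch (err) {
      log.warn(`offload TLS: cannot read CA at ${caPath} (${String(err)}); using system trust store`);
    }
  }

  // The opt-out is honoured only for the literal "1"; "true", "yes", "0",
  // "" or " 1" leave the secure default in place.
  if (env.TDAI_OFFLOAD_INSECURE_TLS === "1") {
    opts.rejectUnauthorized = false;
    log.warn("offload TLS: TDAI_OFFLOAD_INSECURE_TLS=1 set; certificate validation is DISABLED (local development only)");
  }
  return opts;
}

/** Mirrors the construction-time caching: env is read once, never on the request path. */
export class OffloadClientTls {
  private readonly tlsOptions: TlsOptions;

  constructor(env: TlsEnv, log: Logger, readFile?: FileReader) {
    this.tlsOptions = resolveTlsOptions(env, log, readFile);
  }

  /** Hot path: merge the cached TLS fields into per-request options. */
  requestOptions<T extends object>(base: T): T & TlsOptions {
    return { ...base, ...this.tlsOptions };
  }
}
```

Because `resolveTlsOptions` copies the env values into a fresh object, later mutation of `process.env` (or of the object passed in) cannot change an existing client's posture, which is the property the PR's seventh test case checks; a reviewer can audit the daemon's TLS stance from a single construction-time log line.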