Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

FIX: [CodeQL: SM02184] Server certificate validation disabled in VssUtil.cs #5068

Open
wants to merge 2 commits into
base: master
Choose a base branch
from

Conversation

MantavyaDh
Copy link
Contributor

Context

The agent SDK logs the SSL diagnostic data into the trace, if there is Support of Custom Server Certificate Validation.
To check whether the current platform and configuration supports custom server certificate validation, the CheckSupportOfCustomServerCertificateValidation method is used in the VssUtil.cs file, which implements a certificate validation callback function which performs a SSL handshake with a test uri namely microsoft.com and is set to always returns true.

Change Description

The custom server certificate validator function now checks for any SSL errors.

Validation

  • Ran a job on the updated agent and checked if there were any SSL errors.
  • Ran the unit and functional tests.

@MantavyaDh MantavyaDh added the bug label Dec 19, 2024
@MantavyaDh MantavyaDh requested review from a team as code owners December 19, 2024 07:48
martin-toman
martin-toman previously approved these changes Dec 19, 2024
@martin-toman
Copy link
Contributor

LGTM, but please verify that this is not a breaking change for customers who use self-signed certificates.

@martin-toman
Copy link
Contributor

Looking at the code, this may result in a degradation of error logging

@martin-toman martin-toman self-requested a review December 19, 2024 09:49
@martin-toman martin-toman dismissed their stale review December 19, 2024 09:50

need to investigate further

@@ -167,7 +168,7 @@ private static bool CheckSupportOfCustomServerCertificateValidation(ITraceWriter
{
using (var handler = new HttpClientHandler())
{
handler.ServerCertificateCustomValidationCallback = (message, cert, chain, errors) => { return true; };
handler.ServerCertificateCustomValidationCallback = (message, cert, chain, errors) => { return errors == SslPolicyErrors.None; };
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suspect this is equivalent to not handling the event at all. I agree with the concerns about the impact on self-signed certificates with this change.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It may be good to add a clarifying comment specifically that we set ServerCertificateCustomValidationCallback only to check to see if GetAsync throws an exception when ServerCertificateCustomValidationCallback - the body of the handler doesn't matter.

not blocking

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added the comment that this function is just used to check if custom server validation is supported, i.e. to check if GetAsync throws an exception or not.

Copy link
Contributor

@merlynomsft merlynomsft left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Putting this to "request changed" for discussion

@martin-toman martin-toman removed their request for review December 20, 2024 10:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants