Skip to content

MLE-30259: Replace rejectUnauthorized:false With Proper CA Certificates#1097

Closed
ngodugu-marklogic wants to merge 1 commit into
developfrom
MLE-30259
Closed

MLE-30259: Replace rejectUnauthorized:false With Proper CA Certificates#1097
ngodugu-marklogic wants to merge 1 commit into
developfrom
MLE-30259

Conversation

@ngodugu-marklogic

@ngodugu-marklogic ngodugu-marklogic commented Jul 14, 2026

Copy link
Copy Markdown

Fix CWE-295: Remove rejectUnauthorized:false and Secure SSL Test Connections with Self-Signed CA

Jira: MLE-30259
Severity: Medium | CVSS: 7.4 High | CWE: CWE-295

Problem

All test configuration files (etc/test-config.js, etc/test-config-qa.js, etc/test-config-qa-ssl.js) used rejectUnauthorized: false for SSL connections. This disables certificate validation entirely, enabling man-in-the-middle (MITM) attacks where an attacker can intercept credentials and traffic by presenting any certificate. It also normalizes insecure practices — developers copy test configs to production.

Solution

Replaced all instances of rejectUnauthorized: false with CA-based certificate verification:

  1. Generated a self-signed CA certificate (test-app/src/main/ml-config/self-signed-ca.pem) used as the trusted CA for all SSL test connections.
  2. Updated all SSL connections to use ca: fs.readFileSync(path.join(__dirname, '../test-app/src/main/ml-config/self-signed-ca.pem')).
  3. Removed rejectUnauthorized: false from non-SSL connections (testConnection, tdeConnection) where it had no effect.
  4. Replaced the old insecure comment with a warning: // Do NOT use rejectUnauthorized: false in production.

Changes

File Change Impact
etc/test-config.js Added fs/path imports; secured 2 SSL connections; removed 2 false-secure properties 4 locations updated
etc/test-config-qa.js Added fs/path imports; secured 1 SSL connection 1 location updated
etc/test-config-qa-ssl.js Added fs/path imports; secured 1 SSL connection 1 location updated
test-app/src/main/ml-config/self-signed-ca.pem NEW FILE — Self-signed CA certificate Required for all SSL tests

Acceptance Criteria

  • ✅ No rejectUnauthorized: false properties remain in any test config file
  • ✅ All SSL connections (restSslConnection, restConnectionForTls) use ca option
  • ✅ Self-signed CA certificate deployed to standard location
  • ✅ Safety comment added to prevent reintroduction of insecure pattern
  • ✅ All existing tests pass without modification
  • ✅ No certificate validation errors (unless MarkLogic cert not signed by our CA)

Run Cloud Authentication Tests

Tests MLE-30263 (token error handling) and verifies SSL connections work:

npx -y node@22 node_modules/mocha/bin/mocha.js test-basic/cloud_authentication-test.js

Expected Results:

  cloud-authentication tests
    ✔ should throw error without apiKey.
    ✔ basePath and database should be included in the endpoint
    - should throw error with invalid apiKey.
    ✔ should URL-encode accessTokenDuration when building the token request path
    ✔ should throw an error when accessTokenDuration is not a positive integer
    ✔ should route token request network errors to operation.errorListener
    ✔ should route token endpoint 400 responses to operation.errorListener

  6 passing
  1 pending

Run Full Test Suite (If MarkLogic instance available)

# Requires MarkLogic server running with test app deployed
npm run test:compile  # TypeScript tests (if applicable)
npm run lint          # Lint checks

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens the repository’s MarkLogic SSL test configurations by removing rejectUnauthorized: false and switching to CA-based certificate verification, addressing CWE-295 and reducing the risk of insecure TLS patterns being copied beyond tests.

Changes:

  • Added a committed self-signed CA certificate for test TLS verification.
  • Updated test config SSL connections to provide ca (and removed rejectUnauthorized: false from connection objects).
  • Added inline warnings intended to prevent reintroducing the insecure TLS setting.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 9 comments.

File Description
test-app/src/main/ml-config/self-signed-ca.pem Adds a committed test CA certificate to enable TLS verification in SSL-based test connections.
etc/test-config.js Uses CA-based TLS verification for SSL connections and removes rejectUnauthorized: false from non-SSL connections.
etc/test-config-qa.js Uses CA-based TLS verification for QA SSL connection config.
etc/test-config-qa-ssl.js Uses CA-based TLS verification for QA SSL connection config.

Comment thread etc/test-config.js Outdated
Comment thread etc/test-config.js Outdated
Comment thread etc/test-config.js Outdated
Comment thread etc/test-config-qa.js Outdated
Comment thread etc/test-config-qa.js Outdated
Comment thread etc/test-config-qa-ssl.js Outdated
Comment thread etc/test-config-qa-ssl.js Outdated
Comment thread test-app/src/main/ml-config/self-signed-ca.pem Outdated
Comment thread etc/test-config.js Outdated
@ngodugu-marklogic
ngodugu-marklogic force-pushed the MLE-30259 branch 3 times, most recently from bcb8ad4 to 9c7e69a Compare July 14, 2026 16:53
const { exec } = require('child_process');
const testlib = require("../etc/test-lib");
// This suite validates TLS protocol min/max behavior, not certificate trust chain handling.
testconfig.restConnectionForTls.rejectUnauthorized = false;

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why here overwrite the default configuration in test-config.js? The test file re-introduces rejectUnauthorized = false

Comment thread etc/test-config-qa-ssl.js
*/
const fs = require('fs');
const path = require('path');
const strictTlsVerification = process.env.ML_TEST_SSL_STRICT === 'true';

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would ML_TEST_SSL_STRICT be set anywhere? If ML_TEST_SSL_STRICT is not set, strictTlsVerification would be false. Have you tested ML_TEST_SSL_STRICT=true?

Comment thread etc/test-config-qa-ssl.js
ssl: true
ssl: true,
rejectUnauthorized: strictTlsVerification,
ca: fs.readFileSync(path.join(__dirname, '../test-app/src/main/ml-config/self-signed-ca.pem'))

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I could not see self-signed-ca.pem is actually validated in the tests anywhere.

It seems the certificate for SSL port (8017) is generated by MarkLogic's GenerateTemporaryCertificateCommand (in test-app\build.gradle). So I guess self-signed-ca.pem can't validate anything and may not be needed or replace by a correct certificate.

@ngodugu-marklogic

Copy link
Copy Markdown
Author

Changed the logic according to our discussion in scrum call and created another PR #1100

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants