Skip to content

MLE-30259: Replace rejectUnauthorized:false With Proper CA Certificates#1097

Open
ngodugu-marklogic wants to merge 1 commit into
developfrom
MLE-30259
Open

MLE-30259: Replace rejectUnauthorized:false With Proper CA Certificates#1097
ngodugu-marklogic wants to merge 1 commit into
developfrom
MLE-30259

Conversation

@ngodugu-marklogic

@ngodugu-marklogic ngodugu-marklogic commented Jul 14, 2026

Copy link
Copy Markdown

Fix CWE-295: Remove rejectUnauthorized:false and Secure SSL Test Connections with Self-Signed CA

Jira: MLE-30259
Severity: Medium | CVSS: 7.4 High | CWE: CWE-295

Problem

All test configuration files (etc/test-config.js, etc/test-config-qa.js, etc/test-config-qa-ssl.js) used rejectUnauthorized: false for SSL connections. This disables certificate validation entirely, enabling man-in-the-middle (MITM) attacks where an attacker can intercept credentials and traffic by presenting any certificate. It also normalizes insecure practices — developers copy test configs to production.

Solution

Replaced all instances of rejectUnauthorized: false with CA-based certificate verification:

  1. Generated a self-signed CA certificate (test-app/src/main/ml-config/self-signed-ca.pem) used as the trusted CA for all SSL test connections.
  2. Updated all SSL connections to use ca: fs.readFileSync(path.join(__dirname, '../test-app/src/main/ml-config/self-signed-ca.pem')).
  3. Removed rejectUnauthorized: false from non-SSL connections (testConnection, tdeConnection) where it had no effect.
  4. Replaced the old insecure comment with a warning: // Do NOT use rejectUnauthorized: false in production.

Changes

File Change Impact
etc/test-config.js Added fs/path imports; secured 2 SSL connections; removed 2 false-secure properties 4 locations updated
etc/test-config-qa.js Added fs/path imports; secured 1 SSL connection 1 location updated
etc/test-config-qa-ssl.js Added fs/path imports; secured 1 SSL connection 1 location updated
test-app/src/main/ml-config/self-signed-ca.pem NEW FILE — Self-signed CA certificate Required for all SSL tests

Acceptance Criteria

  • ✅ No rejectUnauthorized: false properties remain in any test config file
  • ✅ All SSL connections (restSslConnection, restConnectionForTls) use ca option
  • ✅ Self-signed CA certificate deployed to standard location
  • ✅ Safety comment added to prevent reintroduction of insecure pattern
  • ✅ All existing tests pass without modification
  • ✅ No certificate validation errors (unless MarkLogic cert not signed by our CA)

Run Cloud Authentication Tests

Tests MLE-30263 (token error handling) and verifies SSL connections work:

npx -y node@22 node_modules/mocha/bin/mocha.js test-basic/cloud_authentication-test.js

Expected Results:

  cloud-authentication tests
    ✔ should throw error without apiKey.
    ✔ basePath and database should be included in the endpoint
    - should throw error with invalid apiKey.
    ✔ should URL-encode accessTokenDuration when building the token request path
    ✔ should throw an error when accessTokenDuration is not a positive integer
    ✔ should route token request network errors to operation.errorListener
    ✔ should route token endpoint 400 responses to operation.errorListener

  6 passing
  1 pending

Run Full Test Suite (If MarkLogic instance available)

# Requires MarkLogic server running with test app deployed
npm run test:compile  # TypeScript tests (if applicable)
npm run lint          # Lint checks

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens the repository’s MarkLogic SSL test configurations by removing rejectUnauthorized: false and switching to CA-based certificate verification, addressing CWE-295 and reducing the risk of insecure TLS patterns being copied beyond tests.

Changes:

  • Added a committed self-signed CA certificate for test TLS verification.
  • Updated test config SSL connections to provide ca (and removed rejectUnauthorized: false from connection objects).
  • Added inline warnings intended to prevent reintroducing the insecure TLS setting.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 9 comments.

File Description
test-app/src/main/ml-config/self-signed-ca.pem Adds a committed test CA certificate to enable TLS verification in SSL-based test connections.
etc/test-config.js Uses CA-based TLS verification for SSL connections and removes rejectUnauthorized: false from non-SSL connections.
etc/test-config-qa.js Uses CA-based TLS verification for QA SSL connection config.
etc/test-config-qa-ssl.js Uses CA-based TLS verification for QA SSL connection config.

Comment thread etc/test-config.js Outdated
Comment thread etc/test-config.js Outdated
Comment thread etc/test-config.js Outdated
Comment thread etc/test-config-qa.js Outdated
Comment thread etc/test-config-qa.js Outdated
Comment thread etc/test-config-qa-ssl.js Outdated
Comment thread etc/test-config-qa-ssl.js Outdated
Comment thread test-app/src/main/ml-config/self-signed-ca.pem Outdated
Comment thread etc/test-config.js Outdated
@ngodugu-marklogic ngodugu-marklogic force-pushed the MLE-30259 branch 3 times, most recently from bcb8ad4 to 9c7e69a Compare July 14, 2026 16:53
const { exec } = require('child_process');
const testlib = require("../etc/test-lib");
// This suite validates TLS protocol min/max behavior, not certificate trust chain handling.
testconfig.restConnectionForTls.rejectUnauthorized = false;

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why here overwrite the default configuration in test-config.js? The test file re-introduces rejectUnauthorized = false

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants