Add configuration option to disable automatically trusting all certificates #1
aruh wants to merge 8 commits into littleGnAl:main from
Conversation
This avoids a crash that occurs when a certificate is added a second time to a SecurityContext. Instead the caller should add the certificates once to a SecurityContext, and that single instance is used every time an HttpClient is created.
The default proxy port of 8888 only seems to make sense for Charles - I don't know whether other libraries also use this port as a default. But, as this library allows setting general proxies - not constrained to Charles -, the default port of 8888 assumes that the user of this library is using Charles. This might not be the case at all.
The fork was integrated in a project and the configuration options - both Nevertheless it would of course still be wise to test it again during the review of this PR.
| environment['http_proxy'] = '$host:$port'; | ||
| environment['https_proxy'] = '$host:$port'; | ||
| } else { | ||
| environment['http_proxy'] = '$host:8888'; |
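Review bot: the `else` branch at `environment['http_proxy'] = '$host:8888';` hardcodes a fallback port whenever `port` is null, and 8888 is only Charles' default; as raised in the discussion, either leave `http_proxy` unset (no proxy) when the port is unknown or document the Charles assumption in the README so other proxy users are not silently pointed at the wrong port.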
Good catch, but I'm not sure if it can be set to null or not, or just do nothing
| /// The port part of the proxy address. | ||
| final String? port; | ||
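Review bot: `final String? port;` is nullable, but the doc comment `/// The port part of the proxy address.` does not say when it can be null or what the caller should expect in that case; state it explicitly (for example "null when the platform reports no proxy port") so the fallback behaviour elsewhere is not a surprise.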
| static Future<HttpProxyOverride> createHttpProxy() async { |
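Review bot: if `createHttpProxy()` is kept for compatibility rather than removed, annotate it `@Deprecated('Use create instead')` and have it delegate to `create(...)` so the old and new construction paths cannot drift apart in behaviour.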
I think you should mark this function as @deprecated instead of removing it directly, to avoid a breaking change at this time.
| /// | ||
| /// Supported platforms to read proxy settings from are **iOS** and | ||
| /// **Android**. | ||
| static Future<HttpProxyOverride> create( |
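Review bot: the doc comment on `create(` lists the supported platforms but not the new `ignoreBadCertificates` and `securityContext` parameters this PR introduces; document both, and say explicitly that `ignoreBadCertificates: true` accepts every server certificate and is meant for debugging proxies only, since that is the whole point of the option.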
I think since this library aims to be used for debugging purposes:
- the default value of `ignoreBadCertificates` should be true; if the user actually needs to use it in production, they should set it to false
- it's better to make the return type nullable and return `null` if `ignoreBadCertificates` is not true, so we do not "override" anything if `ignoreBadCertificates` is false

e.g.
```dart
static Future<HttpProxyOverride?> create(
    {bool ignoreBadCertificates = true,
    SecurityContext? securityContext}) async {
  if (!ignoreBadCertificates) return null;
  return HttpProxyOverride._(
      await _getProxyHost(),
      await _getProxyPort(),
      ignoreBadCertificates,
      securityContext ?? SecurityContext.defaultContext);
}
```
| @override | ||
| HttpClient createHttpClient(SecurityContext? context) { | ||
| if (context == null) { |
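Review bot: `if (context == null)` in `createHttpClient` makes the library pick a SecurityContext itself, so when a caller passes its own `context` and has also given `securityContext` to `create(...)` it is unclear which one wins; as the reviewer suggests, pass `context` straight through to `HttpClient(context: context)` and drop the library-held context, or document the precedence.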
The SecurityContext should be handled when the HttpClient is created, see https://api.dart.dev/stable/2.14.4/dart-io/HttpClient/HttpClient.html, but not set by this library. That is, the user should do
```dart
final context = SecurityContext.defaultContext;
context.setTrustedCertificatesBytes(...);
HttpClient httpClient = HttpClient(context: context);
HttpProxyOverride httpProxyOverride = await HttpProxyOverride.create();
```
but not
```dart
HttpClient httpClient = HttpClient();
final context = SecurityContext.defaultContext;
context.setTrustedCertificatesBytes(...);
HttpProxyOverride httpProxyOverride = await HttpProxyOverride.create(securityContext: context);
```
@aruh Thank you so much for your contribution, I have left some comments, btw can you add test cases for this PR?
The problem
This library blindly trusts all server certificates by setting a `badCertificateCallback` that always returns `true`. The trust is not constrained to installed user certificates or programmatically configured certificates.
⚠️ This allows MITM attacks as it effectively disables certificate checks. This means that this library should never be used in production!
I recognize that this library was built to allow usage of debugging proxies like Charles or mitm-proxy. The README doesn't mention this restriction and doesn't inform about the danger of allowing MITM attacks. On the surface, it seems like a library to handle proxy settings in any context - not constrained to usage with debugging proxies.
It was used in production.
Proposition
The library provides the `HttpOverrides` that would also be handy in production to pick up on proxy settings of a device. Therefore it would be nice to adjust this library to allow using it in production.
The proposed adjustments are:
- `SecurityContext` that can contain added certificates – e.g. self-signed certificates or the certificates of the debugging proxies. For example, this can be relevant in production for some company networks, where a proxy with a company-internal self-signed certificate is used.
I guess that should allow using the library in production.
What does this PR change?
- `ignoreBadCertificates` option to allow switching the ignoring of certificate issues on and off.
- `securityContext` option to allow setting an adjusted `SecurityContext` that contains trusted certificates. The context is passed to the created `HttpClient`.
Full disclosure: I'm not a security expert nor a very experienced Flutter/Dart developer. It could very well be the case that there are security issues that would not allow usage in production.
Thank you for your work on `http_proxy_override`.
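To make the two patterns discussed above concrete (the reviewer's point that the caller, not the library, should own the `SecurityContext`, and the PR description's contrast between a `badCertificateCallback` that always returns `true` and a context holding explicitly trusted certificates), here is an added example of an `HttpOverrides` subclass. It is not code from this PR or from the http_proxy_override project: the class name `ProxyAwareOverrides`, the constructor parameters, the file name `corp-root.pem` and the proxy address `10.0.0.5:3128` are all assumptions constructed for the example. Only `dart:io` APIs (`HttpOverrides`, `HttpClient`, `SecurityContext`, `X509Certificate`) are used.

```dart
import 'dart:io';

/// Added example (not the library's code): an [HttpOverrides] that routes
/// requests to a caller-supplied proxy and only disables certificate checks
/// when explicitly asked to. All names here are hypothetical.
class ProxyAwareOverrides extends HttpOverrides {
  ProxyAwareOverrides({
    required this.proxyHost,
    required this.proxyPort,
    this.ignoreBadCertificates = false,
  });

  final String? proxyHost;
  final int? proxyPort;

  /// Debugging aid only. When true every server certificate is accepted,
  /// which removes MITM protection for clients created by this override.
  final bool ignoreBadCertificates;

  @override
  HttpClient createHttpClient(SecurityContext? context) {
    // Honour the caller's context (it may carry extra trusted certificates)
    // and fall back to the platform default; the override never builds or
    // mutates a SecurityContext of its own.
    final client =
        HttpClient(context: context ?? SecurityContext.defaultContext);
    if (ignoreBadCertificates) {
      // Explicit opt-in for debugging proxies: this is the "trust everything"
      // behaviour the PR description warns about. Leaving the callback unset
      // keeps Dart's default, which rejects untrusted certificates.
      client.badCertificateCallback =
          (X509Certificate cert, String host, int port) => true;
    }
    return client;
  }

  @override
  String findProxyFromEnvironment(Uri url, Map<String, String>? environment) {
    final host = proxyHost;
    final port = proxyPort;
    // Without both host and port no default (such as 8888) is guessed; the
    // request goes direct rather than to a proxy that may not exist.
    if (host == null || port == null) return 'DIRECT';
    return 'PROXY $host:$port';
  }
}

Future<void> main() async {
  // Build the SecurityContext exactly once. Adding the same certificate to a
  // context a second time throws, which is the crash described in the PR.
  final context = SecurityContext.defaultContext;
  context.setTrustedCertificatesBytes(
      await File('corp-root.pem').readAsBytes()); // placeholder path

  // Constructed example proxy address; ignoreBadCertificates stays false so
  // only the platform roots plus corp-root.pem are trusted.
  HttpOverrides.global = ProxyAwareOverrides(
    proxyHost: '10.0.0.5',
    proxyPort: 3128,
    ignoreBadCertificates: false,
  );

  // HttpClient(context: ...) is routed through HttpOverrides.global, so the
  // caller's context and the proxy settings both apply to this client.
  final client = HttpClient(context: context);
  final request = await client.getUrl(Uri.parse('https://example.com/'));
  final response = await request.close();
  print('status: ${response.statusCode}');
  client.close();
}
```

The design choice worth noting is that the override holds no certificate material at all: trust lives in the one `SecurityContext` the caller builds, and `ignoreBadCertificates` is the only switch that widens it, so a production build that never sets it keeps the normal chain validation.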