fix: support SSL_CERT_FILE for TLS certificate configuration#1124
Merged
fix: support SSL_CERT_FILE for TLS certificate configuration#1124
Conversation
Node.js only reads NODE_EXTRA_CA_CERTS at process startup, so setting SSL_CERT_FILE (which the CLI maps to NODE_EXTRA_CA_CERTS internally) had no effect on the parent process's TLS connections. This caused "unable to get local issuer certificate" errors for users behind corporate proxies with SSL inspection (e.g. Cloudflare). The fix manually reads the certificate file and passes the combined CA certificates (root + extra) to HTTPS agents: - SDK calls: HttpsAgent or HttpsProxyAgent with ca option - Direct fetch calls: falls back to node:https.request with custom agent - Child processes (Coana CLI): already worked via constants.processEnv
… broader coverage - Set Content-Length header for POST bodies in httpsRequest path to avoid chunked transfer encoding divergence from fetch() - Follow 3xx redirects in httpsRequest path to match fetch() behavior - Route all fetch calls through apiFetch (GitHub API, npm registry) - Add debug logging when certificate file read fails
The _httpsRequestFetch redirect handler forwarded all headers (including Authorization, Cookie, Proxy-Authorization) to redirect targets regardless of origin. Per the Fetch spec, these sensitive headers must be stripped on cross-origin redirects to prevent credential leaks. This is especially relevant for GitHub API calls that may redirect to CDN hosts for file downloads.
jdalton
approved these changes
Mar 20, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
SSL_CERT_FILEnow works for the parent socket-cli process, not just spawned child processesNODE_EXTRA_CA_CERTSwasn't set at Node.js startupProblem
Node.js reads
NODE_EXTRA_CA_CERTSonly at process startup (in C++, before any JS runs). The CLI mappedSSL_CERT_FILE→constants.ENV.NODE_EXTRA_CA_CERTSinternally, but never propagated it to the TLS stack of the running process. This meant:NODE_EXTRA_CA_CERTSSSL_CERT_FILEonlyconstants.processEnv)Solution
sdk.mts— NewgetExtraCaCerts()function that:undefinedwhenNODE_EXTRA_CA_CERTSis already set (Node.js handles it)SSL_CERT_FILEand combines withtls.rootCertificatescatoHttpsAgent(no proxy) orHttpsProxyAgent(with proxy, includingproxyConnectOptions)api.mts— NewapiFetch()wrapper that:node:https.requestwith a custom agent when extra CA certs are neededfetch()when no extra certs are needed (zero overhead for normal users)Responseobject from thehttps.requestoutputContent-Lengthheader for request bodies to avoid chunked transfer encoding divergence fromfetch()fetch()behavior (301/302/303 → GET; 307/308 preserve method/body; max 20 redirects)Authorization,Cookie, andProxy-Authorizationheaders on cross-origin redirects per the Fetch speccreate-scan-from-github.mts— All 5 GitHub APIfetch()calls now route throughapiFetch(), so SSL_CERT_FILE also works for GitHub scan operations.dlx-binary.mts— The npm registryfetch()call now routes throughapiFetch(), so SSL_CERT_FILE also works for binary downloads.Test plan
pnpm checkpasses (lint + typecheck)pnpm test:unit src/utils/sdk.test.mts src/utils/api.test.mtspasses (35 tests)SSL_CERT_FILE=/path/to/cert.pem socket scan create --reach .behind a corporate proxyNODE_EXTRA_CA_CERTS=/path/to/cert.pem socket scan create --reach .(should still work)Note
Medium Risk
Introduces a new
apiFetchimplementation that reimplements parts offetch()(HTTPS request handling + redirects + header stripping) and changes multiple network call sites to use it, so subtle HTTP/TLS behavior differences could affect downloads or API calls in edge cases.Overview
Enables
SSL_CERT_FILEto affect the running CLI process, not just spawned child processes, by addinggetExtraCaCerts()insdk.mtsand wiring the resulting CA bundle intoHttpsAgent/proxy agents duringsetupSdk.Adds an
apiFetch()wrapper inapi.mtsthat conditionally usesnode:https.requestwith a cached custom agent (including redirect following and sensitive-header stripping on cross-origin redirects), and updates directfetch()usage toapiFetch()for Socket API calls, GitHub scan operations (create-scan-from-github.mts), and binary downloads (dlx-binary.mts).Adds unit test coverage for the new CA-loading and
apiFetchbehaviors (sdk.test.mts, newapi.test.mts).Written by Cursor Bugbot for commit e92cf75. Configure here.