Open rmoriz opened 6 years ago
Currently all https/TLS requests are vulnerable to MITM.
See:
https://github.com/arangamani/jenkins_api_client/blob/b9a5e5d4ffc0e9240fd3a3d1ff6caeccc611ba92/lib/jenkins_api_client/client.rb#L311-L314
https://github.com/arangamani/jenkins_api_client/blob/b9a5e5d4ffc0e9240fd3a3d1ff6caeccc611ba92/lib/jenkins_api_client/client.rb#L270-L274
Suggestion: Change default to verify, allow users who are unable to fix their trust root to set an option to disable verification.
exec_cli is hard-coded to http:
exec_cli
http
https://github.com/arangamani/jenkins_api_client/blob/b9a5e5d4ffc0e9240fd3a3d1ff6caeccc611ba92/lib/jenkins_api_client/client.rb#L617-L619
update center request is not made over https, too.
https
https://github.com/arangamani/jenkins_api_client/blob/b9a5e5d4ffc0e9240fd3a3d1ff6caeccc611ba92/lib/jenkins_api_client/client.rb#L490-L493
see #204
rmoriz
commented
6 years ago rmoriz
commented
6 years ago
Currently all https/TLS requests are vulnerable to MITM.
See:
https://github.com/arangamani/jenkins_api_client/blob/b9a5e5d4ffc0e9240fd3a3d1ff6caeccc611ba92/lib/jenkins_api_client/client.rb#L311-L314
https://github.com/arangamani/jenkins_api_client/blob/b9a5e5d4ffc0e9240fd3a3d1ff6caeccc611ba92/lib/jenkins_api_client/client.rb#L270-L274
Suggestion: Change default to verify, allow users who are unable to fix their trust root to set an option to disable verification.
exec_cliis hard-coded tohttp:https://github.com/arangamani/jenkins_api_client/blob/b9a5e5d4ffc0e9240fd3a3d1ff6caeccc611ba92/lib/jenkins_api_client/client.rb#L617-L619
update center request is not made over
https, too.https://github.com/arangamani/jenkins_api_client/blob/b9a5e5d4ffc0e9240fd3a3d1ff6caeccc611ba92/lib/jenkins_api_client/client.rb#L490-L493