fix: Fix broken ureq TLS configuration

This commit fixes broken ureq TLS configuration. It turns out when you tell ureq to use native TLS certificate stores, it doesn't set those up in the request agent automatically the way it does for the default TLS configuration. Rather, it requires you to add the `native_tls` dependency and set them up yourself. This commit does that. Signed-off-by: Andrew Lilley Brinker <[email protected]>
mitre · May 7, 2024 · adb66b8 · adb66b8
1 parent 13b27d5
commit adb66b8
Show file tree

Hide file tree

Showing 7 changed files with 42 additions and 26 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,6 +1,3 @@
-# Necessary for 'cargo outdated'
-cargo-features = ["resolver"]
-
 [workspace]
 # Use the newer, better feature resolver.
 resolver = "2"

diff --git a/hipcheck/Cargo.toml b/hipcheck/Cargo.toml
@@ -56,12 +56,13 @@ ureq = { version = "2.9.7", default-features = false, features = [
     "native-tls",
 ] }
 url = "2.2.2"
-walkdir = "2"
+walkdir = "2.5.0"
 which = { version = "6.0.1", default-features = false }
-xml-rs = "0.8"
+xml-rs = "0.8.20"
+native-tls = "0.2.11"
 
 [target.'cfg(windows)'.dependencies.winapi]
-version = "0.3"
+version = "0.3.9"
 features = ["handleapi", "processenv", "winbase", "wincon", "winnt"]
 
 [build-dependencies]

diff --git a/hipcheck/src/analysis/session/pm.rs b/hipcheck/src/analysis/session/pm.rs
@@ -11,11 +11,11 @@ use serde_json::Value;
 use std::cmp::max;
 use std::cmp::Ordering;
 use std::process::exit;
+use std::sync::Arc;
 use url::Host;
 use url::Url;
 use xml::reader::EventReader;
 use xml::reader::XmlEvent;
-//This entire module was largely copied from https://gitlab.mitre.org/software-assurance/repofinder
 
 const MAVEN: &str = CheckKind::Maven.name();
 const NPM: &str = CheckKind::Npm.name();
@@ -364,7 +364,10 @@ fn extract_repo_for_npm(raw_package: &str) -> Result<Url> {
 	};
 
 	// Make an HTTP request to that URL.
-	let response = ureq::get(&registry)
+	let response = ureq::AgentBuilder::new()
+	    .tls_connector(Arc::new(native_tls::TlsConnector::new()?))
+	    .build()
+		.get(&registry)
 		.call()
 		.context("request to npm API failed, make sure the package name is correct as well as the project version")?;
 
@@ -412,7 +415,10 @@ fn extract_repo_for_pypi(raw_package: &str) -> Result<Url> {
 	};
 
 	// Make an HTTP request to that URL.
-	let response = ureq::get(&registry)
+	let response = ureq::AgentBuilder::new()
+	    .tls_connector(Arc::new(native_tls::TlsConnector::new()?))
+	    .build()
+		.get(&registry)
 		.call()
 		.context("request to PYPI API failed, make sure the project name is correct (case matters) as well as the project version")?;
 
@@ -444,7 +450,10 @@ fn extract_repo_for_pypi(raw_package: &str) -> Result<Url> {
 fn extract_repo_for_maven(url: &str) -> Result<Url> {
 	// Make an HTTP request to that URL to get the POM file.
 
-	let response = ureq::get(url)
+	let response = ureq::AgentBuilder::new()
+		.tls_connector(Arc::new(native_tls::TlsConnector::new()?))
+		.build()
+		.get(url)
 		.call()
 		.context("request to Maven API failed")?;
 

diff --git a/hipcheck/src/data.rs b/hipcheck/src/data.rs
@@ -79,7 +79,7 @@ pub struct Fuzz {
 }
 
 pub fn get_fuzz_check(token: &str, repo_uri: Rc<String>) -> Result<Fuzz> {
-	let github = GitHub::new("google", "oss-fuzz", token);
+	let github = GitHub::new("google", "oss-fuzz", token)?;
 
 	let github_result = github
 		.fuzz_check(repo_uri)
@@ -113,7 +113,7 @@ pub fn get_pull_request_reviews_from_github(
 	repo: &str,
 	token: &str,
 ) -> Result<Vec<PullRequest>> {
-	let github = GitHub::new(owner, repo, token);
+	let github = GitHub::new(owner, repo, token)?;
 
 	let results = github
 		.get_reviews_for_pr()
@@ -134,7 +134,7 @@ pub fn get_single_pull_request_review_from_github(
 	pull_request: &u64,
 	token: &str,
 ) -> Result<SinglePullRequest> {
-	let github_pr = GitHubPr::new(owner, repo, pull_request, token);
+	let github_pr = GitHubPr::new(owner, repo, pull_request, token)?;
 
 	let github_result = github_pr
 		.get_review_for_single_pr()

diff --git a/hipcheck/src/data/github/authenticated_agent.rs b/hipcheck/src/data/github/authenticated_agent.rs
@@ -1,7 +1,12 @@
 //! Defines an authenticated [`Agent`] type that adds token auth to all requests.
 
+use std::sync::Arc;
+
 use crate::data::github::hidden::Hidden;
+use crate::error::Result;
+use native_tls::TlsConnector;
 use ureq::Agent;
+use ureq::AgentBuilder;
 use ureq::Request;
 
 /// An [`Agent`] which authenticates requests with token auth.
@@ -18,11 +23,14 @@ pub struct AuthenticatedAgent<'token> {
 
 impl<'token> AuthenticatedAgent<'token> {
 	/// Construct a new authenticated agent.
-	pub fn new(token: &'token str) -> AuthenticatedAgent<'token> {
-		AuthenticatedAgent {
-			agent: Agent::new(),
-			token: Hidden::new(token),
-		}
+	pub fn new(token: &'token str) -> Result<AuthenticatedAgent<'token>> {
+		let agent = AgentBuilder::new()
+			.tls_connector(Arc::new(TlsConnector::new()?))
+			.build();
+
+		let token = Hidden::new(token);
+
+		Ok(AuthenticatedAgent { agent, token })
 	}
 
 	/// Make an authenticated GET request.

diff --git a/hipcheck/src/data/github/mod.rs b/hipcheck/src/data/github/mod.rs
@@ -24,12 +24,12 @@ pub struct GitHub<'a> {
 }
 
 impl<'a> GitHub<'a> {
-	pub fn new(owner: &'a str, repo: &'a str, token: &'a str) -> GitHub<'a> {
-		GitHub {
+	pub fn new(owner: &'a str, repo: &'a str, token: &'a str) -> Result<GitHub<'a>> {
+		Ok(GitHub {
 			owner,
 			repo,
-			agent: AuthenticatedAgent::new(token),
-		}
+			agent: AuthenticatedAgent::new(token)?,
+		})
 	}
 
 	pub fn fuzz_check(&self, repo_uri: Rc<String>) -> Result<bool> {
@@ -54,13 +54,13 @@ impl<'a> GitHubPr<'a> {
 		repo: &'a str,
 		pull_request: &'a u64,
 		token: &'a str,
-	) -> GitHubPr<'a> {
-		GitHubPr {
+	) -> Result<GitHubPr<'a>> {
+		Ok(GitHubPr {
 			owner,
 			repo,
 			pull_request,
-			agent: AuthenticatedAgent::new(token),
-		}
+			agent: AuthenticatedAgent::new(token)?,
+		})
 	}
 
 	pub fn get_review_for_single_pr(&self) -> Result<GitHubFullPullRequest> {