
Conversation

@runleveldev (Collaborator)

Closes #53

@runleveldev (Collaborator, Author)

Will create merge conflicts with #62; merge that one first.

method: 'post',
url: 'https://10.15.0.4:8006/api2/json/access/ticket',
headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
httpsAgent: new https.Agent({ rejectUnauthorized: false }),

Check failure: Code scanning / CodeQL

Disabling certificate validation (High)

Disabling certificate validation is strongly discouraged.

Copilot Autofix (AI, 3 months ago)

General approach:
Don't disable certificate validation. Instead, always require HTTPS endpoints to present valid CA-signed certificates. If the upstream server (Proxmox, in this case) uses a self-signed certificate, explicitly trust that certificate by providing its CA file to the HTTPS agent used by axios, instead of blanket disabling validation.

Best fix detail:
Replace rejectUnauthorized: false with the default true (or omit, since true is the default). If the remote server uses a self-signed or private CA, provide a ca parameter to the https.Agent constructor, pointing to a PEM file containing the trusted certificate authority/certificate. Store this CA certificate in a location on disk (e.g., certs/proxmox-ca.pem), load it using fs.readFileSync, and use it in the agent.

Files/regions/lines to change:
Only modify the axios login request in create-a-container/server.js, line 74, and add CA file-reading code above to provide the CA cert for the HTTPS agent if needed. Importantly, do not disable validation at any point.

What is needed:

  • Add code at the top to load the CA file into a variable, if a CA cert is required.
  • Change the agent initialization in the axios call to use this CA.
  • Optionally, provide instructions or a placeholder for users to place their CA cert.

Suggested changeset 1: create-a-container/server.js

Autofix patch

Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/create-a-container/server.js b/create-a-container/server.js
--- a/create-a-container/server.js
+++ b/create-a-container/server.js
@@ -13,6 +13,15 @@
 const qs = require('querystring');
 const https = require('https');
 
+// Load trusted CA certificate to validate Proxmox (use your actual CA file)
+let proxmoxCa;
+try {
+  proxmoxCa = fs.readFileSync(path.join(__dirname, 'certs', 'proxmox-ca.pem'));
+} catch (err) {
+  console.error("ERROR: Could not load Proxmox CA certificate. Place it at ./certs/proxmox-ca.pem.");
+  process.exit(1);
+}
+
 const app = express();
 app.use(express.json());
 
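Review bot: `fs` and `path` are used in the new block, but the visible context only requires `querystring` and `https`; confirm both are already required earlier in the file, otherwise the `fs.readFileSync(path.join(...))` call throws a ReferenceError that the `catch` still swallows as "Could not load Proxmox CA certificate", hiding the real cause. The CA location is also hard-coded to ./certs/proxmox-ca.pem with `process.exit(1)` when it is missing, which makes a private CA file mandatory even for a Proxmox host whose certificate chains to a CA in Node's default trust store; consider reading the path from an environment variable (e.g. PROXMOX_CA_FILE) and exiting only when a path was configured but cannot be read, and log `err.message` so a permissions error is distinguishable from a missing file.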
@@ -71,7 +80,7 @@
     method: 'post',
     url: 'https://10.15.0.4:8006/api2/json/access/ticket',
     headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
-    httpsAgent: new https.Agent({ rejectUnauthorized: false }),
+    httpsAgent: new https.Agent({ ca: proxmoxCa }),
     data: qs.stringify({ username: username + '@pve', password: password })
   });
 
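Review bot: passing `ca` replaces Node's default trust store for this agent rather than adding to it, so only certificates chaining to proxmox-ca.pem are accepted; that is the intent here, but it deserves a comment next to `httpsAgent: new https.Agent({ ca: proxmoxCa })`. Because the request targets 10.15.0.4 by IP, validation additionally requires the server certificate to carry that IP in a SAN entry; a certificate issued only to a DNS name still fails with a hostname mismatch even with the correct CA, so the README or a comment should say that operators must issue the Proxmox cert with an IP SAN or switch the URL to the hostname. The agent is also constructed inside the request; hoist it to module scope next to `proxmoxCa` so one agent (and its TLS session cache) is reused across logins.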
EOF
@runleveldev (Collaborator, Author)

Merging with #62

@runleveldev runleveldev deleted the 53-create-a-container-depend-directly-on-authentication-and-do-not-invoke-as-cli branch October 14, 2025 18:37

Development

Successfully merging this pull request may close these issues.

create-a-container: Depend directly on Authentication and do not invoke as cli

2 participants