From 88dc30a721b8667ce75e2ee4445a2d839a379a32 Mon Sep 17 00:00:00 2001
From: Alexandre Laroche
Date: Thu, 7 May 2026 05:08:54 -0400
Subject: [PATCH] [dwds] Remove unconditional TLS certificate trust in ProxyServerAssetReader

The HTTPS branch of `ProxyServerAssetReader` configured the underlying `HttpClient` with `badCertificateCallback = (cert, host, port) => true`, silently disabling TLS certificate validation. Use the default validator so untrusted, expired, or hostname-mismatched certificates are rejected. Callers needing to trust a private CA should configure a `SecurityContext` on the `HttpClient` themselves.
---
 dwds/CHANGELOG.md | 5 +++++
 dwds/lib/src/readers/proxy_server_asset_reader.dart | 4 +---
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/dwds/CHANGELOG.md b/dwds/CHANGELOG.md
index 4ca56d1fc..6117d6563 100644
--- a/dwds/CHANGELOG.md
+++ b/dwds/CHANGELOG.md
@@ -1,5 +1,10 @@
 ## 27.1.2-wip

+- Remove the `badCertificateCallback` override in `ProxyServerAssetReader` that
+ unconditionally accepted any TLS certificate when `isHttps: true` was set.
+ Callers that need to trust a private CA should configure a `SecurityContext`
+ on the `HttpClient` themselves. (CWE-295)
+
 ## 27.1.1

 - Fix deserialization errors appearing in the chrome console.
diff --git a/dwds/lib/src/readers/proxy_server_asset_reader.dart b/dwds/lib/src/readers/proxy_server_asset_reader.dart
index 4225ba9bd..4b248a583 100644
--- a/dwds/lib/src/readers/proxy_server_asset_reader.dart
+++ b/dwds/lib/src/readers/proxy_server_asset_reader.dart
@@ -32,9 +32,7 @@ class ProxyServerAssetReader implements AssetReader {
 ..maxConnectionsPerHost = 200
 ..idleTimeout = const Duration(seconds: 30)
 ..connectionTimeout = const Duration(seconds: 30);
- final client = isHttps
- ? IOClient(inner..badCertificateCallback = (cert, host, port) => true)
- : IOClient(inner);
+ final client = IOClient(inner);
 var url = '$scheme$host:$assetServerPort/';
 if (root.isNotEmpty) url += '$root/';
 final handler = proxyHandler(url, client: client);
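Review bot: At `final client = IOClient(inner);` the commit message and changelog tell callers who need a private CA to configure a `SecurityContext` on the `HttpClient` themselves, but `inner` appears to be built inside this constructor (its creation is above the hunk), so it is not visible here how a caller would supply one. If no such seam exists, HTTPS asset servers that use a self-signed development certificate will now fail the handshake with no supported opt-in, which tends to push users back toward a blanket `badCertificateCallback`. Consider describing the supported path in the constructor's doc comment, or accepting an optional pre-configured client, and adding a test that an untrusted certificate is rejected, since the diffstat lists no test file in this change. A short comment on the line would also guard against the override being reintroduced: `// Default certificate validation applies; trust a private CA via SecurityContext, never via badCertificateCallback.` The constructor body starts and ends outside the hunk.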