中间人攻击: NODE_TLS_REJECT_UNAUTHORIZED enables Man-in-the-middle Attacks (MiTM)

The following exists in https://github.com/aliyun/oss-browser/blob/develop/main.js#L6 and has been present for 3 years according to the repository history.

It appears to also be present in downloads provided by alibabacloud.com
https://www.alibabacloud.com/help/en/oss/developer-reference/install-and-log-on-to-ossbrowser

```
// use self signed certificate for Apsara Stack
// https://stackoverflow.com/questions/58615762/will-an-electron-based-app-pass-system-wide-nodejs-environment-variables
process.env["NODE_TLS_REJECT_UNAUTHORIZED"] = 0;
```
`NODE_TLS_REJECT_UNAUTHORIZED` should be removed here as it allows for [MitM](https://en.wikipedia.org/wiki/Man-in-the-middle_attack) capabilities for adversaries.

A test was carried out locally to confirm:
![image](https://github.com/user-attachments/assets/edb406d0-345f-4f5e-a7ad-7906a8a42460)

Login credentials and data are likely not secure until this is fixed.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

中间人攻击: NODE_TLS_REJECT_UNAUTHORIZED enables Man-in-the-middle Attacks (MiTM) #515

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

中间人攻击: NODE_TLS_REJECT_UNAUTHORIZED enables Man-in-the-middle Attacks (MiTM) #515

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions