FIX: [CodeQL: SM02184] Server certificate validation disabled in VssU…

…til.cs (#5068) * Changing the callback checking for custom certificate validation * Adding Unit Test and Comments
microsoft · Jan 17, 2025 · 1edb4ec · 1edb4ec
1 parent 10024e8
commit 1edb4ec
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 2 deletions.
diff --git a/src/Agent.Sdk/Util/VssUtil.cs b/src/Agent.Sdk/Util/VssUtil.cs
@@ -7,6 +7,7 @@
 using System.Collections.Generic;
 using System.Globalization;
 using System.Net.Http;
+using System.Net.Security;
 using Microsoft.TeamFoundation.DistributedTask.WebApi;
 using Microsoft.VisualStudio.Services.Common;
 using Microsoft.VisualStudio.Services.WebApi;
@@ -163,21 +164,23 @@ public static bool IsCustomServerCertificateValidationSupported(ITraceWriter tra
             return true;
         }
 
+        // The function is to check if the custom server certificate validation is supported on the current platform.
         private static bool CheckSupportOfCustomServerCertificateValidation(ITraceWriter trace)
         {
             using (var handler = new HttpClientHandler())
             {
-                handler.ServerCertificateCustomValidationCallback = (message, cert, chain, errors) => { return true; };
+                handler.ServerCertificateCustomValidationCallback = (message, cert, chain, errors) => { return errors == SslPolicyErrors.None; };
 
                 using (var client = new HttpClient(handler))
                 {
                     try
                     {
                         client.GetAsync(_testUri).GetAwaiter().GetResult();
+                        trace.Verbose("Custom Server Validation Callback Successful, SSL diagnostic data collection is enabled.");
                     }
                     catch (Exception e)
                     {
-                        trace.Verbose($"SSL diagnostic data collection is disabled, due to issue:\n{e.Message}");
+                        trace.Verbose($"Custom Server Validation Callback Unsuccessful, SSL diagnostic data collection is disabled, due to issue:\n{e.Message}");
                         return false;
                     }
                     return true;

diff --git a/src/Test/L0/Util/VssUtilL0.cs b/src/Test/L0/Util/VssUtilL0.cs
@@ -59,5 +59,38 @@ public void VerifyOverwriteVssConnectionSetting()
                 }
             }
         }
+
+        [Fact]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Common")]
+        public void VerifyVSSConnectionUsingLegacyHandler()
+        {
+            Regex _serverSideAgentPlatformMatchingRegex = new Regex("vstsagentcore-(.+)(?=/)", RegexOptions.Compiled | RegexOptions.IgnoreCase);
+
+            using (TestHostContext hc = new TestHostContext(this))
+            {
+                Tracing trace = hc.GetTrace();
+                // Act.
+                try
+                {
+                    Environment.SetEnvironmentVariable("AZP_AGENT_USE_LEGACY_HTTP", "true");
+
+                    var exception = Record.Exception(() =>
+                    {
+                        var connection = VssUtil.CreateConnection(
+                            new Uri("https://github.com/Microsoft/vsts-agent"),
+                            new VssCredentials(),
+                            trace);
+                    });
+
+                    Assert.Null(exception);
+                }
+                finally
+                {
+                    Environment.SetEnvironmentVariable("AZP_AGENT_USE_LEGACY_HTTP", "");
+                }
+            }
+
+        }
     }
 }