Read NODE_EXTRA_CA_CERTS from settings/config as a fallback. NODE_EXTRA_CA_CERTS is categorized as a non-safe env var (it allows trusting attacker-controlled servers), so it's only applied to process.env after the trust dialog. But we need the CA cert early to establish the TLS conn…
()
| 57 | * require trust approval. |
| 58 | */ |
function getExtraCertsPathFromConfig(): string | undefined {
  try {
    // Source 1: the `env` block of the global config (may be absent).
    const globalEnv = getGlobalConfig()?.env

    // Source 2: the `env` block of the user-scope settings file
    // (~/.claude/settings.json). Project-level settings are deliberately
    // NOT consulted: this runs before the trust dialog, and a malicious
    // project must not be able to inject a CA bundle at that point.
    const settingsEnv = getSettingsForSource('userSettings')?.env

    // The debug line lists the key names of each env block, not the values.
    const globalKeys = globalEnv ? Object.keys(globalEnv).join(',') : 'none'
    const settingsKeys = settingsEnv
      ? Object.keys(settingsEnv).join(',')
      : 'none'
    logForDebugging(
      `CA certs: Config fallback - globalEnv keys: ${globalKeys}, settingsEnv keys: ${settingsKeys}`,
    )

    // User settings take precedence over the global config (same precedence
    // as applyConfigEnvironmentVariables). `||` means an empty string in
    // settings falls through to the global value.
    // NOTE(review): the value is returned as read; nothing here checks that it
    // is a string or that the file exists. Confirm the caller validates it
    // before loading certificates from it.
    const certPath =
      settingsEnv?.NODE_EXTRA_CA_CERTS || globalEnv?.NODE_EXTRA_CA_CERTS
    if (!certPath) {
      return certPath
    }

    // The resolved path itself is written to the debug log.
    logForDebugging(
      `CA certs: Found NODE_EXTRA_CA_CERTS in config/settings: ${certPath}`,
    )
    return certPath
  } catch (err) {
    // Best effort: a failure to read config is logged and reported as
    // "no extra certs configured" rather than propagated.
    logForDebugging(`CA certs: Config fallback failed: ${err}`, {
      level: 'error',
    })
    return undefined
  }
}