Skip to content

[WIP] fix(api): make API→runner TLS verification configurable#773

Draft
G4614 wants to merge 1 commit into
boxlite-ai:mainfrom
G4614:fix/sec-17-runner-tls-verify
Draft

[WIP] fix(api): make API→runner TLS verification configurable#773
G4614 wants to merge 1 commit into
boxlite-ai:mainfrom
G4614:fix/sec-17-runner-tls-verify

Conversation

@G4614

@G4614 G4614 commented Jun 15, 2026

Copy link
Copy Markdown
Contributor

⚠️ [WIP — not verified locally] Part of a source-level security audit. This
change compiles conceptually but was not built/run in the audit environment
(no NestJS build). Needs maintainer verification before un-drafting.

Problem

The internal API→runner proxy hop hard-coded secure: false
(boxlite-proxy.controller.ts), disabling TLS certificate verification. The hop
is Bearer-authenticated but has no integrity/MITM protection.

Change

Drive secure from BOXLITE_RUNNER_TLS_VERIFY, defaulting to false (prior
behavior — no breakage for runners with internal/self-signed certs), opt-in
true for operators whose runners present a verifiable certificate.

What needs a resource to verify

  • Build/run the NestJS API (apps/api) — not run here.
  • A runner presenting a verifiable TLS cert to confirm the hop succeeds with
    BOXLITE_RUNNER_TLS_VERIFY=true, and an e2e exec/proxy call through it.

Audit finding #17 (low).

🤖 Generated with Claude Code

@claude
fix(api): make API→runner TLS verification configurable [WIP]
5dae483 
The internal API→runner proxy hop hard-coded `secure: false`, disabling TLS
certificate verification. The hop is Bearer-authenticated but lacks
integrity/MITM protection.

Make it driven by BOXLITE_RUNNER_TLS_VERIFY, defaulting to the prior behavior
(disabled) so runners with internal/self-signed certs are not broken, and
allowing operators with verifiable runner certs to opt in.

[WIP] NOT verified locally: requires building/running the NestJS API plus a
runner with a verifiable TLS certificate to confirm the internal hop still
works with verification enabled. No NestJS build was run in this environment.

Audit finding boxlite-ai#17 (low).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jun 15, 2026

Copy link
Copy Markdown

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: d7b70975-8e97-4671-a602-ec702dbb18cb

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands and usage tips.

@cla-assistant

cla-assistant Bot commented Jun 15, 2026

Copy link
Copy Markdown

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

boxlite security fixes seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
You have signed the CLA already but the status is still pending? Let us recheck it.

1 similar comment
@cla-assistant

cla-assistant Bot commented Jun 15, 2026

Copy link
Copy Markdown

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

boxlite security fixes seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
You have signed the CLA already but the status is still pending? Let us recheck it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@G4614