feat: enable insecure mode via INSECURE environment variable #247

Merged
merged 1 commit into from
Aug 10, 2025
13 changes: 8 additions & 5 deletions README.md
Expand Up @@ -130,15 +130,18 @@ chmod +x install.sh

#### Configurable Environment Variables

| Variable Name | Default Value | Description |
| ------------- | ------------------ | ----------------------------------------------------------- |
| VERSION | latest | The CodeGPT version to install (defaults to latest release) |
| INSTALL_DIR | $HOME/.codegpt/bin | Installation directory |
| CURL_INSECURE | false | Skip SSL verification (true/false) |
| Variable Name | Default Value | Description |
| ------------- | ------------------ | ----------------------------------------------------------------------------- |
| VERSION | latest | The CodeGPT version to install (defaults to latest release) |
| INSTALL_DIR | $HOME/.codegpt/bin | Installation directory |
| INSECURE | unset (disabled) | If set to any value, skips SSL verification. Enabled when variable is present |

Example usage:

```sh
# Install with insecure mode enabled (ignoring curl SSL verification):
INSECURE=1 ./install.sh

# Install a specific version to a custom directory:
VERSION=1.1.0 INSTALL_DIR=/opt/codegpt ./install.sh
```
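
Review bot: The new `INSECURE` row says "If set to any value", so `INSECURE=0` and `INSECURE=false` also turn certificate verification off, which is the opposite of what the removed `CURL_INSECURE` row (true/false) taught users to expect. Say so explicitly in the description, add a line that `CURL_INSECURE` is no longer read, and consider listing the normal `VERSION=... INSTALL_DIR=...` example before the insecure one so the first example a reader copies keeps verification on.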
9 changes: 6 additions & 3 deletions README.zh-cn.md
Expand Up @@ -127,13 +127,16 @@ chmod +x install.sh

| 变量名 | 默认值 | 说明 |
| ------------- | ------------------ | ----------------------------------------- |
| VERSION | latest | 要安装的 CodeGPT 版本(默认为最新发布版) |
| INSTALL_DIR | $HOME/.codegpt/bin | 安装目录 |
| CURL_INSECURE | false | 是否跳过 SSL 验证 (true/false) |
| VERSION | latest | 要安装的 CodeGPT 版本(默认为最新发布版) |
| INSTALL_DIR | $HOME/.codegpt/bin | 安装目录 |
| INSECURE | 未设置(默认关闭) | 只要设置该变量(值不限),即跳过 SSL 验证 |

使用示例:

```sh
# 启用 insecure 模式(跳过 curl SSL 验证)
INSECURE=1 ./install.sh

# 安装指定版本到自定义目录
VERSION=1.1.0 INSTALL_DIR=/opt/codegpt ./install.sh
```
9 changes: 6 additions & 3 deletions README.zh-tw.md
Expand Up @@ -131,13 +131,16 @@ chmod +x install.sh

| 變數名稱 | 預設值 | 說明 |
| ------------- | ------------------ | ----------------------------------------- |
| VERSION | latest | 要安裝的 CodeGPT 版本(預設為最新發布版) |
| INSTALL_DIR | $HOME/.codegpt/bin | 安裝目錄 |
| CURL_INSECURE | false | 是否跳過 SSL 驗證 (true/false) |
| VERSION | latest | 要安裝的 CodeGPT 版本(預設為最新發布版) |
| INSTALL_DIR | $HOME/.codegpt/bin | 安裝目錄 |
| INSECURE | 未設定(預設停用) | 只要設定該變數(值不限),就會啟用跳過 SSL 驗證模式 |

使用範例:

```sh
# 啟用 insecure 模式(忽略 SSL 驗證)
INSECURE=1 ./install.sh

# 安裝特定版本到自訂目錄
VERSION=1.1.0 INSTALL_DIR=/opt/codegpt ./install.sh
```
21 changes: 8 additions & 13 deletions install.sh
Expand Up @@ -66,7 +66,7 @@ function download_and_install() {
# Use temp dir for download
TARGET="${TMPDIR}/${CLIENT_BINARY}"

curl -# -fSL --retry 5 --keepalive-time 2 ${INSECURE_OPTION} "${DOWNLOAD_URL_PREFIX}/${CLIENT_BINARY}" -o "${TARGET}"
curl -# -fSL --retry 5 --keepalive-time 2 ${INSECURE_ARG} "${DOWNLOAD_URL_PREFIX}/${CLIENT_BINARY}" -o "${TARGET}"

medium

As part of refactoring to use an array for optional arguments, please update this curl invocation. Using "${INSECURE_ARGS[@]}" ensures arguments are handled safely.

Suggested change
curl -# -fSL --retry 5 --keepalive-time 2 ${INSECURE_ARG} "${DOWNLOAD_URL_PREFIX}/${CLIENT_BINARY}" -o "${TARGET}"
curl -# -fSL --retry 5 --keepalive-time 2 "${INSECURE_ARGS[@]}" "${DOWNLOAD_URL_PREFIX}/${CLIENT_BINARY}" -o "${TARGET}"

chmod +x "${TARGET}" || log_error "Failed to set executable permission on: ${TARGET}" 7
# Move the binary to install dir and rename to codegpt
mv "${TARGET}" "${INSTALL_DIR}/codegpt" || log_error "Failed to move ${TARGET} to ${INSTALL_DIR}/codegpt" 8
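
Review bot: On the changed `curl` line, `${INSECURE_ARG}` can drop certificate verification for the binary itself, and the context lines right after it `chmod +x` the file and `mv` it to `${INSTALL_DIR}/codegpt` with no integrity check in between. Consider requiring an expected SHA-256 obtained out of band and comparing it before the `chmod` whenever insecure mode is on, so that relaxing the transport check does not leave the installed binary unauthenticated.
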
Expand Down Expand Up @@ -104,9 +104,9 @@ function add_to_path() {
function get_latest_version() {
local latest
if command -v jq >/dev/null 2>&1; then
latest=$(curl $INSECURE_OPTION -# --retry 5 -fSL https://api.github.com/repos/appleboy/CodeGPT/releases/latest | jq -r .tag_name)
latest=$(curl $INSECURE_ARG -# --retry 5 -fSL https://api.github.com/repos/appleboy/CodeGPT/releases/latest | jq -r .tag_name)

medium

As part of refactoring to use an array for optional arguments, please update this curl invocation. Using "${INSECURE_ARGS[@]}" ensures arguments are handled safely.

Suggested change
latest=$(curl $INSECURE_ARG -# --retry 5 -fSL https://api.github.com/repos/appleboy/CodeGPT/releases/latest | jq -r .tag_name)
latest=$(curl "${INSECURE_ARGS[@]}" -# --retry 5 -fSL https://api.github.com/repos/appleboy/CodeGPT/releases/latest | jq -r .tag_name)

else
latest=$(curl $INSECURE_OPTION -# --retry 5 -fSL https://api.github.com/repos/appleboy/CodeGPT/releases/latest | grep '"tag_name":' | sed -E 's/.*"tag_name": ?"v?([^"]+)".*/\1/')
latest=$(curl $INSECURE_ARG -# --retry 5 -fSL https://api.github.com/repos/appleboy/CodeGPT/releases/latest | grep '"tag_name":' | sed -E 's/.*"tag_name": ?"v?([^"]+)".*/\1/')

medium

As part of refactoring to use an array for optional arguments, please update this curl invocation. Using "${INSECURE_ARGS[@]}" ensures arguments are handled safely.

Suggested change
latest=$(curl $INSECURE_ARG -# --retry 5 -fSL https://api.github.com/repos/appleboy/CodeGPT/releases/latest | grep '"tag_name":' | sed -E 's/.*"tag_name": ?"v?([^"]+)".*/\1/')
latest=$(curl "${INSECURE_ARGS[@]}" -# --retry 5 -fSL https://api.github.com/repos/appleboy/CodeGPT/releases/latest | grep '"tag_name":' | sed -E 's/.*"tag_name": ?"v?([^"]+)".*/\1/')

fi
# Remove leading 'v' if present
latest="${latest#v}"
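
Review bot: Both branches of `get_latest_version` pass `$INSECURE_ARG` to the `api.github.com` request, so in insecure mode `tag_name` is unauthenticated input, and the only processing visible here is `latest="${latest#v}"`. Check the value against a strict version pattern and fail on an empty or malformed result before returning it, so a tampered or failed lookup cannot steer the rest of the install.
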
Expand All @@ -120,18 +120,13 @@ for cmd in curl; do
fi
done

CURL_INSECURE="${CURL_INSECURE:-false}"
if [[ "${CURL_INSECURE}" != 'true' && "${CURL_INSECURE}" != 'false' ]]; then
log_error "CURL_INSECURE must be either 'true' or 'false'" 4
fi
if [[ "${CURL_INSECURE}" == 'true' ]]; then
print_message warning "WARNING: CURL_INSECURE is set to true. Proceeding with insecure download."
# If INSECURE is set to any value, enable curl --insecure
INSECURE_ARG=""
if [[ -n "${INSECURE:-}" ]]; then
INSECURE_ARG="--insecure"
print_message warning "WARNING: INSECURE mode is enabled. Proceeding with insecure download."
print_message warning "WARNING: You are bypassing SSL certificate verification. This is insecure and may expose you to man-in-the-middle attacks."
fi
Comment on lines +124 to 129

medium

For better script robustness, it's recommended to use an array to handle optional command arguments. This avoids potential word-splitting issues and is generally safer. This refactoring defines INSECURE_ARGS as an array, which will be empty by default and contain --insecure when needed.

I'll add suggestions to update the curl calls accordingly.

Suggested change
INSECURE_ARG=""
if [[ -n "${INSECURE:-}" ]]; then
INSECURE_ARG="--insecure"
print_message warning "WARNING: INSECURE mode is enabled. Proceeding with insecure download."
print_message warning "WARNING: You are bypassing SSL certificate verification. This is insecure and may expose you to man-in-the-middle attacks."
fi
if [[ -n "${INSECURE:-}" ]]; then
INSECURE_ARGS=('--insecure')
print_message warning "WARNING: INSECURE mode is enabled. Proceeding with insecure download."
print_message warning "WARNING: You are bypassing SSL certificate verification. This is insecure and may expose you to man-in-the-middle attacks."
else
INSECURE_ARGS=()
fi
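
Review bot: In the suggested `INSECURE_ARGS=()` branch, expanding `"${INSECURE_ARGS[@]}"` on an empty array raises an "unbound variable" error under `set -u` on bash older than 4.4 (macOS ships 3.2). The `${INSECURE:-}` guard suggests the script may run with nounset, so if the array form is adopted, expand it as `${INSECURE_ARGS[@]+"${INSECURE_ARGS[@]}"}` at the three curl call sites.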

Comment on lines +123 to 129
💡 Verification agent

🧩 Analysis chain

Enable backward compatibility with deprecated CURL_INSECURE (optional)

Current behavior is correct per PR goals. To avoid breaking existing automation, optionally honor legacy CURL_INSECURE (any non-empty), and emit a deprecation warning.

 INSECURE_ARG=""
 if [[ -n "${INSECURE:-}" ]]; then
   INSECURE_ARG="--insecure"
   print_message warning "WARNING: INSECURE mode is enabled. Proceeding with insecure download."
   print_message warning "WARNING: You are bypassing SSL certificate verification. This is insecure and may expose you to man-in-the-middle attacks."
 fi
+
+# Backward compatibility (deprecated). Prefer INSECURE=1.
+if [[ -z "${INSECURE:-}" && -n "${CURL_INSECURE:-}" ]]; then
+  INSECURE_ARG="--insecure"
+  print_message warning "WARNING: CURL_INSECURE is deprecated. Use INSECURE=1 instead."
+fi
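
Review bot: The added fallback tests `-n "${CURL_INSECURE:-}"`, so existing automation that exports `CURL_INSECURE=false` (a valid value under the removed `true`/`false` check) would now get `--insecure`. Keep the old semantics by enabling the fallback only when `"${CURL_INSECURE:-}" == 'true'`, and print the same certificate-verification warning as the `INSECURE` branch in addition to the deprecation notice.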

To ensure all old references were removed elsewhere in the repo and that curl call sites now use INSECURE_ARG, run:


🏁 Script executed:

#!/bin/bash
set -euo pipefail
echo "Searching for legacy CURL_INSECURE..."
rg -n --hidden --glob '!*dist*' --glob '!*build*' --glob '!*node_modules*' 'CURL_INSECURE' || true
echo "Searching for curl sites using INSECURE_ARG..."
rg -n --hidden --glob '!*dist*' --glob '!*build*' --glob '!*node_modules*' 'curl .*INSECURE_ARG'

Length of output: 876


Honor legacy CURL_INSECURE for backward compatibility

All curl invocations in install.sh already use ${INSECURE_ARG} and there are no other references to CURL_INSECURE in the repo. You can safely add the following block immediately after the existing INSECURE check to optionally support the deprecated variable and emit a deprecation warning:

 INSECURE_ARG=""
 if [[ -n "${INSECURE:-}" ]]; then
   INSECURE_ARG="--insecure"
   print_message warning "WARNING: INSECURE mode is enabled. Proceeding with insecure download."
   print_message warning "WARNING: You are bypassing SSL certificate verification. This is insecure and may expose you to man-in-the-middle attacks."
 fi

+# Backward compatibility (deprecated). Prefer INSECURE=1.
+if [[ -z "${INSECURE:-}" && -n "${CURL_INSECURE:-}" ]]; then
+  INSECURE_ARG="--insecure"
+  print_message warning "WARNING: CURL_INSECURE is deprecated. Use INSECURE=1 instead."
+fi

This ensures any existing automation relying on CURL_INSECURE continues to work while guiding users toward the new INSECURE flag.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
# If INSECURE is set to any value, enable curl --insecure
INSECURE_ARG=""
if [[ -n "${INSECURE:-}" ]]; then
INSECURE_ARG="--insecure"
print_message warning "WARNING: INSECURE mode is enabled. Proceeding with insecure download."
print_message warning "WARNING: You are bypassing SSL certificate verification. This is insecure and may expose you to man-in-the-middle attacks."
fi
# If INSECURE is set to any value, enable curl --insecure
INSECURE_ARG=""
if [[ -n "${INSECURE:-}" ]]; then
INSECURE_ARG="--insecure"
print_message warning "WARNING: INSECURE mode is enabled. Proceeding with insecure download."
print_message warning "WARNING: You are bypassing SSL certificate verification. This is insecure and may expose you to man-in-the-middle attacks."
fi
# Backward compatibility (deprecated). Prefer INSECURE=1.
if [[ -z "${INSECURE:-}" && -n "${CURL_INSECURE:-}" ]]; then
INSECURE_ARG="--insecure"
print_message warning "WARNING: CURL_INSECURE is deprecated. Use INSECURE=1 instead."
fi
🤖 Prompt for AI Agents
In install.sh around lines 123 to 129, add a check for the legacy CURL_INSECURE
environment variable immediately after the existing INSECURE check. If
CURL_INSECURE is set, assign "--insecure" to INSECURE_ARG and print a
deprecation warning message advising users to switch to the INSECURE variable.
This maintains backward compatibility while guiding users to update their usage.

INSECURE_OPTION=""
if [[ "${CURL_INSECURE}" == 'true' ]]; then
INSECURE_OPTION="--insecure"
fi

if [[ -z "${VERSION:-}" ]]; then
LATEST_VERSION=$(get_latest_version)
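
Review bot: The new `[[ -n "${INSECURE:-}" ]]` test replaces the removed validation that rejected anything other than `true`/`false` with exit code 4, so any non-empty `INSECURE` inherited from the environment now disables verification, including one exported for an unrelated tool. Accept only explicit values such as `1` or `true` and keep erroring on anything else, or use a project-prefixed variable name, so a stray variable cannot switch off certificate checks by accident.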