fix: ensure that all calls to api.cypress.io and cloud.cypress.io properly set rejectUnauthorized (#32629)

* fix: ensure that all calls to api.cypress.io and cloud.cypress.io properly set rejectUnauthorized

* fix: ensure that all calls to api.cypress.io and cloud.cypress.io properly set rejectUnauthorized

* Fix SSL certificate verification for cloud requests

Fixed SSL certificate verification for Cypress cloud requests.

* fix: ensure that all calls to api.cypress.io and cloud.cypress.io properly set rejectUnauthorized

* Update packages/data-context/src/sources/UtilDataSource.ts

* fix tests

* fix tests

Author: ryanthemanuel

cli/CHANGELOG.md

@@ -11,6 +11,7 @@ _Released 10/07/2025 (PENDING)_
 
 - Fixed a regression introduced in [`15.0.0`](https://docs.cypress.io/guides/references/changelog#15-0-0) where `dbus` connection error messages appear in docker containers when launching Cypress. Fixes [#32290](https://github.com/cypress-io/cypress/issues/32290).
 - Fixed code frames in `cy.origin` so that failed commands will show the correct line/column within the corresponding spec file. Addressed in [#32597](https://github.com/cypress-io/cypress/pull/32597).
+- Fixed Cypress cloud requests so that they properly verify SSL certificates. Addressed in [#32629](https://github.com/cypress-io/cypress/pull/32629).
 
 **Misc:**
 

packages/data-context/src/sources/UtilDataSource.ts

@@ -3,7 +3,7 @@ import type { DataContext } from '../DataContext'
 import { isDependencyInstalled, isDependencyInstalledByName } from '@packages/scaffold-config'
 
 // Require rather than import since data-context is stricter than network and there are a fair amount of errors in agent.
-const { agent } = require('@packages/network')
+const { strictAgent } = require('@packages/network')
 
 /**
  * this.ctx.util....
@@ -17,7 +17,7 @@ export class UtilDataSource {
   fetch (input: RequestInfo | URL, init?: RequestInit) {
     // @ts-ignore agent isn't a part of cross-fetch's API since it's not a part of the browser's fetch but it is a part of node-fetch
     // which is what will be used here
-    return fetch(input, { agent, ...init })
+    return fetch(input, { ...init, agent: strictAgent })
   }
 
   isDependencyInstalled (dependency: Cypress.CypressComponentDependency, projectPath: string) {

packages/data-context/test/unit/sources/UtilDataSource.spec.ts

@@ -0,0 +1,97 @@
+// Jest globals are available without import in this environment
+import fetch from 'cross-fetch'
+import { createTestDataContext } from '../helper'
+import { UtilDataSource } from '../../../src/sources/UtilDataSource'
+import { DataContext } from '../../../src'
+import { strictAgent } from '@packages/network'
+
+// Mock cross-fetch
+jest.mock('cross-fetch')
+const mockedFetch = jest.mocked(fetch)
+
+describe('UtilDataSource', () => {
+  let ctx: DataContext
+  let utilDataSource: UtilDataSource
+
+  beforeEach(() => {
+    ctx = createTestDataContext('open')
+    utilDataSource = new UtilDataSource(ctx)
+
+    // Reset all mocks
+    jest.clearAllMocks()
+  })
+
+  afterEach(() => {
+    ctx.destroy()
+  })
+
+  describe('#fetch', () => {
+    it('calls fetch with strictAgent and provided options', async () => {
+      const mockResponse = {
+        ok: true,
+        status: 200,
+        json: jest.fn().mockResolvedValue({ data: 'test' }),
+      } as any
+
+      mockedFetch.mockResolvedValue(mockResponse)
+
+      const url = 'https://example.com/api'
+      const init = { method: 'POST', body: 'test' }
+
+      const result = await utilDataSource.fetch(url, init)
+
+      expect(mockedFetch).toHaveBeenCalledWith(url, {
+        agent: strictAgent,
+        method: 'POST',
+        body: 'test',
+      })
+
+      expect(result).toBe(mockResponse)
+    })
+
+    it('calls fetch with only strictAgent when no init options provided', async () => {
+      const mockResponse = {
+        ok: true,
+        status: 200,
+        json: jest.fn().mockResolvedValue({ data: 'test' }),
+      } as any
+
+      mockedFetch.mockResolvedValue(mockResponse)
+
+      const url = 'https://example.com/api'
+
+      const result = await utilDataSource.fetch(url)
+
+      expect(mockedFetch).toHaveBeenCalledWith(url, {
+        agent: expect.any(Object), // strictAgent
+      })
+
+      expect(result).toBe(mockResponse)
+    })
+
+    it('merges init options with agent configuration', async () => {
+      const mockResponse = {
+        ok: true,
+        status: 200,
+      } as any
+
+      mockedFetch.mockResolvedValue(mockResponse)
+
+      const url = 'https://example.com/api'
+      const init = {
+        method: 'PUT',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ test: 'data' }),
+      }
+
+      await utilDataSource.fetch(url, init)
+
+      expect(mockedFetch).toHaveBeenCalledWith(url, {
+        agent: strictAgent,
+        method: 'PUT',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ test: 'data' }),
+      })
+    })
+  })
+})

packages/network/lib/agent.ts

@@ -465,6 +465,18 @@ class HttpsAgent extends https.Agent {
   }
 }
 
+// NODE_TLS_REJECT_UNAUTHORIZED is set to '0' in Cypress to cover
+// all traffic to the user's app and `agent` honors this by default.
+// Calls to the Cloud should use the `strictAgent` or `api/index`'s
+// request promise implementation instead as they override
+// this functionality to actually reject in unauthorized situations.
 const agent = new CombinedAgent()
 
+// This agent always rejects unauthorized certificates.
+const strictAgent = new CombinedAgent({}, {
+  rejectUnauthorized: true,
+})
+
 export default agent
+
+export { strictAgent }

packages/network/lib/index.ts

@@ -1,4 +1,4 @@
-import agent from './agent'
+import agent, { strictAgent } from './agent'
 import * as blocked from './blocked'
 import * as connect from './connect'
 import * as cors from './cors'
@@ -14,6 +14,7 @@ export {
   httpUtils,
   uri,
   clientCertificates,
+  strictAgent,
 }
 
 export { allowDestroy } from './allow-destroy'

packages/server/lib/cloud/api/cloud_request.ts

@@ -5,7 +5,7 @@ import os from 'os'
 import followRedirects from 'follow-redirects'
 import axios, { AxiosInstance } from 'axios'
 import pkg from '@packages/root'
-import agent from '@packages/network/lib/agent'
+import { strictAgent } from '@packages/network/lib/agent'
 
 import app_config from '../../../config/app.json'
 import { installErrorTransform } from './axios_middleware/transform_error'
@@ -40,8 +40,8 @@ export const createCloudRequest = (options: CreateCloudRequestOptions = {}): Axi
 
   const instance = axios.create({
     baseURL,
-    httpAgent: agent,
-    httpsAgent: agent,
+    httpAgent: strictAgent,
+    httpsAgent: strictAgent,
     headers: {
       'x-os-name': os.platform(),
       'x-cypress-version': pkg.version,

packages/server/lib/cloud/api/studio/get_studio_bundle.ts

@@ -2,7 +2,7 @@ import { asyncRetry, linearDelay } from '../../../util/async_retry'
 import { isRetryableError } from '../../network/is_retryable_error'
 import fetch from 'cross-fetch'
 import os from 'os'
-import { agent } from '@packages/network'
+import { strictAgent } from '@packages/network'
 import { PUBLIC_KEY_VERSION } from '../../constants'
 import { createWriteStream } from 'fs'
 import { verifySignatureFromFile } from '../../encryption'
@@ -24,7 +24,7 @@ export const getStudioBundle = async ({ studioUrl, bundlePath }: { studioUrl: st
     try {
       const response = await fetch(studioUrl, {
         // @ts-expect-error - this is supported
-        agent,
+        agent: strictAgent,
         method: 'GET',
         headers: {
           'x-route-version': '1',

packages/server/lib/cloud/api/studio/post_studio_session.ts

@@ -2,7 +2,7 @@ import { asyncRetry, linearDelay } from '../../../util/async_retry'
 import { isRetryableError } from '../../network/is_retryable_error'
 import fetch from 'cross-fetch'
 import os from 'os'
-import { agent } from '@packages/network'
+import { strictAgent } from '@packages/network'
 
 const pkg = require('@packages/root')
 const routes = require('../../routes') as typeof import('../../routes')
@@ -17,7 +17,7 @@ export const postStudioSession = async ({ projectId }: PostStudioSessionOptions)
   return await (asyncRetry(async () => {
     const response = await fetch(routes.apiRoutes.studioSession(), {
       // @ts-expect-error - this is supported
-      agent,
+      agent: strictAgent,
       method: 'POST',
       headers: {
         'Content-Type': 'application/json',

packages/server/lib/cloud/network/put_fetch.ts

@@ -2,7 +2,7 @@ import crossFetch from 'cross-fetch'
 import { SystemError } from './system_error'
 import { HttpError } from './http_error'
 import { ParseError } from './parse_error'
-import { agent } from '@packages/network'
+import { strictAgent } from '@packages/network'
 import Debug from 'debug'
 
 const debug = Debug('cypress-verbose:server:cloud:api:put')
@@ -37,7 +37,7 @@ export async function putFetch<
       // types based on that rather than on node-fetch which it
       // actually uses under the hood. node-fetch supports `agent`.
       // @ts-expect-error
-      agent,
+      agent: strictAgent,
     })
 
     if (response.status >= 400) {

packages/server/lib/cloud/protocol.ts

@@ -6,7 +6,7 @@ import Debug from 'debug'
 import fs from 'fs-extra'
 import os from 'os'
 import path from 'path'
-import { agent } from '@packages/network'
+import { strictAgent } from '@packages/network'
 import pkg from '@packages/root'
 import env from '../util/env'
 import { putProtocolArtifact } from './api/put_protocol_artifact'
@@ -416,7 +416,7 @@ export class ProtocolManager implements ProtocolManagerShape {
 
       await fetch(routes.apiRoutes.captureProtocolErrors() as string, {
         // @ts-expect-error - this is supported
-        agent,
+        agent: strictAgent,
         method: 'POST',
         body,
         headers: {