Improve SSL security of target connections

lukehinds · lukehinds · commit 0b69c61d10b5 · 2024-12-12T08:53:58.000Z
Previously we were not checking the hostname and verifying a
cert as required. We also set up a basic ssl context in this PR

Note this is connection to a host, it does not require our
server key or set.
diff --git a/src/codegate/pipeline/secrets/signatures.py b/src/codegate/pipeline/secrets/signatures.py
@@ -175,8 +175,10 @@ def _load_signatures(cls) -> None:
             yaml_data = cls._load_yaml(cls._yaml_path)
 
             # Add custom GitHub token patterns
-            github_patterns = {"Access Token": r"ghp_[0-9a-zA-Z]{32}",
-                               "Personal Token": r"github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}"}
+            github_patterns = {
+                "Access Token": r"ghp_[0-9a-zA-Z]{32}",
+                "Personal Token": r"github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}",
+            }
             cls._add_signature_group("GitHub", github_patterns)
 
             # Process patterns from YAML
diff --git a/src/codegate/providers/copilot/provider.py b/src/codegate/providers/copilot/provider.py
@@ -350,15 +350,20 @@ async def connect_to_target(self):
             # Create SSL context for target connection
             logger.debug("Creating SSL context for target connection")
             target_ssl_context = ssl.create_default_context()
-            # Don't verify certificates when connecting to target
-            target_ssl_context.check_hostname = False
-            target_ssl_context.verify_mode = ssl.CERT_NONE
 
-            # Connect directly to target host
+            # Ensure that the target SSL certificate is verified
+            target_ssl_context.check_hostname = True
+            target_ssl_context.verify_mode = ssl.CERT_REQUIRED
+
+            # Connect to target
             logger.debug(f"Connecting to {self.target_host}:{self.target_port}")
             target_protocol = CopilotProxyTargetProtocol(self)
             transport, _ = await self.loop.create_connection(
-                lambda: target_protocol, self.target_host, self.target_port, ssl=target_ssl_context
+                lambda: target_protocol,
+                self.target_host,
+                self.target_port,
+                ssl=target_ssl_context,
+                server_hostname=self.target_host,
             )
 
             logger.debug(f"Successfully connected to {self.target_host}:{self.target_port}")
