removing ssl inspection capabilities

koalalab-inc · May 7, 2024 · bcc189c · bcc189c
1 parent 98663d6
commit bcc189c
Show file tree

Hide file tree

Showing 6 changed files with 56 additions and 78 deletions.
diff --git a/README.md b/README.md
@@ -48,8 +48,6 @@ You can configuree the Bolt action using inputs. Here is an example of how to co
         - name: 'Allow GitHub subs'
           destination: '*.github.com'
           action: 'allow'
-      trusted_github_accounts: |
-        - 'akto-api-security'
       disable_passwordless_sudo: 'false'
       default_policy: 'block-all'
       allow_http: 'false'
@@ -59,7 +57,6 @@ You can configuree the Bolt action using inputs. Here is an example of how to co
 ---------------------------------|---------------------------------
 | `mode` | Configure the mode of operation for the Bolt gateway. It can be `audit` or `active`. Default: `audit` |
 | `egress_rules` | A list of custom egress rules to be applied. Default: `[]`.
-| `trusted_github_accounts` | A list of trusted GitHub accounts.  Default: `[]`. The account in which workflow is running will always be trusted.
 | `disable_passwordless_sudo` | Whether to disable passwordless sudo or not. Default: `false` |
 | `allow_http` | Whether to allow non-secure HTTP requests or not. Default: `false`
 | `default_policy` | It can be either `block-all` or `allow-all`. Default: `block-all` |
@@ -115,36 +112,15 @@ Once the job is over, bolt will add a egress traffic report to the job summary.
 
 </details>
 
-<details open>
-  <summary>
-    <h4>🔒 Trusted Github Accounts</h4>
-
-  </summary>
-  <table><tr><th>Github Account</th></tr><tr><td>akto-api-security</td></tr></table>
-
-</details>
-      <blockquote>NOTE: The account in which workflow runs is always trusted.</blockquote>
 <h3>📝 Egress rules</h3>
 <pre lang="yaml"><code>- destination: google.com
   action: block
   name: Block Google
 - destination: ifconfig.me
   action: allow
   name: Allow ifconfig.me</code></pre>
-<h3>🚨 Requests to untrusted GitHub accounts found</h3>
 
-> [!CAUTION]
-> If you do not recognize these GitHub Accounts, you may want to investigate further. Add them to your trusted GitHub accounts if this is expected. See [Docs](https://github.com/koalalab-inc/bolt?tab=readme-ov-file#configure) for more information.
-
-<details open>
-  <summary>
-    razorpay
-  </summary>
-  <ul>
-    <li>/orgs/razorpay/repos</li>
-  </ul>
-</details>
-        <h3>Egress Traffic</h3>
+<h3>Egress Traffic</h3>
 <blockquote>NOTE: Running in Audit mode. Unknown/unverified destinations will be blocked in Active mode.</blockquote>
 
 <details open>

diff --git a/badges/coverage.svg b/badges/coverage.svg
diff --git a/dist/index.js b/dist/index.js
diff --git a/src/intercept.py b/src/intercept.py
@@ -212,13 +212,15 @@ def tls_clienthello(self, data):
 
         data.context.matched_rules = matched_rules
 
-        has_paths = len(matched_rules) > 0 and "paths" in matched_rules[0]
+        # Disabling path based rules for now as it requires SSL inspection
+        # has_paths = len(matched_rules) > 0 and "paths" in matched_rules[0]
 
-        if has_paths:
-            return
+        # if has_paths:
+        #     return
 
-        if destination in ["github.com", "api.github.com"]:
-            return
+        # Disabling SSL inspection for github.com and api.github.com
+        # if destination in ["github.com", "api.github.com"]:
+        # return
 
         applied_rule = matched_rules[0] if len(matched_rules) > 0 else None
         if applied_rule is not None:
@@ -263,7 +265,7 @@ def tls_start_client(self, data):
         logging.info("tls_start_client")
         action = data.context.action
         if action == "block" and self.mode != "audit":
-            data.ssl_conn = SSL.Connection(SSL.Context(SSL.SSLv23_METHOD))
+            data.ssl_conn = SSL.Connection(SSL.Context(SSL.TLSv1_2_METHOD))
             data.conn.error = "TLS Handshake failed"
 
     # pylint: disable=too-many-branches,too-many-locals,too-many-statements

diff --git a/src/summary.js b/src/summary.js
@@ -271,28 +271,28 @@ ${configTableString}
       .addEOL()
   }
 
-  if (untrustedGithubAccounts.length > 0) {
-    summary = summary.addHeading(
-      '🚨 Requests to untrusted GitHub accounts found',
-      3
-    ).addRaw(`
-> [!CAUTION]
-> If you do not recognize these GitHub Accounts, you may want to investigate further. Add them to your trusted GitHub accounts if this is expected. See [Docs](https://github.com/koalalab-inc/bolt?tab=readme-ov-file#configure) for more information.
-      `)
-
-    for (const account of untrustedGithubAccounts) {
-      summary = summary.addRaw(`
-<details open>
-  <summary>
-    ${account.name}
-  </summary>
-  <ul>
-    ${account.paths.map(({ method, path }) => `<li><b>[${method}]</b> ${path}</li>`).join('')}
-  </ul>
-</details>
-        `)
-    }
-  }
+  //   if (untrustedGithubAccounts.length > 0) {
+  //     summary = summary.addHeading(
+  //       '🚨 Requests to untrusted GitHub accounts found',
+  //       3
+  //     ).addRaw(`
+  // > [!CAUTION]
+  // > If you do not recognize these GitHub Accounts, you may want to investigate further. Add them to your trusted GitHub accounts if this is expected. See [Docs](https://github.com/koalalab-inc/bolt?tab=readme-ov-file#configure) for more information.
+  //       `)
+
+  //     for (const account of untrustedGithubAccounts) {
+  //       summary = summary.addRaw(`
+  // <details open>
+  //   <summary>
+  //     ${account.name}
+  //   </summary>
+  //   <ul>
+  //     ${account.paths.map(({ method, path }) => `<li><b>[${method}]</b> ${path}</li>`).join('')}
+  //   </ul>
+  // </details>
+  //         `)
+  //     }
+  //   }
 
   summary = summary.addRaw(auditSummaryRaw)
 

diff --git a/src/version.js b/src/version.js
@@ -1,4 +1,4 @@
-const releaseVersion = 'v1.4.3'
+const releaseVersion = 'v1.5.0-rc'
 
 module.exports = {
   releaseVersion