💡 Codex Review
Here are some automated review suggestions for this pull request.
| context = OpenSSL::SSL::SSLContext.new | ||
| ssl_socket = OpenSSL::SSL::SSLSocket.new(tcp, context) | ||
| ssl_socket.hostname = @host | ||
| ssl_socket.sync_close = true | ||
| ssl_socket.connect |
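Review bot: The context handed to `OpenSSL::SSL::SSLSocket.new(tcp, context)` is a bare `OpenSSL::SSL::SSLContext.new` with no `verify_mode`, so the handshake runs with `VERIFY_NONE` and any certificate is accepted; `ssl_socket.hostname = @host` only sends SNI, it does not check the certificate against the host. Before `ssl_socket.connect`, set `context.verify_mode = OpenSSL::SSL::VERIFY_PEER`, give the context a cert store loaded with `set_default_paths`, and set `context.verify_hostname = true` where the openssl gem supports it (`context.set_params` applies all three on recent gems).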
Verify TLS certificates for wss connections
When a wss endpoint is used the socket is wrapped in OpenSSL::SSL::SSLSocket without configuring any verification on the SSLContext. By default verify_mode is VERIFY_NONE, so the client happily accepts any certificate and is vulnerable to man‑in‑the‑middle attacks. The context should load the system trust store and set verify_mode: OpenSSL::SSL::VERIFY_PEER before connect to ensure the server certificate is validated.
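A hardened `SSLContext` of the kind the review comment above asks for, shown beside the default one the PR's code produced, as an added example that is not code from the eth gem or from this PR; the helper names and the `ca_file` option are this example's own assumptions.

```ruby
require "openssl"

# Added example, not the gem's code. Builds the SSLContext a wss client
# should hand to OpenSSL::SSL::SSLSocket.new, next to the default one.

# What the reviewed code effectively did: a bare context whose verify_mode
# is unset (VERIFY_NONE), so a self-signed or wrong-host cert is accepted.
def insecure_tls_context
  OpenSSL::SSL::SSLContext.new
end

# Hardened context: require a chain to a trusted root and check the
# certificate's names against the hostname set on the socket.
def secure_tls_context(ca_file: nil)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  store = OpenSSL::X509::Store.new
  if ca_file
    store.add_file(ca_file)   # pinned CA bundle (hypothetical option, e.g. for tests)
  else
    store.set_default_paths   # system trust store
  end
  ctx.cert_store = store
  # verify_hostname exists in openssl gem >= 2.0; older gems only get SNI
  ctx.verify_hostname = true if ctx.respond_to?(:verify_hostname=)
  ctx
end

# True when the context would reject an untrusted or mis-named certificate.
def verifies_peer?(ctx)
  ctx.verify_mode == OpenSSL::SSL::VERIFY_PEER &&
    !ctx.cert_store.nil? &&
    (!ctx.respond_to?(:verify_hostname) || ctx.verify_hostname == true)
end

# Usage sketch mirroring the PR's socket setup (host and port assumed):
# tcp = TCPSocket.new(host, 443)
# ssl = OpenSSL::SSL::SSLSocket.new(tcp, secure_tls_context)
# ssl.hostname = host   # SNI; verify_hostname compares the cert against it
# ssl.sync_close = true
# ssl.connect           # raises OpenSSL::SSL::SSLError on verification failure
```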
Summary
- Configured the WebSocket TLS setup to require peer verification, enable hostname checking when supported, and load the system trust store before establishing secure sockets. (lib/eth/client/websocket.rb L110-L121)
- Added a unit spec that stubs the SSL stack to ensure WSS connections configure certificate verification as expected. (spec/eth/client/websocket_spec.rb L204-L233)
Testing
⚠️ `bundle exec rspec spec/eth/client/websocket_spec.rb` (failed: bundler reported `command not found: rspec`)
Codecov Report

❌ Patch coverage is

Coverage Diff (additional details and impacted files):

| | main | #388 | +/- |
|---|---|---|---|
| Coverage | 99.71% | 99.09% | -0.62% |
| Files | 89 | 91 | +2 |
| Lines | 6316 | 6659 | +343 |
| Hits | 6298 | 6599 | +301 |
| Misses | 18 | 60 | +42 |
* commit 'ab969176faf033eb0a6387b875ee3aa677c4bacf':
  - build(deps): bump JamesIves/github-pages-deploy-action (q9f#395)
  - build(deps): bump actions/checkout from 5 to 6 (q9f#394)
  - add JSONRPC error code to Client::RpcError (q9f#392)
  - Update README.md (q9f#393)
  - build(deps): bump github/codeql-action from 3 to 4 (q9f#390)
  - client/ws: fix client origin headers for ws requests (q9f#391)
  - Rename websocket client to Ws and expand websocket tests (q9f#389)
  - Add WebSocket transport to client (q9f#388)
  - Support tuple arrays in ABI coder (q9f#387)
  - Format EIP-4844 transaction constant (q9f#386)
  - Fix ABI tuple handling for ethers test cases (q9f#385)
  - Increase blob throughput limits (q9f#363)
  - feat: use httpx for http requests (q9f#377) (q9f#382)
  - fix: transform hash keys to strings in encoder for component type compatibility (q9f#378)
  - fix: improve error handling for missing keys in component encoding (q9f#376)
  - build(deps): bump actions/checkout from 4 to 5 (q9f#379)

  # Conflicts:
  # eth.gemspec
  # lib/eth/client/http.rb