[repo-monitor] High: TLS certificate verification can be disabled with no warning

[Liohtml]

Summary

Setting verify_ssl(false) in FetcherConfig disables TLS certificate validation for all requests globally with no log warning, enabling man-in-the-middle attacks.

Location

• File: src/fetchers/client.rs
• Line(s): 23

Severity

High

Details

.danger_accept_invalid_certs(!config.verify_ssl);

Setting verify_ssl = false disables TLS certificate validation for all requests. There is no warning to users that this is insecure. The danger_accept_invalid_certs name from reqwest itself signals this should be used with great care.

Suggested Fix

Add a prominent log warning when TLS verification is disabled:

if !config.verify_ssl {
    log::warn!("SSL certificate verification is DISABLED. This is insecure and must not be used in production.");
}

Also add a # Security section to the field's doc comment.

---

Automated finding by repo-monitor

[Liohtml]

Analysis

Confirmed. src/fetchers/client.rs:23: danger_accept_invalid_certs(!config.verify_ssl). When verify_ssl = false, TLS certificate validation is completely disabled with no warning to the user.

This is arguably a feature (some scrapers need to target internal services with self-signed certs), but the danger is the silent default. If verify_ssl defaults to true in FetcherConfig, then explicit opt-in is fine. The only issue is the absence of a warning.

One-line fix:

// src/fetchers/client.rs — in the client builder:
if !config.verify_ssl {
    log::warn!(
        "TLS certificate verification is DISABLED. \
         This exposes you to man-in-the-middle attacks. \
         Only use this for testing or trusted internal networks."
    );
}
builder = builder.danger_accept_invalid_certs(!config.verify_ssl);

This is cosmetic in isolation, but important for operations: if a spider configuration accidentally has verify_ssl: false set, this warning would appear in logs and alert the operator.

Also worth noting: The method name danger_accept_invalid_certs is already a strong signal to developers reading the code. The missing piece is surfacing that signal at runtime to operators.

Effort: 5 min.