feat(release): FTPS robustness — passive mode, TLS min, cert pinning, CA override, and optional insecure

2025-08-24 04:14:05 -05:00 · 2025-08-24 04:14:05 -05:00 · 7c0e4ff920
commit 7c0e4ff920
parent 38946e711c
2 changed files with 28 additions and 0 deletions
--- a/.env.example
+++ b/.env.example
@ -20,6 +20,19 @@ FTP_REMOTE_DIR=/path/on/server
 # If unset, the script auto-detects explicit when FTP_PROTOCOL=ftps and FTP_PORT=21.
 # FTPS_MODE=explicit

+# Optional connection flags
+# Use passive mode (some providers require this)
+# FTP_PASSIVE=true
+# Enforce TLS minimum (1.2 or 1.3)
+# TLS_MIN=1.2
+# Pin server certificate public key (recommended if provider's cert CN/SAN mismatch)
+# Accepts a base64 sha256 hash (sha256//...) or a PEM/DER file path
+# TLS_PINNED_PUBKEY=sha256//BASE64HASH
+# Provide a custom CA bundle file (PEM) if needed
+# TLS_CACERT=/path/to/ca-bundle.pem
+# As a last resort only, disable certificate verification (not recommended)
+# TLS_INSECURE=false
+
 # SFTP host verification (SFTP only; choose one)
 # SFTP_KNOWN_HOSTS=/home/you/.ssh/known_hosts
 # SFTP_HOST_PUBKEY_SHA256=base64sha256fingerprint
--- a/scripts/release-push.js
+++ b/scripts/release-push.js
@ -132,10 +132,25 @@ const baseUrl = `${scheme}://${host}${port ? `:${port}` : ''}${remoteDir}`;

 // Prepare common curl flags
 const curlBase = ['curl', '--fail', '--ftp-create-dirs'];
+// Optional passive mode
+if (String(process.env.FTP_PASSIVE || '').toLowerCase() === 'true') {
+  curlBase.push('--ftp-pasv');
+}
+// Optional TLS min version
+const tlsMin = String(process.env.TLS_MIN || '').trim();
+if (tlsMin === '1.2') curlBase.push('--tlsv1.2');
+else if (tlsMin === '1.3') curlBase.push('--tlsv1.3');
 if (protocol === 'ftps' && useExplicitFtps) {
  // Explicit FTPS (FTPES): connect plain on port 21 and then upgrade to TLS
  // Modern curl prefers --ssl-reqd; keep compatibility with older --ftp-ssl-reqd if available
  curlBase.push('--ssl-reqd');
+  // Security knobs: either pin the server cert public key, supply a custom CA bundle, or allow insecure as last resort
+  const pinned = process.env.TLS_PINNED_PUBKEY;
+  const cacert = process.env.TLS_CACERT;
+  const insecure = String(process.env.TLS_INSECURE || '').toLowerCase() === 'true';
+  if (pinned) curlBase.push('--pinnedpubkey', JSON.stringify(pinned));
+  if (cacert) curlBase.push('--cacert', JSON.stringify(cacert));
+  if (insecure) curlBase.push('--insecure');
 }
 // Detect curl option support dynamically to stay compatible with older curl versions
 function curlSupports(opt) {