wagesj45/archive-org-link-grabber
wagesj45/archive-org-link-grabber
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(release): FTPS robustness — passive mode, TLS min, cert pinning, CA override, and optional insecure

Browse source
This commit is contained in:
Jordan Wages 2025-08-24 04:14:05 -05:00
commit 7c0e4ff920
2 changed files with 28 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

13
.env.example
View file

@ -20,6 +20,19 @@ FTP_REMOTE_DIR=/path/on/server
# If unset, the script auto-detects explicit when FTP_PROTOCOL=ftps and FTP_PORT=21. # If unset, the script auto-detects explicit when FTP_PROTOCOL=ftps and FTP_PORT=21.
# FTPS_MODE=explicit # FTPS_MODE=explicit
# Optional connection flags
# Use passive mode (some providers require this)
# FTP_PASSIVE=true
# Enforce TLS minimum (1.2 or 1.3)
# TLS_MIN=1.2
# Pin server certificate public key (recommended if provider's cert CN/SAN mismatch)
# Accepts a base64 sha256 hash (sha256//...) or a PEM/DER file path
# TLS_PINNED_PUBKEY=sha256//BASE64HASH
# Provide a custom CA bundle file (PEM) if needed
# TLS_CACERT=/path/to/ca-bundle.pem
# As a last resort only, disable certificate verification (not recommended)
# TLS_INSECURE=false
# SFTP host verification (SFTP only; choose one) # SFTP host verification (SFTP only; choose one)
# SFTP_KNOWN_HOSTS=/home/you/.ssh/known_hosts # SFTP_KNOWN_HOSTS=/home/you/.ssh/known_hosts
# SFTP_HOST_PUBKEY_SHA256=base64sha256fingerprint # SFTP_HOST_PUBKEY_SHA256=base64sha256fingerprint

15
scripts/release-push.js
View file

@ -132,10 +132,25 @@ const baseUrl = `${scheme}://${host}${port ? `:${port}` : ''}${remoteDir}`;
// Prepare common curl flags // Prepare common curl flags
const curlBase = ['curl', '--fail', '--ftp-create-dirs']; const curlBase = ['curl', '--fail', '--ftp-create-dirs'];
// Optional passive mode
if (String(process.env.FTP_PASSIVE || '').toLowerCase() === 'true') {
curlBase.push('--ftp-pasv');
}
// Optional TLS min version
const tlsMin = String(process.env.TLS_MIN || '').trim();
if (tlsMin === '1.2') curlBase.push('--tlsv1.2');
else if (tlsMin === '1.3') curlBase.push('--tlsv1.3');
if (protocol === 'ftps' && useExplicitFtps) { if (protocol === 'ftps' && useExplicitFtps) {
// Explicit FTPS (FTPES): connect plain on port 21 and then upgrade to TLS // Explicit FTPS (FTPES): connect plain on port 21 and then upgrade to TLS
// Modern curl prefers --ssl-reqd; keep compatibility with older --ftp-ssl-reqd if available // Modern curl prefers --ssl-reqd; keep compatibility with older --ftp-ssl-reqd if available
curlBase.push('--ssl-reqd'); curlBase.push('--ssl-reqd');
// Security knobs: either pin the server cert public key, supply a custom CA bundle, or allow insecure as last resort
const pinned = process.env.TLS_PINNED_PUBKEY;
const cacert = process.env.TLS_CACERT;
const insecure = String(process.env.TLS_INSECURE || '').toLowerCase() === 'true';
if (pinned) curlBase.push('--pinnedpubkey', JSON.stringify(pinned));
if (cacert) curlBase.push('--cacert', JSON.stringify(cacert));
if (insecure) curlBase.push('--insecure');
} }
// Detect curl option support dynamically to stay compatible with older curl versions // Detect curl option support dynamically to stay compatible with older curl versions
function curlSupports(opt) { function curlSupports(opt) {