
fix(security): TLS ssl_verify hardcoding and credential encryption issues#13203

Open
AlinsRan wants to merge 1 commit into apache:master from AlinsRan:fix/tls-ssl-verify-credential-encryption

Conversation

@AlinsRan
Contributor

Summary

Fixes multiple TLS and encryption security vulnerabilities across several plugins.

Issues Fixed

wolf-rbac: hardcoded ssl_verify=false

  • Problem: All outbound HTTP calls to the Wolf RBAC server used ssl_verify = false, disabling certificate verification even for HTTPS endpoints.
  • Fix: Added ssl_verify field to plugin schema (no default — users opt in). Threaded through http_req(), http_get(), check_url_permission(), and request_to_wolf_server(). Also fixed check_schema to run core.schema.check before check_https, and added check_tls_bool call.

ai-rag plugin: no TLS certificate verification for Azure calls

  • Problem: The ai-rag plugin called Azure OpenAI Embeddings and Azure AI Search via resty.http without setting ssl_verify, meaning no certificate verification was performed. Also removed a stray type = "object" line from the schema properties table.
  • Fix: Added ssl_verify field to the top-level ai-rag schema (default true). Passed to both embedding and vector-search driver request_uri() calls.

aws-lambda: IAM credentials not encrypted at rest

  • Problem: The aws-lambda plugin defines authorization.apikey and authorization.iam.secretkey/accesskey fields but had no encrypt_fields declaration. These credentials were stored in plaintext in etcd.
  • Fix: Added encrypt_fields = {"authorization.apikey", "authorization.iam.accesskey", "authorization.iam.secretkey"} to the plugin schema.

Files Changed

  • apisix/plugins/wolf-rbac.lua
  • apisix/plugins/ai-rag.lua
  • apisix/plugins/ai-rag/embeddings/azure_openai.lua
  • apisix/plugins/ai-rag/vector-search/azure_ai_search.lua
  • apisix/plugins/aws-lambda.lua
  • t/plugin/wolf-rbac.t — TEST 38-40: ssl_verify schema validation
  • t/plugin/ai-rag.t — TEST 13-14: ssl_verify defaults to true, can be set false
  • t/plugin/aws-lambda.t — TEST 7: encrypt_fields covers all credential fields
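The pattern the PR describes, as an added illustration (not code from PR #13203 or from APISIX itself): a plugin schema that carries an `ssl_verify` field with a default of `true` and an `encrypt_fields` list, a `check_schema` that runs `core.schema.check` before any further checks, and the hardcoded `ssl_verify = false` call beside the version that passes the validated setting to lua-resty-http's `request_uri`. The plugin name, priority and field names other than `ssl_verify` are hypothetical.

```lua
-- Added example, not APISIX or PR code. Shows the fix pattern from PR #13203.
local core = require("apisix.core")
local http = require("resty.http")

local schema = {
    type = "object",
    properties = {
        server = { type = "string" },      -- hypothetical field
        apikey = { type = "string" },      -- hypothetical credential field
        -- Defaulting to true means HTTPS endpoints are verified unless the
        -- operator explicitly opts out.
        ssl_verify = { type = "boolean", default = true },
    },
    required = { "server", "apikey" },
}

local _M = {
    version = 0.1,
    priority = 1000,                       -- hypothetical
    name = "example-upstream-auth",        -- hypothetical plugin name
    schema = schema,
    -- Fields listed here are stored encrypted in etcd rather than in plaintext.
    encrypt_fields = { "apikey" },
}

function _M.check_schema(conf)
    -- Schema validation first, so defaults (ssl_verify = true) are applied
    -- before any later check inspects conf.
    local ok, err = core.schema.check(schema, conf)
    if not ok then
        return false, err
    end
    if conf.ssl_verify == false then
        core.log.warn("TLS certificate verification disabled for ", conf.server)
    end
    return true
end

-- Before: verification hardcoded off for every call, HTTPS included.
local function request_insecure(httpc, url)
    return httpc:request_uri(url, { method = "GET", ssl_verify = false })
end

-- After: verification follows the validated config (true unless opted out).
function _M.request(conf, url)
    local httpc = http.new()
    return httpc:request_uri(url, {
        method = "GET",
        headers = { ["X-Api-Key"] = conf.apikey },
        ssl_verify = conf.ssl_verify,
    })
end

return _M
```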

@dosubot dosubot bot added size:L This PR changes 100-499 lines, ignoring generated files. bug Something isn't working labels Apr 13, 2026
@AlinsRan AlinsRan force-pushed the fix/tls-ssl-verify-credential-encryption branch from 2fdfcc4 to e74a195 on April 14, 2026 09:07
…sues

- wolf-rbac: add configurable ssl_verify field (default nil/false) to
  plugin schema; thread through http_req/http_get/check_url_permission/
  request_to_wolf_server; fix check_schema to run schema validation
  before check_https; add check_tls_bool call
- ai-rag: add ssl_verify field (default true) to plugin schema; pass
  ssl_verify to embeddings and vector-search driver request_uri calls;
  also remove stray 'type = object' line from properties table
- ai-rag/embeddings/azure_openai: accept ssl_verify param and pass to
  request_uri
- ai-rag/vector-search/azure_ai_search: accept ssl_verify param and
  pass to request_uri
- aws-lambda: add encrypt_fields for authorization.apikey,
  authorization.iam.accesskey, and authorization.iam.secretkey so
  credentials are stored encrypted at rest in etcd
@AlinsRan AlinsRan force-pushed the fix/tls-ssl-verify-credential-encryption branch from e74a195 to 633ffc6 on April 14, 2026 09:14