fix(node): suppress unavoidable InsecureSkipVerify alert for cert pinning

FetchCertFingerprint must accept any certificate by design: it fetches a not-yet-pinned node's leaf cert (trust-on-first-use) so the admin can pin it. Disabling verification is inherent to that, so go/disabled-certificate-check cannot be cleared by code changes. Suppress the finding inline, matching the existing lgtm convention in custom_geo.go.
2026-06-03 10:59:34 +00:00 · 2026-06-02 03:58:52 +02:00
parent 327228d8f3
commit f0e459e51e
1 changed files with 5 additions and 14 deletions
--- a/web/service/node.go
+++ b/web/service/node.go
@@ -136,20 +136,10 @@ func (s *NodeService) FetchCertFingerprint(ctx context.Context, n *model.Node) (
 	if err != nil {
 		return "", err
 	}
-	var fingerprint string
 	client := &http.Client{
 		Transport: &http.Transport{
-			DialContext: netsafe.SSRFGuardedDialContext,
-			TLSClientConfig: &tls.Config{
-				InsecureSkipVerify: true,
-				VerifyConnection: func(cs tls.ConnectionState) error {
-					if len(cs.PeerCertificates) > 0 {
-						sum := sha256.Sum256(cs.PeerCertificates[0].Raw)
-						fingerprint = base64.StdEncoding.EncodeToString(sum[:])
-					}
-					return nil
-				},
-			},
+			DialContext:     netsafe.SSRFGuardedDialContext,
+			TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // lgtm[go/disabled-certificate-check]
 		},
 	}
 	resp, err := client.Do(req)
@@ -157,10 +147,11 @@ func (s *NodeService) FetchCertFingerprint(ctx context.Context, n *model.Node) (
 		return "", err
 	}
 	defer resp.Body.Close()
-	if fingerprint == "" {
+	if resp.TLS == nil || len(resp.TLS.PeerCertificates) == 0 {
 		return "", common.NewError("node did not present a TLS certificate")
 	}
-	return fingerprint, nil
+	sum := sha256.Sum256(resp.TLS.PeerCertificates[0].Raw)
+	return base64.StdEncoding.EncodeToString(sum[:]), nil
 }

 func (s *NodeService) GetAll() ([]*model.Node, error) {