fix: honor requestTls when proxy is SOCKS5

tonghuaroot · mcollina · commit 04201f894704 · 2026-06-12T15:51:55.000+02:00
ProxyAgent silently dropped opts.requestTls when the configured proxy URI was socks5:// (or socks://). Socks5ProxyAgent also lacked any equivalent of requestTls, so even constructed directly it had no way to configure target HTTPS TLS settings (ca, cert, key, rejectUnauthorized, servername). The inner connect callback called tls.connect with ...connectOpts.tls || {} but undici's internal connectOpts never populates a .tls field, so the spread was a dead expression. This change: - Forwards opts.requestTls from ProxyAgent to Socks5ProxyAgent. - Adds a requestTls constructor option on Socks5ProxyAgent stored in the kRequestTls symbol. - Applies it on the inner tls.connect for the target HTTPS upgrade, with socket overriding (must point at the SOCKS5 tunnel) and servername defaulting to targetHost but allowing user override to match the HTTP-proxy path semantics. - Documents the new option in Socks5ProxyAgent.md. - Adds two regression tests covering both the direct Socks5ProxyAgent path and the ProxyAgent forwarding path. Refs GHSA-vmh5-mc38-953g (cherry picked from commit 42d4955) Signed-off-by: Matteo Collina <hello@matteocollina.com>
diff --git a/docs/docs/api/Socks5ProxyAgent.md b/docs/docs/api/Socks5ProxyAgent.md
@@ -22,6 +22,7 @@ Extends: [`PoolOptions`](/docs/docs/api/Pool.md#parameter-pooloptions)
 * **password** `string` (optional) - SOCKS5 proxy password for authentication. Can also be provided in the proxy URL.
 * **connect** `Function` (optional) - Custom connector function for the proxy connection.
 * **proxyTls** `BuildOptions` (optional) - TLS options for the proxy connection (when using SOCKS5 over TLS).
+* **requestTls** `BuildOptions` (optional) - TLS options applied to the HTTPS connection to the target server through the SOCKS5 tunnel. Use this to configure `ca`, `cert`, `key`, `rejectUnauthorized`, `servername`, etc. for the target HTTPS endpoint.
 
 Examples:
 
diff --git a/lib/dispatcher/proxy-agent.js b/lib/dispatcher/proxy-agent.js
@@ -142,7 +142,8 @@ class ProxyAgent extends DispatcherBase {
           factory: agentFactory,
           username: opts.username || username,
           password: opts.password || password,
-          proxyTls: opts.proxyTls
+          proxyTls: opts.proxyTls,
+          requestTls: opts.requestTls
         })
       }
 
diff --git a/lib/dispatcher/socks5-proxy-agent.js b/lib/dispatcher/socks5-proxy-agent.js
@@ -19,6 +19,7 @@ const kProxyAuth = Symbol('proxy auth')
 const kProxyProtocol = Symbol('proxy protocol')
 const kPools = Symbol('pools')
 const kConnector = Symbol('connector')
+const kRequestTls = Symbol('request tls settings')
 
 // Static flag to ensure warning is only emitted once per process
 let experimentalWarningEmitted = false
@@ -53,6 +54,7 @@ class Socks5ProxyAgent extends DispatcherBase {
     this[kProxyUrl] = url
     this[kProxyHeaders] = options.headers || {}
     this[kProxyProtocol] = options.proxyTls ? 'https:' : 'http:'
+    this[kRequestTls] = options.requestTls
 
     // Extract auth from URL or options
     this[kProxyAuth] = {
@@ -199,9 +201,9 @@ class Socks5ProxyAgent extends DispatcherBase {
                 }
                 debug('upgrading to TLS')
                 finalSocket = tls.connect({
+                  ...this[kRequestTls],
                   socket,
-                  servername: targetHost,
-                  ...connectOpts.tls || {}
+                  servername: this[kRequestTls]?.servername || targetHost
                 })
 
                 await new Promise((resolve, reject) => {
diff --git a/test/socks5-proxy-agent.js b/test/socks5-proxy-agent.js
@@ -1,14 +1,53 @@
 'use strict'
 
 const net = require('node:net')
+const https = require('node:https')
 const { tspl } = require('@matteo.collina/tspl')
-const { test } = require('node:test')
-const { request } = require('..')
+const { test, after } = require('node:test')
+const { request, ProxyAgent } = require('..')
 const { InvalidArgumentError } = require('../lib/core/errors')
 const Socks5ProxyAgent = require('../lib/dispatcher/socks5-proxy-agent')
 const { createServer } = require('node:http')
 const { TestSocks5Server } = require('./fixtures/socks5-test-server')
 
+const tlsCerts = (() => {
+  const forge = require('node-forge')
+  const createCert = (cn, issuer, keyLength = 2048) => {
+    const keys = forge.pki.rsa.generateKeyPair(keyLength)
+    const cert = forge.pki.createCertificate()
+    cert.publicKey = keys.publicKey
+    cert.serialNumber = '' + Date.now()
+    cert.validity.notBefore = new Date()
+    cert.validity.notAfter = new Date()
+    cert.validity.notAfter.setFullYear(cert.validity.notBefore.getFullYear() + 10)
+    const attrs = [{ name: 'commonName', value: cn }]
+    cert.setSubject(attrs)
+    const isCa = issuer === undefined
+    cert.setExtensions([
+      { name: 'basicConstraints', cA: isCa },
+      { name: 'subjectAltName', altNames: [{ type: 2, value: cn }] }
+    ])
+    const alg = forge.md.sha256.create()
+    if (issuer !== undefined) {
+      cert.setIssuer(issuer.certificate.subject.attributes)
+      cert.sign(issuer.privateKey, alg)
+    } else {
+      cert.setIssuer(attrs)
+      cert.sign(keys.privateKey, alg)
+    }
+    return { privateKey: keys.privateKey, publicKey: keys.publicKey, certificate: cert }
+  }
+  const root = createCert('socks5-test-ca')
+  const server = createCert('localhost', root)
+  return {
+    root: { crt: forge.pki.certificateToPem(root.certificate) },
+    server: {
+      key: forge.pki.privateKeyToPem(server.privateKey),
+      crt: forge.pki.certificateToPem(server.certificate)
+    }
+  }
+})()
+
 test('Socks5ProxyAgent - constructor validation', async (t) => {
   const p = tspl(t, { plan: 4 })
 
@@ -432,3 +471,87 @@ test('Socks5ProxyAgent - URL parsing edge cases', async (t) => {
 
   await p.completed
 })
+
+test('Socks5ProxyAgent - requestTls is honored for target HTTPS connection (GHSA-vmh5-mc38-953g)', async (t) => {
+  const p = tspl(t, { plan: 2 })
+
+  // HTTPS server with a cert signed by tlsCerts.root, NOT in Node's default trust store
+  const server = https.createServer({
+    key: tlsCerts.server.key,
+    cert: tlsCerts.server.crt
+  }, (req, res) => {
+    res.writeHead(200, { 'content-type': 'application/json' })
+    res.end(JSON.stringify({ ok: true }))
+  })
+  await new Promise(resolve => server.listen(0, '127.0.0.1', resolve))
+  const serverPort = server.address().port
+
+  // SOCKS5 server that forwards CONNECT to the local HTTPS server
+  const socksServer = new TestSocks5Server()
+  const socksAddress = await socksServer.listen()
+
+  // Use Socks5ProxyAgent directly with requestTls
+  const proxyAgent = new Socks5ProxyAgent(`socks5://127.0.0.1:${socksAddress.port}`, {
+    requestTls: {
+      ca: [tlsCerts.root.crt]
+    }
+  })
+
+  after(async () => {
+    await proxyAgent.close()
+    server.close()
+    await socksServer.close()
+  })
+
+  // The HTTPS request via SOCKS5 should succeed because requestTls.ca contains the root CA
+  // that signed the server cert. Without honoring requestTls, Node would default to Mozilla
+  // CA bundle and reject the cert.
+  const response = await request(`https://localhost:${serverPort}/`, {
+    dispatcher: proxyAgent
+  })
+  p.strictEqual(response.statusCode, 200, 'request should succeed when requestTls.ca is honored')
+  const body = await response.body.json()
+  p.deepStrictEqual(body, { ok: true })
+
+  await p.completed
+})
+
+test('ProxyAgent forwards requestTls to Socks5ProxyAgent (GHSA-vmh5-mc38-953g)', async (t) => {
+  const p = tspl(t, { plan: 2 })
+
+  const server = https.createServer({
+    key: tlsCerts.server.key,
+    cert: tlsCerts.server.crt
+  }, (req, res) => {
+    res.writeHead(200, { 'content-type': 'application/json' })
+    res.end(JSON.stringify({ ok: true }))
+  })
+  await new Promise(resolve => server.listen(0, '127.0.0.1', resolve))
+  const serverPort = server.address().port
+
+  const socksServer = new TestSocks5Server()
+  const socksAddress = await socksServer.listen()
+
+  // Use top-level ProxyAgent with socks5 URI + requestTls; the option must be forwarded.
+  const proxyAgent = new ProxyAgent({
+    uri: `socks5://127.0.0.1:${socksAddress.port}`,
+    requestTls: {
+      ca: [tlsCerts.root.crt]
+    }
+  })
+
+  after(async () => {
+    await proxyAgent.close()
+    server.close()
+    await socksServer.close()
+  })
+
+  const response = await request(`https://localhost:${serverPort}/`, {
+    dispatcher: proxyAgent
+  })
+  p.strictEqual(response.statusCode, 200, 'request should succeed when ProxyAgent forwards requestTls')
+  const body = await response.body.json()
+  p.deepStrictEqual(body, { ok: true })
+
+  await p.completed
+})

Original file line number	Diff line number	Diff line change
`@@ -142,7 +142,8 @@ class ProxyAgent extends DispatcherBase {`
`142`	`142`	`factory: agentFactory,`
`143`	`143`	`username: opts.username \|\| username,`
`144`	`144`	`password: opts.password \|\| password,`
`145`		`- proxyTls: opts.proxyTls`
	`145`	`+ proxyTls: opts.proxyTls,`
	`146`	`+ requestTls: opts.requestTls`
`146`	`147`	`})`
`147`	`148`	`}`
`148`	`149`