From 802d02ec1ef88260145d7d99cf3ebe0556735f45 Mon Sep 17 00:00:00 2001
From: Kyle Larose
Date: Tue, 23 Aug 2022 15:16:08 -0400
Subject: [PATCH] do not disable tls verification in init

TLS verification for some reason is disabled by default globally by the download package. This is done at init, which means simply importing the package has the very dangerous, unexpected side effect of removing TLS verification for any http client elsewere in the codebase using the default http client.

Rather than disable TLS verification globally at init time, instead do it as part of the bootstrap/run process so that applications using this module do not inadvertently decrease their security.
---
 bootstrap/bootstrap.go | 4 ++++
 utils/download/download.go | 5 -----
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/bootstrap/bootstrap.go b/bootstrap/bootstrap.go
index 50aecfe..9930f65 100644
--- a/bootstrap/bootstrap.go
+++ b/bootstrap/bootstrap.go
@@ -1,10 +1,12 @@
 package bootstrap
 
 import (
+	"crypto/tls"
 	"encoding/json"
 	"flag"
 	"fmt"
 	"io"
+	"net/http"
 	"os"
 	"path/filepath"
 	"runtime"
@@ -41,6 +43,8 @@ func Run(productName, productTitle, productVersion string) {
 			}
 		}
 	}
+
+	http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
 
 	userConfigDir, err := os.UserConfigDir()
 	userConfigDir = filepath.Join(userConfigDir, "Rocket Software")
diff --git a/utils/download/download.go b/utils/download/download.go
index d55e852..3fe530a 100644
--- a/utils/download/download.go
+++ b/utils/download/download.go
@@ -2,7 +2,6 @@ package download
 
 import (
 	"bytes"
-	"crypto/tls"
 	"fmt"
 	"io"
 	"net/http"
@@ -100,7 +99,3 @@ func GetLastModifiedTime(url string) (time.Time, error) {
 	}
 	return lastModifiedTime, nil
 }
-
-func init() {
-	http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
-}
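Review bot: The line added to Run in bootstrap.go still disables certificate verification for every consumer of http.DefaultTransport in the process, so the commit moves the global side effect from import time to Run time rather than removing it; any http.Client in the application that relies on the default transport loses verification once Run is called, and nothing in the hunk lets a caller opt out. The unchecked assertion `http.DefaultTransport.(*http.Transport)` also panics if another package has replaced DefaultTransport with a different RoundTripper, and as far as I can tell the assignment is an unsynchronized write that races with any request already in flight on that transport. A narrower fix is to leave DefaultTransport alone and give the download package its own client built from `http.DefaultTransport.(*http.Transport).Clone()` carrying the relaxed config, enabled only by an explicit option and documented at the call site with `// NOTE: disables TLS certificate verification for the download client only, never for DefaultTransport`. At minimum, guard the assertion: `if tr, ok := http.DefaultTransport.(*http.Transport); ok { tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true} }`. Run begins and continues outside the hunk.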