[TC-004] Remove insecure (-k) option from curl commands to not skip SSL cert verification#3678

Open
kdeakinstructure wants to merge 1 commit into master from TC-004-remove-k-from-curl-command-to-not-skip-ssl-certification
Conversation

@kdeakinstructure
Contributor

-k unnecessarily skipped the SSL cert verification.

@github-actions
Contributor

github-actions Bot commented May 4, 2026

🧪 Unit Test Results


📊 Summary

  • Total Tests: 0
  • Failed: 0
  • Skipped: 0
  • Status: ⚠️ No test results found

Last updated: Mon, 04 May 2026 14:12:52 GMT

@claude claude Bot left a comment

Review: Remove -k (insecure) flag from curl commands

Overview

This PR removes the -k / --insecure flag from three curl invocations in apps/postProcessTestRun.bash. This flag disables SSL/TLS certificate verification, which means curl previously accepted any certificate (expired, self-signed, or from an untrusted CA) without complaint — a classic vector for man-in-the-middle attacks. Removing it restores proper certificate validation for outbound requests to the Observe telemetry endpoint.

Assessment

This is a clean, focused, and correct security fix. No logic is changed — only the TLS enforcement posture is corrected.

Checklist

  • Missing trailing newline (apps/postProcessTestRun.bash, line 162) — the file still lacks a POSIX-required trailing newline (see inline comment).

Positive Notes

  • Removing -k is the right call. The Observe endpoint (observeinc.com) uses a publicly trusted certificate, so this will work correctly without the flag.
  • The bearer token is still passed via $OBSERVE_MOBILE_TOKEN (environment variable), not hardcoded — good practice.
  • All three curl call sites are consistently updated, so there are no stragglers left using the insecure flag.

curl -k "https://103443579803.collect.observeinc.com/v1/http" -H "Authorization: Bearer $OBSERVE_MOBILE_TOKEN" -H "Content-Type: application/json" -d "$payload"
curl "https://103443579803.collect.observeinc.com/v1/http" -H "Authorization: Bearer $OBSERVE_MOBILE_TOKEN" -H "Content-Type: application/json" -d "$payload"
fi
done < "$costFile" No newline at end of file
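Review bot: with -k gone, a certificate-verification failure now makes curl exit non-zero, but the surviving `curl "https://103443579803.collect.observeinc.com/v1/http" ... -d "$payload"` line checks neither curl's exit status nor the HTTP status, so a post rejected by the endpoint (curl still exits 0 on 4xx/5xx without `-f`/`--fail`) or aborted by a TLS error is dropped silently and the `done < "$costFile"` loop moves on. Consider `curl --fail-with-body ...` (or `-f`) and acting on a non-zero return, so a lost telemetry upload is at least logged.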

The file is missing a trailing newline. POSIX requires text files to end with a newline, and many tools (linters, git diff, wc -l) behave unexpectedly without one. A simple fix is to add a blank line after this last line.
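
As an added example, not code from the PR or the repository: a shell check that audits a script for curl invocations that disable certificate verification, the class of defect this PR removes, covering the long form `--insecure`, a standalone `-k`, and `-k` folded into a short-option cluster such as `-sk`. The sample script, its `example.invalid` host and the `$payload` placeholder are constructed; the read loop also copes with a file that lacks a trailing newline, the state of `apps/postProcessTestRun.bash` noted above.

```shell
#!/usr/bin/env bash
# Added example (not code from the PR or the repository): audit a shell script
# for curl invocations that disable TLS certificate verification.
# Matches --insecure, a standalone -k, and -k inside a short-option cluster (-sk, -kfsS).

# Prints "<lineno>:<line>" for each offending curl line in $1.
# Returns 0 when the script is clean, 1 when anything was flagged.
find_insecure_curl() {
    local file="$1" lineno=0 hits=0 line
    # `|| [ -n "$line" ]` keeps the final line even when the file has no trailing
    # newline, the state of apps/postProcessTestRun.bash noted in the review.
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in *curl*) ;; *) continue ;; esac
        if printf '%s\n' "$line" |
            grep -Eq -- '(^|[[:space:]])(--insecure|-[A-Za-z]*k[A-Za-z]*)([[:space:]]|$)'; then
            printf '%s:%s\n' "$lineno" "$line"
            hits=$((hits + 1))
        fi
    done < "$file"
    [ "$hits" -eq 0 ]
}

# Constructed sample script (not the real file); example.invalid is a placeholder
# host. The final line is deliberately written without a trailing newline.
sample_script() {
    local f
    f="$(mktemp)"
    {
        printf '%s\n' '#!/bin/bash'
        printf '%s\n' 'curl -k "https://example.invalid/v1/http" -d "$payload"'   # standalone -k
        printf '%s\n' 'curl -sk "https://example.invalid/v1/http" -d "$payload"'  # clustered -k
        printf '%s\n' 'curl --insecure "https://example.invalid/v1/http"'         # long form
        printf '%s\n' 'curl "https://example.invalid/v1/http" -d "$payload"'      # fixed form: clean
        printf '%s' 'done < "$costFile"'                                          # no newline at EOF
    } > "$f"
    printf '%s' "$f"
}

# Number of flagged lines in $1 (0 when clean); convenient as a CI gate.
count_insecure_curl() {
    find_insecure_curl "$1" | wc -l | tr -d ' '
}

# Stand-alone run against the constructed sample: three lines are flagged.
f="$(sample_script)"
find_insecure_curl "$f" || echo "insecure curl flags found: $(count_insecure_curl "$f")"
rm -f "$f"
```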

@github-actions
Contributor

github-actions Bot commented May 4, 2026

📊 Code Coverage Report

✅ Student

  • PR Coverage: 42.48%
  • Master Coverage: 42.48%
  • Delta: +0.00%

✅ Teacher

  • PR Coverage: 25.23%
  • Master Coverage: 25.23%
  • Delta: +0.00%

✅ Pandautils

  • PR Coverage: 24.10%
  • Master Coverage: 24.09%
  • Delta: +0.00%

📈 Overall Average

  • PR Coverage: 30.60%
  • Master Coverage: 30.60%
  • Delta: +0.00%

2 participants