fix: disable hostname verification if connecting over an IP literal (#643)

kevcodez · darora · web-flow · commit f9ea21c939b5 · 2025-03-11T14:43:51.000+01:00
* fix: disable hostname verification if connecting over an IP literal

* Update util.test.ts

---------

Co-authored-by: Div Arora &lt;root@darora.com&gt;
diff --git a/src/internal/database/util.ts b/src/internal/database/util.ts
@@ -1,12 +1,13 @@
 import { logger } from '@internal/monitoring'
+import { ConnectionOptions } from 'tls'
 
 export function getSslSettings({
   connectionString,
   databaseSSLRootCert,
 }: {
   connectionString: string
   databaseSSLRootCert: string | undefined
-}): { ca: string } | undefined {
+}): ConnectionOptions | undefined {
   if (!databaseSSLRootCert) return undefined
 
   try {
@@ -15,7 +16,7 @@ export function getSslSettings({
     // in case the hostname is an IP address
     const url = new URL(connectionString)
     if (url.hostname && isIpAddress(url.hostname)) {
-      return undefined
+      return { ca: databaseSSLRootCert, rejectUnauthorized: false }
     }
   } catch (err) {
     // ignore to ensure this never breaks the connection in case of an invalid URL
diff --git a/src/test/database/util.test.ts b/src/test/database/util.test.ts
@@ -23,13 +23,13 @@ describe('database utils', () => {
       ).toBeUndefined()
     })
 
-    test('should return no SSL settings if hostname is an IP address', () => {
+    test('should return SSL settings if hostname is an IP address', () => {
       expect(
         getSslSettings({
           connectionString: 'postgres://foo:bar@1.2.3.4:5432/postgres',
           databaseSSLRootCert: '<cert>',
         })
-      ).toBeUndefined()
+      ).toStrictEqual({ ca: '<cert>', rejectUnauthorized: false })
     })
 
     test('should return SSL settings if hostname is not an IP address', () => {
