[misc] Prevent password transmission over untrusted SSL with self-signed certificates for caching_sha2_password

rusher · rusher · commit 2d5db1da9b64 · 2026-02-16T18:32:55.000+01:00
diff --git a/lib/cmd/handshake/auth/caching-sha2-password-auth.js b/lib/cmd/handshake/auth/caching-sha2-password-auth.js
@@ -62,6 +62,16 @@ class CachingSha2PasswordAuth extends PluginAuth {
 
           case 0x04:
             if (this.isSecureConnection()) {
+              if (info.requireValidCert && info.selfSignedCertificate) {
+                return this.throwError(
+                  Errors.createFatalError(
+                    'cannot send a `caching_sha2_password` and SSL without providing server certificates, cannot send password in clear on an untrusted SSL connection',
+                    Errors.client.ER_SELF_SIGNED_SHA256,
+                    info
+                  ),
+                  info
+                );
+              }
               // Secure connection, sending password in clear
               out.startPacket(this);
               out.writeString(opts.password);
diff --git a/lib/connection.js b/lib/connection.js
@@ -1375,8 +1375,14 @@ class Connection extends EventEmitter {
     // https://github.com/denoland/deno/issues/30892
     if (typeof Deno !== 'undefined') {
       info.requireValidCert = false;
-    } else if (info.isMariaDB()) {
-      // for MariaDB servers, permit self-signed certificated
+    } else if (info.requireValidCert &&
+      info.isMariaDB() &&
+      !this.opts.socketPath &&
+      Boolean(this.opts.password) &&
+      !(this.opts.ssl && this.opts.ssl.ca)
+    ) {
+      // for MariaDB servers without local socket, with a password, and no server certificates provided:
+      // permit self-signed certificates at TLS level,
       // this will be replaced by fingerprint validation with ending OK_PACKET
       baseConf['rejectUnauthorized'] = false;
     }
diff --git a/lib/misc/errors.js b/lib/misc/errors.js
@@ -153,7 +153,8 @@ export const client = {
   ER_TLS_IDENTITY_ERROR: 45059,
   ER_POOL_NOT_INITIALIZED: 45060,
   ER_POOL_NO_CONNECTION: 45061,
-  ER_SELF_SIGNED_BAD_PLUGIN: 45062
+  ER_SELF_SIGNED_BAD_PLUGIN: 45062,
+  ER_SELF_SIGNED_SHA256: 45063
 };
 
 export function getClientErrorKey(errno) {
