Skip to content

fix: default MSSQL SSL mode to disable and handle missing SSL config (#41627) #41818

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
xiyaoeva wants to merge 1 commit into
base: release
Choose a base branch
from
+5 −10
Open

fix: default MSSQL SSL mode to disable and handle missing SSL config (#41627) #41818

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 4 additions & 9 deletions app/server/appsmith-plugins/mssqlPlugin/src/main/java/com/external/plugins/MssqlPlugin.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -643,20 +643,15 @@ private static HikariDataSource createConnectionPool(
private static void addSslOptionsToUrlBuilder(
DatasourceConfiguration datasourceConfiguration, StringBuilder urlBuilder) throws AppsmithPluginException {
/*
* - Ideally, it is never expected to be null because the SSL dropdown is set to a initial value.
* - When SSL configuration is absent, default to disabling encryption so that
* connections to servers that do not require encryption work out of the box.
*/
if (datasourceConfiguration.getConnection() == null
|| datasourceConfiguration.getConnection().getSsl() == null
|| datasourceConfiguration.getConnection().getSsl().getAuthType() == null) {
throw new AppsmithPluginException(
AppsmithPluginError.PLUGIN_ERROR,
"Appsmith server has failed to fetch SSL configuration from datasource configuration form. "
+ "Please reach out to Appsmith customer support to resolve this.");
urlBuilder.append("encrypt=false;");
return;
Comment on lines 649 to +653
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot May 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Don't silently downgrade partially populated SSL configs.

Defaulting to encrypt=false when the entire SSL block is absent makes sense here, but doing the same for ssl.authType == null can turn a malformed or partially migrated secure config into plaintext without any signal.

Suggested adjustment 
-        if (datasourceConfiguration.getConnection() == null
-                || datasourceConfiguration.getConnection().getSsl() == null
-                || datasourceConfiguration.getConnection().getSsl().getAuthType() == null) {
+        if (datasourceConfiguration.getConnection() == null
+                || datasourceConfiguration.getConnection().getSsl() == null) {
             urlBuilder.append("encrypt=false;");
             return;
         }
+        if (datasourceConfiguration.getConnection().getSsl().getAuthType() == null) {
+            throw new AppsmithPluginException(
+                    AppsmithPluginError.PLUGIN_ERROR,
+                    "Missing MSSQL SSL mode in datasource configuration.");
+        }
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
if (datasourceConfiguration.getConnection() == null
|| datasourceConfiguration.getConnection().getSsl() == null
|| datasourceConfiguration.getConnection().getSsl().getAuthType() == null) {
throw new AppsmithPluginException(
AppsmithPluginError.PLUGIN_ERROR,
"Appsmith server has failed to fetch SSL configuration from datasource configuration form. "
+ "Please reach out to Appsmith customer support to resolve this.");
urlBuilder.append("encrypt=false;");
return;
if (datasourceConfiguration.getConnection() == null
|| datasourceConfiguration.getConnection().getSsl() == null) {
urlBuilder.append("encrypt=false;");
return;
}
if (datasourceConfiguration.getConnection().getSsl().getAuthType() == null) {
throw new AppsmithPluginException(
AppsmithPluginError.PLUGIN_ERROR,
"Missing MSSQL SSL mode in datasource configuration.");
}
🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@app/server/appsmith-plugins/mssqlPlugin/src/main/java/com/external/plugins/MssqlPlugin.java`
around lines 649 - 653, The code currently treats a missing ssl.authType the
same as a missing SSL block and silently appends "encrypt=false" to urlBuilder;
instead, only default to "encrypt=false" when the entire SSL block is absent
(datasourceConfiguration.getConnection() == null || getSsl() == null). If
getSsl() is present but getAuthType() is null, do not overwrite to
plaintext—either throw an IllegalArgumentException or log an explicit error and
abort building the URL so callers can correct the malformed/partial config;
update the logic around datasourceConfiguration.getConnection(),
datasourceConfiguration.getConnection().getSsl(),
datasourceConfiguration.getConnection().getSsl().getAuthType(), and the
urlBuilder usage accordingly so partially populated SSL configs are rejected
rather than silently downgraded.

}

/*
* - By default, the driver configures SSL in the no verify mode.
*/
SSLDetails.AuthType sslAuthType =
datasourceConfiguration.getConnection().getSsl().getAuthType();
switch (sslAuthType) {
Expand Down
2 changes: 1 addition & 1 deletion app/server/appsmith-plugins/mssqlPlugin/src/main/resources/form.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -82,7 +82,7 @@
"label": "SSL mode",
"configProperty": "datasourceConfiguration.connection.ssl.authType",
"controlType": "DROP_DOWN",
"initialValue": "NO_VERIFY",
"initialValue": "DISABLE",
"options": [
{
"label": "Disable",
Expand Down