fix CVE-2022-0155 (#104)
* `npm audit fix` to fix CVE-2022-0155 * `npm run all` to apply the updates of dependencies
This commit is contained in:
Naoki Oketani
61
dist/index.js
vendored
61
dist/index.js
vendored
@@ -7681,7 +7681,7 @@ events.forEach(function (event) {
|
||||
// Error types with codes
|
||||
var RedirectionError = createErrorType(
|
||||
"ERR_FR_REDIRECTION_FAILURE",
|
||||
""
|
||||
"Redirected request failed"
|
||||
);
|
||||
var TooManyRedirectsError = createErrorType(
|
||||
"ERR_FR_TOO_MANY_REDIRECTS",
|
||||
@@ -7832,10 +7832,16 @@ RedirectableRequest.prototype.setTimeout = function (msecs, callback) {
|
||||
|
||||
// Stops a timeout from triggering
|
||||
function clearTimer() {
|
||||
// Clear the timeout
|
||||
if (self._timeout) {
|
||||
clearTimeout(self._timeout);
|
||||
self._timeout = null;
|
||||
}
|
||||
|
||||
// Clean up all attached listeners
|
||||
self.removeListener("abort", clearTimer);
|
||||
self.removeListener("error", clearTimer);
|
||||
self.removeListener("response", clearTimer);
|
||||
if (callback) {
|
||||
self.removeListener("timeout", callback);
|
||||
}
|
||||
@@ -7859,8 +7865,9 @@ RedirectableRequest.prototype.setTimeout = function (msecs, callback) {
|
||||
|
||||
// Clean up on events
|
||||
this.on("socket", destroyOnTimeout);
|
||||
this.once("response", clearTimer);
|
||||
this.once("error", clearTimer);
|
||||
this.on("abort", clearTimer);
|
||||
this.on("error", clearTimer);
|
||||
this.on("response", clearTimer);
|
||||
|
||||
return this;
|
||||
};
|
||||
@@ -8024,19 +8031,33 @@ RedirectableRequest.prototype._processResponse = function (response) {
|
||||
}
|
||||
|
||||
// Drop the Host header, as the redirect might lead to a different host
|
||||
var previousHostName = removeMatchingHeaders(/^host$/i, this._options.headers) ||
|
||||
url.parse(this._currentUrl).hostname;
|
||||
var currentHostHeader = removeMatchingHeaders(/^host$/i, this._options.headers);
|
||||
|
||||
// If the redirect is relative, carry over the host of the last request
|
||||
var currentUrlParts = url.parse(this._currentUrl);
|
||||
var currentHost = currentHostHeader || currentUrlParts.host;
|
||||
var currentUrl = /^\w+:/.test(location) ? this._currentUrl :
|
||||
url.format(Object.assign(currentUrlParts, { host: currentHost }));
|
||||
|
||||
// Determine the URL of the redirection
|
||||
var redirectUrl;
|
||||
try {
|
||||
redirectUrl = url.resolve(currentUrl, location);
|
||||
}
|
||||
catch (cause) {
|
||||
this.emit("error", new RedirectionError(cause));
|
||||
return;
|
||||
}
|
||||
|
||||
// Create the redirected request
|
||||
var redirectUrl = url.resolve(this._currentUrl, location);
|
||||
debug("redirecting to", redirectUrl);
|
||||
this._isRedirect = true;
|
||||
var redirectUrlParts = url.parse(redirectUrl);
|
||||
Object.assign(this._options, redirectUrlParts);
|
||||
|
||||
// Drop the Authorization header if redirecting to another host
|
||||
if (redirectUrlParts.hostname !== previousHostName) {
|
||||
removeMatchingHeaders(/^authorization$/i, this._options.headers);
|
||||
// Drop the confidential headers when redirecting to another domain
|
||||
if (!(redirectUrlParts.host === currentHost || isSubdomainOf(redirectUrlParts.host, currentHost))) {
|
||||
removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
|
||||
}
|
||||
|
||||
// Evaluate the beforeRedirect callback
|
||||
@@ -8057,9 +8078,7 @@ RedirectableRequest.prototype._processResponse = function (response) {
|
||||
this._performRequest();
|
||||
}
|
||||
catch (cause) {
|
||||
var error = new RedirectionError("Redirected request failed: " + cause.message);
|
||||
error.cause = cause;
|
||||
this.emit("error", error);
|
||||
this.emit("error", new RedirectionError(cause));
|
||||
}
|
||||
}
|
||||
else {
|
||||
@@ -8173,13 +8192,20 @@ function removeMatchingHeaders(regex, headers) {
|
||||
delete headers[header];
|
||||
}
|
||||
}
|
||||
return lastValue;
|
||||
return (lastValue === null || typeof lastValue === "undefined") ?
|
||||
undefined : String(lastValue).trim();
|
||||
}
|
||||
|
||||
function createErrorType(code, defaultMessage) {
|
||||
function CustomError(message) {
|
||||
function CustomError(cause) {
|
||||
Error.captureStackTrace(this, this.constructor);
|
||||
this.message = message || defaultMessage;
|
||||
if (!cause) {
|
||||
this.message = defaultMessage;
|
||||
}
|
||||
else {
|
||||
this.message = defaultMessage + ": " + cause.message;
|
||||
this.cause = cause;
|
||||
}
|
||||
}
|
||||
CustomError.prototype = new Error();
|
||||
CustomError.prototype.constructor = CustomError;
|
||||
@@ -8196,6 +8222,11 @@ function abortRequest(request) {
|
||||
request.abort();
|
||||
}
|
||||
|
||||
function isSubdomainOf(subdomain, domain) {
|
||||
const dot = subdomain.length - domain.length - 1;
|
||||
return dot > 0 && subdomain[dot] === "." && subdomain.endsWith(domain);
|
||||
}
|
||||
|
||||
// Exports
|
||||
module.exports = wrap({ http: http, https: https });
|
||||
module.exports.wrap = wrap;
|
||||
|
||||
Reference in New Issue
Block a user