fix CVE-2022-0155 (#104)

* `npm audit fix` to fix CVE-2022-0155

* `npm run all` to apply the dependency updates
Naoki Oketani
2022-01-15 18:28:01 +09:00
committed by GitHub
parent b58fe17512
commit f03c7d976f
2 changed files with 56 additions and 6553 deletions

dist/index.js vendored

@@ -7681,7 +7681,7 @@ events.forEach(function (event) {
// Error types with codes // Error types with codes
var RedirectionError = createErrorType( var RedirectionError = createErrorType(
"ERR_FR_REDIRECTION_FAILURE", "ERR_FR_REDIRECTION_FAILURE",
"" "Redirected request failed"
); );
var TooManyRedirectsError = createErrorType( var TooManyRedirectsError = createErrorType(
"ERR_FR_TOO_MANY_REDIRECTS", "ERR_FR_TOO_MANY_REDIRECTS",
@@ -7832,10 +7832,16 @@ RedirectableRequest.prototype.setTimeout = function (msecs, callback) {
// Stops a timeout from triggering // Stops a timeout from triggering
function clearTimer() { function clearTimer() {
// Clear the timeout
if (self._timeout) { if (self._timeout) {
clearTimeout(self._timeout); clearTimeout(self._timeout);
self._timeout = null; self._timeout = null;
} }
// Clean up all attached listeners
self.removeListener("abort", clearTimer);
self.removeListener("error", clearTimer);
self.removeListener("response", clearTimer);
if (callback) { if (callback) {
self.removeListener("timeout", callback); self.removeListener("timeout", callback);
} }
@@ -7859,8 +7865,9 @@ RedirectableRequest.prototype.setTimeout = function (msecs, callback) {
// Clean up on events // Clean up on events
this.on("socket", destroyOnTimeout); this.on("socket", destroyOnTimeout);
this.once("response", clearTimer); this.on("abort", clearTimer);
this.once("error", clearTimer); this.on("error", clearTimer);
this.on("response", clearTimer);
return this; return this;
}; };
@@ -8024,19 +8031,33 @@ RedirectableRequest.prototype._processResponse = function (response) {
} }
// Drop the Host header, as the redirect might lead to a different host // Drop the Host header, as the redirect might lead to a different host
var previousHostName = removeMatchingHeaders(/^host$/i, this._options.headers) || var currentHostHeader = removeMatchingHeaders(/^host$/i, this._options.headers);
url.parse(this._currentUrl).hostname;
// If the redirect is relative, carry over the host of the last request
var currentUrlParts = url.parse(this._currentUrl);
var currentHost = currentHostHeader || currentUrlParts.host;
var currentUrl = /^\w+:/.test(location) ? this._currentUrl :
url.format(Object.assign(currentUrlParts, { host: currentHost }));
// Determine the URL of the redirection
var redirectUrl;
try {
redirectUrl = url.resolve(currentUrl, location);
}
catch (cause) {
this.emit("error", new RedirectionError(cause));
return;
}
// Create the redirected request // Create the redirected request
var redirectUrl = url.resolve(this._currentUrl, location);
debug("redirecting to", redirectUrl); debug("redirecting to", redirectUrl);
this._isRedirect = true; this._isRedirect = true;
var redirectUrlParts = url.parse(redirectUrl); var redirectUrlParts = url.parse(redirectUrl);
Object.assign(this._options, redirectUrlParts); Object.assign(this._options, redirectUrlParts);
// Drop the Authorization header if redirecting to another host // Drop the confidential headers when redirecting to another domain
if (redirectUrlParts.hostname !== previousHostName) { if (!(redirectUrlParts.host === currentHost || isSubdomainOf(redirectUrlParts.host, currentHost))) {
removeMatchingHeaders(/^authorization$/i, this._options.headers); removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
} }
// Evaluate the beforeRedirect callback // Evaluate the beforeRedirect callback
@@ -8057,9 +8078,7 @@ RedirectableRequest.prototype._processResponse = function (response) {
this._performRequest(); this._performRequest();
} }
catch (cause) { catch (cause) {
var error = new RedirectionError("Redirected request failed: " + cause.message); this.emit("error", new RedirectionError(cause));
error.cause = cause;
this.emit("error", error);
} }
} }
else { else {
@@ -8173,13 +8192,20 @@ function removeMatchingHeaders(regex, headers) {
delete headers[header]; delete headers[header];
} }
} }
return lastValue; return (lastValue === null || typeof lastValue === "undefined") ?
undefined : String(lastValue).trim();
} }
function createErrorType(code, defaultMessage) { function createErrorType(code, defaultMessage) {
function CustomError(message) { function CustomError(cause) {
Error.captureStackTrace(this, this.constructor); Error.captureStackTrace(this, this.constructor);
this.message = message || defaultMessage; if (!cause) {
this.message = defaultMessage;
}
else {
this.message = defaultMessage + ": " + cause.message;
this.cause = cause;
}
} }
CustomError.prototype = new Error(); CustomError.prototype = new Error();
CustomError.prototype.constructor = CustomError; CustomError.prototype.constructor = CustomError;
@@ -8196,6 +8222,11 @@ function abortRequest(request) {
request.abort(); request.abort();
} }
function isSubdomainOf(subdomain, domain) {
const dot = subdomain.length - domain.length - 1;
return dot > 0 && subdomain[dot] === "." && subdomain.endsWith(domain);
}
// Exports // Exports
module.exports = wrap({ http: http, https: https }); module.exports = wrap({ http: http, https: https });
module.exports.wrap = wrap; module.exports.wrap = wrap;

package-lock.json generated
