Skip to content

Commit 6689be4

Browse files
joshmgrossjoshmgross
authored
Merge pull request #237 from actions/joshmgross/audit-fix
Update `node-fetch`
2 parents 41e1ab4 + d526c04 commit 6689be4

File tree

3 files changed

+44
-10
lines changed

3 files changed

+44
-10
lines changed

Diff for: .licenses/npm/node-fetch.dep.yml

+1-1
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

Diff for: dist/index.js

+29-3
Original file line numberDiff line numberDiff line change
@@ -7768,7 +7768,7 @@ Object.defineProperty(Response.prototype, Symbol.toStringTag, {
77687768
});
77697769

77707770
const INTERNALS$2 = Symbol('Request internals');
7771-
const URL = whatwgUrl.URL;
7771+
const URL = Url.URL || whatwgUrl.URL;
77727772

77737773
// fix an issue where "format", "parse" aren't a named export for node <10
77747774
const parse_url = Url.parse;
@@ -8031,9 +8031,17 @@ AbortError.prototype = Object.create(Error.prototype);
80318031
AbortError.prototype.constructor = AbortError;
80328032
AbortError.prototype.name = 'AbortError';
80338033

8034+
const URL$1 = Url.URL || whatwgUrl.URL;
8035+
80348036
// fix an issue where "PassThrough", "resolve" aren't a named export for node <10
80358037
const PassThrough$1 = Stream.PassThrough;
8036-
const resolve_url = Url.resolve;
8038+
8039+
const isDomainOrSubdomain = function isDomainOrSubdomain(destination, original) {
8040+
const orig = new URL$1(original).hostname;
8041+
const dest = new URL$1(destination).hostname;
8042+
8043+
return orig === dest || orig[orig.length - dest.length - 1] === '.' && orig.endsWith(dest);
8044+
};
80378045

80388046
/**
80398047
* Fetch function
@@ -8121,7 +8129,19 @@ function fetch(url, opts) {
81218129
const location = headers.get('Location');
81228130

81238131
// HTTP fetch step 5.3
8124-
const locationURL = location === null ? null : resolve_url(request.url, location);
8132+
let locationURL = null;
8133+
try {
8134+
locationURL = location === null ? null : new URL$1(location, request.url).toString();
8135+
} catch (err) {
8136+
// error here can only be invalid URL in Location: header
8137+
// do not throw when options.redirect == manual
8138+
// let the user extract the errorneous redirect URL
8139+
if (request.redirect !== 'manual') {
8140+
reject(new FetchError(`uri requested responds with an invalid redirect URL: ${location}`, 'invalid-redirect'));
8141+
finalize();
8142+
return;
8143+
}
8144+
}
81258145

81268146
// HTTP fetch step 5.5
81278147
switch (request.redirect) {
@@ -8169,6 +8189,12 @@ function fetch(url, opts) {
81698189
size: request.size
81708190
};
81718191

8192+
if (!isDomainOrSubdomain(request.url, locationURL)) {
8193+
for (const name of ['authorization', 'www-authenticate', 'cookie', 'cookie2']) {
8194+
requestOpts.headers.delete(name);
8195+
}
8196+
}
8197+
81728198
// HTTP-redirect fetch step 9
81738199
if (res.statusCode !== 303 && request.body && getTotalBytes(request) === null) {
81748200
reject(new FetchError('Cannot follow redirect with body being a readable stream', 'unsupported-redirect'));

Diff for: package-lock.json

+14-6
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

0 commit comments

Comments
 (0)