
Commit 1317155

fix: apply audit fixes
1 parent 8e1f639 commit 1317155

1 file changed

Lines changed: 24 additions & 1 deletion


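--- a/dist/index.js
+++ b/dist/index.js
@@ -9442,6 +9442,13 @@ catch (error) {
 useNativeURL = error.code === "ERR_INVALID_URL";
 }
 
+// HTTP headers to drop across HTTP/HTTPS and domain boundaries
+var sensitiveHeaders = [
+"Authorization",
+"Proxy-Authorization",
+"Cookie",
+];
+
 // URL fields to preserve in copy operations
 var preservedUrlFields = [
 "auth",
@@ -9523,6 +9530,11 @@ function RedirectableRequest(options, responseCallback) {
 }
 };
 
+// Create filter for sensitive HTTP headers
+this._headerFilter = new RegExp("^(?:" +
+sensitiveHeaders.concat(options.sensitiveHeaders).map(escapeRegex).join("|") +
+")$", "i");
+
 // Perform the first request
 this._performRequest();
 }
@@ -9706,6 +9718,9 @@ RedirectableRequest.prototype._sanitizeOptions = function (options) {
 if (!options.headers) {
 options.headers = {};
 }
+if (!isArray(options.sensitiveHeaders)) {
+options.sensitiveHeaders = [];
+}
 
 // Since http.request treats host as an alias of hostname,
 // but the url module interprets host as hostname plus port,
@@ -9888,7 +9903,7 @@ RedirectableRequest.prototype._processResponse = function (response) {
 redirectUrl.protocol !== "https:" ||
 redirectUrl.host !== currentHost &&
 !isSubdomain(redirectUrl.host, currentHost)) {
-removeMatchingHeaders(/^(?:(?:proxy-)?authorization|cookie)$/i, this._options.headers);
+removeMatchingHeaders(this._headerFilter, this._options.headers);
 }
 
 // Evaluate the beforeRedirect callback
@@ -10081,6 +10096,10 @@ function isSubdomain(subdomain, domain) {
 return dot > 0 && subdomain[dot] === "." && subdomain.endsWith(domain);
 }
 
+function isArray(value) {
+return value instanceof Array;
+}
+
 function isString(value) {
 return typeof value === "string" || value instanceof String;
 }
@@ -10097,6 +10116,10 @@ function isURL(value) {
 return URL && value instanceof URL;
 }
 
+function escapeRegex(regex) {
+return regex.replace(/[\]\\/()*+?.$]/g, "\\$&");
+}
+
 // Exports
 module.exports = wrap({ http: http, https: https });
 module.exports.wrap = wrap;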
