
Commit 1287763

Merge pull request #46 from step-security/npm-audit-fix
fix: Security updates
2 parents 452e5dd + 091f071 commit 1287763

2 files changed

Lines changed: 30 additions & 7 deletions


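--- a/dist/index.js
+++ b/dist/index.js
@@ -9167,6 +9167,13 @@ catch (error) {
 useNativeURL = error.code === "ERR_INVALID_URL";
 }
 
+// HTTP headers to drop across HTTP/HTTPS and domain boundaries
+var sensitiveHeaders = [
+"Authorization",
+"Proxy-Authorization",
+"Cookie",
+];
+
 // URL fields to preserve in copy operations
 var preservedUrlFields = [
 "auth",
@@ -9248,6 +9255,11 @@ function RedirectableRequest(options, responseCallback) {
 }
 };
 
+// Create filter for sensitive HTTP headers
+this._headerFilter = new RegExp("^(?:" +
+sensitiveHeaders.concat(options.sensitiveHeaders).map(escapeRegex).join("|") +
+")$", "i");
+
 // Perform the first request
 this._performRequest();
 }
@@ -9431,6 +9443,9 @@ RedirectableRequest.prototype._sanitizeOptions = function (options) {
 if (!options.headers) {
 options.headers = {};
 }
+if (!isArray(options.sensitiveHeaders)) {
+options.sensitiveHeaders = [];
+}
 
 // Since http.request treats host as an alias of hostname,
 // but the url module interprets host as hostname plus port,
@@ -9613,7 +9628,7 @@ RedirectableRequest.prototype._processResponse = function (response) {
 redirectUrl.protocol !== "https:" ||
 redirectUrl.host !== currentHost &&
 !isSubdomain(redirectUrl.host, currentHost)) {
-removeMatchingHeaders(/^(?:(?:proxy-)?authorization|cookie)$/i, this._options.headers);
+removeMatchingHeaders(this._headerFilter, this._options.headers);
 }
 
 // Evaluate the beforeRedirect callback
@@ -9806,6 +9821,10 @@ function isSubdomain(subdomain, domain) {
 return dot > 0 && subdomain[dot] === "." && subdomain.endsWith(domain);
 }
 
+function isArray(value) {
+return value instanceof Array;
+}
+
 function isString(value) {
 return typeof value === "string" || value instanceof String;
 }
@@ -9822,6 +9841,10 @@ function isURL(value) {
 return URL && value instanceof URL;
 }
 
+function escapeRegex(regex) {
+return regex.replace(/[\]\\/()*+?.$]/g, "\\$&");
+}
+
 // Exports
 module.exports = wrap({ http: http, https: https });
 module.exports.wrap = wrap;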

package-lock.json

Lines changed: 6 additions & 6 deletions
