axios 0.30.3 → 0.31.1

package/lib/adapters/http.js

@@ -19,6 +19,7 @@ var platform = require('../platform');
 var fromDataURI = require('../helpers/fromDataURI');
 var stream = require('stream');
 var estimateDataURLDecodedBytes = require('../helpers/estimateDataURLDecodedBytes.js');
+var shouldBypassProxy = require('../helpers/shouldBypassProxy');
 
 var isHttps = /https:?/;
 
@@ -46,9 +47,11 @@ function setProxy(options, configProxy, location) {
   if (!proxy && proxy !== false) {
     var proxyUrl = getProxyForUrl(location);
     if (proxyUrl) {
-      proxy = url.parse(proxyUrl);
-      // replace 'host' since the proxy object is not a URL object
-      proxy.host = proxy.hostname;
+      if (!shouldBypassProxy(location)) {
+        proxy = url.parse(proxyUrl);
+        // replace 'host' since the proxy object is not a URL object
+        proxy.host = proxy.hostname;
+      }
     }
   }
   if (proxy) {
@@ -142,8 +145,9 @@ module.exports = function httpAdapter(config) {
       }
 
       try {
+        var envOption = utils.hasOwnProperty(config, 'env') ? config.env : undefined;
         convertedData = fromDataURI(config.url, responseType === 'blob', {
-          Blob: config.env && config.env.Blob
+          Blob: envOption && envOption.Blob
         });
       } catch (err) {
         throw AxiosError.from(err, AxiosError.ERR_BAD_REQUEST, config);
@@ -197,7 +201,8 @@ module.exports = function httpAdapter(config) {
     }
 
     // support for https://www.npmjs.com/package/form-data api
-    if (utils.isFormData(data) && utils.isFunction(data.getHeaders)) {
+    if (utils.isFormData(data) && utils.isFunction(data.getHeaders) &&
+        data.getHeaders !== Object.prototype.getHeaders) {
       Object.assign(headers, data.getHeaders());
     } else if (data && !utils.isStream(data)) {
       if (Buffer.isBuffer(data)) {
@@ -273,13 +278,13 @@ module.exports = function httpAdapter(config) {
     } else {
       options.hostname = parsed.hostname;
       options.port = parsed.port;
-      setProxy(options, config.proxy, protocol + '//' + parsed.hostname + (parsed.port ? ':' + parsed.port : '') + options.path);
+      setProxy(options, config.proxy, protocol + '//' + parsed.host + options.path);
     }
 
     var transport;
     var isHttpsRequest = isHttps.test(options.protocol);
     options.agent = isHttpsRequest ? config.httpsAgent : config.httpAgent;
-    if (config.transport) {
+    if (utils.hasOwnProperty(config, 'transport') && config.transport) {
       transport = config.transport;
     } else if (config.maxRedirects === 0) {
       transport = isHttpsRequest ? https : http;
@@ -345,8 +350,47 @@ module.exports = function httpAdapter(config) {
       };
 
       if (responseType === 'stream') {
-        response.data = responseStream;
-        settle(resolve, reject, response);
+        // Enforce maxContentLength on streamed responses too (GHSA-vf2m-468p-8v99).
+        // Previously the stream path bypassed the size guard because the check only
+        // ran on the buffering branch.
+        if (config.maxContentLength > -1) {
+          var maxContentLength = config.maxContentLength;
+          var streamedBytes = 0;
+          var limiter = new stream.Transform({
+            transform: function transformChunk(chunk, encoding, callback) {
+              streamedBytes += chunk.length;
+              if (streamedBytes > maxContentLength) {
+                callback(new AxiosError(
+                  'maxContentLength size of ' + maxContentLength + ' exceeded',
+                  AxiosError.ERR_BAD_RESPONSE,
+                  config,
+                  lastRequest
+                ));
+                return;
+              }
+              callback(null, chunk);
+            }
+          });
+          limiter.on('error', function handleLimiterError() {
+            rejected = true;
+            responseStream.destroy();
+          });
+          responseStream.on('error', function forwardError(err) {
+            limiter.destroy(err);
+          });
+          response.data = limiter;
+          settle(resolve, reject, response);
+          // Defer piping via setImmediate so the caller's `.then` (a microtask)
+          // has run and attached any `error`/`data` listeners before chunks flow
+          // through the transform. `process.nextTick` would drain before those
+          // microtasks and lose the error event.
+          setImmediate(function startPipe() {
+            responseStream.pipe(limiter);
+          });
+        } else {
+          response.data = responseStream;
+          settle(resolve, reject, response);
+        }
       } else {
         var responseBuffer = [];
         var totalResponseBytes = 0;
@@ -471,7 +515,42 @@ module.exports = function httpAdapter(config) {
     if (utils.isStream(data)) {
       data.on('error', function handleStreamError(err) {
         reject(AxiosError.from(err, config, null, req));
-      }).pipe(req);
+      });
+
+      // follow-redirects enforces options.maxBodyLength for stream uploads, but the
+      // native http/https transport (used when maxRedirects === 0) does not.
+      // Count bytes ourselves so the limit is always honored (GHSA-5c9x-8gcm-mpgx).
+      var nativeTransport = transport === http || transport === https;
+      if (nativeTransport && config.maxBodyLength > -1) {
+        var maxBodyLength = config.maxBodyLength;
+        var uploadedBytes = 0;
+        var bodyLimiter = new stream.Transform({
+          transform: function transformChunk(chunk, encoding, callback) {
+            uploadedBytes += chunk.length;
+            if (uploadedBytes > maxBodyLength) {
+              callback(new AxiosError(
+                'Request body larger than maxBodyLength limit',
+                AxiosError.ERR_BAD_REQUEST,
+                config,
+                req
+              ));
+              return;
+            }
+            callback(null, chunk);
+          }
+        });
+        bodyLimiter.on('error', function handleLimiterError(err) {
+          if (rejected) return;
+          rejected = true;
+          try { data.unpipe(bodyLimiter); } catch (e) { /* noop */ }
+          try { bodyLimiter.unpipe(req); } catch (e) { /* noop */ }
+          req.destroy();
+          reject(err);
+        });
+        data.pipe(bodyLimiter).pipe(req);
+      } else {
+        data.pipe(req);
+      }
     } else {
       req.end(data);
     }

package/lib/adapters/xhr.js

@@ -18,7 +18,8 @@ module.exports = function xhrAdapter(config) {
     var requestData = config.data;
     var requestHeaders = config.headers;
     var responseType = config.responseType;
-    var withXSRFToken = config.withXSRFToken;
+    // Guard against prototype pollution (GHSA-xx6v-rp6x-q39c): only honor own properties.
+    var withXSRFToken = utils.hasOwnProperty(config, 'withXSRFToken') ? config.withXSRFToken : undefined;
     var onCanceled;
     function done() {
       if (config.cancelToken) {
@@ -146,8 +147,11 @@ module.exports = function xhrAdapter(config) {
     // Specifically not if we're in a web worker, or react-native.
     if (utils.isStandardBrowserEnv()) {
       // Add xsrf header
-      withXSRFToken && utils.isFunction(withXSRFToken) && (withXSRFToken = withXSRFToken(config));
-      if (withXSRFToken || (withXSRFToken !== false && isURLSameOrigin(fullPath))) {
+      if (utils.isFunction(withXSRFToken)) {
+        withXSRFToken = withXSRFToken(config);
+      }
+      // Strict boolean check (GHSA-xx6v-rp6x-q39c): only `true` short-circuits the same-origin guard.
+      if (withXSRFToken === true || (withXSRFToken !== false && isURLSameOrigin(fullPath))) {
         // Add xsrf header
         var xsrfValue = config.xsrfHeaderName && config.xsrfCookieName && cookies.read(config.xsrfCookieName);
         if (xsrfValue) {

package/lib/core/AxiosError.js

@@ -66,7 +66,8 @@ var descriptors = {};
   'ERR_BAD_REQUEST',
   'ERR_CANCELED',
   'ERR_NOT_SUPPORT',
-  'ERR_INVALID_URL'
+  'ERR_INVALID_URL',
+  'ERR_FORM_DATA_DEPTH_EXCEEDED'
 // eslint-disable-next-line func-names
 ].forEach(function(code) {
   descriptors[code] = {value: code};

package/lib/core/dispatchRequest.js

@@ -6,6 +6,7 @@ var isCancel = require('../cancel/isCancel');
 var defaults = require('../defaults');
 var CanceledError = require('../cancel/CanceledError');
 var normalizeHeaderName = require('../helpers/normalizeHeaderName');
+var sanitizeHeaderValue = require('../helpers/sanitizeHeaderValue');
 
 /**
  * Throws a `CanceledError` if cancellation has been requested.
@@ -58,6 +59,10 @@ module.exports = function dispatchRequest(config) {
     }
   );
 
+  utils.forEach(config.headers, function sanitizeHeaderConfigValue(value, header) {
+    config.headers[header] = sanitizeHeaderValue(value);
+  });
+
   var adapter = config.adapter || defaults.adapter;
 
   return adapter(config).then(function onAdapterResolution(response) {

package/lib/core/mergeConfig.js

@@ -13,7 +13,17 @@ var utils = require('../utils');
 module.exports = function mergeConfig(config1, config2) {
   // eslint-disable-next-line no-param-reassign
   config2 = config2 || {};
-  var config = {};
+  // Use a null-prototype object so a polluted Object.prototype cannot leak
+  // values (e.g. transport, adapter) into the returned config via inheritance.
+  var config = Object.create(null);
+
+  function getOwn(source, prop) {
+    return utils.hasOwnProperty(source, prop) ? source[prop] : undefined;
+  }
+
+  function hasOwn(source, prop) {
+    return utils.hasOwnProperty(source, prop);
+  }
 
   function getMergedValue(target, source) {
     if (utils.isPlainObject(target) && utils.isPlainObject(source)) {
@@ -30,34 +40,34 @@ module.exports = function mergeConfig(config1, config2) {
 
   // eslint-disable-next-line consistent-return
   function mergeDeepProperties(prop) {
-    if (!utils.isUndefined(config2[prop])) {
-      return getMergedValue(config1[prop], config2[prop]);
-    } else if (!utils.isUndefined(config1[prop])) {
+    if (hasOwn(config2, prop) && !utils.isUndefined(config2[prop])) {
+      return getMergedValue(getOwn(config1, prop), config2[prop]);
+    } else if (hasOwn(config1, prop) && !utils.isUndefined(config1[prop])) {
       return getMergedValue(undefined, config1[prop]);
     }
   }
 
   // eslint-disable-next-line consistent-return
   function valueFromConfig2(prop) {
-    if (!utils.isUndefined(config2[prop])) {
+    if (hasOwn(config2, prop) && !utils.isUndefined(config2[prop])) {
       return getMergedValue(undefined, config2[prop]);
     }
   }
 
   // eslint-disable-next-line consistent-return
   function defaultToConfig2(prop) {
-    if (!utils.isUndefined(config2[prop])) {
+    if (hasOwn(config2, prop) && !utils.isUndefined(config2[prop])) {
       return getMergedValue(undefined, config2[prop]);
-    } else if (!utils.isUndefined(config1[prop])) {
+    } else if (hasOwn(config1, prop) && !utils.isUndefined(config1[prop])) {
       return getMergedValue(undefined, config1[prop]);
     }
   }
 
   // eslint-disable-next-line consistent-return
   function mergeDirectKeys(prop) {
-    if (prop in config2) {
-      return getMergedValue(config1[prop], config2[prop]);
-    } else if (prop in config1) {
+    if (hasOwn(config2, prop)) {
+      return getMergedValue(getOwn(config1, prop), config2[prop]);
+    } else if (hasOwn(config1, prop)) {
       return getMergedValue(undefined, config1[prop]);
     }
   }

package/lib/defaults/index.js

@@ -89,17 +89,20 @@ var defaults = {
     var isFileList;
 
     if (isObjectPayload) {
+      var formSerializer = utils.hasOwnProperty(this, 'formSerializer') ? this.formSerializer : undefined;
+      var envOption = utils.hasOwnProperty(this, 'env') ? this.env : undefined;
+
       if (contentType.indexOf('application/x-www-form-urlencoded') !== -1) {
-        return toURLEncodedForm(data, this.formSerializer).toString();
+        return toURLEncodedForm(data, formSerializer).toString();
       }
 
       if ((isFileList = utils.isFileList(data)) || contentType.indexOf('multipart/form-data') > -1) {
-        var _FormData = this.env && this.env.FormData;
+        var _FormData = envOption && envOption.FormData;
 
         return toFormData(
           isFileList ? {'files[]': data} : data,
           _FormData && new _FormData(),
-          this.formSerializer
+          formSerializer
         );
       }
     }

package/lib/env/data.js

@@ -1,3 +1,3 @@
 module.exports = {
-  version: "0.30.3",
-};
+  "version": "0.31.1"
+};

package/lib/helpers/AxiosURLSearchParams.js

@@ -3,16 +3,17 @@
 var toFormData = require('./toFormData');
 
 function encode(str) {
+  // Do not map `%00` back to a raw null byte (GHSA-xhjh-pmcv-23jw): that reversed
+  // the safe percent-encoding from encodeURIComponent and enabled null byte injection.
   var charMap = {
     '!': '%21',
     "'": '%27',
     '(': '%28',
     ')': '%29',
     '~': '%7E',
-    '%20': '+',
-    '%00': '\x00'
+    '%20': '+'
   };
-  return encodeURIComponent(str).replace(/[!'\(\)~]|%20|%00/g, function replacer(match) {
+  return encodeURIComponent(str).replace(/[!'\(\)~]|%20/g, function replacer(match) {
     return charMap[match];
   });
 }

package/lib/helpers/sanitizeHeaderValue.js

@@ -0,0 +1,22 @@
+'use strict';
+
+var utils = require('../utils');
+
+var INVALID_HEADER_VALUE_RE = /[^\x09\x20-\x7E\x80-\xFF]/g;
+var BOUNDARY_WHITESPACE_RE = /^[\x09\x20]+|[\x09\x20]+$/g;
+
+function sanitizeHeaderValue(value) {
+  if (value === false || value == null) {
+    return value;
+  }
+
+  if (utils.isArray(value)) {
+    return value.map(sanitizeHeaderValue);
+  }
+
+  return String(value)
+    .replace(INVALID_HEADER_VALUE_RE, '')
+    .replace(BOUNDARY_WHITESPACE_RE, '');
+}
+
+module.exports = sanitizeHeaderValue;

package/lib/helpers/shouldBypassProxy.js

@@ -0,0 +1,133 @@
+'use strict';
+
+var URL = require('url').URL;
+
+var DEFAULT_PORTS = {
+  http: 80,
+  https: 443,
+  ws: 80,
+  wss: 443,
+  ftp: 21
+};
+
+function parseNoProxyEntry(entry) {
+  var entryHost = entry;
+  var entryPort = 0;
+
+  if (entryHost.charAt(0) === '[') {
+    var bracketIndex = entryHost.indexOf(']');
+
+    if (bracketIndex !== -1) {
+      var host = entryHost.slice(1, bracketIndex);
+      var rest = entryHost.slice(bracketIndex + 1);
+
+      if (rest.charAt(0) === ':' && /^\d+$/.test(rest.slice(1))) {
+        entryPort = parseInt(rest.slice(1), 10);
+      }
+
+      return [host, entryPort];
+    }
+  }
+
+  var firstColon = entryHost.indexOf(':');
+  var lastColon = entryHost.lastIndexOf(':');
+
+  if (firstColon !== -1 && firstColon === lastColon && /^\d+$/.test(entryHost.slice(lastColon + 1))) {
+    entryPort = parseInt(entryHost.slice(lastColon + 1), 10);
+    entryHost = entryHost.slice(0, lastColon);
+  }
+
+  return [entryHost, entryPort];
+}
+
+function normalizeNoProxyHost(hostname) {
+  if (!hostname) {
+    return hostname;
+  }
+
+  if (hostname.charAt(0) === '[' && hostname.charAt(hostname.length - 1) === ']') {
+    hostname = hostname.slice(1, -1);
+  }
+
+  return hostname.replace(/\.+$/, '');
+}
+
+function isLoopbackIPv4(hostname) {
+  var octets = hostname.split('.');
+
+  if (octets.length !== 4) {
+    return false;
+  }
+
+  if (octets[0] !== '127') {
+    return false;
+  }
+
+  return octets.every(function testOctet(octet) {
+    return /^\d+$/.test(octet) && Number(octet) >= 0 && Number(octet) <= 255;
+  });
+}
+
+function isLoopbackHost(hostname) {
+  return hostname === 'localhost' || hostname === '::1' || isLoopbackIPv4(hostname);
+}
+
+module.exports = function shouldBypassProxy(location) {
+  var parsed;
+
+  try {
+    parsed = new URL(location);
+  } catch (err) {
+    return false;
+  }
+
+  var noProxy = (process.env.no_proxy || process.env.NO_PROXY || '').toLowerCase();
+
+  if (!noProxy) {
+    return false;
+  }
+
+  if (noProxy === '*') {
+    return true;
+  }
+
+  var protocol = parsed.protocol.split(':', 1)[0];
+  var port = parsed.port !== '' ? parseInt(parsed.port, 10) : (DEFAULT_PORTS[protocol] || 0);
+  var hostname = normalizeNoProxyHost(parsed.hostname.toLowerCase());
+
+  return noProxy.split(/[\s,]+/).some(function testNoProxyEntry(entry) {
+    if (!entry) {
+      return false;
+    }
+
+    var entryParts = parseNoProxyEntry(entry);
+    var entryHost = normalizeNoProxyHost(entryParts[0]);
+    var entryPort = entryParts[1];
+
+    if (entryHost === '*') {
+      return true;
+    }
+
+    if (!entryHost) {
+      return false;
+    }
+
+    if (entryPort && entryPort !== port) {
+      return false;
+    }
+
+    if (isLoopbackHost(hostname) && isLoopbackHost(entryHost)) {
+      return true;
+    }
+
+    if (entryHost.charAt(0) === '*') {
+      entryHost = entryHost.slice(1);
+    }
+
+    if (entryHost.charAt(0) === '.') {
+      return hostname.slice(-entryHost.length) === entryHost;
+    }
+
+    return hostname === entryHost;
+  });
+};

package/lib/helpers/toFormData.js

@@ -69,6 +69,7 @@ function toFormData(obj, formData, options) {
   var dots = options.dots;
   var indexes = options.indexes;
   var _Blob = options.Blob || typeof Blob !== 'undefined' && Blob;
+  var maxDepth = options.maxDepth === undefined ? 100 : options.maxDepth;
   var useBlob = _Blob && isSpecCompliant(formData);
 
   if (!utils.isFunction(visitor)) {
@@ -145,9 +146,19 @@ function toFormData(obj, formData, options) {
     isVisitable: isVisitable
   });
 
-  function build(value, path) {
+  function build(value, path, depth) {
     if (utils.isUndefined(value)) return;
 
+    // eslint-disable-next-line no-param-reassign
+    depth = depth || 0;
+
+    if (depth > maxDepth) {
+      throw new AxiosError(
+        'Maximum object depth of ' + maxDepth + ' exceeded (got ' + depth + ' levels)',
+        AxiosError.ERR_FORM_DATA_DEPTH_EXCEEDED
+      );
+    }
+
     if (stack.indexOf(value) !== -1) {
       throw Error('Circular reference detected in ' + path.join('.'));
     }
@@ -160,7 +171,7 @@ function toFormData(obj, formData, options) {
       );
 
       if (result === true) {
-        build(el, path ? path.concat(key) : [key]);
+        build(el, path ? path.concat(key) : [key], depth + 1);
       }
     });
 
@@ -171,7 +182,7 @@ function toFormData(obj, formData, options) {
     throw new TypeError('data must be an object');
   }
 
-  build(obj);
+  build(obj, null, 0);
 
   return formData;
 }

package/lib/utils.js

@@ -131,7 +131,15 @@ function isPlainObject(val) {
  * @return {boolean} True if value is a empty Object, otherwise false
  */
 function isEmptyObject(val) {
-  return val && Object.keys(val).length === 0 && Object.getPrototypeOf(val) === Object.prototype;
+  if (!isPlainObject(val)) {
+    return false;
+  }
+  for (var key in val) {
+    if (Object.prototype.hasOwnProperty.call(val, key)) {
+      return false;
+    }
+  }
+  return true;
 }
 
 /**
@@ -198,11 +206,17 @@ function isStream(val) {
  */
 function isFormData(thing) {
   var pattern = '[object FormData]';
-  return thing && (
-    (typeof FormData === 'function' && thing instanceof FormData) ||
-    toString.call(thing) === pattern ||
-    (isFunction(thing.toString) && thing.toString() === pattern)
-  );
+  if (!thing) return false;
+  if (typeof FormData === 'function' && thing instanceof FormData) return true;
+  // Reject non-objects (strings, numbers, booleans) up front — Object.getPrototypeOf
+  // throws a TypeError on primitives in ES5 environments.
+  if (!isObject(thing)) return false;
+  // Reject plain objects inheriting directly from Object.prototype so prototype-pollution gadgets can't spoof FormData (GHSA-6chq-wfr3-2hj9).
+  var proto = Object.getPrototypeOf(thing);
+  if (!proto || proto === Object.prototype) return false;
+  if (!isFunction(thing.append)) return false;
+  return toString.call(thing) === pattern ||
+    (isFunction(thing.toString) && thing.toString() === pattern);
 }
 
 /**

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "axios",
-  "version": "0.30.3",
+  "version": "0.31.1",
   "description": "Promise based HTTP client for the browser and node.js",
   "main": "index.js",
   "types": "index.d.ts",