axios 0.31.0 → 0.31.1

package/lib/adapters/http.js

@@ -145,8 +145,9 @@ module.exports = function httpAdapter(config) {
       }
 
       try {
+        var envOption = utils.hasOwnProperty(config, 'env') ? config.env : undefined;
         convertedData = fromDataURI(config.url, responseType === 'blob', {
-          Blob: config.env && config.env.Blob
+          Blob: envOption && envOption.Blob
         });
       } catch (err) {
         throw AxiosError.from(err, AxiosError.ERR_BAD_REQUEST, config);
@@ -200,7 +201,8 @@ module.exports = function httpAdapter(config) {
     }
 
     // support for https://www.npmjs.com/package/form-data api
-    if (utils.isFormData(data) && utils.isFunction(data.getHeaders)) {
+    if (utils.isFormData(data) && utils.isFunction(data.getHeaders) &&
+        data.getHeaders !== Object.prototype.getHeaders) {
       Object.assign(headers, data.getHeaders());
     } else if (data && !utils.isStream(data)) {
       if (Buffer.isBuffer(data)) {
@@ -282,7 +284,7 @@ module.exports = function httpAdapter(config) {
     var transport;
     var isHttpsRequest = isHttps.test(options.protocol);
     options.agent = isHttpsRequest ? config.httpsAgent : config.httpAgent;
-    if (config.transport) {
+    if (utils.hasOwnProperty(config, 'transport') && config.transport) {
       transport = config.transport;
     } else if (config.maxRedirects === 0) {
       transport = isHttpsRequest ? https : http;
@@ -348,8 +350,47 @@ module.exports = function httpAdapter(config) {
       };
 
       if (responseType === 'stream') {
-        response.data = responseStream;
-        settle(resolve, reject, response);
+        // Enforce maxContentLength on streamed responses too (GHSA-vf2m-468p-8v99).
+        // Previously the stream path bypassed the size guard because the check only
+        // ran on the buffering branch.
+        if (config.maxContentLength > -1) {
+          var maxContentLength = config.maxContentLength;
+          var streamedBytes = 0;
+          var limiter = new stream.Transform({
+            transform: function transformChunk(chunk, encoding, callback) {
+              streamedBytes += chunk.length;
+              if (streamedBytes > maxContentLength) {
+                callback(new AxiosError(
+                  'maxContentLength size of ' + maxContentLength + ' exceeded',
+                  AxiosError.ERR_BAD_RESPONSE,
+                  config,
+                  lastRequest
+                ));
+                return;
+              }
+              callback(null, chunk);
+            }
+          });
+          limiter.on('error', function handleLimiterError() {
+            rejected = true;
+            responseStream.destroy();
+          });
+          responseStream.on('error', function forwardError(err) {
+            limiter.destroy(err);
+          });
+          response.data = limiter;
+          settle(resolve, reject, response);
+          // Defer piping via setImmediate so the caller's `.then` (a microtask)
+          // has run and attached any `error`/`data` listeners before chunks flow
+          // through the transform. `process.nextTick` would drain before those
+          // microtasks and lose the error event.
+          setImmediate(function startPipe() {
+            responseStream.pipe(limiter);
+          });
+        } else {
+          response.data = responseStream;
+          settle(resolve, reject, response);
+        }
       } else {
         var responseBuffer = [];
         var totalResponseBytes = 0;
@@ -474,7 +515,42 @@ module.exports = function httpAdapter(config) {
     if (utils.isStream(data)) {
       data.on('error', function handleStreamError(err) {
         reject(AxiosError.from(err, config, null, req));
-      }).pipe(req);
+      });
+
+      // follow-redirects enforces options.maxBodyLength for stream uploads, but the
+      // native http/https transport (used when maxRedirects === 0) does not.
+      // Count bytes ourselves so the limit is always honored (GHSA-5c9x-8gcm-mpgx).
+      var nativeTransport = transport === http || transport === https;
+      if (nativeTransport && config.maxBodyLength > -1) {
+        var maxBodyLength = config.maxBodyLength;
+        var uploadedBytes = 0;
+        var bodyLimiter = new stream.Transform({
+          transform: function transformChunk(chunk, encoding, callback) {
+            uploadedBytes += chunk.length;
+            if (uploadedBytes > maxBodyLength) {
+              callback(new AxiosError(
+                'Request body larger than maxBodyLength limit',
+                AxiosError.ERR_BAD_REQUEST,
+                config,
+                req
+              ));
+              return;
+            }
+            callback(null, chunk);
+          }
+        });
+        bodyLimiter.on('error', function handleLimiterError(err) {
+          if (rejected) return;
+          rejected = true;
+          try { data.unpipe(bodyLimiter); } catch (e) { /* noop */ }
+          try { bodyLimiter.unpipe(req); } catch (e) { /* noop */ }
+          req.destroy();
+          reject(err);
+        });
+        data.pipe(bodyLimiter).pipe(req);
+      } else {
+        data.pipe(req);
+      }
     } else {
       req.end(data);
     }

package/lib/adapters/xhr.js

@@ -18,7 +18,8 @@ module.exports = function xhrAdapter(config) {
     var requestData = config.data;
     var requestHeaders = config.headers;
     var responseType = config.responseType;
-    var withXSRFToken = config.withXSRFToken;
+    // Guard against prototype pollution (GHSA-xx6v-rp6x-q39c): only honor own properties.
+    var withXSRFToken = utils.hasOwnProperty(config, 'withXSRFToken') ? config.withXSRFToken : undefined;
     var onCanceled;
     function done() {
       if (config.cancelToken) {
@@ -146,8 +147,11 @@ module.exports = function xhrAdapter(config) {
     // Specifically not if we're in a web worker, or react-native.
     if (utils.isStandardBrowserEnv()) {
       // Add xsrf header
-      withXSRFToken && utils.isFunction(withXSRFToken) && (withXSRFToken = withXSRFToken(config));
-      if (withXSRFToken || (withXSRFToken !== false && isURLSameOrigin(fullPath))) {
+      if (utils.isFunction(withXSRFToken)) {
+        withXSRFToken = withXSRFToken(config);
+      }
+      // Strict boolean check (GHSA-xx6v-rp6x-q39c): only `true` short-circuits the same-origin guard.
+      if (withXSRFToken === true || (withXSRFToken !== false && isURLSameOrigin(fullPath))) {
         // Add xsrf header
         var xsrfValue = config.xsrfHeaderName && config.xsrfCookieName && cookies.read(config.xsrfCookieName);
         if (xsrfValue) {

package/lib/core/AxiosError.js

@@ -66,7 +66,8 @@ var descriptors = {};
   'ERR_BAD_REQUEST',
   'ERR_CANCELED',
   'ERR_NOT_SUPPORT',
-  'ERR_INVALID_URL'
+  'ERR_INVALID_URL',
+  'ERR_FORM_DATA_DEPTH_EXCEEDED'
 // eslint-disable-next-line func-names
 ].forEach(function(code) {
   descriptors[code] = {value: code};

package/lib/core/mergeConfig.js

@@ -13,7 +13,17 @@ var utils = require('../utils');
 module.exports = function mergeConfig(config1, config2) {
   // eslint-disable-next-line no-param-reassign
   config2 = config2 || {};
-  var config = {};
+  // Use a null-prototype object so a polluted Object.prototype cannot leak
+  // values (e.g. transport, adapter) into the returned config via inheritance.
+  var config = Object.create(null);
+
+  function getOwn(source, prop) {
+    return utils.hasOwnProperty(source, prop) ? source[prop] : undefined;
+  }
+
+  function hasOwn(source, prop) {
+    return utils.hasOwnProperty(source, prop);
+  }
 
   function getMergedValue(target, source) {
     if (utils.isPlainObject(target) && utils.isPlainObject(source)) {
@@ -30,34 +40,34 @@ module.exports = function mergeConfig(config1, config2) {
 
   // eslint-disable-next-line consistent-return
   function mergeDeepProperties(prop) {
-    if (!utils.isUndefined(config2[prop])) {
-      return getMergedValue(config1[prop], config2[prop]);
-    } else if (!utils.isUndefined(config1[prop])) {
+    if (hasOwn(config2, prop) && !utils.isUndefined(config2[prop])) {
+      return getMergedValue(getOwn(config1, prop), config2[prop]);
+    } else if (hasOwn(config1, prop) && !utils.isUndefined(config1[prop])) {
       return getMergedValue(undefined, config1[prop]);
     }
   }
 
   // eslint-disable-next-line consistent-return
   function valueFromConfig2(prop) {
-    if (!utils.isUndefined(config2[prop])) {
+    if (hasOwn(config2, prop) && !utils.isUndefined(config2[prop])) {
       return getMergedValue(undefined, config2[prop]);
     }
   }
 
   // eslint-disable-next-line consistent-return
   function defaultToConfig2(prop) {
-    if (!utils.isUndefined(config2[prop])) {
+    if (hasOwn(config2, prop) && !utils.isUndefined(config2[prop])) {
       return getMergedValue(undefined, config2[prop]);
-    } else if (!utils.isUndefined(config1[prop])) {
+    } else if (hasOwn(config1, prop) && !utils.isUndefined(config1[prop])) {
       return getMergedValue(undefined, config1[prop]);
     }
   }
 
   // eslint-disable-next-line consistent-return
   function mergeDirectKeys(prop) {
-    if (prop in config2) {
-      return getMergedValue(config1[prop], config2[prop]);
-    } else if (prop in config1) {
+    if (hasOwn(config2, prop)) {
+      return getMergedValue(getOwn(config1, prop), config2[prop]);
+    } else if (hasOwn(config1, prop)) {
       return getMergedValue(undefined, config1[prop]);
     }
   }

package/lib/defaults/index.js

@@ -89,17 +89,20 @@ var defaults = {
     var isFileList;
 
     if (isObjectPayload) {
+      var formSerializer = utils.hasOwnProperty(this, 'formSerializer') ? this.formSerializer : undefined;
+      var envOption = utils.hasOwnProperty(this, 'env') ? this.env : undefined;
+
       if (contentType.indexOf('application/x-www-form-urlencoded') !== -1) {
-        return toURLEncodedForm(data, this.formSerializer).toString();
+        return toURLEncodedForm(data, formSerializer).toString();
       }
 
       if ((isFileList = utils.isFileList(data)) || contentType.indexOf('multipart/form-data') > -1) {
-        var _FormData = this.env && this.env.FormData;
+        var _FormData = envOption && envOption.FormData;
 
         return toFormData(
           isFileList ? {'files[]': data} : data,
           _FormData && new _FormData(),
-          this.formSerializer
+          formSerializer
         );
       }
     }

package/lib/env/data.js

@@ -1,3 +1,3 @@
 module.exports = {
-  "version": "0.31.0"
+  "version": "0.31.1"
 };

package/lib/helpers/AxiosURLSearchParams.js

@@ -3,16 +3,17 @@
 var toFormData = require('./toFormData');
 
 function encode(str) {
+  // Do not map `%00` back to a raw null byte (GHSA-xhjh-pmcv-23jw): that reversed
+  // the safe percent-encoding from encodeURIComponent and enabled null byte injection.
   var charMap = {
     '!': '%21',
     "'": '%27',
     '(': '%28',
     ')': '%29',
     '~': '%7E',
-    '%20': '+',
-    '%00': '\x00'
+    '%20': '+'
   };
-  return encodeURIComponent(str).replace(/[!'\(\)~]|%20|%00/g, function replacer(match) {
+  return encodeURIComponent(str).replace(/[!'\(\)~]|%20/g, function replacer(match) {
     return charMap[match];
   });
 }

package/lib/helpers/toFormData.js

@@ -69,6 +69,7 @@ function toFormData(obj, formData, options) {
   var dots = options.dots;
   var indexes = options.indexes;
   var _Blob = options.Blob || typeof Blob !== 'undefined' && Blob;
+  var maxDepth = options.maxDepth === undefined ? 100 : options.maxDepth;
   var useBlob = _Blob && isSpecCompliant(formData);
 
   if (!utils.isFunction(visitor)) {
@@ -145,9 +146,19 @@ function toFormData(obj, formData, options) {
     isVisitable: isVisitable
   });
 
-  function build(value, path) {
+  function build(value, path, depth) {
     if (utils.isUndefined(value)) return;
 
+    // eslint-disable-next-line no-param-reassign
+    depth = depth || 0;
+
+    if (depth > maxDepth) {
+      throw new AxiosError(
+        'Maximum object depth of ' + maxDepth + ' exceeded (got ' + depth + ' levels)',
+        AxiosError.ERR_FORM_DATA_DEPTH_EXCEEDED
+      );
+    }
+
     if (stack.indexOf(value) !== -1) {
       throw Error('Circular reference detected in ' + path.join('.'));
     }
@@ -160,7 +171,7 @@ function toFormData(obj, formData, options) {
       );
 
       if (result === true) {
-        build(el, path ? path.concat(key) : [key]);
+        build(el, path ? path.concat(key) : [key], depth + 1);
       }
     });
 
@@ -171,7 +182,7 @@ function toFormData(obj, formData, options) {
     throw new TypeError('data must be an object');
   }
 
-  build(obj);
+  build(obj, null, 0);
 
   return formData;
 }

package/lib/utils.js

@@ -206,11 +206,17 @@ function isStream(val) {
  */
 function isFormData(thing) {
   var pattern = '[object FormData]';
-  return thing && (
-    (typeof FormData === 'function' && thing instanceof FormData) ||
-    toString.call(thing) === pattern ||
-    (isFunction(thing.toString) && thing.toString() === pattern)
-  );
+  if (!thing) return false;
+  if (typeof FormData === 'function' && thing instanceof FormData) return true;
+  // Reject non-objects (strings, numbers, booleans) up front — Object.getPrototypeOf
+  // throws a TypeError on primitives in ES5 environments.
+  if (!isObject(thing)) return false;
+  // Reject plain objects inheriting directly from Object.prototype so prototype-pollution gadgets can't spoof FormData (GHSA-6chq-wfr3-2hj9).
+  var proto = Object.getPrototypeOf(thing);
+  if (!proto || proto === Object.prototype) return false;
+  if (!isFunction(thing.append)) return false;
+  return toString.call(thing) === pattern ||
+    (isFunction(thing.toString) && thing.toString() === pattern);
 }
 
 /**

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "axios",
-  "version": "0.31.0",
+  "version": "0.31.1",
   "description": "Promise based HTTP client for the browser and node.js",
   "main": "index.js",
   "types": "index.d.ts",
@@ -97,4 +97,4 @@
       "threshold": "5kB"
     }
   ]
-}
+}