axios 0.31.0 → 0.32.0

package/index.d.ts

@@ -154,11 +154,14 @@ export interface AxiosRequestConfig<D = any> {
   onUploadProgress?: (progressEvent: ProgressEvent) => void;
   onDownloadProgress?: (progressEvent: ProgressEvent) => void;
   maxContentLength?: number;
+  formDataHeaderPolicy?: 'legacy' | 'content-only';
+  redact?: string[];
   validateStatus?: ((status: number) => boolean) | null;
   maxBodyLength?: number;
   maxRedirects?: number;
   beforeRedirect?: (options: Record<string, any>, responseDetails: {headers: Record<string, string>}) => void;
   socketPath?: string | null;
+  allowedSocketPaths?: string | string[] | null;
   httpAgent?: any;
   httpsAgent?: any;
   proxy?: AxiosProxyConfig | false;
@@ -231,6 +234,7 @@ export class AxiosError<T = unknown, D = any> extends Error {
   static readonly ERR_BAD_REQUEST = "ERR_BAD_REQUEST";
   static readonly ERR_NOT_SUPPORT = "ERR_NOT_SUPPORT";
   static readonly ERR_INVALID_URL = "ERR_INVALID_URL";
+  static readonly ERR_FORM_DATA_DEPTH_EXCEEDED = "ERR_FORM_DATA_DEPTH_EXCEEDED";
   static readonly ERR_CANCELED = "ERR_CANCELED";
   static readonly ECONNABORTED = "ECONNABORTED";
   static readonly ETIMEDOUT = "ETIMEDOUT";

package/lib/adapters/http.js

@@ -10,6 +10,7 @@ var https = require('https');
 var httpFollow = require('follow-redirects/http');
 var httpsFollow = require('follow-redirects/https');
 var url = require('url');
+var path = require('path');
 var zlib = require('zlib');
 var VERSION = require('./../env/data').version;
 var transitionalDefaults = require('../defaults/transitional');
@@ -36,6 +37,94 @@ function dispatchBeforeRedirect(options) {
   }
 }
 
+function removeProxyAuthorization(headers) {
+  Object.keys(headers).forEach(function removeHeader(header) {
+    if (header.toLowerCase() === 'proxy-authorization') {
+      delete headers[header];
+    }
+  });
+}
+
+function normalizeSocketPath(socketPath) {
+  if (/^\\\\[.?]\\pipe\\/i.test(socketPath)) {
+    return socketPath;
+  }
+
+  return path.resolve(socketPath);
+}
+
+function getAllowedSocketPaths(config) {
+  var allowedSocketPaths = config.allowedSocketPaths;
+
+  if (
+    allowedSocketPaths === null ||
+    typeof allowedSocketPaths === 'undefined'
+  ) {
+    return null;
+  }
+
+  if (utils.isString(allowedSocketPaths)) {
+    return [allowedSocketPaths];
+  }
+
+  if (utils.isArray(allowedSocketPaths)) {
+    for (var i = 0; i < allowedSocketPaths.length; i++) {
+      if (!utils.isString(allowedSocketPaths[i])) {
+        return false;
+      }
+    }
+
+    return allowedSocketPaths;
+  }
+
+  return false;
+}
+
+function checkSocketPath(config) {
+  var socketPath = config.socketPath;
+
+  if (!socketPath) {
+    return null;
+  }
+
+  if (!utils.isString(socketPath)) {
+    return new AxiosError(
+      'config.socketPath must be a string',
+      AxiosError.ERR_BAD_OPTION_VALUE,
+      config
+    );
+  }
+
+  var allowedSocketPaths = getAllowedSocketPaths(config);
+
+  if (allowedSocketPaths === false) {
+    return new AxiosError(
+      'config.allowedSocketPaths must be a string, an array of strings, or null',
+      AxiosError.ERR_BAD_OPTION_VALUE,
+      config
+    );
+  }
+
+  if (allowedSocketPaths) {
+    var normalizedSocketPath = normalizeSocketPath(socketPath);
+    var allowed = allowedSocketPaths.some(
+      function isAllowed(allowedSocketPath) {
+        return normalizeSocketPath(allowedSocketPath) === normalizedSocketPath;
+      }
+    );
+
+    if (!allowed) {
+      return new AxiosError(
+        'config.socketPath is not allowed by config.allowedSocketPaths',
+        AxiosError.ERR_BAD_OPTION_VALUE,
+        config
+      );
+    }
+  }
+
+  return null;
+}
+
 /**
  *
  * @param {http.ClientRequestArgs} options
@@ -54,20 +143,37 @@ function setProxy(options, configProxy, location) {
       }
     }
   }
+  if (!proxy) {
+    removeProxyAuthorization(options.headers);
+  }
   if (proxy) {
     // Basic proxy authorization
-    if (proxy.auth) {
+    var proxyAuth = utils.hasOwnProperty(proxy, 'auth')
+      ? proxy.auth
+      : undefined;
+    if (proxyAuth) {
       // Support proxy auth object form
-      if (proxy.auth.username || proxy.auth.password) {
-        proxy.auth = (proxy.auth.username || '') + ':' + (proxy.auth.password || '');
+      if (utils.isObject(proxyAuth)) {
+        var proxyUsername = utils.hasOwnProperty(proxyAuth, 'username')
+          ? proxyAuth.username
+          : '';
+        var proxyPassword = utils.hasOwnProperty(proxyAuth, 'password')
+          ? proxyAuth.password
+          : '';
+        proxyAuth =
+          proxyUsername || proxyPassword
+            ? proxyUsername + ':' + proxyPassword
+            : undefined;
+      }
+      if (proxyAuth) {
+        var base64 = Buffer.from(proxyAuth, 'utf8').toString('base64');
+        removeProxyAuthorization(options.headers);
+        options.headers['Proxy-Authorization'] = 'Basic ' + base64;
       }
-      var base64 = Buffer
-        .from(proxy.auth, 'utf8')
-        .toString('base64');
-      options.headers['Proxy-Authorization'] = 'Basic ' + base64;
     }
 
-    options.headers.host = options.hostname + (options.port ? ':' + options.port : '');
+    options.headers.host =
+      options.hostname + (options.port ? ':' + options.port : '');
     options.hostname = proxy.host;
     options.host = proxy.host;
     options.port = proxy.port;
@@ -86,7 +192,10 @@ function setProxy(options, configProxy, location) {
 
 /*eslint consistent-return:0*/
 module.exports = function httpAdapter(config) {
-  return new Promise(function dispatchHttpRequest(resolvePromise, rejectPromise) {
+  return new Promise(function dispatchHttpRequest(
+    resolvePromise,
+    rejectPromise
+  ) {
     var onCanceled;
     function done() {
       if (config.cancelToken) {
@@ -113,7 +222,11 @@ module.exports = function httpAdapter(config) {
     var method = config.method.toUpperCase();
 
     // Parse url
-    var fullPath = buildFullPath(config.baseURL, config.url, config.allowAbsoluteUrls);
+    var fullPath = buildFullPath(
+      config.baseURL,
+      config.url,
+      config.allowAbsoluteUrls
+    );
     var parsed = url.parse(fullPath);
     var protocol = parsed.protocol || supportedProtocols[0];
 
@@ -125,11 +238,15 @@ module.exports = function httpAdapter(config) {
         var estimated = estimateDataURLDecodedBytes(dataUrl);
 
         if (estimated > config.maxContentLength) {
-          return reject(new AxiosError(
-            'maxContentLength size of ' + config.maxContentLength + ' exceeded',
-            AxiosError.ERR_BAD_RESPONSE,
-            config
-          ));
+          return reject(
+            new AxiosError(
+              'maxContentLength size of ' +
+                config.maxContentLength +
+              ' exceeded',
+              AxiosError.ERR_BAD_RESPONSE,
+              config
+            )
+          );
         }
       }
 
@@ -145,8 +262,11 @@ module.exports = function httpAdapter(config) {
       }
 
       try {
+        var envOption = utils.hasOwnProperty(config, 'env')
+          ? config.env
+          : undefined;
         convertedData = fromDataURI(config.url, responseType === 'blob', {
-          Blob: config.env && config.env.Blob
+          Blob: envOption && envOption.Blob
         });
       } catch (err) {
         throw AxiosError.from(err, AxiosError.ERR_BAD_REQUEST, config);
@@ -172,11 +292,13 @@ module.exports = function httpAdapter(config) {
     }
 
     if (supportedProtocols.indexOf(protocol) === -1) {
-      return reject(new AxiosError(
-        'Unsupported protocol ' + protocol,
-        AxiosError.ERR_BAD_REQUEST,
-        config
-      ));
+      return reject(
+        new AxiosError(
+          'Unsupported protocol ' + protocol,
+          AxiosError.ERR_BAD_REQUEST,
+          config
+        )
+      );
     }
 
     var headers = config.headers;
@@ -200,8 +322,22 @@ module.exports = function httpAdapter(config) {
     }
 
     // support for https://www.npmjs.com/package/form-data api
-    if (utils.isFormData(data) && utils.isFunction(data.getHeaders)) {
-      Object.assign(headers, data.getHeaders());
+    if (
+      utils.isFormData(data) &&
+      utils.isFunction(data.getHeaders) &&
+      data.getHeaders !== Object.prototype.getHeaders
+    ) {
+      var formHeaders = data.getHeaders();
+      if (config.formDataHeaderPolicy === 'content-only') {
+        Object.keys(formHeaders).forEach(function copyContentHeader(name) {
+          var lowerName = name.toLowerCase();
+          if (lowerName === 'content-type' || lowerName === 'content-length') {
+            headers[name] = formHeaders[name];
+          }
+        });
+      } else {
+        Object.assign(headers, formHeaders);
+      }
     } else if (data && !utils.isStream(data)) {
       if (Buffer.isBuffer(data)) {
         // Nothing to do...
@@ -210,19 +346,23 @@ module.exports = function httpAdapter(config) {
       } else if (utils.isString(data)) {
         data = Buffer.from(data, 'utf-8');
       } else {
-        return reject(new AxiosError(
-          'Data after transformation must be a string, an ArrayBuffer, a Buffer, or a Stream',
-          AxiosError.ERR_BAD_REQUEST,
-          config
-        ));
+        return reject(
+          new AxiosError(
+            'Data after transformation must be a string, an ArrayBuffer, a Buffer, or a Stream',
+            AxiosError.ERR_BAD_REQUEST,
+            config
+          )
+        );
       }
 
       if (config.maxBodyLength > -1 && data.length > config.maxBodyLength) {
-        return reject(new AxiosError(
-          'Request body larger than maxBodyLength limit',
-          AxiosError.ERR_BAD_REQUEST,
-          config
-        ));
+        return reject(
+          new AxiosError(
+            'Request body larger than maxBodyLength limit',
+            AxiosError.ERR_BAD_REQUEST,
+            config
+          )
+        );
       }
 
       // Add Content-Length header if data exists
@@ -251,7 +391,10 @@ module.exports = function httpAdapter(config) {
     }
 
     try {
-      buildURL(parsed.path, config.params, config.paramsSerializer).replace(/^\?/, '');
+      buildURL(parsed.path, config.params, config.paramsSerializer).replace(
+        /^\?/,
+        ''
+      );
     } catch (err) {
       var customErr = new Error(err.message);
       customErr.config = config;
@@ -261,7 +404,11 @@ module.exports = function httpAdapter(config) {
     }
 
     var options = {
-      path: buildURL(parsed.path, config.params, config.paramsSerializer).replace(/^\?/, ''),
+      path: buildURL(
+        parsed.path,
+        config.params,
+        config.paramsSerializer
+      ).replace(/^\?/, ''),
       method: method,
       headers: headers,
       agents: { http: config.httpAgent, https: config.httpsAgent },
@@ -271,18 +418,27 @@ module.exports = function httpAdapter(config) {
       beforeRedirects: {}
     };
 
+    var socketPathError = checkSocketPath(config);
+    if (socketPathError) {
+      return reject(socketPathError);
+    }
+
     if (config.socketPath) {
       options.socketPath = config.socketPath;
     } else {
       options.hostname = parsed.hostname;
       options.port = parsed.port;
-      setProxy(options, config.proxy, protocol + '//' + parsed.host + options.path);
+      setProxy(
+        options,
+        config.proxy,
+        protocol + '//' + parsed.host + options.path
+      );
     }
 
     var transport;
     var isHttpsRequest = isHttps.test(options.protocol);
     options.agent = isHttpsRequest ? config.httpsAgent : config.httpAgent;
-    if (config.transport) {
+    if (utils.hasOwnProperty(config, 'transport') && config.transport) {
       transport = config.transport;
     } else if (config.maxRedirects === 0) {
       transport = isHttpsRequest ? https : http;
@@ -348,8 +504,51 @@ module.exports = function httpAdapter(config) {
       };
 
       if (responseType === 'stream') {
-        response.data = responseStream;
-        settle(resolve, reject, response);
+        // Enforce maxContentLength on streamed responses too.
+        // Previously the stream path bypassed the size guard because the check only
+        // ran on the buffering branch.
+        if (config.maxContentLength > -1) {
+          var maxContentLength = config.maxContentLength;
+          var streamedBytes = 0;
+          var limiter = new stream.Transform({
+            transform: function transformChunk(chunk, encoding, callback) {
+              streamedBytes += chunk.length;
+              if (streamedBytes > maxContentLength) {
+                callback(
+                  new AxiosError(
+                    'maxContentLength size of ' +
+                      maxContentLength +
+                    ' exceeded',
+                    AxiosError.ERR_BAD_RESPONSE,
+                    config,
+                    lastRequest
+                  )
+                );
+                return;
+              }
+              callback(null, chunk);
+            }
+          });
+          limiter.on('error', function handleLimiterError() {
+            rejected = true;
+            responseStream.destroy();
+          });
+          responseStream.on('error', function forwardError(err) {
+            limiter.destroy(err);
+          });
+          response.data = limiter;
+          settle(resolve, reject, response);
+          // Defer piping via setImmediate so the caller's `.then` (a microtask)
+          // has run and attached any `error`/`data` listeners before chunks flow
+          // through the transform. `process.nextTick` would drain before those
+          // microtasks and lose the error event.
+          setImmediate(function startPipe() {
+            responseStream.pipe(limiter);
+          });
+        } else {
+          response.data = responseStream;
+          settle(resolve, reject, response);
+        }
       } else {
         var responseBuffer = [];
         var totalResponseBytes = 0;
@@ -358,12 +557,23 @@ module.exports = function httpAdapter(config) {
           totalResponseBytes += chunk.length;
 
           // make sure the content length is not over the maxContentLength if specified
-          if (config.maxContentLength > -1 && totalResponseBytes > config.maxContentLength) {
+          if (
+            config.maxContentLength > -1 &&
+            totalResponseBytes > config.maxContentLength
+          ) {
             // stream.destroy() emit aborted event before calling reject() on Node.js v16
             rejected = true;
             responseStream.destroy();
-            reject(new AxiosError('maxContentLength size of ' + config.maxContentLength + ' exceeded',
-              AxiosError.ERR_BAD_RESPONSE, config, lastRequest));
+            reject(
+              new AxiosError(
+                'maxContentLength size of ' +
+                  config.maxContentLength +
+                  ' exceeded',
+                AxiosError.ERR_BAD_RESPONSE,
+                config,
+                lastRequest
+              )
+            );
           }
         });
 
@@ -372,12 +582,14 @@ module.exports = function httpAdapter(config) {
             return;
           }
           responseStream.destroy();
-          reject(new AxiosError(
-            'response stream aborted',
-            AxiosError.ECONNABORTED,
-            config,
-            lastRequest
-          ));
+          reject(
+            new AxiosError(
+              'response stream aborted',
+              AxiosError.ECONNABORTED,
+              config,
+              lastRequest
+            )
+          );
         });
 
         responseStream.on('error', function handleStreamError(err) {
@@ -387,7 +599,10 @@ module.exports = function httpAdapter(config) {
 
         responseStream.on('end', function handleStreamEnd() {
           try {
-            var responseData = responseBuffer.length === 1 ? responseBuffer[0] : Buffer.concat(responseBuffer);
+            var responseData =
+              responseBuffer.length === 1
+                ? responseBuffer[0]
+                : Buffer.concat(responseBuffer);
             if (responseType !== 'arraybuffer') {
               responseData = responseData.toString(responseEncoding);
               if (!responseEncoding || responseEncoding === 'utf8') {
@@ -396,7 +611,9 @@ module.exports = function httpAdapter(config) {
             }
             response.data = responseData;
           } catch (err) {
-            reject(AxiosError.from(err, null, config, response.request, response));
+            reject(
+              AxiosError.from(err, null, config, response.request, response)
+            );
           }
           settle(resolve, reject, response);
         });
@@ -418,16 +635,28 @@ module.exports = function httpAdapter(config) {
 
     // Handle request timeout
     if (config.timeout) {
-      // This is forcing a int timeout to avoid problems if the `req` interface doesn't handle other types.
-      var timeout = parseInt(config.timeout, 10);
+      // Force an int timeout so the `req` interface gets a clean number.
+      // The try/catch is required: merged config values have a null prototype,
+      // and parseInt on a null-prototype object throws "Cannot convert object
+      // to primitive value" because there is no inherited toString. Treating
+      // that as NaN routes to the same ERR_BAD_OPTION_VALUE rejection as any
+      // other unparsable value.
+      var timeout;
+      try {
+        timeout = parseInt(config.timeout, 10);
+      } catch (err) {
+        timeout = NaN;
+      }
 
       if (isNaN(timeout)) {
-        reject(new AxiosError(
-          'error trying to parse `config.timeout` to int',
-          AxiosError.ERR_BAD_OPTION_VALUE,
-          config,
-          req
-        ));
+        reject(
+          new AxiosError(
+            'error trying to parse `config.timeout` to int',
+            AxiosError.ERR_BAD_OPTION_VALUE,
+            config,
+            req
+          )
+        );
 
         return;
       }
@@ -439,17 +668,23 @@ module.exports = function httpAdapter(config) {
       // ClientRequest.setTimeout will be fired on the specify milliseconds, and can make sure that abort() will be fired after connect.
       req.setTimeout(timeout, function handleRequestTimeout() {
         req.abort();
-        var timeoutErrorMessage = config.timeout ? 'timeout of ' + config.timeout + 'ms exceeded' : 'timeout exceeded';
+        var timeoutErrorMessage = config.timeout
+          ? 'timeout of ' + config.timeout + 'ms exceeded'
+          : 'timeout exceeded';
         var transitional = config.transitional || transitionalDefaults;
         if (config.timeoutErrorMessage) {
           timeoutErrorMessage = config.timeoutErrorMessage;
         }
-        reject(new AxiosError(
-          timeoutErrorMessage,
-          transitional.clarifyTimeoutError ? AxiosError.ETIMEDOUT : AxiosError.ECONNABORTED,
-          config,
-          req
-        ));
+        reject(
+          new AxiosError(
+            timeoutErrorMessage,
+            transitional.clarifyTimeoutError
+              ? AxiosError.ETIMEDOUT
+              : AxiosError.ECONNABORTED,
+            config,
+            req
+          )
+        );
       });
     }
 
@@ -460,21 +695,71 @@ module.exports = function httpAdapter(config) {
         if (req.aborted) return;
 
         req.abort();
-        reject(!cancel || cancel.type ? new CanceledError(null, config, req) : cancel);
+        reject(
+          !cancel || cancel.type
+            ? new CanceledError(null, config, req)
+            : cancel
+        );
       };
 
       config.cancelToken && config.cancelToken.subscribe(onCanceled);
       if (config.signal) {
-        config.signal.aborted ? onCanceled() : config.signal.addEventListener('abort', onCanceled);
+        config.signal.aborted
+          ? onCanceled()
+          : config.signal.addEventListener('abort', onCanceled);
       }
     }
 
-
     // Send the request
     if (utils.isStream(data)) {
       data.on('error', function handleStreamError(err) {
         reject(AxiosError.from(err, config, null, req));
-      }).pipe(req);
+      });
+
+      // follow-redirects enforces options.maxBodyLength for stream uploads, but the
+      // native http/https transport (used when maxRedirects === 0) does not.
+      // Count bytes ourselves so the limit is always honored.
+      var nativeTransport = transport === http || transport === https;
+      if (nativeTransport && config.maxBodyLength > -1) {
+        var maxBodyLength = config.maxBodyLength;
+        var uploadedBytes = 0;
+        var bodyLimiter = new stream.Transform({
+          transform: function transformChunk(chunk, encoding, callback) {
+            uploadedBytes += chunk.length;
+            if (uploadedBytes > maxBodyLength) {
+              callback(
+                new AxiosError(
+                  'Request body larger than maxBodyLength limit',
+                  AxiosError.ERR_BAD_REQUEST,
+                  config,
+                  req
+                )
+              );
+              return;
+            }
+            callback(null, chunk);
+          }
+        });
+        bodyLimiter.on('error', function handleLimiterError(err) {
+          if (rejected) return;
+          rejected = true;
+          try {
+            data.unpipe(bodyLimiter);
+          } catch (e) {
+            /* noop */
+          }
+          try {
+            bodyLimiter.unpipe(req);
+          } catch (e) {
+            /* noop */
+          }
+          req.destroy();
+          reject(err);
+        });
+        data.pipe(bodyLimiter).pipe(req);
+      } else {
+        data.pipe(req);
+      }
     } else {
       req.end(data);
     }