axios 0.31.0 → 0.32.0

package/lib/adapters/xhr.js

@@ -18,7 +18,10 @@ module.exports = function xhrAdapter(config) {
     var requestData = config.data;
     var requestHeaders = config.headers;
     var responseType = config.responseType;
-    var withXSRFToken = config.withXSRFToken;
+    // Guard against prototype pollution: only honor own properties.
+    var withXSRFToken = utils.hasOwnProperty(config, 'withXSRFToken')
+      ? config.withXSRFToken
+      : undefined;
     var onCanceled;
     function done() {
       if (config.cancelToken) {
@@ -39,13 +42,23 @@ module.exports = function xhrAdapter(config) {
     // HTTP basic authentication
     if (config.auth) {
       var username = config.auth.username || '';
-      var password = config.auth.password ? unescape(encodeURIComponent(config.auth.password)) : '';
+      var password = config.auth.password
+        ? unescape(encodeURIComponent(config.auth.password))
+        : '';
       requestHeaders.Authorization = 'Basic ' + btoa(username + ':' + password);
     }
 
-    var fullPath = buildFullPath(config.baseURL, config.url, config.allowAbsoluteUrls);
+    var fullPath = buildFullPath(
+      config.baseURL,
+      config.url,
+      config.allowAbsoluteUrls
+    );
 
-    request.open(config.method.toUpperCase(), buildURL(fullPath, config.params, config.paramsSerializer), true);
+    request.open(
+      config.method.toUpperCase(),
+      buildURL(fullPath, config.params, config.paramsSerializer),
+      true
+    );
 
     // Set the request timeout in MS
     request.timeout = config.timeout;
@@ -55,9 +68,14 @@ module.exports = function xhrAdapter(config) {
         return;
       }
       // Prepare the response
-      var responseHeaders = 'getAllResponseHeaders' in request ? parseHeaders(request.getAllResponseHeaders()) : null;
-      var responseData = !responseType || responseType === 'text' ||  responseType === 'json' ?
-        request.responseText : request.response;
+      var responseHeaders =
+        'getAllResponseHeaders' in request
+          ? parseHeaders(request.getAllResponseHeaders())
+          : null;
+      var responseData =
+        !responseType || responseType === 'text' || responseType === 'json'
+          ? request.responseText
+          : request.response;
       var response = {
         data: responseData,
         status: request.status,
@@ -67,13 +85,17 @@ module.exports = function xhrAdapter(config) {
         request: request
       };
 
-      settle(function _resolve(value) {
-        resolve(value);
-        done();
-      }, function _reject(err) {
-        reject(err);
-        done();
-      }, response);
+      settle(
+        function _resolve(value) {
+          resolve(value);
+          done();
+        },
+        function _reject(err) {
+          reject(err);
+          done();
+        },
+        response
+      );
 
       // Clean up request
       request = null;
@@ -93,7 +115,10 @@ module.exports = function xhrAdapter(config) {
         // handled by onerror instead
         // With one exception: request that using file: protocol, most browsers
         // will return status as 0 even though it's a successful request
-        if (request.status === 0 && !(request.responseURL && request.responseURL.indexOf('file:') === 0)) {
+        if (
+          request.status === 0 &&
+          !(request.responseURL && request.responseURL.indexOf('file:') === 0)
+        ) {
           return;
         }
         // readystate handler is calling before onerror or ontimeout handlers,
@@ -108,7 +133,14 @@ module.exports = function xhrAdapter(config) {
         return;
       }
 
-      reject(new AxiosError('Request aborted', AxiosError.ECONNABORTED, config, request));
+      reject(
+        new AxiosError(
+          'Request aborted',
+          AxiosError.ECONNABORTED,
+          config,
+          request
+        )
+      );
 
       // Clean up request
       request = null;
@@ -118,7 +150,14 @@ module.exports = function xhrAdapter(config) {
     request.onerror = function handleError() {
       // Real errors are hidden from us by the browser
       // onerror should only fire if it's a network error
-      reject(new AxiosError('Network Error', AxiosError.ERR_NETWORK, config, request));
+      reject(
+        new AxiosError(
+          'Network Error',
+          AxiosError.ERR_NETWORK,
+          config,
+          request
+        )
+      );
 
       // Clean up request
       request = null;
@@ -126,16 +165,23 @@ module.exports = function xhrAdapter(config) {
 
     // Handle timeout
     request.ontimeout = function handleTimeout() {
-      var timeoutErrorMessage = config.timeout ? 'timeout of ' + config.timeout + 'ms exceeded' : 'timeout exceeded';
+      var timeoutErrorMessage = config.timeout
+        ? 'timeout of ' + config.timeout + 'ms exceeded'
+        : 'timeout exceeded';
       var transitional = config.transitional || transitionalDefaults;
       if (config.timeoutErrorMessage) {
         timeoutErrorMessage = config.timeoutErrorMessage;
       }
-      reject(new AxiosError(
-        timeoutErrorMessage,
-        transitional.clarifyTimeoutError ? AxiosError.ETIMEDOUT : AxiosError.ECONNABORTED,
-        config,
-        request));
+      reject(
+        new AxiosError(
+          timeoutErrorMessage,
+          transitional.clarifyTimeoutError
+            ? AxiosError.ETIMEDOUT
+            : AxiosError.ECONNABORTED,
+          config,
+          request
+        )
+      );
 
       // Clean up request
       request = null;
@@ -146,10 +192,19 @@ module.exports = function xhrAdapter(config) {
     // Specifically not if we're in a web worker, or react-native.
     if (utils.isStandardBrowserEnv()) {
       // Add xsrf header
-      withXSRFToken && utils.isFunction(withXSRFToken) && (withXSRFToken = withXSRFToken(config));
-      if (withXSRFToken || (withXSRFToken !== false && isURLSameOrigin(fullPath))) {
+      if (utils.isFunction(withXSRFToken)) {
+        withXSRFToken = withXSRFToken(config);
+      }
+      // Strict boolean check: only `true` short-circuits the same-origin guard.
+      if (
+        withXSRFToken === true ||
+        (withXSRFToken !== false && isURLSameOrigin(fullPath))
+      ) {
         // Add xsrf header
-        var xsrfValue = config.xsrfHeaderName && config.xsrfCookieName && cookies.read(config.xsrfCookieName);
+        var xsrfValue =
+          config.xsrfHeaderName &&
+          config.xsrfCookieName &&
+          cookies.read(config.xsrfCookieName);
         if (xsrfValue) {
           requestHeaders[config.xsrfHeaderName] = xsrfValue;
         }
@@ -159,7 +214,10 @@ module.exports = function xhrAdapter(config) {
     // Add headers to the request
     if ('setRequestHeader' in request) {
       utils.forEach(requestHeaders, function setRequestHeader(val, key) {
-        if (typeof requestData === 'undefined' && key.toLowerCase() === 'content-type') {
+        if (
+          typeof requestData === 'undefined' &&
+          key.toLowerCase() === 'content-type'
+        ) {
           // Remove Content-Type if data is undefined
           delete requestHeaders[key];
         } else {
@@ -196,30 +254,46 @@ module.exports = function xhrAdapter(config) {
         if (!request) {
           return;
         }
-        reject(!cancel || cancel.type ? new CanceledError(null, config, request) : cancel);
+        reject(
+          !cancel || cancel.type
+            ? new CanceledError(null, config, request)
+            : cancel
+        );
         request.abort();
         request = null;
       };
 
       config.cancelToken && config.cancelToken.subscribe(onCanceled);
       if (config.signal) {
-        config.signal.aborted ? onCanceled() : config.signal.addEventListener('abort', onCanceled);
+        config.signal.aborted
+          ? onCanceled()
+          : config.signal.addEventListener('abort', onCanceled);
       }
     }
 
     // false, 0 (zero number), and '' (empty string) are valid JSON values
-    if (!requestData && requestData !== false && requestData !== 0 && requestData !== '') {
+    if (
+      !requestData &&
+      requestData !== false &&
+      requestData !== 0 &&
+      requestData !== ''
+    ) {
       requestData = null;
     }
 
     var protocol = parseProtocol(fullPath);
 
     if (protocol && platform.protocols.indexOf(protocol) === -1) {
-      reject(new AxiosError('Unsupported protocol ' + protocol + ':', AxiosError.ERR_BAD_REQUEST, config));
+      reject(
+        new AxiosError(
+          'Unsupported protocol ' + protocol + ':',
+          AxiosError.ERR_BAD_REQUEST,
+          config
+        )
+      );
       return;
     }
 
-
     // Send the request
     request.send(requestData);
   });

package/lib/core/AxiosError.js

@@ -1,6 +1,81 @@
 'use strict';
 
 var utils = require('../utils');
+var DEFAULT_REDACT_KEYS = require('../helpers/defaultRedactKeys');
+
+var REDACTED_VALUE = '[REDACTED ****]';
+
+function makeValueDescriptor(value) {
+  var descriptor = Object.create(null);
+  descriptor.value = value;
+  return descriptor;
+}
+
+function getRedactKeys(config) {
+  // An empty array is treated as "no override" so an upstream `redact: []` cannot
+  // silently disable redaction. To opt out, pass non-string values or unset keys.
+  var override = config && utils.isArray(config.redact) && config.redact.length ? config.redact : null;
+  var redact = override || DEFAULT_REDACT_KEYS;
+  var keys = {};
+
+  utils.forEach(redact, function eachRedactKey(key) {
+    if (typeof key === 'string') {
+      keys[key.toLowerCase()] = true;
+    }
+  });
+
+  return keys;
+}
+
+function shouldRedact(key, keys) {
+  return typeof key === 'string' && keys[key.toLowerCase()];
+}
+
+var CIRCULAR_VALUE = '[Circular]';
+
+function serializeConfigValue(value, keys, key, seen) {
+  var result;
+
+  if (shouldRedact(key, keys)) {
+    return REDACTED_VALUE;
+  }
+
+  if (utils.isArray(value)) {
+    if (seen.indexOf(value) !== -1) {
+      return CIRCULAR_VALUE;
+    }
+    seen.push(value);
+    result = [];
+    utils.forEach(value, function eachArrayValue(item, index) {
+      result[index] = serializeConfigValue(item, keys, index, seen);
+    });
+    seen.pop();
+    return result;
+  }
+
+  if (utils.isPlainObject(value)) {
+    if (seen.indexOf(value) !== -1) {
+      return CIRCULAR_VALUE;
+    }
+    seen.push(value);
+    result = {};
+    utils.forEach(value, function eachObjectValue(item, itemKey) {
+      result[itemKey] = serializeConfigValue(item, keys, itemKey, seen);
+    });
+    seen.pop();
+    return result;
+  }
+
+  return value;
+}
+
+function serializeConfig(config) {
+  if (!config) {
+    return config;
+  }
+
+  return serializeConfigValue(config, getRedactKeys(config), undefined, []);
+}
 
 /**
  * Create an Error with the specified message, config, error code, request and response.
@@ -44,7 +119,7 @@ utils.inherits(AxiosError, Error, {
       columnNumber: this.columnNumber,
       stack: this.stack,
       // Axios
-      config: this.config,
+      config: serializeConfig(this.config),
       code: this.code,
       status: this.response && this.response.status ? this.response.status : null
     };
@@ -52,7 +127,7 @@ utils.inherits(AxiosError, Error, {
 });
 
 var prototype = AxiosError.prototype;
-var descriptors = {};
+var descriptors = Object.create(null);
 
 [
   'ERR_BAD_OPTION_VALUE',
@@ -66,14 +141,15 @@ var descriptors = {};
   'ERR_BAD_REQUEST',
   'ERR_CANCELED',
   'ERR_NOT_SUPPORT',
-  'ERR_INVALID_URL'
+  'ERR_INVALID_URL',
+  'ERR_FORM_DATA_DEPTH_EXCEEDED'
 // eslint-disable-next-line func-names
 ].forEach(function(code) {
-  descriptors[code] = {value: code};
+  descriptors[code] = makeValueDescriptor(code);
 });
 
 Object.defineProperties(AxiosError, descriptors);
-Object.defineProperty(prototype, 'isAxiosError', {value: true});
+Object.defineProperty(prototype, 'isAxiosError', makeValueDescriptor(true));
 
 // eslint-disable-next-line func-names
 AxiosError.from = function(error, code, config, request, response, customProps) {

package/lib/core/dispatchRequest.js

@@ -46,11 +46,16 @@ module.exports = function dispatchRequest(config) {
   normalizeHeaderName(config.headers, 'Content-Type');
 
   // Flatten headers
-  config.headers = utils.merge(
-    config.headers.common || {},
-    config.headers[config.method] || {},
-    config.headers
-  );
+  var commonHeaders = utils.hasOwnProperty(config.headers, 'common') && config.headers.common
+    ? config.headers.common
+    : {};
+  var methodHeaders = config.method &&
+    utils.hasOwnProperty(config.headers, config.method) &&
+    config.headers[config.method]
+    ? config.headers[config.method]
+    : {};
+
+  config.headers = utils.merge(commonHeaders, methodHeaders, config.headers);
 
   utils.forEach(
     ['delete', 'get', 'head', 'post', 'put', 'patch', 'common'],

package/lib/core/mergeConfig.js

@@ -13,7 +13,17 @@ var utils = require('../utils');
 module.exports = function mergeConfig(config1, config2) {
   // eslint-disable-next-line no-param-reassign
   config2 = config2 || {};
-  var config = {};
+  // Use a null-prototype object so a polluted Object.prototype cannot leak
+  // values (e.g. transport, adapter) into the returned config via inheritance.
+  var config = Object.create(null);
+
+  function getOwn(source, prop) {
+    return utils.hasOwnProperty(source, prop) ? source[prop] : undefined;
+  }
+
+  function hasOwn(source, prop) {
+    return utils.hasOwnProperty(source, prop);
+  }
 
   function getMergedValue(target, source) {
     if (utils.isPlainObject(target) && utils.isPlainObject(source)) {
@@ -30,34 +40,34 @@ module.exports = function mergeConfig(config1, config2) {
 
   // eslint-disable-next-line consistent-return
   function mergeDeepProperties(prop) {
-    if (!utils.isUndefined(config2[prop])) {
-      return getMergedValue(config1[prop], config2[prop]);
-    } else if (!utils.isUndefined(config1[prop])) {
+    if (hasOwn(config2, prop) && !utils.isUndefined(config2[prop])) {
+      return getMergedValue(getOwn(config1, prop), config2[prop]);
+    } else if (hasOwn(config1, prop) && !utils.isUndefined(config1[prop])) {
       return getMergedValue(undefined, config1[prop]);
     }
   }
 
   // eslint-disable-next-line consistent-return
   function valueFromConfig2(prop) {
-    if (!utils.isUndefined(config2[prop])) {
+    if (hasOwn(config2, prop) && !utils.isUndefined(config2[prop])) {
       return getMergedValue(undefined, config2[prop]);
     }
   }
 
   // eslint-disable-next-line consistent-return
   function defaultToConfig2(prop) {
-    if (!utils.isUndefined(config2[prop])) {
+    if (hasOwn(config2, prop) && !utils.isUndefined(config2[prop])) {
       return getMergedValue(undefined, config2[prop]);
-    } else if (!utils.isUndefined(config1[prop])) {
+    } else if (hasOwn(config1, prop) && !utils.isUndefined(config1[prop])) {
       return getMergedValue(undefined, config1[prop]);
     }
   }
 
   // eslint-disable-next-line consistent-return
   function mergeDirectKeys(prop) {
-    if (prop in config2) {
-      return getMergedValue(config1[prop], config2[prop]);
-    } else if (prop in config1) {
+    if (hasOwn(config2, prop)) {
+      return getMergedValue(getOwn(config1, prop), config2[prop]);
+    } else if (hasOwn(config1, prop)) {
       return getMergedValue(undefined, config1[prop]);
     }
   }
@@ -89,6 +99,7 @@ module.exports = function mergeConfig(config1, config2) {
     'httpsAgent': defaultToConfig2,
     'cancelToken': defaultToConfig2,
     'socketPath': defaultToConfig2,
+    'allowedSocketPaths': defaultToConfig2,
     'responseEncoding': defaultToConfig2,
     'validateStatus': mergeDirectKeys
   };

package/lib/defaults/index.js

@@ -8,6 +8,7 @@ var toFormData = require('../helpers/toFormData');
 var toURLEncodedForm = require('../helpers/toURLEncodedForm');
 var platform = require('../platform');
 var formDataToJSON = require('../helpers/formDataToJSON');
+var defaultRedactKeys = require('../helpers/defaultRedactKeys');
 
 var DEFAULT_CONTENT_TYPE = {
   'Content-Type': 'application/x-www-form-urlencoded'
@@ -89,17 +90,20 @@ var defaults = {
     var isFileList;
 
     if (isObjectPayload) {
+      var formSerializer = utils.hasOwnProperty(this, 'formSerializer') ? this.formSerializer : undefined;
+      var envOption = utils.hasOwnProperty(this, 'env') ? this.env : undefined;
+
       if (contentType.indexOf('application/x-www-form-urlencoded') !== -1) {
-        return toURLEncodedForm(data, this.formSerializer).toString();
+        return toURLEncodedForm(data, formSerializer).toString();
       }
 
       if ((isFileList = utils.isFileList(data)) || contentType.indexOf('multipart/form-data') > -1) {
-        var _FormData = this.env && this.env.FormData;
+        var _FormData = envOption && envOption.FormData;
 
         return toFormData(
           isFileList ? {'files[]': data} : data,
           _FormData && new _FormData(),
-          this.formSerializer
+          formSerializer
         );
       }
     }
@@ -148,6 +152,8 @@ var defaults = {
   maxContentLength: -1,
   maxBodyLength: -1,
 
+  redact: defaultRedactKeys.slice(),
+
   env: {
     FormData: platform.classes.FormData,
     Blob: platform.classes.Blob

package/lib/env/data.js

@@ -1,3 +1,3 @@
 module.exports = {
-  "version": "0.31.0"
+  "version": "0.32.0"
 };

package/lib/helpers/AxiosURLSearchParams.js

@@ -3,18 +3,22 @@
 var toFormData = require('./toFormData');
 
 function encode(str) {
+  // Do not map `%00` back to a raw null byte: that reversed
+  // the safe percent-encoding from encodeURIComponent and enabled null byte injection.
   var charMap = {
     '!': '%21',
     "'": '%27',
     '(': '%28',
     ')': '%29',
     '~': '%7E',
-    '%20': '+',
-    '%00': '\x00'
+    '%20': '+'
   };
-  return encodeURIComponent(str).replace(/[!'\(\)~]|%20|%00/g, function replacer(match) {
-    return charMap[match];
-  });
+  return encodeURIComponent(str).replace(
+    /[!'\(\)~]|%20/g,
+    function replacer(match) {
+      return charMap[match];
+    }
+  );
 }
 
 function AxiosURLSearchParams(params, options) {
@@ -30,13 +34,17 @@ prototype.append = function append(name, value) {
 };
 
 prototype.toString = function toString(encoder) {
-  var _encode = encoder ? function(value) {
-    return encoder.call(this, value, encode);
-  } : encode;
-
-  return this._pairs.map(function each(pair) {
-    return _encode(pair[0]) + '=' + _encode(pair[1]);
-  }, '').join('&');
+  var _encode = encoder
+    ? function(value) {
+      return encoder.call(this, value, encode);
+    }
+    : encode;
+
+  return this._pairs
+    .map(function each(pair) {
+      return _encode(pair[0]) + '=' + _encode(pair[1]);
+    }, '')
+    .join('&');
 };
 
 module.exports = AxiosURLSearchParams;

package/lib/helpers/cookies.js

@@ -32,8 +32,21 @@ module.exports = (
         },
 
         read: function read(name) {
-          var match = document.cookie.match(new RegExp('(^|;\\s*)(' + name + ')=([^;]*)'));
-          return (match ? decodeURIComponent(match[3]) : null);
+          var nameEQ = name + '=';
+          var cookies = document.cookie.split(';');
+          var cookie;
+
+          for (var i = 0; i < cookies.length; i++) {
+            cookie = cookies[i];
+            while (cookie.charAt(0) === ' ') {
+              cookie = cookie.substring(1);
+            }
+            if (cookie.indexOf(nameEQ) === 0) {
+              return decodeURIComponent(cookie.substring(nameEQ.length));
+            }
+          }
+
+          return null;
         },
 
         remove: function remove(name) {

package/lib/helpers/defaultRedactKeys.js

@@ -0,0 +1,3 @@
+'use strict';
+
+module.exports = ['authorization', 'proxy-authorization', 'cookie', 'set-cookie', 'x-api-key', 'password'];

package/lib/helpers/shouldBypassProxy.js

@@ -40,6 +40,58 @@ function parseNoProxyEntry(entry) {
   return [entryHost, entryPort];
 }
 
+function parseIPv4Octets(hostname) {
+  var octets = hostname.split('.');
+
+  if (octets.length !== 4) {
+    return null;
+  }
+
+  for (var i = 0; i < octets.length; i++) {
+    if (!/^\d+$/.test(octets[i]) || Number(octets[i]) > 255) {
+      return null;
+    }
+  }
+
+  return octets;
+}
+
+// Recognises the canonical IPv4-mapped IPv6 forms the Node URL parser produces:
+//   ::ffff:127.0.0.1   (dotted-quad tail)
+//   ::ffff:7f00:1      (compressed two-group hex tail)
+// Fully-expanded forms like 0:0:0:0:0:ffff:7f00:1 or single-group tails like
+// ::ffff:1 are not normalised here. URL inputs are canonicalised by the parser
+// before reaching this helper, but hand-crafted no_proxy entries in those
+// shapes will not match an IPv4 listing.
+function normalizeIPv4MappedIPv6(hostname) {
+  // Match against the lowercased form so a hand-crafted no_proxy entry like
+  // `[::FFFF:7F00:1]` still resolves to its IPv4 alias. Callers that route via
+  // URL parsing already lowercase, but the helper stays robust on its own.
+  var lower = hostname.toLowerCase();
+  var dottedMatch = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(lower);
+
+  if (dottedMatch) {
+    var octets = parseIPv4Octets(dottedMatch[1]);
+    return octets ? octets.join('.') : hostname;
+  }
+
+  var hexMatch = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(lower);
+
+  if (hexMatch) {
+    var high = parseInt(hexMatch[1], 16);
+    var low = parseInt(hexMatch[2], 16);
+
+    return [
+      (high >> 8) & 0xff,
+      high & 0xff,
+      (low >> 8) & 0xff,
+      low & 0xff
+    ].join('.');
+  }
+
+  return hostname;
+}
+
 function normalizeNoProxyHost(hostname) {
   if (!hostname) {
     return hostname;
@@ -49,7 +101,9 @@ function normalizeNoProxyHost(hostname) {
     hostname = hostname.slice(1, -1);
   }
 
-  return hostname.replace(/\.+$/, '');
+  hostname = hostname.replace(/\.+$/, '');
+
+  return normalizeIPv4MappedIPv6(hostname);
 }
 
 function isLoopbackIPv4(hostname) {