axios 1.17.0 → 1.18.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +84 -1
- package/README.md +155 -22
- package/dist/axios.js +407 -142
- package/dist/axios.min.js +3 -3
- package/dist/axios.min.js.map +1 -1
- package/dist/browser/axios.cjs +422 -115
- package/dist/esm/axios.js +422 -115
- package/dist/esm/axios.min.js +2 -2
- package/dist/esm/axios.min.js.map +1 -1
- package/dist/node/axios.cjs +515 -130
- package/index.d.cts +19 -1
- package/index.d.ts +19 -1
- package/lib/adapters/adapters.js +1 -1
- package/lib/adapters/fetch.js +140 -49
- package/lib/adapters/http.js +215 -54
- package/lib/adapters/xhr.js +1 -0
- package/lib/core/Axios.js +3 -2
- package/lib/core/AxiosError.js +13 -1
- package/lib/core/AxiosHeaders.js +10 -7
- package/lib/core/buildFullPath.js +29 -1
- package/lib/core/mergeConfig.js +35 -0
- package/lib/defaults/transitional.js +1 -0
- package/lib/env/data.js +1 -1
- package/lib/helpers/AxiosURLSearchParams.js +1 -3
- package/lib/helpers/buildURL.js +6 -3
- package/lib/helpers/composeSignals.js +1 -1
- package/lib/helpers/cookies.js +5 -1
- package/lib/helpers/estimateDataURLDecodedBytes.js +16 -11
- package/lib/helpers/formDataToJSON.js +25 -3
- package/lib/helpers/fromDataURI.js +4 -2
- package/lib/helpers/resolveConfig.js +14 -7
- package/lib/helpers/shouldBypassProxy.js +33 -1
- package/lib/helpers/toFormData.js +47 -11
- package/lib/helpers/validator.js +1 -1
- package/lib/utils.js +75 -11
- package/package.json +2 -2
package/lib/env/data.js
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
export const VERSION = "1.
|
|
1
|
+
export const VERSION = "1.18.1";
|
|
@@ -46,9 +46,7 @@ prototype.append = function append(name, value) {
|
|
|
46
46
|
|
|
47
47
|
prototype.toString = function toString(encoder) {
|
|
48
48
|
const _encode = encoder
|
|
49
|
-
?
|
|
50
|
-
return encoder.call(this, value, encode);
|
|
51
|
-
}
|
|
49
|
+
? (value) => encoder.call(this, value, encode)
|
|
52
50
|
: encode;
|
|
53
51
|
|
|
54
52
|
return this._pairs
|
package/lib/helpers/buildURL.js
CHANGED
|
@@ -32,8 +32,7 @@ export default function buildURL(url, params, options) {
|
|
|
32
32
|
if (!params) {
|
|
33
33
|
return url;
|
|
34
34
|
}
|
|
35
|
-
|
|
36
|
-
const _encode = (options && options.encode) || encode;
|
|
35
|
+
url = url || '';
|
|
37
36
|
|
|
38
37
|
const _options = utils.isFunction(options)
|
|
39
38
|
? {
|
|
@@ -41,7 +40,11 @@ export default function buildURL(url, params, options) {
|
|
|
41
40
|
}
|
|
42
41
|
: options;
|
|
43
42
|
|
|
44
|
-
|
|
43
|
+
// Read serializer options pollution-safely: own properties and methods on a
|
|
44
|
+
// class/template prototype are honored, but values injected onto a polluted
|
|
45
|
+
// Object.prototype are ignored.
|
|
46
|
+
const _encode = utils.getSafeProp(_options, 'encode') || encode;
|
|
47
|
+
const serializeFn = utils.getSafeProp(_options, 'serialize');
|
|
45
48
|
|
|
46
49
|
let serializedParams;
|
|
47
50
|
|
|
@@ -45,7 +45,7 @@ const composeSignals = (signals, timeout) => {
|
|
|
45
45
|
signals = null;
|
|
46
46
|
};
|
|
47
47
|
|
|
48
|
-
signals.forEach((signal) => signal.addEventListener('abort', onabort));
|
|
48
|
+
signals.forEach((signal) => signal.addEventListener('abort', onabort, { once: true }));
|
|
49
49
|
|
|
50
50
|
const { signal } = controller;
|
|
51
51
|
|
package/lib/helpers/cookies.js
CHANGED
|
@@ -40,7 +40,11 @@ export default platform.hasStandardBrowserEnv
|
|
|
40
40
|
const cookie = cookies[i].replace(/^\s+/, '');
|
|
41
41
|
const eq = cookie.indexOf('=');
|
|
42
42
|
if (eq !== -1 && cookie.slice(0, eq) === name) {
|
|
43
|
-
|
|
43
|
+
try {
|
|
44
|
+
return decodeURIComponent(cookie.slice(eq + 1));
|
|
45
|
+
} catch (e) {
|
|
46
|
+
return cookie.slice(eq + 1);
|
|
47
|
+
}
|
|
44
48
|
}
|
|
45
49
|
}
|
|
46
50
|
return null;
|
|
@@ -2,11 +2,19 @@
|
|
|
2
2
|
* Estimate decoded byte length of a data:// URL *without* allocating large buffers.
|
|
3
3
|
* - For base64: compute exact decoded size using length and padding;
|
|
4
4
|
* handle %XX at the character-count level (no string allocation).
|
|
5
|
-
* - For non-base64:
|
|
5
|
+
* - For non-base64: compute the exact percent-decoded UTF-8 byte length.
|
|
6
6
|
*
|
|
7
7
|
* @param {string} url
|
|
8
8
|
* @returns {number}
|
|
9
9
|
*/
|
|
10
|
+
const isHexDigit = (charCode) =>
|
|
11
|
+
(charCode >= 48 && charCode <= 57) ||
|
|
12
|
+
(charCode >= 65 && charCode <= 70) ||
|
|
13
|
+
(charCode >= 97 && charCode <= 102);
|
|
14
|
+
|
|
15
|
+
const isPercentEncodedByte = (str, i, len) =>
|
|
16
|
+
i + 2 < len && isHexDigit(str.charCodeAt(i + 1)) && isHexDigit(str.charCodeAt(i + 2));
|
|
17
|
+
|
|
10
18
|
export default function estimateDataURLDecodedBytes(url) {
|
|
11
19
|
if (!url || typeof url !== 'string') return 0;
|
|
12
20
|
if (!url.startsWith('data:')) return 0;
|
|
@@ -26,9 +34,7 @@ export default function estimateDataURLDecodedBytes(url) {
|
|
|
26
34
|
if (body.charCodeAt(i) === 37 /* '%' */ && i + 2 < len) {
|
|
27
35
|
const a = body.charCodeAt(i + 1);
|
|
28
36
|
const b = body.charCodeAt(i + 2);
|
|
29
|
-
const isHex =
|
|
30
|
-
((a >= 48 && a <= 57) || (a >= 65 && a <= 70) || (a >= 97 && a <= 102)) &&
|
|
31
|
-
((b >= 48 && b <= 57) || (b >= 65 && b <= 70) || (b >= 97 && b <= 102));
|
|
37
|
+
const isHex = isHexDigit(a) && isHexDigit(b);
|
|
32
38
|
|
|
33
39
|
if (isHex) {
|
|
34
40
|
effectiveLen -= 2;
|
|
@@ -69,18 +75,17 @@ export default function estimateDataURLDecodedBytes(url) {
|
|
|
69
75
|
return bytes > 0 ? bytes : 0;
|
|
70
76
|
}
|
|
71
77
|
|
|
72
|
-
if (typeof Buffer !== 'undefined' && typeof Buffer.byteLength === 'function') {
|
|
73
|
-
return Buffer.byteLength(body, 'utf8');
|
|
74
|
-
}
|
|
75
|
-
|
|
76
78
|
// Compute UTF-8 byte length directly from UTF-16 code units without allocating
|
|
77
79
|
// a byte buffer (TextEncoder.encode would defeat the DoS guard on large bodies).
|
|
78
|
-
//
|
|
79
|
-
//
|
|
80
|
+
// Valid %XX triplets count as one decoded byte; this matches the bytes that
|
|
81
|
+
// decodeURIComponent(body) would produce before Buffer re-encodes the string.
|
|
80
82
|
let bytes = 0;
|
|
81
83
|
for (let i = 0, len = body.length; i < len; i++) {
|
|
82
84
|
const c = body.charCodeAt(i);
|
|
83
|
-
if (c
|
|
85
|
+
if (c === 37 /* '%' */ && isPercentEncodedByte(body, i, len)) {
|
|
86
|
+
bytes += 1;
|
|
87
|
+
i += 2;
|
|
88
|
+
} else if (c < 0x80) {
|
|
84
89
|
bytes += 1;
|
|
85
90
|
} else if (c < 0x800) {
|
|
86
91
|
bytes += 2;
|
|
@@ -1,6 +1,19 @@
|
|
|
1
1
|
'use strict';
|
|
2
2
|
|
|
3
3
|
import utils from '../utils.js';
|
|
4
|
+
import AxiosError from '../core/AxiosError.js';
|
|
5
|
+
import { DEFAULT_FORM_DATA_MAX_DEPTH } from './toFormData.js';
|
|
6
|
+
|
|
7
|
+
const MAX_DEPTH = DEFAULT_FORM_DATA_MAX_DEPTH;
|
|
8
|
+
|
|
9
|
+
function throwIfDepthExceeded(index) {
|
|
10
|
+
if (index > MAX_DEPTH) {
|
|
11
|
+
throw new AxiosError(
|
|
12
|
+
'FormData field is too deeply nested (' + index + ' levels). Max depth: ' + MAX_DEPTH,
|
|
13
|
+
AxiosError.ERR_FORM_DATA_DEPTH_EXCEEDED
|
|
14
|
+
);
|
|
15
|
+
}
|
|
16
|
+
}
|
|
4
17
|
|
|
5
18
|
/**
|
|
6
19
|
* It takes a string like `foo[x][y][z]` and returns an array like `['foo', 'x', 'y', 'z']
|
|
@@ -14,9 +27,16 @@ function parsePropPath(name) {
|
|
|
14
27
|
// foo.x.y.z
|
|
15
28
|
// foo-x-y-z
|
|
16
29
|
// foo x y z
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
30
|
+
const path = [];
|
|
31
|
+
const pattern = /\w+|\[(\w*)]/g;
|
|
32
|
+
let match;
|
|
33
|
+
|
|
34
|
+
while ((match = pattern.exec(name)) !== null) {
|
|
35
|
+
throwIfDepthExceeded(path.length);
|
|
36
|
+
path.push(match[0] === '[]' ? '' : match[1] || match[0]);
|
|
37
|
+
}
|
|
38
|
+
|
|
39
|
+
return path;
|
|
20
40
|
}
|
|
21
41
|
|
|
22
42
|
/**
|
|
@@ -48,6 +68,8 @@ function arrayToObject(arr) {
|
|
|
48
68
|
*/
|
|
49
69
|
function formDataToJSON(formData) {
|
|
50
70
|
function buildPath(path, value, target, index) {
|
|
71
|
+
throwIfDepthExceeded(index);
|
|
72
|
+
|
|
51
73
|
let name = path[index++];
|
|
52
74
|
|
|
53
75
|
if (name === '__proto__') return true;
|
|
@@ -42,14 +42,16 @@ export default function fromDataURI(uri, asBlob, options) {
|
|
|
42
42
|
|
|
43
43
|
// RFC 2397 section 3: default mediatype is text/plain;charset=US-ASCII
|
|
44
44
|
// Bare `data:,` leaves mime undefined; Blob normalises that to "" per spec.
|
|
45
|
-
let mime;
|
|
45
|
+
let mime = '';
|
|
46
46
|
if (type) {
|
|
47
47
|
mime = params ? type + params : type;
|
|
48
48
|
} else if (params) {
|
|
49
49
|
mime = 'text/plain' + params;
|
|
50
50
|
}
|
|
51
51
|
|
|
52
|
-
const buffer =
|
|
52
|
+
const buffer = encoding === 'base64'
|
|
53
|
+
? Buffer.from(body, 'base64')
|
|
54
|
+
: Buffer.from(decodeURIComponent(body), encoding);
|
|
53
55
|
|
|
54
56
|
if (asBlob) {
|
|
55
57
|
if (!_Blob) {
|
|
@@ -1,5 +1,6 @@
|
|
|
1
1
|
import platform from '../platform/index.js';
|
|
2
2
|
import utils from '../utils.js';
|
|
3
|
+
import AxiosError from '../core/AxiosError.js';
|
|
3
4
|
import isURLSameOrigin from './isURLSameOrigin.js';
|
|
4
5
|
import cookies from './cookies.js';
|
|
5
6
|
import buildFullPath from '../core/buildFullPath.js';
|
|
@@ -15,7 +16,7 @@ function setFormDataHeaders(headers, formHeaders, policy) {
|
|
|
15
16
|
return;
|
|
16
17
|
}
|
|
17
18
|
|
|
18
|
-
Object.entries(formHeaders).forEach(([key, val]) => {
|
|
19
|
+
Object.entries(formHeaders || {}).forEach(([key, val]) => {
|
|
19
20
|
if (FORM_DATA_CONTENT_HEADERS.includes(key.toLowerCase())) {
|
|
20
21
|
headers.set(key, val);
|
|
21
22
|
}
|
|
@@ -55,18 +56,24 @@ function resolveConfig(config) {
|
|
|
55
56
|
newConfig.headers = headers = AxiosHeaders.from(headers);
|
|
56
57
|
|
|
57
58
|
newConfig.url = buildURL(
|
|
58
|
-
buildFullPath(baseURL, url, allowAbsoluteUrls),
|
|
59
|
+
buildFullPath(baseURL, url, allowAbsoluteUrls, newConfig),
|
|
59
60
|
own('params'),
|
|
60
61
|
own('paramsSerializer')
|
|
61
62
|
);
|
|
62
63
|
|
|
63
64
|
// HTTP basic authentication
|
|
64
65
|
if (auth) {
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
|
|
68
|
-
|
|
69
|
-
|
|
66
|
+
const username = utils.getSafeProp(auth, 'username') || '';
|
|
67
|
+
const password = utils.getSafeProp(auth, 'password') || '';
|
|
68
|
+
|
|
69
|
+
try {
|
|
70
|
+
headers.set(
|
|
71
|
+
'Authorization',
|
|
72
|
+
'Basic ' + btoa(username + ':' + (password ? encodeUTF8(password) : ''))
|
|
73
|
+
);
|
|
74
|
+
} catch (e) {
|
|
75
|
+
throw AxiosError.from(e, AxiosError.ERR_BAD_OPTION_VALUE, config);
|
|
76
|
+
}
|
|
70
77
|
}
|
|
71
78
|
|
|
72
79
|
if (utils.isFormData(data)) {
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
const LOOPBACK_HOSTNAMES = new Set(['localhost']);
|
|
1
|
+
const LOOPBACK_HOSTNAMES = new Set(['localhost', '0.0.0.0']);
|
|
2
2
|
|
|
3
3
|
const isIPv4Loopback = (host) => {
|
|
4
4
|
const parts = host.split('.');
|
|
@@ -7,6 +7,37 @@ const isIPv4Loopback = (host) => {
|
|
|
7
7
|
return parts.every((p) => /^\d+$/.test(p) && Number(p) >= 0 && Number(p) <= 255);
|
|
8
8
|
};
|
|
9
9
|
|
|
10
|
+
const isIPv6ZeroGroup = (group) => /^0{1,4}$/.test(group);
|
|
11
|
+
|
|
12
|
+
// The unspecified address (IPv4 0.0.0.0 / IPv6 ::) resolves to the local host
|
|
13
|
+
// for outbound connections, so treat it as loopback-equivalent for NO_PROXY
|
|
14
|
+
// matching. 0.0.0.0 is covered by LOOPBACK_HOSTNAMES; this handles compressed
|
|
15
|
+
// and full IPv6 all-zero forms so both families bypass symmetrically.
|
|
16
|
+
const isIPv6Unspecified = (host) => {
|
|
17
|
+
if (host === '::') return true;
|
|
18
|
+
|
|
19
|
+
const compressionIndex = host.indexOf('::');
|
|
20
|
+
|
|
21
|
+
if (compressionIndex !== -1) {
|
|
22
|
+
if (compressionIndex !== host.lastIndexOf('::')) return false;
|
|
23
|
+
|
|
24
|
+
const left = host.slice(0, compressionIndex);
|
|
25
|
+
const right = host.slice(compressionIndex + 2);
|
|
26
|
+
const leftGroups = left ? left.split(':') : [];
|
|
27
|
+
const rightGroups = right ? right.split(':') : [];
|
|
28
|
+
const explicitGroups = leftGroups.length + rightGroups.length;
|
|
29
|
+
|
|
30
|
+
return (
|
|
31
|
+
explicitGroups < 8 &&
|
|
32
|
+
leftGroups.every(isIPv6ZeroGroup) &&
|
|
33
|
+
rightGroups.every(isIPv6ZeroGroup)
|
|
34
|
+
);
|
|
35
|
+
}
|
|
36
|
+
|
|
37
|
+
const groups = host.split(':');
|
|
38
|
+
return groups.length === 8 && groups.every(isIPv6ZeroGroup);
|
|
39
|
+
};
|
|
40
|
+
|
|
10
41
|
const isIPv6Loopback = (host) => {
|
|
11
42
|
// Collapse all-zero groups: any form of ::1 / 0:0:...:0:1
|
|
12
43
|
// First, strip any leading "::" by normalising with Set lookup of common forms,
|
|
@@ -42,6 +73,7 @@ const isLoopback = (host) => {
|
|
|
42
73
|
if (!host) return false;
|
|
43
74
|
if (LOOPBACK_HOSTNAMES.has(host)) return true;
|
|
44
75
|
if (isIPv4Loopback(host)) return true;
|
|
76
|
+
if (isIPv6Unspecified(host)) return true;
|
|
45
77
|
return isIPv6Loopback(host);
|
|
46
78
|
};
|
|
47
79
|
|
|
@@ -5,6 +5,10 @@ import AxiosError from '../core/AxiosError.js';
|
|
|
5
5
|
// temporary hotfix to avoid circular references until AxiosURLSearchParams is refactored
|
|
6
6
|
import PlatformFormData from '../platform/node/classes/FormData.js';
|
|
7
7
|
|
|
8
|
+
// Default nesting limit shared with the inverse transform (formDataToJSON) so
|
|
9
|
+
// the FormData <-> JSON round-trip stays symmetric.
|
|
10
|
+
export const DEFAULT_FORM_DATA_MAX_DEPTH = 100;
|
|
11
|
+
|
|
8
12
|
/**
|
|
9
13
|
* Determines if the given thing is a array or js object.
|
|
10
14
|
*
|
|
@@ -115,8 +119,9 @@ function toFormData(obj, formData, options) {
|
|
|
115
119
|
const dots = options.dots;
|
|
116
120
|
const indexes = options.indexes;
|
|
117
121
|
const _Blob = options.Blob || (typeof Blob !== 'undefined' && Blob);
|
|
118
|
-
const maxDepth = options.maxDepth === undefined ?
|
|
122
|
+
const maxDepth = options.maxDepth === undefined ? DEFAULT_FORM_DATA_MAX_DEPTH : options.maxDepth;
|
|
119
123
|
const useBlob = _Blob && utils.isSpecCompliantForm(formData);
|
|
124
|
+
const stack = [];
|
|
120
125
|
|
|
121
126
|
if (!utils.isFunction(visitor)) {
|
|
122
127
|
throw new TypeError('visitor must be a function');
|
|
@@ -138,12 +143,50 @@ function toFormData(obj, formData, options) {
|
|
|
138
143
|
}
|
|
139
144
|
|
|
140
145
|
if (utils.isArrayBuffer(value) || utils.isTypedArray(value)) {
|
|
141
|
-
|
|
146
|
+
if (useBlob && typeof _Blob === 'function') {
|
|
147
|
+
return new _Blob([value]);
|
|
148
|
+
}
|
|
149
|
+
if (typeof Buffer !== 'undefined') {
|
|
150
|
+
return Buffer.from(value);
|
|
151
|
+
}
|
|
152
|
+
throw new AxiosError('Blob is not supported. Use a Buffer instead.', AxiosError.ERR_NOT_SUPPORT);
|
|
142
153
|
}
|
|
143
154
|
|
|
144
155
|
return value;
|
|
145
156
|
}
|
|
146
157
|
|
|
158
|
+
function throwIfMaxDepthExceeded(depth) {
|
|
159
|
+
if (depth > maxDepth) {
|
|
160
|
+
throw new AxiosError(
|
|
161
|
+
'Object is too deeply nested (' + depth + ' levels). Max depth: ' + maxDepth,
|
|
162
|
+
AxiosError.ERR_FORM_DATA_DEPTH_EXCEEDED
|
|
163
|
+
);
|
|
164
|
+
}
|
|
165
|
+
}
|
|
166
|
+
|
|
167
|
+
function stringifyWithDepthLimit(value, depth) {
|
|
168
|
+
if (maxDepth === Infinity) {
|
|
169
|
+
return JSON.stringify(value);
|
|
170
|
+
}
|
|
171
|
+
|
|
172
|
+
const ancestors = [];
|
|
173
|
+
|
|
174
|
+
return JSON.stringify(value, function limitDepth(_key, currentValue) {
|
|
175
|
+
if (!utils.isObject(currentValue)) {
|
|
176
|
+
return currentValue;
|
|
177
|
+
}
|
|
178
|
+
|
|
179
|
+
while (ancestors.length && ancestors[ancestors.length - 1] !== this) {
|
|
180
|
+
ancestors.pop();
|
|
181
|
+
}
|
|
182
|
+
|
|
183
|
+
ancestors.push(currentValue);
|
|
184
|
+
throwIfMaxDepthExceeded(depth + ancestors.length - 1);
|
|
185
|
+
|
|
186
|
+
return currentValue;
|
|
187
|
+
});
|
|
188
|
+
}
|
|
189
|
+
|
|
147
190
|
/**
|
|
148
191
|
* Default visitor.
|
|
149
192
|
*
|
|
@@ -167,7 +210,7 @@ function toFormData(obj, formData, options) {
|
|
|
167
210
|
// eslint-disable-next-line no-param-reassign
|
|
168
211
|
key = metaTokens ? key : key.slice(0, -2);
|
|
169
212
|
// eslint-disable-next-line no-param-reassign
|
|
170
|
-
value =
|
|
213
|
+
value = stringifyWithDepthLimit(value, 1);
|
|
171
214
|
} else if (
|
|
172
215
|
(utils.isArray(value) && isFlatArray(value)) ||
|
|
173
216
|
((utils.isFileList(value) || utils.endsWith(key, '[]')) && (arr = utils.toArray(value)))
|
|
@@ -200,8 +243,6 @@ function toFormData(obj, formData, options) {
|
|
|
200
243
|
return false;
|
|
201
244
|
}
|
|
202
245
|
|
|
203
|
-
const stack = [];
|
|
204
|
-
|
|
205
246
|
const exposedHelpers = Object.assign(predicates, {
|
|
206
247
|
defaultVisitor,
|
|
207
248
|
convertValue,
|
|
@@ -211,12 +252,7 @@ function toFormData(obj, formData, options) {
|
|
|
211
252
|
function build(value, path, depth = 0) {
|
|
212
253
|
if (utils.isUndefined(value)) return;
|
|
213
254
|
|
|
214
|
-
|
|
215
|
-
throw new AxiosError(
|
|
216
|
-
'Object is too deeply nested (' + depth + ' levels). Max depth: ' + maxDepth,
|
|
217
|
-
AxiosError.ERR_FORM_DATA_DEPTH_EXCEEDED
|
|
218
|
-
);
|
|
219
|
-
}
|
|
255
|
+
throwIfMaxDepthExceeded(depth);
|
|
220
256
|
|
|
221
257
|
if (stack.indexOf(value) !== -1) {
|
|
222
258
|
throw new Error('Circular reference detected in ' + path.join('.'));
|
package/lib/helpers/validator.js
CHANGED
|
@@ -79,7 +79,7 @@ validators.spelling = function spelling(correctSpelling) {
|
|
|
79
79
|
*/
|
|
80
80
|
|
|
81
81
|
function assertOptions(options, schema, allowUnknown) {
|
|
82
|
-
if (typeof options !== 'object') {
|
|
82
|
+
if (typeof options !== 'object' || options === null) {
|
|
83
83
|
throw new AxiosError('options must be an object', AxiosError.ERR_BAD_OPTION_VALUE);
|
|
84
84
|
}
|
|
85
85
|
const keys = Object.keys(options);
|
package/lib/utils.js
CHANGED
|
@@ -8,6 +8,57 @@ const { toString } = Object.prototype;
|
|
|
8
8
|
const { getPrototypeOf } = Object;
|
|
9
9
|
const { iterator, toStringTag } = Symbol;
|
|
10
10
|
|
|
11
|
+
/* Creating a function that will check if an object has a property. */
|
|
12
|
+
const hasOwnProperty = (
|
|
13
|
+
({ hasOwnProperty }) =>
|
|
14
|
+
(obj, prop) =>
|
|
15
|
+
hasOwnProperty.call(obj, prop)
|
|
16
|
+
)(Object.prototype);
|
|
17
|
+
|
|
18
|
+
/**
|
|
19
|
+
* Walk the prototype chain (excluding the shared Object.prototype) looking for
|
|
20
|
+
* an own `prop`. This distinguishes genuine own/inherited members — including
|
|
21
|
+
* class accessors and template prototypes — from members injected via
|
|
22
|
+
* Object.prototype pollution (e.g. `Object.prototype.username = '...'`), which
|
|
23
|
+
* live on Object.prototype itself and are therefore never matched.
|
|
24
|
+
*
|
|
25
|
+
* @param {*} thing The value whose chain to inspect
|
|
26
|
+
* @param {string|symbol} prop The property key to look for
|
|
27
|
+
*
|
|
28
|
+
* @returns {boolean} True when `prop` is owned below Object.prototype
|
|
29
|
+
*/
|
|
30
|
+
const hasOwnInPrototypeChain = (thing, prop) => {
|
|
31
|
+
let obj = thing;
|
|
32
|
+
const seen = [];
|
|
33
|
+
|
|
34
|
+
while (obj != null && obj !== Object.prototype) {
|
|
35
|
+
if (seen.indexOf(obj) !== -1) {
|
|
36
|
+
return false;
|
|
37
|
+
}
|
|
38
|
+
seen.push(obj);
|
|
39
|
+
|
|
40
|
+
if (hasOwnProperty(obj, prop)) {
|
|
41
|
+
return true;
|
|
42
|
+
}
|
|
43
|
+
obj = getPrototypeOf(obj);
|
|
44
|
+
}
|
|
45
|
+
return false;
|
|
46
|
+
};
|
|
47
|
+
|
|
48
|
+
/**
|
|
49
|
+
* Read `obj[prop]` only when it is safe from Object.prototype pollution. Own
|
|
50
|
+
* properties and members inherited from a non-Object.prototype source (a class
|
|
51
|
+
* instance or template object) are honored; a value reachable only through a
|
|
52
|
+
* polluted Object.prototype is ignored and `undefined` is returned.
|
|
53
|
+
*
|
|
54
|
+
* @param {*} obj The source object
|
|
55
|
+
* @param {string|symbol} prop The property key to read
|
|
56
|
+
*
|
|
57
|
+
* @returns {*} The resolved value, or undefined when unsafe/absent
|
|
58
|
+
*/
|
|
59
|
+
const getSafeProp = (obj, prop) =>
|
|
60
|
+
obj != null && hasOwnInPrototypeChain(obj, prop) ? obj[prop] : undefined;
|
|
61
|
+
|
|
11
62
|
const kindOf = ((cache) => (thing) => {
|
|
12
63
|
const str = toString.call(thing);
|
|
13
64
|
return cache[str] || (cache[str] = str.slice(8, -1).toLowerCase());
|
|
@@ -133,7 +184,7 @@ const isBoolean = (thing) => thing === true || thing === false;
|
|
|
133
184
|
* @returns {boolean} True if value is a plain Object, otherwise false
|
|
134
185
|
*/
|
|
135
186
|
const isPlainObject = (val) => {
|
|
136
|
-
if (
|
|
187
|
+
if (!isObject(val)) {
|
|
137
188
|
return false;
|
|
138
189
|
}
|
|
139
190
|
|
|
@@ -141,9 +192,12 @@ const isPlainObject = (val) => {
|
|
|
141
192
|
return (
|
|
142
193
|
(prototype === null ||
|
|
143
194
|
prototype === Object.prototype ||
|
|
144
|
-
|
|
145
|
-
|
|
146
|
-
|
|
195
|
+
getPrototypeOf(prototype) === null) &&
|
|
196
|
+
// Treat any genuine (non-Object.prototype-polluted) Symbol.toStringTag or
|
|
197
|
+
// Symbol.iterator as evidence the value is a tagged/iterable type rather
|
|
198
|
+
// than a plain object, while ignoring keys injected onto Object.prototype.
|
|
199
|
+
!hasOwnInPrototypeChain(val, toStringTag) &&
|
|
200
|
+
!hasOwnInPrototypeChain(val, iterator)
|
|
147
201
|
);
|
|
148
202
|
};
|
|
149
203
|
|
|
@@ -670,13 +724,6 @@ const toCamelCase = (str) => {
|
|
|
670
724
|
});
|
|
671
725
|
};
|
|
672
726
|
|
|
673
|
-
/* Creating a function that will check if an object has a property. */
|
|
674
|
-
const hasOwnProperty = (
|
|
675
|
-
({ hasOwnProperty }) =>
|
|
676
|
-
(obj, prop) =>
|
|
677
|
-
hasOwnProperty.call(obj, prop)
|
|
678
|
-
)(Object.prototype);
|
|
679
|
-
|
|
680
727
|
const { propertyIsEnumerable } = Object.prototype;
|
|
681
728
|
|
|
682
729
|
/**
|
|
@@ -890,6 +937,20 @@ const asap =
|
|
|
890
937
|
|
|
891
938
|
const isIterable = (thing) => thing != null && isFunction(thing[iterator]);
|
|
892
939
|
|
|
940
|
+
/**
|
|
941
|
+
* Determine if a value is iterable via an iterator that is NOT sourced solely
|
|
942
|
+
* from a polluted Object.prototype. Use this instead of `isIterable` whenever
|
|
943
|
+
* the iterable comes from untrusted input (e.g. user-supplied header sources),
|
|
944
|
+
* so `Object.prototype[Symbol.iterator] = ...` cannot turn an ordinary object
|
|
945
|
+
* into an attacker-controlled entries iterator.
|
|
946
|
+
*
|
|
947
|
+
* @param {*} thing The value to test
|
|
948
|
+
*
|
|
949
|
+
* @returns {boolean} True if value has a non-polluted iterator
|
|
950
|
+
*/
|
|
951
|
+
const isSafeIterable = (thing) =>
|
|
952
|
+
thing != null && hasOwnInPrototypeChain(thing, iterator) && isIterable(thing);
|
|
953
|
+
|
|
893
954
|
export default {
|
|
894
955
|
isArray,
|
|
895
956
|
isArrayBuffer,
|
|
@@ -934,6 +995,8 @@ export default {
|
|
|
934
995
|
isHTMLForm,
|
|
935
996
|
hasOwnProperty,
|
|
936
997
|
hasOwnProp: hasOwnProperty, // an alias to avoid ESLint no-prototype-builtins detection
|
|
998
|
+
hasOwnInPrototypeChain,
|
|
999
|
+
getSafeProp,
|
|
937
1000
|
reduceDescriptors,
|
|
938
1001
|
freezeMethods,
|
|
939
1002
|
toObjectSet,
|
|
@@ -950,4 +1013,5 @@ export default {
|
|
|
950
1013
|
setImmediate: _setImmediate,
|
|
951
1014
|
asap,
|
|
952
1015
|
isIterable,
|
|
1016
|
+
isSafeIterable,
|
|
953
1017
|
};
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "axios",
|
|
3
|
-
"version": "1.
|
|
3
|
+
"version": "1.18.1",
|
|
4
4
|
"description": "Promise based HTTP client for the browser and node.js",
|
|
5
5
|
"main": "./dist/node/axios.cjs",
|
|
6
6
|
"module": "./index.js",
|
|
@@ -87,8 +87,8 @@
|
|
|
87
87
|
"Martti Laine (https://github.com/codeclown)",
|
|
88
88
|
"Xianming Zhong (https://github.com/chinesedfan)",
|
|
89
89
|
"Shaan Majid (https://github.com/shaanmajid)",
|
|
90
|
-
"Willian Agostini (https://github.com/WillianAgostini)",
|
|
91
90
|
"Remco Haszing (https://github.com/remcohaszing)",
|
|
91
|
+
"Willian Agostini (https://github.com/WillianAgostini)",
|
|
92
92
|
"Rikki Gibson (https://github.com/RikkiGibson)"
|
|
93
93
|
],
|
|
94
94
|
"sideEffects": false,
|