urllib 2.43.0 → 2.44.1

package/lib/index.d.ts

@@ -32,7 +32,7 @@ export interface RequestOptions {
   writeStream?: Writable;
   /** consume the writeStream, invoke the callback after writeStream close. */
   consumeWriteStream?: boolean;
-  /** 
+  /**
     * The files will send with multipart/form-data format, base on formstream.
     * If method not set, will use POST method by default.
     */
@@ -130,7 +130,7 @@ export interface RequestOptions {
    * It receive two arguments(ip and family) and should return true or false to identified the address is legal or not.
    * It rely on lookup and have the same version requirement.
    */
-  checkAddress?: (ip: string, family: number | string) => boolean;
+  checkAddress?: (ip: string, family: number | string, hostname: string) => boolean;
   /**
    * UNIX domain socket path. (Windows is not supported)
    */

package/lib/urllib.js

@@ -66,6 +66,71 @@ var TEXT_DATA_TYPES = [
 
 var PROTO_RE = /^https?:\/\//i;
 
+// Credential-bearing headers that must not be forwarded across an origin
+// boundary when following a redirect, to avoid leaking them to a third party.
+var CROSS_ORIGIN_SENSITIVE_HEADERS = [ 'authorization', 'cookie', 'proxy-authorization' ];
+
+// Build an absolute href good enough to compute the origin. `currentUrl` may be
+// a parsed URL object (with href) or an http options-style object built from
+// { host/hostname, port, path }, which has no href.
+function resolveOriginHref(currentUrl) {
+  if (currentUrl.href) {
+    return currentUrl.href;
+  }
+  var host = currentUrl.host || currentUrl.hostname;
+  if (!host) {
+    return null;
+  }
+  var protocol = currentUrl.protocol || 'http:';
+  if (protocol.charAt(protocol.length - 1) !== ':') {
+    protocol += ':';
+  }
+  if (currentUrl.port && String(host).indexOf(':') === -1) {
+    host += ':' + currentUrl.port;
+  }
+  return protocol + '//' + host + (currentUrl.path || currentUrl.pathname || '/');
+}
+
+function isCrossOriginRedirect(currentUrl, toUrl) {
+  try {
+    var fromHref = resolveOriginHref(currentUrl);
+    if (!fromHref) {
+      // origin cannot be determined: fail closed
+      return true;
+    }
+    if (URL) {
+      return new URL(fromHref).origin !== new URL(toUrl, fromHref).origin;
+    }
+    // Fallback for runtimes without the WHATWG URL global.
+    // urlutil.parse does not normalize default ports, so compare protocol +
+    // hostname + normalized port instead of the raw `host`.
+    var from = urlutil.parse(fromHref);
+    var to = urlutil.parse(urlutil.resolve(fromHref, toUrl));
+    var fromPort = from.port || (from.protocol === 'https:' ? '443' : '80');
+    var toPort = to.port || (to.protocol === 'https:' ? '443' : '80');
+    return from.protocol !== to.protocol || from.hostname !== to.hostname || fromPort !== toPort;
+  } catch (err) {
+    // Fail closed: if the origin cannot be determined, treat it as cross-origin
+    // so credentials are stripped rather than leaked.
+    return true;
+  }
+}
+
+function cleanCrossOriginHeaders(headers, sensitive) {
+  var list = sensitive || CROSS_ORIGIN_SENSITIVE_HEADERS;
+  var cleaned = {};
+  if (headers) {
+    var names = utility.getOwnEnumerables(headers, true);
+    for (var i = 0; i < names.length; i++) {
+      var name = names[i];
+      if (list.indexOf(name.toLowerCase()) === -1) {
+        cleaned[name] = headers[name];
+      }
+    }
+  }
+  return cleaned;
+}
+
 // Keep-Alive: timeout=5, max=100
 var KEEP_ALIVE_RE = /^timeout=(\d+)/i;
 
@@ -276,7 +341,7 @@ function requestWithCallback(url, args, callback) {
     lookup = function(host, dnsopts, callback) {
       _lookup(host, dnsopts, function emitLookup(err, ip, family) {
         // add check address logic in custom dns lookup
-        if (!err && !args.checkAddress(ip, family)) {
+        if (!err && !args.checkAddress(ip, family, host)) {
           err = new Error('illegal address');
           err.name = 'IllegalAddressError';
           err.hostname = host;
@@ -688,6 +753,24 @@ function requestWithCallback(url, args, callback) {
           options.headers.host = null;
           args.headers = options.headers;
         }
+        // do not forward credential-bearing headers / auth to a different origin
+        if (isCrossOriginRedirect(parsedUrl, newUrl)) {
+          // Clone so this redirect-specific sanitization never corrupts the
+          // caller's reusable options object.
+          var redirectArgs = Object.assign({}, args);
+          var sensitiveHeaders = CROSS_ORIGIN_SENSITIVE_HEADERS;
+          if (proxyTunnelAgent) {
+            // Proxy-Authorization authenticates the (unchanged) proxy hop, not
+            // the redirected origin, so keep it when the request is proxied.
+            sensitiveHeaders = sensitiveHeaders.filter(function (name) {
+              return name !== 'proxy-authorization';
+            });
+          }
+          redirectArgs.headers = cleanCrossOriginHeaders(args.headers || options.headers, sensitiveHeaders);
+          redirectArgs.auth = null;
+          redirectArgs.digestAuth = null;
+          args = redirectArgs;
+        }
         // avoid done will be execute in the future change.
         var cb = callback;
         callback = null;
@@ -1017,7 +1100,7 @@ function requestWithCallback(url, args, callback) {
       family = 6;
     }
     if (family) {
-      if (!args.checkAddress(hostname, family)) {
+      if (!args.checkAddress(hostname, family, hostname)) {
         var err = new Error('illegal address');
         err.name = 'IllegalAddressError';
         err.hostname = hostname;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "urllib",
-  "version": "2.43.0",
+  "version": "2.44.1",
   "publishConfig": {
     "tag": "latest-2"
   },