Commit 6689be4

Merge pull request actions#237 from actions/joshmgross/audit-fix
Update `node-fetch`
2 parents 41e1ab4 + d526c04 commit 6689be4

3 files changed: +44 -10 lines changed
.licenses/npm/node-fetch.dep.yml

Lines changed: 1 addition & 1 deletion

dist/index.js

Lines changed: 29 additions & 3 deletions
@@ -7768,7 +7768,7 @@ Object.defineProperty(Response.prototype, Symbol.toStringTag, {
77687768
});
77697769

77707770
const INTERNALS$2 = Symbol('Request internals');
7771-
const URL = whatwgUrl.URL;
7771+
const URL = Url.URL || whatwgUrl.URL;
77727772

77737773
// fix an issue where "format", "parse" aren't a named export for node <10
77747774
const parse_url = Url.parse;
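Review bot: the new fallback `const URL = Url.URL || whatwgUrl.URL;` at 7771 switches the parser from the bundled `whatwg-url` to Node's built-in `url.URL` whenever it exists, but nothing in the hunk records why, and the only nearby comment (7773) is about the `format`/`parse` exports on node <10. Every later `new URL$1(...)` call in this bundle inherits whichever implementation wins here, so a one-line comment stating that the native parser is preferred and `whatwgUrl` is only a polyfill for older Node would keep the `URL` and `URL$1` definitions from drifting apart. Since `dist/index.js` is the compiled bundle of the `node-fetch` update named in the commit message, any wording fix belongs upstream; the review point for this repository is only that the bundle matches the intended dependency version.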
@@ -8031,9 +8031,17 @@ AbortError.prototype = Object.create(Error.prototype);
80318031
AbortError.prototype.constructor = AbortError;
80328032
AbortError.prototype.name = 'AbortError';
80338033

8034+
const URL$1 = Url.URL || whatwgUrl.URL;
8035+
80348036
// fix an issue where "PassThrough", "resolve" aren't a named export for node <10
80358037
const PassThrough$1 = Stream.PassThrough;
8036-
const resolve_url = Url.resolve;
8038+
8039+
const isDomainOrSubdomain = function isDomainOrSubdomain(destination, original) {
8040+
const orig = new URL$1(original).hostname;
8041+
const dest = new URL$1(destination).hostname;
8042+
8043+
return orig === dest || orig[orig.length - dest.length - 1] === '.' && orig.endsWith(dest);
8044+
};
80378045

80388046
/**
80398047
* Fetch function
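Review bot: `isDomainOrSubdomain(destination, original)` at 8039-8044 reads its arguments the opposite way round from its names: it returns true when `orig` (the `original` argument) equals `dest` or ends in `.` followed by `dest`, i.e. when `original` is the same host as, or a subdomain of, `destination`. The call site in a later hunk passes `(request.url, locationURL)`, so the resulting behaviour (keep headers only when the redirect target is the original host or one of its subdomains) is correct, but the parameter names invert the roles and will mislead the next reader. Suggest renaming them to match the check and making the precedence explicit: `return orig === dest || (orig[orig.length - dest.length - 1] === '.' && orig.endsWith(dest));`. The comparison is hostname-only, so a redirect that changes scheme or port on the same host is still treated as same-domain; if that is intended, say so in a comment. Also, `new URL$1(original)` throws on a non-URL input and the helper has no guard, so callers must never pass `null`.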
@@ -8121,7 +8129,19 @@ function fetch(url, opts) {
81218129
const location = headers.get('Location');
81228130

81238131
// HTTP fetch step 5.3
8124-
const locationURL = location === null ? null : resolve_url(request.url, location);
8132+
let locationURL = null;
8133+
try {
8134+
locationURL = location === null ? null : new URL$1(location, request.url).toString();
8135+
} catch (err) {
8136+
// error here can only be invalid URL in Location: header
8137+
// do not throw when options.redirect == manual
8138+
// let the user extract the errorneous redirect URL
8139+
if (request.redirect !== 'manual') {
8140+
reject(new FetchError(`uri requested responds with an invalid redirect URL: ${location}`, 'invalid-redirect'));
8141+
finalize();
8142+
return;
8143+
}
8144+
}
81258145

81268146
// HTTP fetch step 5.5
81278147
switch (request.redirect) {
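Review bot: typo in the comment at 8138, `errorneous` should be `erroneous`, and `err` in `catch (err)` is unused. More substantively, when `request.redirect === 'manual'` and the `Location:` header fails to parse, the error is swallowed and `locationURL` stays `null`, which is the same state as a response with no `Location:` header at all; code after the switch cannot tell 'no redirect' from 'unparseable redirect'. The comment says the caller can extract the URL themselves, which holds because the raw header is still on the response, but the new `'invalid-redirect'` error code should be documented next to the existing `'unsupported-redirect'` one. The move from `resolve_url(request.url, location)` to `new URL$1(location, request.url).toString()` also changes the result from a legacy-resolver string to a WHATWG-serialized URL and is the reason the try/catch is needed; a comment to that effect would stop someone removing the guard later.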
@@ -8169,6 +8189,12 @@ function fetch(url, opts) {
81698189
size: request.size
81708190
};
81718191

8192+
if (!isDomainOrSubdomain(request.url, locationURL)) {
8193+
for (const name of ['authorization', 'www-authenticate', 'cookie', 'cookie2']) {
8194+
requestOpts.headers.delete(name);
8195+
}
8196+
}
8197+
81728198
// HTTP-redirect fetch step 9
81738199
if (res.statusCode !== 303 && request.body && getTotalBytes(request) === null) {
81748200
reject(new FetchError('Cannot follow redirect with body being a readable stream', 'unsupported-redirect'));
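Review bot: the header-stripping block at 8192-8196 only fires when `isDomainOrSubdomain(request.url, locationURL)` is false, so a redirect from `https://example.com` to `http://example.com` (scheme downgrade, same host; placeholder names) still forwards `authorization` and `cookie`, now in clear text; if that is out of scope for this change, a comment noting the host-only comparison would set expectations. Two smaller points: `locationURL` is initialised to `null` in the previous hunk and `isDomainOrSubdomain` calls `new URL$1(original)` with no null check, so this line relies on the switch above having already handled the null case, which deserves a comment; and the four header names are listed lowercased, which works because `Headers.delete` is case-insensitive, but a short note would stop someone 'fixing' the casing. The list also omits `proxy-authorization`, which carries credentials in the same way as `authorization`; worth confirming whether that omission is deliberate.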

package-lock.json

Lines changed: 14 additions & 6 deletions
