ADOP-2522: Bump axios, add now required typings to responses (#1576)
* ADOP-2522: Bump axios, add now required typings to responses

* use axios.post instead of axios

* ADOP-2522: Force codecept to use bumped axios version, bump webpack

* ADOP-2522: Point at other PR for testing

* Bump express

* bump express

* bump express

* add resolution for serve-static

* revert preview values to be back to normal!
DanCatchpole authored Sep 18, 2024
1 parent f10db8a commit 6a0e88e
Showing 5 changed files with 130 additions and 81 deletions.
11 changes: 7 additions & 4 deletions package.json
Expand Up @@ -76,15 +76,15 @@
"accessible-autocomplete": "^2.0.4",
"applicationinsights": "^2.5.1",
"autobind-decorator": "^2.4.0",
"axios": "^0.27.2",
"axios": "^0.28.0",
"config": "^3.3.7",
"connect-redis": "^6.1.1",
"cookie-parser": "^1.4.5",
"csurf": "^1.11.0",
"dayjs": "^1.11.3",
"dotenv": "^16.4.5",
"email-validator": "^2.0.4",
"express": "^4.18.1",
"express": "^4.21.0",
"express-http-proxy": "^1.6.3",
"express-session": "^1.17.3",
"form-data": "^4.0.0",
Expand Down Expand Up @@ -164,7 +164,7 @@
"ts-jest": "^28.0.4",
"ts-loader": "^9.3.0",
"webdriverio": "^7.19.7",
"webpack": "^5.79.0",
"webpack": "^5.94.0",
"webpack-cli": "^4.9.2",
"webpack-dev-middleware": "^5.3.3",
"webpack-node-externals": "^3.0.0"
Expand All @@ -176,7 +176,10 @@
"cookiejar": ">=2.1.4",
"formidable": "^3.2.4",
"semver": ">=7.5.2",
"ws": "^8.17.1"
"ws": "^8.17.1",
"codeceptjs/axios": "1.7.4",
"express": "^4.21.0",
"serve-static": "^1.16.0"
},
"packageManager": "[email protected]"
}
4 changes: 2 additions & 2 deletions playwright-e2e/helpers/idamTestApiHelpers.ts
Expand Up @@ -26,7 +26,7 @@ export async function getAccessToken(): Promise<string | null> {
url: process.env.IDAM_TOKEN_URL as string,
};

const response = await axios(options);
const response = await axios.post(options.url!, options.data, options);
return response.data.access_token;
} catch (error) {
console.error('Error fetching access token:', error);
Expand Down Expand Up @@ -68,7 +68,7 @@ export async function createCitizenUser(token: string): Promise<{ email: string;
};

try {
const response = await axios(userCreationOptions);
const response = await axios.post(userCreationOptions.url!, userCreationOptions.data, userCreationOptions);
console.log('User created:', response.data);
return { email, password, id: response.data.id };
} catch (error) {
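Review bot: The new `axios.post(options.url!, options.data, options)` call stacks a non-null assertion on top of the `as string` cast already applied to `process.env.IDAM_TOKEN_URL` two lines above, so an unset variable is never caught and surfaces only as an obscure request failure; the same pattern is in the second hunk with `userCreationOptions.url!`. Validate once and drop both assertions: `const url = process.env.IDAM_TOKEN_URL;` / `if (!url) throw new Error('IDAM_TOKEN_URL is not set');` / `const response = await axios.post(url, options.data, options);` (the source of `userCreationOptions.url` is outside the hunk, so apply the equivalent guard there). Passing `options` as the config also re-sends `url` and `data` that are already given positionally, which is harmless but worth trimming to the headers/auth fields. While here, the `catch` below logs the whole axios error object, whose `config` carries the request body sent to the token endpoint; logging `error.message` and the response status instead avoids echoing credentials into test output. Both enclosing functions (`getAccessToken`, `createCitizenUser`) start before their hunks.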
4 changes: 2 additions & 2 deletions src/main/app/case/CaseApi.ts
Expand Up @@ -193,10 +193,10 @@ export class CaseApi {

private logError(error: AxiosError) {
if (error.response) {
this.logger.error(`API Error ${error.config.method} ${error.config.url} ${error.response.status}`);
this.logger.error(`API Error ${error.config?.method} ${error.config?.url} ${error.response.status}`);
this.logger.info('Response: ', error.response.data);
} else if (error.request) {
this.logger.error(`API Error ${error.config.method} ${error.config.url}`);
this.logger.error(`API Error ${error.config?.method} ${error.config?.url}`);
} else {
this.logger.error('API Error', error.message);
}
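Review bot: The new `${error.config?.method} ${error.config?.url}` interpolations silently print the literal text `undefined undefined` when axios raises an error with no config attached (now possible, which is why the typings forced the `?.`), giving an operator a log line with no indication that the request details were missing. Consider `${error.config?.method ?? '<no config>'} ${error.config?.url ?? '<no url>'}` in both the `error.response` and `error.request` branches so the gap is explicit. Since this method is being touched, note that the unchanged `this.logger.info('Response: ', error.response.data)` line writes the full error response body to the log; if the downstream API may return case details in error payloads, logging only the status and a truncated body limits what ends up in log storage. `logError` closes outside the hunk.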
2 changes: 1 addition & 1 deletion yarn-audit-known-issues
@@ -1 +1 @@
{"actions":[],"advisories":{"1096353":{"findings":[{"version":"1.15.3","paths":["axios>follow-redirects"]}],"metadata":null,"vulnerable_versions":"<1.15.4","module_name":"follow-redirects","severity":"moderate","github_advisory_id":"GHSA-jchw-25xp-jwwc","cves":["CVE-2023-26159"],"access":"public","patched_versions":">=1.15.4","cvss":{"score":6.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},"updated":"2024-01-31T05:07:10.000Z","recommendation":"Upgrade to version 1.15.4 or later","cwe":["CWE-20","CWE-601"],"found_by":null,"deleted":null,"id":1096353,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26159\n- https://github.com/follow-redirects/follow-redirects/issues/235\n- https://github.com/follow-redirects/follow-redirects/pull/236\n- https://security.snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-6141137\n- https://github.com/follow-redirects/follow-redirects/commit/7a6567e16dfa9ad18a70bfe91784c28653fbf19d\n- https://lists.fedoraproject.org/archives/list/[email protected]/message/ZZ425BFKNBQ6AK7I5SAM56TWON5OF2XM/\n- https://github.com/advisories/GHSA-jchw-25xp-jwwc","created":"2024-01-02T06:30:30.000Z","reported_by":null,"title":"Follow Redirects improperly handles URLs in the url.parse() function","npm_advisory_id":null,"overview":"Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. 
An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.","url":"https://github.com/advisories/GHSA-jchw-25xp-jwwc"},"1096484":{"findings":[{"version":"6.3.0","paths":["@hmcts/nodejs-healthcheck>superagent>semver","applicationinsights>@azure/opentelemetry-instrumentation-azure-sdk>@opentelemetry/instrumentation>semver","@hmcts/properties-volume>@azure/identity>@azure/msal-node>jsonwebtoken>semver"]}],"metadata":null,"vulnerable_versions":">=6.0.0 <6.3.1","module_name":"semver","severity":"moderate","github_advisory_id":"GHSA-c2qf-rxjj-qqgw","cves":["CVE-2022-25883"],"access":"public","patched_versions":">=6.3.1","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-02-14T14:58:49.000Z","recommendation":"Upgrade to version 6.3.1 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1096484,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25883\n- https://github.com/npm/node-semver/pull/564\n- https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441\n- https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795\n- https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L138\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L160\n- https://github.com/npm/node-semver/pull/585\n- https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c\n- https://github.com/npm/node-semver/pull/593\n- https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0\n- https://github.com/advisories/GHSA-c2qf-rxjj-qqgw","created":"2023-06-21T06:30:28.000Z","reported_by":null,"title":"semver vulnerable to Regular Expression Denial of Service","npm_advisory_id":null,"overview":"Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 
6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.","url":"https://github.com/advisories/GHSA-c2qf-rxjj-qqgw"},"1096820":{"findings":[{"version":"4.18.1","paths":["express"]}],"metadata":null,"vulnerable_versions":"<4.19.2","module_name":"express","severity":"moderate","github_advisory_id":"GHSA-rv95-896h-c2vc","cves":["CVE-2024-29041"],"access":"public","patched_versions":">=4.19.2","cvss":{"score":6.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},"updated":"2024-03-27T21:47:29.000Z","recommendation":"Upgrade to version 4.19.2 or later","cwe":["CWE-601","CWE-1286"],"found_by":null,"deleted":null,"id":1096820,"references":"- https://github.com/expressjs/express/security/advisories/GHSA-rv95-896h-c2vc\n- https://github.com/koajs/koa/issues/1800\n- https://github.com/expressjs/express/pull/5539\n- https://github.com/expressjs/express/commit/0867302ddbde0e9463d0564fea5861feb708c2dd\n- https://github.com/expressjs/express/commit/0b746953c4bd8e377123527db11f9cd866e39f94\n- https://expressjs.com/en/4x/api.html#res.location\n- https://nvd.nist.gov/vuln/detail/CVE-2024-29041\n- https://github.com/advisories/GHSA-rv95-896h-c2vc","created":"2024-03-25T19:40:26.000Z","reported_by":null,"title":"Express.js Open Redirect in malformed URLs","npm_advisory_id":null,"overview":"### Impact\n\nVersions of Express.js prior to 4.19.2 and pre-release alpha and beta versions before 5.0.0-beta.3 are affected by an open redirect vulnerability using malformed URLs.\n\nWhen a user of Express performs a redirect using a user-provided URL Express performs an encode [using `encodeurl`](https://github.com/pillarjs/encodeurl) on the contents before passing it to the `location` header. 
This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list.\n\nThe main method impacted is `res.location()` but this is also called from within `res.redirect()`.\n\n### Patches\n\nhttps://github.com/expressjs/express/commit/0867302ddbde0e9463d0564fea5861feb708c2dd\nhttps://github.com/expressjs/express/commit/0b746953c4bd8e377123527db11f9cd866e39f94\n\nAn initial fix went out with `[email protected]`, we then patched a feature regression in `4.19.1` and added improved handling for the bypass in `4.19.2`.\n\n### Workarounds\n\nThe fix for this involves pre-parsing the url string with either `require('node:url').parse` or `new URL`. These are steps you can take on your own before passing the user input string to `res.location` or `res.redirect`.\n\n### References\n\nhttps://github.com/expressjs/express/pull/5539\nhttps://github.com/koajs/koa/issues/1800\nhttps://expressjs.com/en/4x/api.html#res.location","url":"https://github.com/advisories/GHSA-rv95-896h-c2vc"},"1096856":{"findings":[{"version":"1.15.3","paths":["axios>follow-redirects"]}],"metadata":null,"vulnerable_versions":"<=1.15.5","module_name":"follow-redirects","severity":"moderate","github_advisory_id":"GHSA-cxjh-pqwp-8mfp","cves":["CVE-2024-28849"],"access":"public","patched_versions":">=1.15.6","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},"updated":"2024-04-02T17:54:22.000Z","recommendation":"Upgrade to version 1.15.6 or later","cwe":["CWE-200"],"found_by":null,"deleted":null,"id":1096856,"references":"- https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp\n- https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b\n- https://fetch.spec.whatwg.org/#authentication-entries\n- https://nvd.nist.gov/vuln/detail/CVE-2024-28849\n- 
https://github.com/psf/requests/issues/1885\n- https://hackerone.com/reports/2390009\n- https://lists.fedoraproject.org/archives/list/[email protected]/message/VOIF4EPQUCKDBEVTGRQDZ3CGTYQHPO7Z\n- https://github.com/advisories/GHSA-cxjh-pqwp-8mfp","created":"2024-03-14T17:19:42.000Z","reported_by":null,"title":"follow-redirects' Proxy-Authorization header kept across hosts","npm_advisory_id":null,"overview":"When using [axios](https://github.com/axios/axios), its dependency follow-redirects only clears authorization header during cross-domain redirect, but allows the proxy-authentication header which contains credentials too.\n\n## Steps To Reproduce & PoC\n\nTest code:\n\n```js\nconst axios = require('axios');\n\naxios.get('http://127.0.0.1:10081/', {\n headers: {\n 'AuThorization': 'Rear Test',\n 'ProXy-AuthoriZation': 'Rear Test',\n 'coOkie': 't=1'\n }\n})\n .then((response) => {\n console.log(response);\n })\n```\n\nWhen I meet the cross-domain redirect, the sensitive headers like authorization and cookie are cleared, but proxy-authentication header is kept.\n\n## Impact\n\nThis vulnerability may lead to credentials leak.\n\n## Recommendations\n\nRemove proxy-authentication header during cross-domain redirect\n\n### Recommended Patch\n\n[follow-redirects/index.js:464](https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b)\n\n```diff\n- removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);\n+ removeMatchingHeaders(/^(?:authorization|proxy-authorization|cookie)$/i, this._options.headers);\n```","url":"https://github.com/advisories/GHSA-cxjh-pqwp-8mfp"},"1097679":{"findings":[{"version":"0.26.1","paths":["axios"]}],"metadata":null,"vulnerable_versions":">=0.8.1 
<0.28.0","module_name":"axios","severity":"moderate","github_advisory_id":"GHSA-wf5p-g6vw-rhxx","cves":["CVE-2023-45857"],"access":"public","patched_versions":">=0.28.0","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},"updated":"2024-06-21T21:33:58.000Z","recommendation":"Upgrade to version 0.28.0 or later","cwe":["CWE-352"],"found_by":null,"deleted":null,"id":1097679,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-45857\n- https://github.com/axios/axios/issues/6006\n- https://github.com/axios/axios/issues/6022\n- https://github.com/axios/axios/pull/6028\n- https://github.com/axios/axios/commit/96ee232bd3ee4de2e657333d4d2191cd389e14d0\n- https://github.com/axios/axios/releases/tag/v1.6.0\n- https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459\n- https://github.com/axios/axios/pull/6091\n- https://github.com/axios/axios/commit/2755df562b9c194fba6d8b609a383443f6a6e967\n- https://github.com/axios/axios/releases/tag/v0.28.0\n- https://security.netapp.com/advisory/ntap-20240621-0006\n- https://github.com/advisories/GHSA-wf5p-g6vw-rhxx","created":"2023-11-08T21:30:37.000Z","reported_by":null,"title":"Axios Cross-Site Request Forgery Vulnerability","npm_advisory_id":null,"overview":"An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.","url":"https://github.com/advisories/GHSA-wf5p-g6vw-rhxx"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":0,"moderate":7,"high":0,"critical":0},"dependencies":318,"devDependencies":10,"optionalDependencies":0,"totalDependencies":328}}
{"actions":[],"advisories":{},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":0,"moderate":0,"high":0,"critical":0},"dependencies":330,"devDependencies":4,"optionalDependencies":0,"totalDependencies":334}}