From 84fe8b5ef9cd365ee305e6a0de85741e36fc5f65 Mon Sep 17 00:00:00 2001 From: rpm-build Date: Wed, 18 Jan 2023 16:10:26 +0100 Subject: [PATCH] deps(node-fetch-npm): backport CVE-2022-0235 fix Signed-off-by: rpm-build --- .../node_modules/node-fetch-npm/src/index.js | 23 +++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/deps/npm/node_modules/node-fetch-npm/src/index.js b/deps/npm/node_modules/node-fetch-npm/src/index.js index b2cf80f..14ea47c 100644 --- a/deps/npm/node_modules/node-fetch-npm/src/index.js +++ b/deps/npm/node_modules/node-fetch-npm/src/index.js @@ -21,6 +21,21 @@ const getNodeRequestOptions = Request.getNodeRequestOptions const FetchError = require('./fetch-error') const isURL = /^https?:/ +/** + * isDomainOrSubdomain reports whether sub is a subdomain (or exact match) of + * the parent domain. + * + * Both domains must already be in canonical form. + */ +const isDomainOrSubdomain = (destination, original) => { + const orig = original.hostname; + const dest = destination.hostname; + + return orig === dest || ( + orig[orig.length - dest.length - 1] === '.' && orig.endsWith(dest) + ); +}; + /** * Fetch function * @@ -97,8 +112,12 @@ function fetch (uri, opts) { } else { redirectURL = url.parse(res.headers.location) } - if (url.parse(request.url).hostname !== redirectURL.hostname) { - request.headers.delete('authorization') + + // CVE-2022-0235 + if (!isDomainOrSubdomain(url.parse(request.url), redirectURL)) { + for (const name of ['authorization', 'www-authenticate', 'cookie', 'cookie2']) { + request.headers.delete(name) + } } // per fetch spec, for POST request with 301/302 response, or any request with 303 response, use GET when following redirect -- 2.39.0