Merge pull request #208 from axios/v1.x

Create a new pull request by comparing changes across two branches
javascript-indonesias · Jan 3, 2024 · 62afb94 · 62afb94
2 parents 496d63b + 8790b8e
commit 62afb94
Show file tree

Hide file tree

Showing 22 changed files with 90 additions and 35 deletions.
diff --git a/.github/workflows/notify.yml b/.github/workflows/notify.yml
@@ -7,15 +7,22 @@ on:
   #    - completed
   #repository_dispatch:
   #  types: [ notify ]
-  release:
-    types: [ published ]
+  #release:
+  #  types: [published]
+  # branches:
+  #    - main
+  #    - 'v**'
+  push:
+    tags:
+      - 'v[0-9]+.[0-9]+.[0-9]+'
     branches:
       - main
       - 'v**'
+
   workflow_dispatch:
     inputs:
       tag:
-        required: true
+        required: false
 jobs:
   notify:
     runs-on: ubuntu-latest

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,19 @@
 # Changelog
 
+## [1.6.4](https://github.com/axios/axios/compare/v1.6.3...v1.6.4) (2024-01-03)
+
+
+### Bug Fixes
+
+* **security:** fixed formToJSON prototype pollution vulnerability; ([#6167](https://github.com/axios/axios/issues/6167)) ([3c0c11c](https://github.com/axios/axios/commit/3c0c11cade045c4412c242b5727308cff9897a0e))
+* **security:** fixed security vulnerability in follow-redirects ([#6163](https://github.com/axios/axios/issues/6163)) ([75af1cd](https://github.com/axios/axios/commit/75af1cdff5b3a6ca3766d3d3afbc3115bb0811b8))
+
+### Contributors to this release
+
+- <img src="https://avatars.githubusercontent.com/u/4814473?v&#x3D;4&amp;s&#x3D;18" alt="avatar" width="18"/> [Jay](https://github.com/jasonsaayman "+34/-6 ()")
+- <img src="https://avatars.githubusercontent.com/u/12586868?v&#x3D;4&amp;s&#x3D;18" alt="avatar" width="18"/> [Dmitriy Mozgovoy](https://github.com/DigitalBrainJS "+34/-3 (#6172 #6167 )")
+- <img src="https://avatars.githubusercontent.com/u/1402060?v&#x3D;4&amp;s&#x3D;18" alt="avatar" width="18"/> [Guy Nesher](https://github.com/gnesher "+10/-10 (#6163 )")
+
 ## [1.6.3](https://github.com/axios/axios/compare/v1.6.2...v1.6.3) (2023-12-26)
 
 

diff --git a/README.md b/README.md
@@ -24,8 +24,8 @@
   <a href="https://stytch.com?utm_source=oss-sponsorship&utm_medium=paid_sponsorship&utm_content=logo&utm_campaign=axios-http">
     <picture>
       <source width="200px" media="(prefers-color-scheme: dark)" srcset="https://github.com/axios/axios/assets/4814473/538d715a-13c7-4668-ae7d-37a4548423f4">
-      <source width="200px" media="(prefers-color-scheme: light)" srcset="https://github.com/axios/axios/assets/4814473/538d715a-13c7-4668-ae7d-37a4548423f4">
-      <img width="200px" src="https://github.com/axios/axios/assets/4814473/538d715a-13c7-4668-ae7d-37a4548423f4" />
+      <source width="200px" media="(prefers-color-scheme: light)" srcset="https://github.com/axios/axios/assets/4814473/b6a9a7bc-9fb1-4b9b-909f-1b4bee1fd142">
+      <img width="200px" src="https://github.com/axios/axios/assets/4814473/b6a9a7bc-9fb1-4b9b-909f-1b4bee1fd142" />
     </picture>
   </a>
    <p align="center">API-first authentication, authorization, and fraud prevention</p>

diff --git a/bower.json b/bower.json
@@ -1,7 +1,7 @@
 {
   "name": "axios",
   "main": "./dist/axios.js",
-  "version": "1.6.3",
+  "version": "1.6.4",
   "homepage": "https://axios-http.com",
   "authors": [
     "Matt Zabriskie"

diff --git a/dist/axios.js b/dist/axios.js
diff --git a/dist/axios.js.map b/dist/axios.js.map
diff --git a/dist/axios.min.js b/dist/axios.min.js
diff --git a/dist/axios.min.js.map b/dist/axios.min.js.map
diff --git a/dist/browser/axios.cjs b/dist/browser/axios.cjs
@@ -1,4 +1,4 @@
-// Axios v1.6.3 Copyright (c) 2023 Matt Zabriskie and contributors
+// Axios v1.6.4 Copyright (c) 2024 Matt Zabriskie and contributors
 'use strict';
 
 function bind(fn, thisArg) {
@@ -1352,6 +1352,9 @@ function arrayToObject(arr) {
 function formDataToJSON(formData) {
   function buildPath(path, value, target, index) {
     let name = path[index++];
+
+    if (name === '__proto__') return true;
+
     const isNumericKey = Number.isFinite(+name);
     const isLast = index >= path.length;
     name = !name && utils$1.isArray(target) ? target.length : name;
@@ -2655,7 +2658,7 @@ function mergeConfig(config1, config2) {
   return config;
 }
 
-const VERSION = "1.6.3";
+const VERSION = "1.6.4";
 
 const validators$1 = {};
 

diff --git a/dist/browser/axios.cjs.map b/dist/browser/axios.cjs.map
diff --git a/dist/esm/axios.js b/dist/esm/axios.js
diff --git a/dist/esm/axios.js.map b/dist/esm/axios.js.map
diff --git a/dist/esm/axios.min.js b/dist/esm/axios.min.js
diff --git a/dist/esm/axios.min.js.map b/dist/esm/axios.min.js.map
diff --git a/dist/node/axios.cjs b/dist/node/axios.cjs
@@ -1,4 +1,4 @@
-// Axios v1.6.3 Copyright (c) 2023 Matt Zabriskie and contributors
+// Axios v1.6.4 Copyright (c) 2024 Matt Zabriskie and contributors
 'use strict';
 
 const FormData$1 = require('form-data');
@@ -1368,6 +1368,9 @@ function arrayToObject(arr) {
 function formDataToJSON(formData) {
   function buildPath(path, value, target, index) {
     let name = path[index++];
+
+    if (name === '__proto__') return true;
+
     const isNumericKey = Number.isFinite(+name);
     const isLast = index >= path.length;
     name = !name && utils$1.isArray(target) ? target.length : name;
@@ -2019,7 +2022,7 @@ function buildFullPath(baseURL, requestedURL) {
   return requestedURL;
 }
 
-const VERSION = "1.6.3";
+const VERSION = "1.6.4";
 
 function parseProtocol(url) {
   const match = /^([-+\w]{1,25})(:?\/\/|:)/.exec(url);

diff --git a/dist/node/axios.cjs.map b/dist/node/axios.cjs.map
diff --git a/lib/env/data.js b/lib/env/data.js
@@ -1 +1 @@
-export const VERSION = "1.6.3";
+export const VERSION = "1.6.4";
diff --git a/lib/helpers/formDataToJSON.js b/lib/helpers/formDataToJSON.js
@@ -49,6 +49,9 @@ function arrayToObject(arr) {
 function formDataToJSON(formData) {
   function buildPath(path, value, target, index) {
     let name = path[index++];
+
+    if (name === '__proto__') return true;
+
     const isNumericKey = Number.isFinite(+name);
     const isLast = index >= path.length;
     name = !name && utils.isArray(target) ? target.length : name;

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "axios",
-  "version": "1.6.3",
+  "version": "1.6.4",
   "description": "Promise based HTTP client for the browser and node.js",
   "main": "index.js",
   "exports": {
@@ -146,7 +146,7 @@
   "unpkg": "dist/axios.min.js",
   "typings": "./index.d.ts",
   "dependencies": {
-    "follow-redirects": "^1.15.0",
+    "follow-redirects": "^1.15.4",
     "form-data": "^4.0.0",
     "proxy-from-env": "^1.1.0"
   },

diff --git a/test/specs/helpers/formDataToJSON.spec.js b/test/specs/helpers/formDataToJSON.spec.js
@@ -47,4 +47,25 @@ describe('formDataToJSON', function () {
       foo: ['1', '2']
     });
   });
+
+  it('should resist prototype pollution CVE', () => {
+    const formData = new FormData();
+
+    formData.append('foo[0]', '1');
+    formData.append('foo[1]', '2');
+    formData.append('__proto__.x', 'hack');
+    formData.append('constructor.prototype.y', 'value');
+
+    expect(formDataToJSON(formData)).toEqual({
+      foo: ['1', '2'],
+      constructor: {
+        prototype: {
+          y: 'value'
+        }
+      }
+    });
+
+    expect({}.x).toEqual(undefined);
+    expect({}.y).toEqual(undefined);
+  });
 });
diff --git a/test/unit/adapters/http.js b/test/unit/adapters/http.js
@@ -385,7 +385,7 @@ describe('supports http with nodejs', function () {
           }
         }
       }).catch(function (error) {
-        assert.equal(error.message, 'Provided path is not allowed');
+        assert.equal(error.message, 'Redirected request failed: Provided path is not allowed');
         done();
       }).catch(done);
     });