Skip to content

[Security] Bump follow-redirects from 1.15.4 to 1.15.6 in /webapp

Bumps follow-redirects from 1.15.4 to 1.15.6. This update includes a security fix.

Vulnerabilities fixed

follow-redirects' Proxy-Authorization header kept across hosts When using axios, its dependency library follow-redirects only clears authorization header during cross-domain redirect, but allows the proxy-authentication header which contains credentials too.

Steps To Reproduce & PoC

axios Test Code

const axios = require('axios');

axios.get('http://127.0.0.1:10081/',{ headers: { 'AuThorization': 'Rear Test', 'ProXy-AuthoriZation': 'Rear Test', 'coOkie': 't=1' } }).then(function (response) { console.log(response); }) When I meet the cross-domain redirect, the sensitive headers like authorization and cookie are cleared, but proxy-authentication header is kept.

Request sent by axios

... (truncated)

Patched versions: 1.15.6 Affected versions: <= 1.15.5

Commits
  • 35a517c Release version 1.15.6 of the npm package.
  • c4f847f Drop Proxy-Authorization across hosts.
  • 8526b4a Use GitHub for disclosure.
  • b1677ce Release version 1.15.5 of the npm package.
  • d8914f7 Preserve fragment in responseUrl.
  • See full diff in compare view


Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts

Merge request reports

Loading