[Security] Bump follow-redirects from 1.15.5 to 1.15.6
Bumps follow-redirects from 1.15.5 to 1.15.6. This update includes a security fix.
Vulnerabilities fixed
follow-redirects' Proxy-Authorization header kept across hosts
When using axios, its dependency library follow-redirects only clears the authorization header during a cross-domain redirect, but allows the proxy-authentication header, which contains credentials too.
Steps To Reproduce & PoC
axios Test Code
```js
const axios = require('axios');

// Mixed-case header names are deliberate: they check that the redirect handling
// matches header names case-insensitively rather than by exact string.
axios.get('http://127.0.0.1:10081/', {
  headers: {
    'AuThorization': 'Rear Test',
    'ProXy-AuthoriZation': 'Rear Test',
    'coOkie': 't=1'
  }
}).then(function (response) {
  console.log(response);
});
```
When I hit the cross-domain redirect, the sensitive headers like authorization and cookie are cleared, but the proxy-authentication header is kept.
Request sent by axios
... (truncated)
Patched versions: 1.15.6
Affected versions: <= 1.15.5
Commits
- 35a517c Release version 1.15.6 of the npm package.
- c4f847f Drop Proxy-Authorization across hosts.
- 8526b4a Use GitHub for disclosure.
- See full diff in compare view
Dependabot commands
You can trigger Dependabot actions by commenting on this MR
- $dependabot recreate will recreate this MR, rewriting all the manual changes and resolving conflicts