[Security] Bump follow-redirects from 1.15.4 to 1.15.6 (!93) · Merge requests · tools / whereigo

Dependabot requested to merge dependabot-npm_and_yarn-follow-redirects-1.15.6 into master Mar 15, 2024

Bumps follow-redirects from 1.15.4 to 1.15.6. This update includes a security fix.

Vulnerabilities fixed

follow-redirects' Proxy-Authorization header kept across hosts When using axios, its dependency library follow-redirects only clears authorization header during cross-domain redirect, but allows the proxy-authentication header which contains credentials too.

Steps To Reproduce & PoC

axios Test Code

const axios = require('axios');

axios.get('http://127.0.0.1:10081/',{ headers: { 'AuThorization': 'Rear Test', 'ProXy-AuthoriZation': 'Rear Test', 'coOkie': 't=1' } }).then(function (response) { console.log(response); }) When I meet the cross-domain redirect, the sensitive headers like authorization and cookie are cleared, but proxy-authentication header is kept.

Request sent by axios

... (truncated)

Patched versions: 1.15.6 Affected versions: <= 1.15.5

Commits

35a517c Release version 1.15.6 of the npm package.
c4f847f Drop Proxy-Authorization across hosts.
8526b4a Use GitHub for disclosure.
b1677ce Release version 1.15.5 of the npm package.
d8914f7 Preserve fragment in responseUrl.
See full diff in compare view

Dependabot commands

You can trigger Dependabot actions by commenting on this MR

$dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts

[Security] Bump follow-redirects from 1.15.4 to 1.15.6

Merge request reports