follow-redirects is a lightweight npm package that wraps Node's http and https modules so that HTTP redirects are followed automatically. Version 0.0.7, released on September 10, 2015, builds on version 0.0.6 (released July 4, 2015) and adds one runtime dependency, "stream-consume", presumably so that response streams are drained during redirect handling; the package itself does not document the reason. Both versions share the same core functionality and the "debug" dependency for logging, plus the same development dependencies: "jscs" and "jshint" for linting, "mocha" for tests, "semver" for version checks, "express" for a local test server, "bluebird" for promises, and code-coverage and reporting tools. The package is MIT licensed. Note that 0.0.7 is an early 2015 release: every advisory listed below affects it, and the fixed versions named in those advisories (1.14.8 and 1.15.4) are far newer, so a project still pinned to 0.0.7 should upgrade rather than rely on it for stream handling.
All vulnerabilities affecting version 0.0.7 of the package
Exposure of sensitive information in follow-redirects
follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor
Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects
Exposure of Sensitive Information to an Unauthorized Actor in NPM follow-redirects prior to 1.14.8.
Follow Redirects improperly handles URLs in the url.parse() function
Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the legacy url.parse() function: when new URL() throws an error, the parsed result can be manipulated so that the hostname is misinterpreted. An attacker could exploit this weakness to redirect traffic to a site of their choosing, potentially leading to information disclosure (for example of credentials sent with the redirected request), phishing, or other security breaches.
follow-redirects' Proxy-Authorization header kept across hosts
When using axios, its dependency follow-redirects only clears the authorization header during a cross-domain redirect, but allows the proxy-authentication header, which contains credentials too.
Test code:
const axios = require('axios');
// 127.0.0.1:10081 is a local test server that answers with a redirect to
// a different host. The mixed-case header names still count as
// Authorization, Proxy-Authorization and Cookie, since header names are
// matched case-insensitively.
axios.get('http://127.0.0.1:10081/', {
    headers: {
      'AuThorization': 'Rear Test',
      'ProXy-AuthoriZation': 'Rear Test',
      'coOkie': 't=1'
    }
  })
  .then((response) => {
    console.log(response);
  })
  .catch((error) => {
    // Without this handler a failed request surfaces as an unhandled rejection.
    console.error(error);
  });
When I hit the cross-domain redirect, the sensitive headers like authorization and cookie are cleared, but the proxy-authentication header is kept.
This vulnerability may lead to a credentials leak.
Remove proxy-authentication header during cross-domain redirect
- removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
+ removeMatchingHeaders(/^(?:authorization|proxy-authorization|cookie)$/i, this._options.headers);
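Review bot: this one-line regex change ships without a regression test, so the next refactor of the header-stripping code can silently reintroduce the leak; add a case to the existing mocha suite that sends a mixed-case header such as the issue's `ProXy-AuthoriZation` through a cross-host redirect and asserts it is absent on the second request. The hunk also only widens which headers are removed, not when removeMatchingHeaders is called, so confirm in the surrounding condition (not visible here) that a redirect that changes scheme or port, not just hostname, also triggers the removal.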
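As an added example that is not code from follow-redirects, axios, or the issue above, the Node script below shows the two hardening steps the advisories on this page point at: resolve a Location header with the WHATWG URL parser only and refuse to follow anything it rejects rather than re-parsing it with the legacy url.parse(), and strip Authorization, Proxy-Authorization and Cookie case-insensitively whenever the redirect leaves the original host. Everything here is constructed: the sample headers mirror the issue's test code, the function names are hypothetical, and the cross-host rule (host or scheme change) is an assumption that is stricter than the single regex change in the patch.

```javascript
// Added example, not follow-redirects' own code. Redirect handling that
// (1) uses only the WHATWG URL parser and refuses Locations it rejects, and
// (2) drops credential-bearing headers, Proxy-Authorization included, when
// the redirect leaves the original host. Names and policy are assumptions.

// Headers that must not travel to another host. Matched case-insensitively,
// so 'ProXy-AuthoriZation' is caught just like 'Proxy-Authorization'.
const SENSITIVE_HEADERS = /^(?:authorization|proxy-authorization|cookie)$/i;

// Resolve a Location header against the current URL with new URL() only.
// Returns null when the parser throws or the scheme is not http(s); the
// caller then stops following instead of retrying with url.parse().
function resolveRedirect(currentUrl, location) {
  let target;
  try {
    target = new URL(location, currentUrl);
  } catch (err) {
    return null;
  }
  if (target.protocol !== 'http:' && target.protocol !== 'https:') {
    return null;
  }
  return target;
}

// Assumed policy: a redirect is "cross-host" when the host (hostname plus
// port) or the scheme changes, so an https -> http downgrade on the same
// host also loses credentials.
function isCrossHost(from, to) {
  return from.host !== to.host || from.protocol !== to.protocol;
}

// Copy the header map without any credential-bearing entries.
function stripSensitiveHeaders(headers) {
  const kept = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!SENSITIVE_HEADERS.test(name)) {
      kept[name] = value;
    }
  }
  return kept;
}

// Decide whether to follow a redirect and which headers the next request gets.
function prepareRedirect(currentUrl, location, headers) {
  const from = new URL(currentUrl);
  const to = resolveRedirect(from, location);
  if (to === null) {
    return { follow: false, reason: 'Location rejected by URL parser or not http(s)' };
  }
  const cross = isCrossHost(from, to);
  return {
    follow: true,
    url: to.href,
    headers: cross ? stripSensitiveHeaders(headers) : { ...headers },
    strippedCredentials: cross,
  };
}

// Constructed sample: the headers from the issue's test code plus one that
// is safe to forward, and a redirect from the local test server elsewhere.
const sampleHeaders = {
  'AuThorization': 'Rear Test',
  'ProXy-AuthoriZation': 'Rear Test',
  'coOkie': 't=1',
  'Accept': 'application/json',
};

const crossHost = prepareRedirect('http://127.0.0.1:10081/', 'http://example.com/landing', sampleHeaders);
console.log(crossHost);
// -> follow: true, headers: { Accept: 'application/json' }, strippedCredentials: true

const sameHost = prepareRedirect('http://127.0.0.1:10081/', '/next', sampleHeaders);
console.log(sameHost.headers);
// -> all four sample headers kept, strippedCredentials: false

console.log(prepareRedirect('http://127.0.0.1:10081/', 'http://', sampleHeaders));
// -> follow: false (new URL() throws on 'http://', and there is no url.parse() fallback)
```

The design point is that the two advisories interact: a parser that can be tricked about the hostname would also fool the cross-host check, so the header-stripping logic is only as good as the URL parsing in front of it, which is why the example refuses to follow a Location the WHATWG parser rejects instead of trying a second parser.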