follow-redirects is a handy npm package that wraps Node's HTTP and HTTPS modules with built-in redirect handling, so callers do not have to re-issue requests on 3xx responses themselves. Comparing version 1.0.0 with the previous stable version 0.3.0 reveals only small manifest changes. Both versions share the same core functionality and description, so users relying on redirect following get a consistent experience. The sole runtime dependency, "debug", is declared as "^2.2.0" in both.
The one difference lies in the development dependencies. Version 0.3.0 includes "semver": "^5.3.0", which is absent in version 1.0.0. Because devDependencies are installed only when working on the package itself, this reflects a change in the project's own build or test tooling, not in what consumers receive. Both versions keep xo, nyc, mocha, express, bluebird, coveralls and concat-stream as dev dependencies, which shows a clear focus on linting, coverage and testing.
Developers considering an upgrade do not need to account for the semver change: a dependency's devDependencies are never installed into a consuming project, so its removal cannot affect downstream code. Both releases are licensed under MIT. The dev-dependency diff says nothing about the runtime API, however, and a jump from 0.x to 1.0.0 is a major-version bump that semver permits to contain breaking changes, so check the project's changelog and run your own test suite rather than assuming the upgrade is seamless. More importantly, 1.0.0 predates the fix for every advisory listed below, so it is at best a stepping stone: projects should move to a release at or beyond the fixed versions those advisories name.
Known vulnerabilities affecting version 1.0.0 of the package
Exposure of sensitive information in follow-redirects
follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor
Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects
Exposure of Sensitive Information to an Unauthorized Actor in NPM follow-redirects prior to 1.14.8.
Follow Redirects improperly handles URLs in the url.parse() function
Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws on a malformed redirect target, the library falls back to the legacy url.parse(), which tolerates input the WHATWG parser rejects and can resolve it to a different hostname than intended. An attacker who controls a Location header can exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches. The safe behaviour is to treat a URL the WHATWG parser rejects as invalid and abort the redirect rather than "repair" it with a more lenient parser.
follow-redirects' Proxy-Authorization header kept across hosts
When using axios, its dependency follow-redirects only clears the authorization header during a cross-domain redirect, but allows the proxy-authentication header, which contains credentials too.
Test code:
const axios = require('axios');

// Request to a local test server that answers with a redirect to another
// host; the mixed-case header names exercise the library's case-insensitive
// header matching.
axios.get('http://127.0.0.1:10081/', {
  headers: {
    'AuThorization': 'Rear Test',
    'ProXy-AuthoriZation': 'Rear Test',
    'coOkie': 't=1'
  }
})
  .then((response) => {
    console.log(response);
  })
  .catch((error) => {
    console.error(error.message);
  });
When I hit the cross-domain redirect, sensitive headers like authorization and cookie are cleared, but the proxy-authentication header is kept.
This vulnerability may lead to a credential leak.
Remove proxy-authentication header during cross-domain redirect
- removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
+ removeMatchingHeaders(/^(?:authorization|proxy-authorization|cookie)$/i, this._options.headers);
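Review bot: no regression test accompanies the one-line regex change, and the visible lines do not show the condition under which removeMatchingHeaders is invoked; add a test that issues a cross-host redirect carrying the mixed-case `ProXy-AuthoriZation` header from the report (so the `/i` flag is exercised) and confirm at the call site that the stripping runs on any change of host or scheme, not only on a change of registrable domain, since a Proxy-Authorization value that survives an https-to-http hop is just as exposed as one that crosses hosts.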