Follow-redirects is a crucial library for Node.js developers, streamlining HTTP and HTTPS requests by automatically handling redirects. Version 1.2.6 builds upon the solid foundation of version 1.2.5, presenting some key differences for developers to consider. The primary upgrade lies in its dependency on the "debug" package, moving from version 2.6.9 to a more recent "^3.1.0". This update likely incorporates enhanced debugging capabilities, potentially offering more detailed insights into request flows and redirect behavior, aiding in troubleshooting and optimizing application performance. Another notable change resides in the development dependencies, specifically the updates of "nyc" from version 10.0.0 to version 11.3.0, "mocha" from version 3.2.0 to version 4.0.1, and "coveralls" from version 2.11.15 to 3.0.0. These changes don't affect the shipped code, but they show that the project is being actively maintained, with its test tooling kept up to date.
Both versions maintain the same core functionality and MIT license, ensuring broad usability across projects. They share identical "xo", "express", "bluebird", and "concat-stream" development dependencies, indicating a stable development environment overall. The author's information and repository details remain consistent, affirming the project's established origin and maintainership. Developers already familiar with follow-redirects will find version 1.2.6 a straightforward upgrade, while those new to the library can confidently leverage either version for simplified redirect handling in their applications. Ultimately, the choice depends on individual project needs and any specific requirements tied to the updated "debug" package.
All the vulnerabilities related to version 1.2.6 of the package
Exposure of sensitive information in follow-redirects
follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor
Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects
Exposure of Sensitive Information to an Unauthorized Actor in NPM follow-redirects prior to 1.14.8.
Follow Redirects improperly handles URLs in the url.parse() function
Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.
follow-redirects' Proxy-Authorization header kept across hosts
When using axios, its dependency follow-redirects only clears the authorization header during a cross-domain redirect, but allows the proxy-authentication header, which contains credentials too.
Test code:
const axios = require('axios');

// Mixed-case header names on purpose: follow-redirects matches header names
// case-insensitively when deciding which ones to strip on a cross-domain redirect.
axios.get('http://127.0.0.1:10081/', {
  headers: {
    'AuThorization': 'Rear Test',
    'ProXy-AuthoriZation': 'Rear Test',
    'coOkie': 't=1'
  }
})
  .then((response) => {
    console.log(response);
  })
  .catch((error) => {
    console.error(error);
  });
When I encounter the cross-domain redirect, the sensitive headers like authorization and cookie are cleared, but the proxy-authentication header is kept.
This vulnerability may lead to a credentials leak.
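As an added example (not follow-redirects' own code), a simplified model of the header handling this advisory describes: headersForRedirect and removeMatchingHeaders are assumed stand-ins for the library's internals, the host comparison is an assumption, and the two regexes are the pre-fix and post-fix patterns from the commit shown below. Running it shows the Proxy-Authorization header surviving a cross-host redirect under the old pattern and being dropped under the new one.

```javascript
// Added example, not follow-redirects' own code: a simplified model of the
// redirect header handling in the advisory above. Hostname comparison and
// removeMatchingHeaders are assumed stand-ins for the library's internals.

// Same shape as the regexes in the fix: the vulnerable and the corrected pattern.
const VULNERABLE_RE = /^(?:authorization|cookie)$/i;
const FIXED_RE = /^(?:authorization|proxy-authorization|cookie)$/i;

// Delete every header whose name matches the regex (the /i flag makes it
// case-insensitive, so mixed-case names are covered).
function removeMatchingHeaders(regex, headers) {
  for (const name of Object.keys(headers)) {
    if (regex.test(name)) delete headers[name];
  }
}

// Model of one redirect hop: if the target host differs from the current host,
// strip credential-bearing headers before the request is re-sent.
function headersForRedirect(headers, fromUrl, toUrl, regex = FIXED_RE) {
  const out = { ...headers };
  const crossHost = new URL(fromUrl).host !== new URL(toUrl).host;
  if (crossHost) removeMatchingHeaders(regex, out);
  return out;
}

// Constructed sample headers, reusing the mixed casing from the test code above.
const SAMPLE_HEADERS = {
  'AuThorization': 'Rear Test',
  'ProXy-AuthoriZation': 'Rear Test',
  'coOkie': 't=1',
  'Accept': 'application/json',
};

// Lower-cased names of credential headers that would still reach a different host
// (other.example is a constructed placeholder for the redirect target).
function leakedCredentialHeaders(regex) {
  const sent = headersForRedirect(SAMPLE_HEADERS, 'http://127.0.0.1:10081/',
    'http://other.example/', regex);
  return Object.keys(sent)
    .map((n) => n.toLowerCase())
    .filter((n) => FIXED_RE.test(n));
}

console.log('vulnerable pattern leaks:', leakedCredentialHeaders(VULNERABLE_RE)); // [ 'proxy-authorization' ]
console.log('fixed pattern leaks:', leakedCredentialHeaders(FIXED_RE));           // []
```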
Remove proxy-authentication header during cross-domain redirect
- removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
+ removeMatchingHeaders(/^(?:authorization|proxy-authorization|cookie)$/i, this._options.headers);
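Review bot: the hunk ships no regression test; a test that issues a request through a redirect to a different host and asserts that none of authorization, proxy-authorization or cookie arrives at the second host should accompany the regex change, otherwise the next edit to this pattern can silently reintroduce the leak. The /i flag on the new regex does cover the mixed-case 'ProXy-AuthoriZation' header from the test code above, so the fix matches the reproduction as written.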