Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
fix(CSRF): fixed CSRF vulnerability CVE-2023-45857 (#6028)
Co-authored-by: DigitalBrainJS <robotshara@gmail.com>
  • Loading branch information
valentin-panov and DigitalBrainJS committed Oct 26, 2023
1 parent 7d45ab2 commit 96ee232
Show file tree
Hide file tree
Showing 2 changed files with 4 additions and 4 deletions.
4 changes: 2 additions & 2 deletions lib/adapters/xhr.js
Expand Up @@ -188,8 +188,8 @@ export default isXHRAdapterSupported && function (config) {
// Specifically not if we're in a web worker, or react-native.
if (platform.isStandardBrowserEnv) {
// Add xsrf header
const xsrfValue = (config.withCredentials || isURLSameOrigin(fullPath))
&& config.xsrfCookieName && cookies.read(config.xsrfCookieName);
// regarding CVE-2023-45857 config.withCredentials condition was removed temporarily
const xsrfValue = isURLSameOrigin(fullPath) && config.xsrfCookieName && cookies.read(config.xsrfCookieName);

if (xsrfValue) {
requestHeaders.set(config.xsrfHeaderName, xsrfValue);
Expand Down
4 changes: 2 additions & 2 deletions test/specs/xsrf.spec.js
Expand Up @@ -67,15 +67,15 @@ describe('xsrf', function () {
});
});

it('should set xsrf header for cross origin when using withCredentials', function (done) {
it('should not set xsrf header for cross origin when using withCredentials', function (done) {
document.cookie = axios.defaults.xsrfCookieName + '=12345';

axios('http://example.com/', {
withCredentials: true
});

getAjaxRequest().then(function (request) {
expect(request.requestHeaders[axios.defaults.xsrfHeaderName]).toEqual('12345');
expect(request.requestHeaders[axios.defaults.xsrfHeaderName]).toEqual(undefined);
done();
});
});
Expand Down

0 comments on commit 96ee232

Please sign in to comment.