Hotfix: Prevent SSRF #3410
Conversation
@timemachine3030 Shared some suggestions with you. Thanks for the quick fix.
@timemachine3030 Can you say if this only affected 0.21.0 or prior versions as well?
@ArSn Versions since 0.19.0, when proxy forwarding was added. The vulnerability is exclusive to Node.js applications making requests through proxy servers.
Yeah, I caught that, thanks!
Sorry if this is not the right place to ask, but when is the fixed code going to be packaged and published on the NPM repo, so we can actually make use of it? When is the next npm version supposed to come out?
Any update on when
@jasonsaayman When will the 0.21.1 tag be released? Thanks
@twistedpair, @kobe0730 I have asked Emily to get to this release so it is with her now, I will ask her if she will get to it this week and get back to you. Thanks for your patience.
@jasonsaayman @emilyemorehouse Sorry to ping, but any update on when we can expect v0.21.1 to be released? Given the CVSS score on this I'm about to breach security SLOs (and judging by the interest from others I am not the only one). Thanks!
Hello, same issue with my company. Could we please get a release soon? It would be a nice Christmas gift.
I have made hotfix/0.19.3 and hotfix/0.20.1 branches on my forked repo. Can you @jasonsaayman help me to create the two branches on the origin repo, so I can open up the pull requests? |
Fixes new axios security issue axios/axios#3410. Updates to client should also fix this: OADA/client#5
Updates axios and analytics-node to prevent SSRF vulnerability described here: axios/axios#3410
Updated Axios dependency to ^0.21.1, to avoid security issue, more details: axios/axios#3410
When I deploy to staging it all works perfectly, but to prod I get this:

```
==> Running Command: npm ci && npm run prod && rm -rf node_modules
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated fsevents@1.2.13: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
npm WARN deprecated chokidar@2.1.8: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
npm WARN deprecated axios@0.18.1: Critical security vulnerability fixed in v0.21.1. For more information, see axios/axios#3410
npm WARN deprecated popper.js@1.16.1: You can find the new Popper v2 at @popperjs/core, this package is dedicated to the legacy v1
added 1115 packages, and audited 1550 packages in 19s
48 packages are looking for funding
  run `npm fund` for details
7 vulnerabilities (3 low, 4 high)
To address all issues (including breaking changes), run:
  npm audit fix --force
Run `npm audit` for details.
npm ERR! missing script: prod
npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/necenzurat/.npm/_logs/2021-01-31T14_34_54_314Z-debug.log

In Process.php line 267:

  The command "npm ci && npm run prod && rm -rf node_modules" failed.

  Exit Code: 1(General error)

  Working directory: /Users/necenzurat/Apps/webkit.ro/.vapor/build/app

  Output:
  ================
  added 1115 packages, and audited 1550 packages in 19s
  48 packages are looking for funding
    run `npm fund` for details
  7 vulnerabilities (3 low, 4 high)
  To address all issues (including breaking changes), run:
    npm audit fix --force
  Run `npm audit` for details.

  Error Output:
  ================
  npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
  npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
  npm WARN deprecated fsevents@1.2.13: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
  npm WARN deprecated chokidar@2.1.8: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
  npm WARN deprecated axios@0.18.1: Critical security vulnerability fixed in v0.21.1. For more information, see axios/axios#3410
  npm WARN deprecated popper.js@1.16.1: You can find the new Popper v2 at @popperjs/core, this package is dedicated to the legacy v1
  npm ERR! missing script: prod
  npm ERR! A complete log of this run can be found in:
  npm ERR!     /Users/necenzurat/.npm/_logs/2021-01-31T14_34_54_314Z-debug.log
```

It seems that somewhere `npm run prod` vanishes. It's the only fix I could find.
Fixes vulnerability described in:

Uses a hook in follow-redirects to continue using the proxy if a redirect is encountered.