
Hotfix: Prevent SSRF #3410

Merged
merged 6 commits into axios:master, Nov 24, 2020

Conversation

@timemachine3030
Contributor

@timemachine3030 timemachine3030 commented Nov 13, 2020

Fixes vulnerability described in:

Uses a hook in follow-redirects to continue using the proxy if a redirect is encountered.

@jasonsaayman jasonsaayman added this to the v0.21.1 milestone Nov 20, 2020
@udaykor

@udaykor udaykor commented Nov 22, 2020

Is v0.21.1 free of SSRF?

Collaborator

@chinesedfan chinesedfan left a comment

@timemachine3030 Shared some suggestions with you. Thanks for your quick fix.

3 review comments on lib/adapters/http.js (outdated, resolved)
@jasonsaayman jasonsaayman merged commit c7329fe into axios:master Nov 24, 2020
1 check passed
continuous-integration/travis-ci/pr The Travis CI build passed
@ArSn

@ArSn ArSn commented Nov 24, 2020

@timemachine3030 Can you say if this only affected 0.21.0 or prior versions as well?

@timemachine3030
Contributor Author

@timemachine3030 timemachine3030 commented Nov 24, 2020

@ArSn Versions since 0.19.0, when proxy forwarding was added.

The vulnerability is exclusive to Node.js applications making requests through proxy servers.
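
The mechanism behind the PR description and the scoping above, as an added example that is not axios's or follow-redirects' own code: a forward proxy is applied to Node request options by pointing the connection at the proxy and putting the absolute target URL in the request path; a redirect-following client then rebuilds the options from the Location header and copies the rest, which silently drops the proxy and connects to the redirect target directly. A beforeRedirect-style hook receives the rebuilt options and re-applies the proxy. The function names (applyProxy, buildRequest, followRedirect, simulate), the proxy host proxy.corp.example, and the redirect to a link-local metadata address are all constructed for the illustration; followRedirect only models the options rebuild, it does no network I/O.

```javascript
// Added example (not axios or follow-redirects code). Models proxy-aware
// request options and what a redirect does to them, with and without a
// beforeRedirect hook. Everything here is constructed; nothing touches the network.

// Point the request at the forward proxy: TCP goes to the proxy, the request
// line carries the absolute target URL, and the Host header names the target.
function applyProxy(options, proxy, absoluteUrl) {
  const target = new URL(absoluteUrl);
  options.headers = Object.assign({}, options.headers, { host: target.host });
  options.hostname = proxy.host;
  options.host = proxy.host;
  options.port = proxy.port;
  options.path = absoluteUrl;
  return options;
}

function defaultPort(url) {
  return Number(url.port) || (url.protocol === 'https:' ? 443 : 80);
}

// Initial request options for targetUrl. With proxyRedirects=true a hook in the
// style of follow-redirects' beforeRedirect(options) is installed; it is called
// with the rebuilt options for each redirect and may mutate them in place.
function buildRequest(targetUrl, proxy, { proxyRedirects }) {
  const target = new URL(targetUrl);
  const options = {
    protocol: target.protocol,
    hostname: target.hostname,
    host: target.host,
    port: defaultPort(target),
    path: target.pathname + target.search,
    headers: { host: target.host },
  };
  if (!proxy) return options;
  applyProxy(options, proxy, targetUrl);
  if (proxyRedirects) {
    options.beforeRedirect = function (redirection) {
      // redirection.href is the absolute resolved Location; route it via the proxy.
      applyProxy(redirection, proxy, redirection.href);
    };
  }
  return options;
}

// Simulates how a redirect-following client rebuilds options from a 3xx
// Location header: URL parts come from the resolved Location, everything else
// (including any hook) is copied from the previous options.
function followRedirect(options, currentUrl, location) {
  const next = new URL(location, currentUrl);
  const redirection = Object.assign({}, options, {
    protocol: next.protocol,
    hostname: next.hostname,
    host: next.host,
    port: defaultPort(next),
    path: next.pathname + next.search,
    href: next.href,
    headers: Object.assign({}, options.headers, { host: next.host }),
  });
  if (typeof options.beforeRedirect === 'function') {
    options.beforeRedirect(redirection);
  }
  return redirection;
}

// Constructed scenario: an app calls an external API through an egress proxy,
// and the API answers with a redirect to a host on the internal network.
const PROXY = { host: 'proxy.corp.example', port: 3128 };
const TARGET = 'https://api.example.com/resource';
const INTERNAL_LOCATION = 'http://169.254.169.254/latest/meta-data/';

function simulate(proxyRedirects) {
  const first = buildRequest(TARGET, PROXY, { proxyRedirects });
  const second = followRedirect(first, TARGET, INTERNAL_LOCATION);
  return { first, second };
}

function main() {
  const before = simulate(false);
  console.log('no hook: redirect connects to', before.second.hostname, before.second.port);
  const after = simulate(true);
  console.log('with hook: redirect connects to', after.second.hostname, after.second.port,
    'for', after.second.path);
}
main();
```

Without the hook the second request connects to 169.254.169.254 directly, which is the proxy bypass the PR closes; with the hook it connects to proxy.corp.example with the internal URL in the request line, so the proxy's egress policy still applies. The hook only keeps redirects on the proxy; it does not itself decide which destinations are acceptable, so blocking internal ranges remains the proxy's (or the application's) job.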

@ArSn

@ArSn ArSn commented Nov 24, 2020

Yeah I caught that, thanks!

@dobriai

@dobriai dobriai commented Dec 3, 2020

Sorry if this is not the right place to ask, but when is the fixed code going to be packaged and published on the NPM repo, so we can actually make use of it? When is the next npm version supposed to come out?

@twistedpair

@twistedpair twistedpair commented Dec 10, 2020

Any update on when the 0.21.1 tag will be cut, @jasonsaayman? We're still waiting on this fix. Thanks!

@kobe0730

@kobe0730 kobe0730 commented Dec 14, 2020

@jasonsaayman When will the 0.21.1 tag be released? Thanks

@jasonsaayman
Collaborator

@jasonsaayman jasonsaayman commented Dec 14, 2020

@twistedpair, @kobe0730 I have asked Emily to get to this release so it is with her now, I will ask her if she will get to it this week and revert back. Thanks for your patience.

@kobe0730

@kobe0730 kobe0730 commented Dec 15, 2020

> @twistedpair, @kobe0730 I have asked Emily to get to this release so it is with her now, I will ask her if she will get to it this week and revert back. Thanks for your patience.

Thanks

@martywins

@martywins martywins commented Dec 21, 2020

@jasonsaayman @emilyemorehouse Sorry to ping but any updates on when we can expect v0.21.1 will be released? Given the CVSS score on this I'm about to breach security SLOs (and judging by the interest from others I am not the only one). Thanks!

@benjoz

@benjoz benjoz commented Dec 21, 2020

Hello, same issue with my company. Could we please release soon? It will be a nice Christmas gift 🙏
Thanks !

rcarmo added a commit to rcarmo/node-red-admin that referenced this pull request Dec 22, 2020
@lhtin

@lhtin lhtin commented Jan 8, 2021

I have made hotfix/0.19.3 and hotfix/0.20.1 branches on my forked repo. Can you @jasonsaayman help me to create the two branches on the origin repo, so I can open up the pull requests?

aaron97neu added a commit to oats-center/isoblue-avena that referenced this pull request Jan 11, 2021
Fixes new axios security issue axios/axios#3410.
Updates to client should also fix this: OADA/client#5
wilt00 added a commit to wilt00/expo-cli that referenced this pull request Jan 17, 2021
Updates axios and analytics-node to prevent SSRF vulnerability described
here: axios/axios#3410
ivankhm added a commit to ivankhm/mailchimp-transactional-node that referenced this pull request Jan 18, 2021
Updated Axios dependency to ^0.21.1, to avoid security issue, more details: axios/axios#3410
aaron97neu added a commit to oats-center/isoblue-avena that referenced this pull request Jan 19, 2021
Fixes new axios security issue axios/axios#3410.
Updates to client should also fix this: OADA/client#5
EvanBacon pushed a commit to expo/expo-cli that referenced this pull request Jan 27, 2021
Updates axios and analytics-node to prevent SSRF vulnerability described
here: axios/axios#3410
necenzurat added a commit to necenzurat/vapor-cli that referenced this pull request Jan 31, 2021
When i deploy to staging it all works perfectly, but to prod i get this:
```
==> Running Command: npm ci && npm run prod && rm -rf node_modules
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated fsevents@1.2.13: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
npm WARN deprecated chokidar@2.1.8: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
npm WARN deprecated axios@0.18.1: Critical security vulnerability fixed in v0.21.1. For more information, see axios/axios#3410
npm WARN deprecated popper.js@1.16.1: You can find the new Popper v2 at @popperjs/core, this package is dedicated to the legacy v1

added 1115 packages, and audited 1550 packages in 19s

48 packages are looking for funding
  run `npm fund` for details

7 vulnerabilities (3 low, 4 high)

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.
npm ERR! missing script: prod

npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/necenzurat/.npm/_logs/2021-01-31T14_34_54_314Z-debug.log

In Process.php line 267:

  The command "npm ci && npm run prod && rm -rf node_modules" failed.

  Exit Code: 1(General error)

  Working directory: /Users/necenzurat/Apps/webkit.ro/.vapor/build/app

  Output:
  ================

  added 1115 packages, and audited 1550 packages in 19s

  48 packages are looking for funding
    run `npm fund` for details

  7 vulnerabilities (3 low, 4 high)

  To address all issues (including breaking changes), run:
    npm audit fix --force

  Run `npm audit` for details.


  Error Output:
  ================
  npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
  npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
  npm WARN deprecated fsevents@1.2.13: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
  npm WARN deprecated chokidar@2.1.8: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
  npm WARN deprecated axios@0.18.1: Critical security vulnerability fixed in v0.21.1. For more information, see axios/axios#3410
  npm WARN deprecated popper.js@1.16.1: You can find the new Popper v2 at @popperjs/core, this package is dedicated to the legacy v1
  npm ERR! missing script: prod

  npm ERR! A complete log of this run can be found in:
  npm ERR!     /Users/necenzurat/.npm/_logs/2021-01-31T14_34_54_314Z-debug.log
```

It seems that somewhere `npm run prod` vanishes. It's the only fix I could find.
Projects: v0.21.1 (Awaiting triage)