This repository has been archived by the owner on Jun 29, 2023. It is now read-only.

global axios.interceptors is vulnerable #3

Closed
Skn0tt opened this issue Mar 6, 2023 · 2 comments · Fixed by #4

Comments

Contributor

Skn0tt commented Mar 6, 2023

Hi there! I'm a big fan of what the Digital Service is doing, and was browsing through the code out of interest.

In `axios.interceptors.request.use(config => {`, and I think in some other places as well, you're using `axios.interceptors.request.use` from the global axios import. This injects your API Key into the global axios namespace, and it'll also be added onto other axios requests. This includes requests that are made inside other packages that also use axios, and could result in API Keys being sent to endpoints that they shouldn't be sent to. It also breaks if a package consuming the SDK is also using the global interceptors.

To fix it, I'd recommend using an Axios instance. It achieves exactly what you're looking for, and doesn't suffer from the same global-namespace problem.
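
The check below is an added example, not part of the original issue or the SDK's code: it scans source text for request/response interceptors registered on the shared axios import, the pattern reported above, and ignores interceptors attached to instances from `axios.create()`. The file names, `apiKey`, `baseURL` and the `x-api-key` header in the sample sources are constructed.

```javascript
// Added example: find interceptors registered on the shared axios import.
// Sample sources are constructed; apiKey, baseURL and the header are made up.
// Local names bound to the axios module itself (import or require).
function axiosImportNames(source) {
  const patterns = [
    /import\s+([A-Za-z_$][\w$]*)\s*(?:,\s*\{[^}]*\})?\s*from\s*['"]axios['"]/g,
    /import\s+\*\s+as\s+([A-Za-z_$][\w$]*)\s+from\s*['"]axios['"]/g,
    /(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=\s*require\(\s*['"]axios['"]\s*\)/g,
  ];
  const names = new Set();
  for (const re of patterns) {
    for (const m of source.matchAll(re)) names.add(m[1]);
  }
  return names;
}

// Findings for every <axios import>.interceptors.<request|response>.use( call.
function findGlobalInterceptors(files) {
  const call = /(?<![\w$.])([A-Za-z_$][\w$]*)\.interceptors\.(request|response)\.use\s*\(/;
  const findings = [];
  for (const [file, source] of Object.entries(files)) {
    const names = axiosImportNames(source);
    source.split('\n').forEach((text, i) => {
      const m = call.exec(text);
      if (m && names.has(m[1])) {
        findings.push({ file, line: i + 1, kind: m[2], text: text.trim() });
      }
    });
  }
  return findings;
}

const sampleFiles = {
  'global-client.ts': `import axios from 'axios';
axios.interceptors.request.use(config => {
  config.headers['x-api-key'] = apiKey;
  return config;
});`,
  'instance-client.ts': `import axios from 'axios';
const client = axios.create({ baseURL });
client.interceptors.request.use(config => {
  config.headers['x-api-key'] = apiKey;
  return config;
});`,
};

for (const f of findGlobalInterceptors(sampleFiles)) {
  console.log(`${f.file}:${f.line}: global ${f.kind} interceptor: ${f.text}`);
}
```

The match is textual, so it does not follow re-exports or an axios import that is reassigned to another variable; treat a clean result as a first pass, not proof.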

Contributor

mpanne commented Mar 6, 2023

Hi @Skn0tt, thank you for your interest in the project and for pointing out this issue. We will look into it and take care!
Feel free to create a PR, though, if you feel the urge. 😉

Contributor Author

Skn0tt commented Mar 6, 2023

Absolutely! Opened #4 :)

@mpanne mpanne closed this as completed in #4 Mar 6, 2023