--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: bookworm-pu: package node-axios/1.2.1+dfsg-1+deb12u2
- From: Yadd <yadd@debian.org>
- Date: Thu, 30 Jan 2025 18:55:08 +0100
- Message-id: <173825970856.640039.9895601580246369284.reportbug@debian117>
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: node-axios@packages.debian.org
Control: affects -1 + src:node-axios
User: release.debian.org@packages.debian.org
Usertags: pu
[ Reason ]
In axios before 1.7.8, lib/helpers/isURLSameOrigin.js does not use a
URL object when determining an origin, and has a potentially
unwanted setAttribute('href',href) call.
[ Impact ]
Potential security issue
[ Tests ]
No regression, autopkgtest passed
[ Risks ]
Low risk, it replace a specific library by the node URL API
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Replace a specific library by the node URL API
Cheers,
Xavier
diff --git a/debian/changelog b/debian/changelog
index ad1d642..5c966ce 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-axios (1.2.1+dfsg-1+deb12u2) bookworm; urgency=medium
+
+ * Team upload
+ * Fix potential vulnerability in URL when determining an origin
+ (Closes: #1094731, CVE-2024-57965)
+
+ -- Yadd <yadd@debian.org> Thu, 30 Jan 2025 18:52:13 +0100
+
node-axios (1.2.1+dfsg-1+deb12u1) bookworm; urgency=medium
* Team upload
diff --git a/debian/patches/CVE-2024-57965.patch b/debian/patches/CVE-2024-57965.patch
new file mode 100644
index 0000000..a1d9478
--- /dev/null
+++ b/debian/patches/CVE-2024-57965.patch
@@ -0,0 +1,91 @@
+Description: use URL API instead of DOM to fix a potential vulnerability warning
+Author: Dmitriy Mozgovoy <robotshara@gmail.com>
+Origin: upstream, https://github.com/axios/axios/commit/0a8d6e19
+Bug: https://github.com/axios/axios/issues/6714
+Bug-Debian: https://bugs.debian.org/1094731
+Forwarded: not-needed
+Applied-Upstream: 1.7.8, commit:0a8d6e19
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2025-01-30
+
+--- a/lib/helpers/isURLSameOrigin.js
++++ b/lib/helpers/isURLSameOrigin.js
+@@ -1,67 +1,16 @@
+ 'use strict';
+
+-import utils from './../utils.js';
+ import platform from '../platform/index.js';
+
+-export default platform.isStandardBrowserEnv ?
++export default platform.hasStandardBrowserEnv ? ((origin, isMSIE) => (url) => {
++ url = new URL(url, platform.origin);
+
+-// Standard browser envs have full support of the APIs needed to test
+-// whether the request URL is of the same origin as current location.
+- (function standardBrowserEnv() {
+- const msie = /(msie|trident)/i.test(navigator.userAgent);
+- const urlParsingNode = document.createElement('a');
+- let originURL;
+-
+- /**
+- * Parse a URL to discover it's components
+- *
+- * @param {String} url The URL to be parsed
+- * @returns {Object}
+- */
+- function resolveURL(url) {
+- let href = url;
+-
+- if (msie) {
+- // IE needs attribute set twice to normalize properties
+- urlParsingNode.setAttribute('href', href);
+- href = urlParsingNode.href;
+- }
+-
+- urlParsingNode.setAttribute('href', href);
+-
+- // urlParsingNode provides the UrlUtils interface - http://url.spec.whatwg.org/#urlutils
+- return {
+- href: urlParsingNode.href,
+- protocol: urlParsingNode.protocol ? urlParsingNode.protocol.replace(/:$/, '') : '',
+- host: urlParsingNode.host,
+- search: urlParsingNode.search ? urlParsingNode.search.replace(/^\?/, '') : '',
+- hash: urlParsingNode.hash ? urlParsingNode.hash.replace(/^#/, '') : '',
+- hostname: urlParsingNode.hostname,
+- port: urlParsingNode.port,
+- pathname: (urlParsingNode.pathname.charAt(0) === '/') ?
+- urlParsingNode.pathname :
+- '/' + urlParsingNode.pathname
+- };
+- }
+-
+- originURL = resolveURL(window.location.href);
+-
+- /**
+- * Determine if a URL shares the same origin as the current location
+- *
+- * @param {String} requestURL The URL to test
+- * @returns {boolean} True if URL shares the same origin, otherwise false
+- */
+- return function isURLSameOrigin(requestURL) {
+- const parsed = (utils.isString(requestURL)) ? resolveURL(requestURL) : requestURL;
+- return (parsed.protocol === originURL.protocol &&
+- parsed.host === originURL.host);
+- };
+- })() :
+-
+- // Non standard browser envs (web workers, react-native) lack needed support.
+- (function nonStandardBrowserEnv() {
+- return function isURLSameOrigin() {
+- return true;
+- };
+- })();
++ return (
++ origin.protocol === url.protocol &&
++ origin.host === url.host &&
++ (isMSIE || origin.port === url.port)
++ );
++})(
++ new URL(platform.origin),
++ platform.navigator && /(msie|trident)/i.test(platform.navigator.userAgent)
++) : () => true;
diff --git a/debian/patches/series b/debian/patches/series
index e4a77c6..120eb8d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,4 @@ update-test-for-formidable-3.patch
update-rollup-plugins.patch
reproducible.patch
CVE-2023-45857.patch
+CVE-2024-57965.patch
--- End Message ---