
Bug#1094751: marked as done (bookworm-pu: package node-axios/1.2.1+dfsg-1+deb12u2)



Your message dated Sat, 15 Mar 2025 09:44:44 +0000
with message-id <E1ttO4S-005KlD-IZ@coccia.debian.org>
and subject line Close 1094751
has caused the Debian Bug report #1094751,
regarding bookworm-pu: package node-axios/1.2.1+dfsg-1+deb12u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1094751: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1094751
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: node-axios@packages.debian.org
Control: affects -1 + src:node-axios
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
In axios before 1.7.8, lib/helpers/isURLSameOrigin.js does not use a
URL object when determining an origin, and has a potentially
unwanted setAttribute('href',href) call.

[ Impact ]
Potential security issue, tracked as CVE-2024-57965 (Debian bug #1094731, referenced in the changelog entry below).

[ Tests ]
No regression observed; autopkgtest passed.

[ Risks ]
Low risk: the patch replaces the DOM-based (`<a>` element) URL parsing in lib/helpers/isURLSameOrigin.js with the standard URL API.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Replace the DOM `<a>`-element URL parsing in lib/helpers/isURLSameOrigin.js with the standard URL API (backport of upstream commit 0a8d6e19, released in axios 1.7.8).

Cheers,
Xavier
diff --git a/debian/changelog b/debian/changelog
index ad1d642..5c966ce 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-axios (1.2.1+dfsg-1+deb12u2) bookworm; urgency=medium
+
+  * Team upload
+  * Fix potential vulnerability in URL when determining an origin
+    (Closes: #1094731, CVE-2024-57965)
+
+ -- Yadd <yadd@debian.org>  Thu, 30 Jan 2025 18:52:13 +0100
+
 node-axios (1.2.1+dfsg-1+deb12u1) bookworm; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2024-57965.patch b/debian/patches/CVE-2024-57965.patch
new file mode 100644
index 0000000..a1d9478
--- /dev/null
+++ b/debian/patches/CVE-2024-57965.patch
@@ -0,0 +1,91 @@
+Description: use URL API instead of DOM to fix a potential vulnerability warning
+Author: Dmitriy Mozgovoy <robotshara@gmail.com>
+Origin: upstream, https://github.com/axios/axios/commit/0a8d6e19
+Bug: https://github.com/axios/axios/issues/6714
+Bug-Debian: https://bugs.debian.org/1094731
+Forwarded: not-needed
+Applied-Upstream: 1.7.8, commit:0a8d6e19
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2025-01-30
+
+--- a/lib/helpers/isURLSameOrigin.js
++++ b/lib/helpers/isURLSameOrigin.js
+@@ -1,67 +1,16 @@
+ 'use strict';
+ 
+-import utils from './../utils.js';
+ import platform from '../platform/index.js';
+ 
+-export default platform.isStandardBrowserEnv ?
++export default platform.hasStandardBrowserEnv ? ((origin, isMSIE) => (url) => {
++  url = new URL(url, platform.origin);
+ 
+-// Standard browser envs have full support of the APIs needed to test
+-// whether the request URL is of the same origin as current location.
+-  (function standardBrowserEnv() {
+-    const msie = /(msie|trident)/i.test(navigator.userAgent);
+-    const urlParsingNode = document.createElement('a');
+-    let originURL;
+-
+-    /**
+-    * Parse a URL to discover it's components
+-    *
+-    * @param {String} url The URL to be parsed
+-    * @returns {Object}
+-    */
+-    function resolveURL(url) {
+-      let href = url;
+-
+-      if (msie) {
+-        // IE needs attribute set twice to normalize properties
+-        urlParsingNode.setAttribute('href', href);
+-        href = urlParsingNode.href;
+-      }
+-
+-      urlParsingNode.setAttribute('href', href);
+-
+-      // urlParsingNode provides the UrlUtils interface - http://url.spec.whatwg.org/#urlutils
+-      return {
+-        href: urlParsingNode.href,
+-        protocol: urlParsingNode.protocol ? urlParsingNode.protocol.replace(/:$/, '') : '',
+-        host: urlParsingNode.host,
+-        search: urlParsingNode.search ? urlParsingNode.search.replace(/^\?/, '') : '',
+-        hash: urlParsingNode.hash ? urlParsingNode.hash.replace(/^#/, '') : '',
+-        hostname: urlParsingNode.hostname,
+-        port: urlParsingNode.port,
+-        pathname: (urlParsingNode.pathname.charAt(0) === '/') ?
+-          urlParsingNode.pathname :
+-          '/' + urlParsingNode.pathname
+-      };
+-    }
+-
+-    originURL = resolveURL(window.location.href);
+-
+-    /**
+-    * Determine if a URL shares the same origin as the current location
+-    *
+-    * @param {String} requestURL The URL to test
+-    * @returns {boolean} True if URL shares the same origin, otherwise false
+-    */
+-    return function isURLSameOrigin(requestURL) {
+-      const parsed = (utils.isString(requestURL)) ? resolveURL(requestURL) : requestURL;
+-      return (parsed.protocol === originURL.protocol &&
+-          parsed.host === originURL.host);
+-    };
+-  })() :
+-
+-  // Non standard browser envs (web workers, react-native) lack needed support.
+-  (function nonStandardBrowserEnv() {
+-    return function isURLSameOrigin() {
+-      return true;
+-    };
+-  })();
++  return (
++    origin.protocol === url.protocol &&
++    origin.host === url.host &&
++    (isMSIE || origin.port === url.port)
++  );
++})(
++  new URL(platform.origin),
++  platform.navigator && /(msie|trident)/i.test(platform.navigator.userAgent)
++) : () => true;
diff --git a/debian/patches/series b/debian/patches/series
index e4a77c6..120eb8d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,4 @@ update-test-for-formidable-3.patch
 update-rollup-plugins.patch
 reproducible.patch
 CVE-2023-45857.patch
+CVE-2024-57965.patch

--- End Message ---
--- Begin Message ---
Version: 12.10
This update has been released as part of 12.10. Thank you for your contribution.

--- End Message ---
