node-fetch - npm Package Compare versions

Comparing version 2.6.1 to 2.6.7

lib/index.es.js

@@ -6,2 +6,3 @@ process.emitWarning("The .es.js file is deprecated. Use .mjs instead.");
 import Url from 'url';
+import whatwgUrl from 'whatwg-url';
 import https from 'https';
@@ -1141,2 +1142,3 @@ import zlib from 'zlib';
 const INTERNALS$2 = Symbol('Request internals');
+const URL = Url.URL || whatwgUrl.URL;
 
@@ -1147,2 +1149,22 @@ // fix an issue where "format", "parse" aren't a named export for node <10
 
+/**
+ * Wrapper around `new URL` to handle arbitrary URLs
+ *
+ * @param  {string} urlStr
+ * @return {void}
+ */
+function parseURL(urlStr) {
+	/*
+ 	Check whether the URL is absolute or not
+ 		Scheme: https://tools.ietf.org/html/rfc3986#section-3.1
+ 	Absolute URL: https://tools.ietf.org/html/rfc3986#section-4.3
+ */
+	if (/^[a-zA-Z][a-zA-Z\d+\-.]*:/.exec(urlStr)) {
+		urlStr = new URL(urlStr).toString();
+	}
+
+	// Fallback to old implementation for arbitrary URLs
+	return parse_url(urlStr);
+}
+
 const streamDestructionSupported = 'destroy' in Stream.Readable.prototype;
@@ -1184,10 +1206,10 @@
 				// `href` property anyway)
-				parsedURL = parse_url(input.href);
+				parsedURL = parseURL(input.href);
 			} else {
 				// coerce input to a string before attempting to parse
-				parsedURL = parse_url(`${input}`);
+				parsedURL = parseURL(`${input}`);
 			}
 			input = {};
 		} else {
-			parsedURL = parse_url(input.url);
+			parsedURL = parseURL(input.url);
 		}
@@ -1386,6 +1408,14 @@
 
+const URL$1 = Url.URL || whatwgUrl.URL;
+
 // fix an issue where "PassThrough", "resolve" aren't a named export for node <10
 const PassThrough$1 = Stream.PassThrough;
-const resolve_url = Url.resolve;
 
+const isDomainOrSubdomain = function isDomainOrSubdomain(destination, original) {
+	const orig = new URL$1(original).hostname;
+	const dest = new URL$1(destination).hostname;
+
+	return orig === dest || orig[orig.length - dest.length - 1] === '.' && orig.endsWith(dest);
+};
+
 /**
@@ -1477,3 +1507,15 @@ * Fetch function
 				// HTTP fetch step 5.3
-				const locationURL = location === null ? null : resolve_url(request.url, location);
+				let locationURL = null;
+				try {
+					locationURL = location === null ? null : new URL$1(location, request.url).toString();
+				} catch (err) {
+					// error here can only be invalid URL in Location: header
+					// do not throw when options.redirect == manual
+					// let the user extract the errorneous redirect URL
+					if (request.redirect !== 'manual') {
+						reject(new FetchError(`uri requested responds with an invalid redirect URL: ${location}`, 'invalid-redirect'));
+						finalize();
+						return;
+					}
+				}
 
@@ -1526,2 +1568,8 @@ // HTTP fetch step 5.5
 
+						if (!isDomainOrSubdomain(request.url, locationURL)) {
+							for (const name of ['authorization', 'www-authenticate', 'cookie', 'cookie2']) {
+								requestOpts.headers.delete(name);
+							}
+						}
+
 						// HTTP-redirect fetch step 9
@@ -1528,0 +1576,0 @@ if (res.statusCode !== 303 && request.body && getTotalBytes(request) === null) {

lib/index.js

@@ -10,2 +10,3 @@ 'use strict';
 var Url = _interopDefault(require('url'));
+var whatwgUrl = _interopDefault(require('whatwg-url'));
 var https = _interopDefault(require('https'));
@@ -1145,2 +1146,3 @@ var zlib = _interopDefault(require('zlib'));
 const INTERNALS$2 = Symbol('Request internals');
+const URL = Url.URL || whatwgUrl.URL;
 
@@ -1151,2 +1153,22 @@ // fix an issue where "format", "parse" aren't a named export for node <10
 
+/**
+ * Wrapper around `new URL` to handle arbitrary URLs
+ *
+ * @param  {string} urlStr
+ * @return {void}
+ */
+function parseURL(urlStr) {
+	/*
+ 	Check whether the URL is absolute or not
+ 		Scheme: https://tools.ietf.org/html/rfc3986#section-3.1
+ 	Absolute URL: https://tools.ietf.org/html/rfc3986#section-4.3
+ */
+	if (/^[a-zA-Z][a-zA-Z\d+\-.]*:/.exec(urlStr)) {
+		urlStr = new URL(urlStr).toString();
+	}
+
+	// Fallback to old implementation for arbitrary URLs
+	return parse_url(urlStr);
+}
+
 const streamDestructionSupported = 'destroy' in Stream.Readable.prototype;
@@ -1188,10 +1210,10 @@
 				// `href` property anyway)
-				parsedURL = parse_url(input.href);
+				parsedURL = parseURL(input.href);
 			} else {
 				// coerce input to a string before attempting to parse
-				parsedURL = parse_url(`${input}`);
+				parsedURL = parseURL(`${input}`);
 			}
 			input = {};
 		} else {
-			parsedURL = parse_url(input.url);
+			parsedURL = parseURL(input.url);
 		}
@@ -1390,6 +1412,14 @@
 
+const URL$1 = Url.URL || whatwgUrl.URL;
+
 // fix an issue where "PassThrough", "resolve" aren't a named export for node <10
 const PassThrough$1 = Stream.PassThrough;
-const resolve_url = Url.resolve;
 
+const isDomainOrSubdomain = function isDomainOrSubdomain(destination, original) {
+	const orig = new URL$1(original).hostname;
+	const dest = new URL$1(destination).hostname;
+
+	return orig === dest || orig[orig.length - dest.length - 1] === '.' && orig.endsWith(dest);
+};
+
 /**
@@ -1481,3 +1511,15 @@ * Fetch function
 				// HTTP fetch step 5.3
-				const locationURL = location === null ? null : resolve_url(request.url, location);
+				let locationURL = null;
+				try {
+					locationURL = location === null ? null : new URL$1(location, request.url).toString();
+				} catch (err) {
+					// error here can only be invalid URL in Location: header
+					// do not throw when options.redirect == manual
+					// let the user extract the errorneous redirect URL
+					if (request.redirect !== 'manual') {
+						reject(new FetchError(`uri requested responds with an invalid redirect URL: ${location}`, 'invalid-redirect'));
+						finalize();
+						return;
+					}
+				}
 
@@ -1530,2 +1572,8 @@ // HTTP fetch step 5.5
 
+						if (!isDomainOrSubdomain(request.url, locationURL)) {
+							for (const name of ['authorization', 'www-authenticate', 'cookie', 'cookie2']) {
+								requestOpts.headers.delete(name);
+							}
+						}
+
 						// HTTP-redirect fetch step 9
@@ -1532,0 +1580,0 @@ if (res.statusCode !== 303 && request.body && getTotalBytes(request) === null) {

package.json

 {
     "name": "node-fetch",
-    "version": "2.6.1",
+    "version": "2.6.7",
     "description": "A light-weight module that brings window.fetch to node.js",
-    "main": "lib/index",
+    "main": "lib/index.js",
     "browser": "./browser.js",
@@ -39,2 +39,13 @@ "module": "lib/index.mjs",
     "homepage": "https://github.com/bitinn/node-fetch",
+    "dependencies": {
+        "whatwg-url": "^5.0.0"
+    },
+    "peerDependencies": { 
+        "encoding": "^0.1.0"
+    },
+    "peerDependenciesMeta": {
+        "encoding": {
+            "optional": true
+        }
+    },
     "devDependencies": {
@@ -52,3 +63,3 @@ "@ungap/url-search-params": "^0.1.2",
         "chai-string": "~1.3.0",
-        "codecov": "^3.3.0",
+        "codecov": "3.3.0",
         "cross-env": "^5.2.0",
@@ -65,5 +76,4 @@ "form-data": "^2.3.3",
         "string-to-arraybuffer": "^1.0.2",
-        "whatwg-url": "^5.0.0"
-    },
-    "dependencies": {}
+        "teeny-request": "3.7.0"
+    }
 }

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Lines of code

4396

increased by2.95%

Worsened metrics

Total package byte prevSize

152240

decreased by-3.5%

Dependency count

2

increased byInfinity%

Number of package files

7

decreased by-12.5%

Dependency changes

• + Addedwhatwg-url@^5.0.0

• + Addedencoding@0.1.13(transitive)

• + Addediconv-lite@0.6.3(transitive)

• + Addedsafer-buffer@2.1.2(transitive)

• + Addedtr46@0.0.3(transitive)

• + Addedwebidl-conversions@3.0.1(transitive)

• + Addedwhatwg-url@5.0.0(transitive)