From d388fe26052a6042310d96964f15f00c56791161 Mon Sep 17 00:00:00 2001 From: Alex Date: Thu, 8 Dec 2022 20:15:30 +0200 Subject: [PATCH 01/16] build: harden ci.yml permissions Signed-off-by: Alex --- .github/workflows/ci.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d96193a..a98ae20 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -8,6 +8,9 @@ on: branches: - main +permissions: + contents: read + jobs: test: runs-on: ubuntu-latest From 9c728c314b06f9595dcd7f245d40731e8a27d79f Mon Sep 17 00:00:00 2001 From: Ruben Verborgh Date: Tue, 19 Sep 2023 20:09:00 +0200 Subject: [PATCH 02/16] Split linting and testing. --- .github/workflows/ci.yml | 18 ++++++++++++++---- package.json | 3 +-- 2 files changed, 15 insertions(+), 6 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a98ae20..ba238c3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -12,6 +12,16 @@ permissions: contents: read jobs: + lint: + runs-on: ubuntu-latest + steps: + - uses: actions/setup-node@v3 + with: + node-version: '18.0' + - uses: actions/checkout@v4 + - run: npm ci + - run: npm run lint + test: runs-on: ubuntu-latest strategy: @@ -43,17 +53,17 @@ jobs: - '18.x' steps: - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v2 + uses: actions/setup-node@v3 with: node-version: ${{ matrix.node-version }} - - uses: actions/checkout@v2 + - uses: actions/checkout@v4 - run: npm install - if: ${{ matrix.node-version == '4.x' }} - run: npm install mocha@5.0.0 eslint@4.19.1 esquery@1.0.0 nyc@11.8.0 + run: npm install mocha@5.0.0 nyc@11.8.0 - run: npm test - run: node_modules/.bin/nyc --reporter=text-lcov node_modules/.bin/mocha | tee lcov.info - uses: coverallsapp/github-action@master - if: ${{ matrix.node-version == '16.0' }} + if: ${{ matrix.node-version == '18.0' }} with: github-token: ${{ secrets.github_token }} flag-name: run-${{ matrix.node-version }} diff --git a/package.json b/package.json index 97717c5..fe8c63e 100644 --- a/package.json +++ b/package.json @@ -11,9 +11,8 @@ "node": ">=4.0" }, "scripts": { - "test": "npm run lint && npm run mocha", "lint": "eslint *.js test", - "mocha": "nyc mocha" + "test": "nyc mocha" }, "repository": { "type": "git", From bd8c81e4f32d12f28a35d265f88b1716703687c6 Mon Sep 17 00:00:00 2001 From: DigitalBrainJS Date: Tue, 19 Sep 2023 16:43:41 +0300 Subject: [PATCH 03/16] Fix resource leak on destroy. --- index.js | 20 ++++++++++++++++---- test/test.js | 16 ++++++++-------- 2 files changed, 24 insertions(+), 12 deletions(-) diff --git a/index.js b/index.js index 3e199c1..057c6b1 100644 --- a/index.js +++ b/index.js @@ -38,6 +38,9 @@ var WriteAfterEndError = createErrorType( "write after end" ); +// istanbul ignore next +var destroy = Writable.prototype.destroy || noop; + // An HTTP(S) request that can be redirected function RedirectableRequest(options, responseCallback) { // Initialize the request @@ -68,10 +71,17 @@ function RedirectableRequest(options, responseCallback) { RedirectableRequest.prototype = Object.create(Writable.prototype); RedirectableRequest.prototype.abort = function () { - abortRequest(this._currentRequest); + destroyRequest(this._currentRequest); + this._currentRequest.abort(); this.emit("abort"); }; +RedirectableRequest.prototype.destroy = function (error) { + destroyRequest(this._currentRequest, error); + destroy.call(this, error); + return this; +}; + // Writes buffered data to the current native request RedirectableRequest.prototype.write = function (data, encoding, callback) { // Writing is not allowed if end has been called @@ -184,6 +194,7 @@ RedirectableRequest.prototype.setTimeout = function (msecs, callback) { self.removeListener("abort", clearTimer); self.removeListener("error", clearTimer); self.removeListener("response", clearTimer); + self.removeListener("close", clearTimer); if (callback) { self.removeListener("timeout", callback); } @@ -210,6 +221,7 @@ RedirectableRequest.prototype.setTimeout = function (msecs, callback) { this.on("abort", clearTimer); this.on("error", clearTimer); this.on("response", clearTimer); + this.on("close", clearTimer); return this; }; @@ -361,7 +373,7 @@ RedirectableRequest.prototype._processResponse = function (response) { } // The response is a redirect, so abort the current request - abortRequest(this._currentRequest); + destroyRequest(this._currentRequest); // Discard the remainder of the response to avoid waiting for data response.destroy(); @@ -590,12 +602,12 @@ function createErrorType(code, message, baseClass) { return CustomError; } -function abortRequest(request) { +function destroyRequest(request, error) { for (var event of events) { request.removeListener(event, eventHandlers[event]); } request.on("error", noop); - request.abort(); + request.destroy(error); } function isSubdomain(subdomain, domain) { diff --git a/test/test.js b/test/test.js index fd839ac..078926d 100644 --- a/test/test.js +++ b/test/test.js @@ -269,7 +269,7 @@ describe("follow-redirects", function () { req._currentRequest.emit("connect", "r", "s", "h"); })) .then(function (args) { - req.abort(); + req.destroy(); assert.equal(args.response, "r"); assert.equal(args.socket, "s"); assert.equal(args.head, "h"); @@ -429,7 +429,7 @@ describe("follow-redirects", function () { req.on("socket", function () { assert(req.socket instanceof net.Socket); req.setTimeout(3000, function () { - req.abort(); + req.destroy(); resolve(); }); }); @@ -466,7 +466,7 @@ describe("follow-redirects", function () { }); req.on("error", reject); req.setTimeout(1000, function () { - req.abort(); + req.destroy(); resolve(); }); })); @@ -485,7 +485,7 @@ describe("follow-redirects", function () { }); req.on("error", reject); req.setTimeout(2000, function () { - req.abort(); + req.destroy(); resolve(); }); })); @@ -505,7 +505,7 @@ describe("follow-redirects", function () { var callbacks = 0; function timeoutCallback() { if (++callbacks === 3) { - req.abort(); + req.destroy(); resolve(callbacks); } } @@ -633,7 +633,7 @@ describe("follow-redirects", function () { var req = http.request("http://localhost:3600/a"); req.setHeader("my-header", "my value"); assert.equal(req.getHeader("my-header"), "my value"); - req.abort(); + req.destroy(); }); it("should provide removeHeader", function () { @@ -976,7 +976,7 @@ describe("follow-redirects", function () { return; } finally { - req.abort(); + req.destroy(); } throw new Error("no error"); }); @@ -1218,7 +1218,7 @@ describe("follow-redirects", function () { catch (e) { error = e; } - req.abort(); + req.destroy(); assert(error instanceof Error); assert(error instanceof TypeError); assert.equal(error.message, "data should be a string, Buffer or Uint8Array"); From 192dbe7ce671ecad813c074bffe3b3f5d3680fee Mon Sep 17 00:00:00 2001 From: Ruben Verborgh Date: Tue, 19 Sep 2023 20:49:27 +0200 Subject: [PATCH 04/16] Release version 1.15.3 of the npm package. --- package-lock.json | 4 ++-- package.json | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/package-lock.json b/package-lock.json index 2888db0..b5fce58 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "follow-redirects", - "version": "1.15.2", + "version": "1.15.3", "lockfileVersion": 2, "requires": true, "packages": { "": { "name": "follow-redirects", - "version": "1.15.2", + "version": "1.15.3", "funding": [ { "type": "individual", diff --git a/package.json b/package.json index fe8c63e..eb90372 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "follow-redirects", - "version": "1.15.2", + "version": "1.15.3", "description": "HTTP and HTTPS modules that follow redirects.", "license": "MIT", "main": "index.js", From bcbb096b32686ecad6cd34235358ed6f2217d4f0 Mon Sep 17 00:00:00 2001 From: Ruben Verborgh Date: Mon, 25 Sep 2023 10:10:10 +0200 Subject: [PATCH 05/16] Do not directly set Error properties. Fixes https://github.com/follow-redirects/follow-redirects/issues/231 --- index.js | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/index.js b/index.js index 057c6b1..0818005 100644 --- a/index.js +++ b/index.js @@ -597,8 +597,16 @@ function createErrorType(code, message, baseClass) { // Attach constructor and set default properties CustomError.prototype = new (baseClass || Error)(); - CustomError.prototype.constructor = CustomError; - CustomError.prototype.name = "Error [" + code + "]"; + Object.defineProperties(CustomError.prototype, { + constructor: { + value: CustomError, + enumerable: false, + }, + name: { + value: "Error [" + code + "]", + enumerable: false, + }, + }); return CustomError; } From 3d42aecdca39b144a0a2f27ea134b4cf67dd796a Mon Sep 17 00:00:00 2001 From: Ruben Verborgh Date: Fri, 29 Dec 2023 11:13:00 +0100 Subject: [PATCH 06/16] Add bracket tests. --- test/test.js | 64 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 64 insertions(+) diff --git a/test/test.js b/test/test.js index 078926d..aa62537 100644 --- a/test/test.js +++ b/test/test.js @@ -177,6 +177,70 @@ describe("follow-redirects", function () { }); }); + it("http.get to IPv4 address", function () { + app.get("/a", redirectsTo("/b")); + app.get("/b", redirectsTo("/c")); + app.get("/c", redirectsTo("/d")); + app.get("/d", redirectsTo("/e")); + app.get("/e", redirectsTo("/f")); + app.get("/f", sendsJson({ a: "b" })); + + return server.start(app) + .then(asPromise(function (resolve, reject) { + http.get("http://127.0.0.1:3600/a", concatJson(resolve, reject)).on("error", reject); + })) + .then(function (res) { + assert.deepEqual(res.parsedJson, { a: "b" }); + assert.deepEqual(res.responseUrl, "http://127.0.0.1:3600/f"); + }); + }); + + it("http.get to IPv6 address", function () { + app.get("/a", redirectsTo("/b")); + app.get("/b", redirectsTo("/c")); + app.get("/c", redirectsTo("/d")); + app.get("/d", redirectsTo("/e")); + app.get("/e", redirectsTo("/f")); + app.get("/f", sendsJson({ a: "b" })); + + return server.start(app) + .then(asPromise(function (resolve, reject) { + http.get("http://[::1]:3600/a", concatJson(resolve, reject)).on("error", reject); + })) + .then(function (res) { + assert.deepEqual(res.parsedJson, { a: "b" }); + assert.deepEqual(res.responseUrl, "http://[::1]:3600/f"); + }); + }); + + it("http.get redirecting to IPv4 address", function () { + app.get("/a", redirectsTo("http://127.0.0.1:3600/b")); + app.get("/b", sendsJson({ a: "b" })); + + return server.start(app) + .then(asPromise(function (resolve, reject) { + http.get("http://localhost:3600/a", concatJson(resolve, reject)).on("error", reject); + })) + .then(function (res) { + assert.deepEqual(res.parsedJson, { a: "b" }); + assert.deepEqual(res.responseUrl, "http://127.0.0.1:3600/b"); + }); + }); + + it("http.get redirecting to IPv6 address", function () { + app.get("/a", redirectsTo("http://[::1]:3600/b")); + app.get("/b", sendsJson({ a: "b" })); + + return server.start(app) + .then(asPromise(function (resolve, reject) { + http.get("http://localhost:3600/a", concatJson(resolve, reject)).on("error", reject); + })) + .then(function (res) { + assert.deepEqual(res.parsedJson, { a: "b" }); + assert.deepEqual(res.responseUrl, "http://[::1]:3600/b"); + }); + }); + it("http.get with response event", function () { app.get("/a", redirectsTo("/b")); app.get("/b", redirectsTo("/c")); From 72bc2a4229bc18dc9fbd57c60579713e6264cb92 Mon Sep 17 00:00:00 2001 From: Ruben Verborgh Date: Sat, 30 Dec 2023 10:32:46 +0100 Subject: [PATCH 07/16] Simplify _processResponse error handling. --- index.js | 41 ++++++++++++++--------------------------- test/test.js | 12 +++++++++--- 2 files changed, 23 insertions(+), 30 deletions(-) diff --git a/index.js b/index.js index 0818005..30fc38c 100644 --- a/index.js +++ b/index.js @@ -27,7 +27,8 @@ var RedirectionError = createErrorType( ); var TooManyRedirectsError = createErrorType( "ERR_FR_TOO_MANY_REDIRECTS", - "Maximum number of redirects exceeded" + "Maximum number of redirects exceeded", + RedirectionError ); var MaxBodyLengthExceededError = createErrorType( "ERR_FR_MAX_BODY_LENGTH_EXCEEDED", @@ -62,7 +63,13 @@ function RedirectableRequest(options, responseCallback) { // React to responses of native requests var self = this; this._onNativeResponse = function (response) { - self._processResponse(response); + try { + self._processResponse(response); + } + catch (cause) { + self.emit("error", cause instanceof RedirectionError ? + cause : new RedirectionError({ cause: cause })); + } }; // Perform the first request @@ -280,8 +287,7 @@ RedirectableRequest.prototype._performRequest = function () { var protocol = this._options.protocol; var nativeProtocol = this._options.nativeProtocols[protocol]; if (!nativeProtocol) { - this.emit("error", new TypeError("Unsupported protocol " + protocol)); - return; + throw new TypeError("Unsupported protocol " + protocol); } // If specified, use the agent corresponding to the protocol @@ -380,8 +386,7 @@ RedirectableRequest.prototype._processResponse = function (response) { // RFC7231ยง6.4: A client SHOULD detect and intervene // in cyclical redirections (i.e., "infinite" redirection loops). if (++this._redirectCount > this._options.maxRedirects) { - this.emit("error", new TooManyRedirectsError()); - return; + throw new TooManyRedirectsError(); } // Store the request headers if applicable @@ -421,14 +426,7 @@ RedirectableRequest.prototype._processResponse = function (response) { url.format(Object.assign(currentUrlParts, { host: currentHost })); // Determine the URL of the redirection - var redirectUrl; - try { - redirectUrl = url.resolve(currentUrl, location); - } - catch (cause) { - this.emit("error", new RedirectionError({ cause: cause })); - return; - } + var redirectUrl = url.resolve(currentUrl, location); // Create the redirected request debug("redirecting to", redirectUrl); @@ -456,23 +454,12 @@ RedirectableRequest.prototype._processResponse = function (response) { method: method, headers: requestHeaders, }; - try { - beforeRedirect(this._options, responseDetails, requestDetails); - } - catch (err) { - this.emit("error", err); - return; - } + beforeRedirect(this._options, responseDetails, requestDetails); this._sanitizeOptions(this._options); } // Perform the redirected request - try { - this._performRequest(); - } - catch (cause) { - this.emit("error", new RedirectionError({ cause: cause })); - } + this._performRequest(); }; // Wraps the key/value object of protocols with redirect functionality diff --git a/test/test.js b/test/test.js index aa62537..6aed484 100644 --- a/test/test.js +++ b/test/test.js @@ -984,8 +984,12 @@ describe("follow-redirects", function () { })) .catch(function (error) { assert(error instanceof Error); - assert(error instanceof TypeError); - assert.equal(error.message, "Unsupported protocol about:"); + assert.equal(error.message, "Redirected request failed: Unsupported protocol about:"); + + var cause = error.cause; + assert(cause instanceof Error); + assert(cause instanceof TypeError); + assert.equal(cause.message, "Unsupported protocol about:"); }); }); }); @@ -2153,7 +2157,9 @@ describe("follow-redirects", function () { .catch(function (error) { assert(!redirected); assert(error instanceof Error); - assert.equal(error.message, "no redirects!"); + assert.equal(error.message, "Redirected request failed: no redirects!"); + assert(error.cause instanceof Error); + assert.equal(error.cause.message, "no redirects!"); }); }); From 1cba8e85fa73f563a439fe460cf028688e4358df Mon Sep 17 00:00:00 2001 From: Ruben Verborgh Date: Sat, 30 Dec 2023 10:43:23 +0100 Subject: [PATCH 08/16] Prefer native URL instead of legacy url.resolve. --- index.js | 17 +++++++++++++---- test/test.js | 19 +------------------ 2 files changed, 14 insertions(+), 22 deletions(-) diff --git a/index.js b/index.js index 30fc38c..67416dc 100644 --- a/index.js +++ b/index.js @@ -6,6 +6,9 @@ var Writable = require("stream").Writable; var assert = require("assert"); var debug = require("./debug"); +// Whether to use the native URL object or the legacy url module +var hasNativeURL = typeof URL !== "undefined"; + // Create handlers that pass events from native requests var events = ["abort", "aborted", "connect", "error", "socket", "timeout"]; var eventHandlers = Object.create(null); @@ -15,12 +18,12 @@ events.forEach(function (event) { }; }); +// Error types with codes var InvalidUrlError = createErrorType( "ERR_INVALID_URL", "Invalid URL", TypeError ); -// Error types with codes var RedirectionError = createErrorType( "ERR_FR_REDIRECTION_FAILURE", "Redirected request failed" @@ -426,7 +429,7 @@ RedirectableRequest.prototype._processResponse = function (response) { url.format(Object.assign(currentUrlParts, { host: currentHost })); // Determine the URL of the redirection - var redirectUrl = url.resolve(currentUrl, location); + var redirectUrl = resolveUrl(location, currentUrl); // Create the redirected request debug("redirecting to", redirectUrl); @@ -494,7 +497,7 @@ function wrap(protocols) { } input = parsed; } - else if (URL && (input instanceof URL)) { + else if (hasNativeURL && (input instanceof URL)) { input = urlToOptions(input); } else { @@ -538,9 +541,15 @@ function wrap(protocols) { return exports; } -/* istanbul ignore next */ function noop() { /* empty */ } +function resolveUrl(relative, base) { + return !hasNativeURL ? + /* istanbul ignore next */ + url.resolve(base, relative) : + (new URL(relative, base)).href; +} + // from https://github.com/nodejs/node/blob/master/lib/internal/url.js function urlToOptions(urlObject) { var options = { diff --git a/test/test.js b/test/test.js index 6aed484..e35c0ad 100644 --- a/test/test.js +++ b/test/test.js @@ -364,7 +364,7 @@ describe("follow-redirects", function () { switch (error.cause.code) { // Node 17+ case "ERR_INVALID_URL": - assert.equal(error.message, "Redirected request failed: Invalid URL"); + assert.match(error.message, /^Redirected request failed: Invalid URL/); break; // Older Node versions case "ERR_UNESCAPED_CHARACTERS": @@ -376,23 +376,6 @@ describe("follow-redirects", function () { }); }); - it("emits an error when url.resolve fails", function () { - app.get("/a", redirectsTo("/b")); - var urlResolve = url.resolve; - url.resolve = function () { - throw new Error(); - }; - - return server.start(app) - .then(asPromise(function (resolve) { - http.get("http://localhost:3600/a").on("error", resolve); - })) - .then(function (error) { - url.resolve = urlResolve; - assert.equal(error.code, "ERR_FR_REDIRECTION_FAILURE"); - }); - }); - it("emits an error when the request fails for another reason", function () { app.get("/a", function (req, res) { res.socket.write("HTTP/1.1 301 Moved Permanently\r\n"); From 05629af696588b90d64e738bc2e809a97a5f92fc Mon Sep 17 00:00:00 2001 From: Ruben Verborgh Date: Sat, 30 Dec 2023 15:37:35 +0100 Subject: [PATCH 09/16] Prefer native URL instead of deprecated url.parse. --- index.js | 82 ++++++++++++++++++++++++++++++---------------------- test/test.js | 2 +- 2 files changed, 49 insertions(+), 35 deletions(-) diff --git a/index.js b/index.js index 67416dc..a1d18a9 100644 --- a/index.js +++ b/index.js @@ -9,6 +9,20 @@ var debug = require("./debug"); // Whether to use the native URL object or the legacy url module var hasNativeURL = typeof URL !== "undefined"; +// URL fields to preserve in copy operations +var preservedUrlFields = [ + "auth", + "host", + "hostname", + "href", + "path", + "pathname", + "port", + "protocol", + "query", + "search", +]; + // Create handlers that pass events from native requests var events = ["abort", "aborted", "connect", "error", "socket", "timeout"]; var eventHandlers = Object.create(null); @@ -423,26 +437,23 @@ RedirectableRequest.prototype._processResponse = function (response) { var currentHostHeader = removeMatchingHeaders(/^host$/i, this._options.headers); // If the redirect is relative, carry over the host of the last request - var currentUrlParts = url.parse(this._currentUrl); + var currentUrlParts = parseUrl(this._currentUrl); var currentHost = currentHostHeader || currentUrlParts.host; var currentUrl = /^\w+:/.test(location) ? this._currentUrl : url.format(Object.assign(currentUrlParts, { host: currentHost })); - // Determine the URL of the redirection - var redirectUrl = resolveUrl(location, currentUrl); - // Create the redirected request - debug("redirecting to", redirectUrl); + var redirectUrl = resolveUrl(location, currentUrl); + debug("redirecting to", redirectUrl.href); this._isRedirect = true; - var redirectUrlParts = url.parse(redirectUrl); - Object.assign(this._options, redirectUrlParts); + spreadUrlObject(redirectUrl, this._options); // Drop confidential headers when redirecting to a less secure protocol // or to a different domain that is not a superdomain - if (redirectUrlParts.protocol !== currentUrlParts.protocol && - redirectUrlParts.protocol !== "https:" || - redirectUrlParts.host !== currentHost && - !isSubdomain(redirectUrlParts.host, currentHost)) { + if (redirectUrl.protocol !== currentUrlParts.protocol && + redirectUrl.protocol !== "https:" || + redirectUrl.host !== currentHost && + !isSubdomain(redirectUrl.host, currentHost)) { removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers); } @@ -486,7 +497,7 @@ function wrap(protocols) { if (isString(input)) { var parsed; try { - parsed = urlToOptions(new URL(input)); + parsed = spreadUrlObject(new URL(input)); } catch (err) { /* istanbul ignore next */ @@ -498,7 +509,7 @@ function wrap(protocols) { input = parsed; } else if (hasNativeURL && (input instanceof URL)) { - input = urlToOptions(input); + input = spreadUrlObject(input); } else { callback = options; @@ -543,31 +554,34 @@ function wrap(protocols) { function noop() { /* empty */ } +function parseUrl(string) { + /* istanbul ignore next */ + return hasNativeURL ? new URL(string) : url.parse(string); +} + function resolveUrl(relative, base) { - return !hasNativeURL ? - /* istanbul ignore next */ - url.resolve(base, relative) : - (new URL(relative, base)).href; + /* istanbul ignore next */ + return hasNativeURL ? new URL(relative, base) : parseUrl(url.resolve(base, relative)); } -// from https://github.com/nodejs/node/blob/master/lib/internal/url.js -function urlToOptions(urlObject) { - var options = { - protocol: urlObject.protocol, - hostname: urlObject.hostname.startsWith("[") ? - /* istanbul ignore next */ - urlObject.hostname.slice(1, -1) : - urlObject.hostname, - hash: urlObject.hash, - search: urlObject.search, - pathname: urlObject.pathname, - path: urlObject.pathname + urlObject.search, - href: urlObject.href, - }; - if (urlObject.port !== "") { - options.port = Number(urlObject.port); +function spreadUrlObject(urlObject, target) { + var spread = target || {}; + for (var key of preservedUrlFields) { + spread[key] = urlObject[key]; + } + + // Fix IPv6 hostname + if (spread.hostname.startsWith("[")) { + spread.hostname = spread.hostname.slice(1, -1); } - return options; + // Ensure port is a number + if (spread.port !== "") { + spread.port = Number(spread.port); + } + // Concatenate path + spread.path = spread.search ? spread.pathname + spread.search : spread.pathname; + + return spread; } function removeMatchingHeaders(regex, headers) { diff --git a/test/test.js b/test/test.js index e35c0ad..406b602 100644 --- a/test/test.js +++ b/test/test.js @@ -364,7 +364,7 @@ describe("follow-redirects", function () { switch (error.cause.code) { // Node 17+ case "ERR_INVALID_URL": - assert.match(error.message, /^Redirected request failed: Invalid URL/); + assert(/^Redirected request failed: Invalid URL/.test(error.message)); break; // Older Node versions case "ERR_UNESCAPED_CHARACTERS": From 7a6567e16dfa9ad18a70bfe91784c28653fbf19d Mon Sep 17 00:00:00 2001 From: Ruben Verborgh Date: Sat, 30 Dec 2023 16:15:57 +0100 Subject: [PATCH 10/16] Disallow bracketed hostnames. Fixes https://github.com/follow-redirects/follow-redirects/issues/235 --- index.js | 64 +++++++++++++++++---------- test/test.js | 120 ++++++++++++++++++++++++++++++++++++++++++++++----- 2 files changed, 151 insertions(+), 33 deletions(-) diff --git a/index.js b/index.js index a1d18a9..3232a72 100644 --- a/index.js +++ b/index.js @@ -7,7 +7,13 @@ var assert = require("assert"); var debug = require("./debug"); // Whether to use the native URL object or the legacy url module -var hasNativeURL = typeof URL !== "undefined"; +var useNativeURL = false; +try { + assert(new URL()); +} +catch (error) { + useNativeURL = error.code === "ERR_INVALID_URL"; +} // URL fields to preserve in copy operations var preservedUrlFields = [ @@ -493,27 +499,16 @@ function wrap(protocols) { // Executes a request, following redirects function request(input, options, callback) { - // Parse parameters - if (isString(input)) { - var parsed; - try { - parsed = spreadUrlObject(new URL(input)); - } - catch (err) { - /* istanbul ignore next */ - parsed = url.parse(input); - } - if (!isString(parsed.protocol)) { - throw new InvalidUrlError({ input }); - } - input = parsed; - } - else if (hasNativeURL && (input instanceof URL)) { + // Parse parameters, ensuring that input is an object + if (isURL(input)) { input = spreadUrlObject(input); } + else if (isString(input)) { + input = spreadUrlObject(parseUrl(input)); + } else { callback = options; - options = input; + options = validateUrl(input); input = { protocol: protocol }; } if (isFunction(options)) { @@ -554,14 +549,35 @@ function wrap(protocols) { function noop() { /* empty */ } -function parseUrl(string) { - /* istanbul ignore next */ - return hasNativeURL ? new URL(string) : url.parse(string); +function parseUrl(input) { + var parsed; + /* istanbul ignore else */ + if (useNativeURL) { + parsed = new URL(input); + } + else { + // Ensure the URL is valid and absolute + parsed = validateUrl(url.parse(input)); + if (!isString(parsed.protocol)) { + throw new InvalidUrlError({ input }); + } + } + return parsed; } function resolveUrl(relative, base) { /* istanbul ignore next */ - return hasNativeURL ? new URL(relative, base) : parseUrl(url.resolve(base, relative)); + return useNativeURL ? new URL(relative, base) : parseUrl(url.resolve(base, relative)); +} + +function validateUrl(input) { + if (/^\[/.test(input.hostname) && !/^\[[:0-9a-f]+\]$/i.test(input.hostname)) { + throw new InvalidUrlError({ input: input.href || input }); + } + if (/^\[/.test(input.host) && !/^\[[:0-9a-f]+\](:\d+)?$/i.test(input.host)) { + throw new InvalidUrlError({ input: input.href || input }); + } + return input; } function spreadUrlObject(urlObject, target) { @@ -646,6 +662,10 @@ function isBuffer(value) { return typeof value === "object" && ("length" in value); } +function isURL(value) { + return URL && value instanceof URL; +} + // Exports module.exports = wrap({ http: http, https: https }); module.exports.wrap = wrap; diff --git a/test/test.js b/test/test.js index 406b602..5e53695 100644 --- a/test/test.js +++ b/test/test.js @@ -213,6 +213,67 @@ describe("follow-redirects", function () { }); }); + it("http.get to bracketed IPv4 address", function () { + var error = null; + try { + http.get("http://[127.0.0.1]:3600/a"); + } + catch (err) { + error = err; + } + assert(error instanceof Error); + assert(error instanceof TypeError); + assert.equal(error.code, "ERR_INVALID_URL"); + assert.equal(error.input, "http://[127.0.0.1]:3600/a"); + }); + + it("http.get to bracketed IPv4 address specified as host", function () { + var error = null; + try { + http.get({ + host: "[127.0.0.1]:3600", + path: "/a", + }); + } + catch (err) { + error = err; + } + assert(error instanceof Error); + assert(error instanceof TypeError); + assert.equal(error.code, "ERR_INVALID_URL"); + }); + + it("http.get to bracketed IPv4 address specified as hostname", function () { + var error = null; + try { + http.get({ + hostname: "[127.0.0.1]", + port: 3600, + path: "/a", + }); + } + catch (err) { + error = err; + } + assert(error instanceof Error); + assert(error instanceof TypeError); + assert.equal(error.code, "ERR_INVALID_URL"); + }); + + it("http.get to bracketed hostname", function () { + var error = null; + try { + http.get("http://[localhost]:3600/a"); + } + catch (err) { + error = err; + } + assert(error instanceof Error); + assert(error instanceof TypeError); + assert.equal(error.code, "ERR_INVALID_URL"); + assert.equal(error.input, "http://[localhost]:3600/a"); + }); + it("http.get redirecting to IPv4 address", function () { app.get("/a", redirectsTo("http://127.0.0.1:3600/b")); app.get("/b", sendsJson({ a: "b" })); @@ -241,6 +302,46 @@ describe("follow-redirects", function () { }); }); + it("http.get redirecting to bracketed IPv4 address", function () { + app.get("/a", redirectsTo("http://[127.0.0.1]:3600/b")); + app.get("/b", sendsJson({ a: "b" })); + + return server.start(app) + .then(asPromise(function (resolve, reject) { + http.get("http://localhost:3600/a", concatJson(reject)).on("error", resolve); + })) + .then(function (error) { + assert(error instanceof Error); + assert.equal(error.code, "ERR_FR_REDIRECTION_FAILURE"); + + var cause = error.cause; + assert(cause instanceof Error); + assert(cause instanceof TypeError); + assert.equal(cause.code, "ERR_INVALID_URL"); + assert.equal(cause.input, "http://[127.0.0.1]:3600/b"); + }); + }); + + it("http.get redirecting to bracketed hostname", function () { + app.get("/a", redirectsTo("http://[localhost]:3600/b")); + app.get("/b", sendsJson({ a: "b" })); + + return server.start(app) + .then(asPromise(function (resolve, reject) { + http.get("http://localhost:3600/a", concatJson(reject)).on("error", resolve); + })) + .then(function (error) { + assert(error instanceof Error); + assert.equal(error.code, "ERR_FR_REDIRECTION_FAILURE"); + + var cause = error.cause; + assert(cause instanceof Error); + assert(cause instanceof TypeError); + assert.equal(cause.code, "ERR_INVALID_URL"); + assert.equal(cause.input, "http://[localhost]:3600/b"); + }); + }); + it("http.get with response event", function () { app.get("/a", redirectsTo("/b")); app.get("/b", redirectsTo("/c")); @@ -266,8 +367,8 @@ describe("follow-redirects", function () { try { http.get("/relative"); } - catch (e) { - error = e; + catch (err) { + error = err; } assert(error instanceof Error); assert(error instanceof TypeError); @@ -963,9 +1064,9 @@ describe("follow-redirects", function () { .then(asPromise(function (resolve, reject) { http.get("http://localhost:3600/a") .on("response", function () { return reject(new Error("unexpected response")); }) - .on("error", reject); + .on("error", resolve); })) - .catch(function (error) { + .then(function (error) { assert(error instanceof Error); assert.equal(error.message, "Redirected request failed: Unsupported protocol about:"); @@ -1266,8 +1367,8 @@ describe("follow-redirects", function () { try { req.write(12345678); } - catch (e) { - error = e; + catch (err) { + error = err; } req.destroy(); assert(error instanceof Error); @@ -2132,12 +2233,9 @@ describe("follow-redirects", function () { throw new Error("no redirects!"); }, }; - http.get(options, concatJson(resolve, reject)).on("error", reject); + http.get(options, concatJson(reject)).on("error", resolve); })) - .then(function () { - assert.fail("request chain should have been aborted"); - }) - .catch(function (error) { + .then(function (error) { assert(!redirected); assert(error instanceof Error); assert.equal(error.message, "Redirected request failed: no redirects!"); From 65858205e59f1e23c9bf173348a7a7cbb8ac47f5 Mon Sep 17 00:00:00 2001 From: Ruben Verborgh Date: Sat, 30 Dec 2023 18:26:51 +0100 Subject: [PATCH 11/16] Release version 1.15.4 of the npm package. --- package-lock.json | 4 ++-- package.json | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/package-lock.json b/package-lock.json index b5fce58..9f47d97 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "follow-redirects", - "version": "1.15.3", + "version": "1.15.4", "lockfileVersion": 2, "requires": true, "packages": { "": { "name": "follow-redirects", - "version": "1.15.3", + "version": "1.15.4", "funding": [ { "type": "individual", diff --git a/package.json b/package.json index eb90372..f32466d 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "follow-redirects", - "version": "1.15.3", + "version": "1.15.4", "description": "HTTP and HTTPS modules that follow redirects.", "license": "MIT", "main": "index.js", From d8914f7982403ea096b39bd594a00ee9d3b7e224 Mon Sep 17 00:00:00 2001 From: Ruben Verborgh Date: Fri, 12 Jan 2024 09:39:43 +0100 Subject: [PATCH 12/16] Preserve fragment in responseUrl. --- index.js | 1 + test/test.js | 18 ++++++++++++++++++ 2 files changed, 19 insertions(+) diff --git a/index.js b/index.js index 3232a72..f58b933 100644 --- a/index.js +++ b/index.js @@ -27,6 +27,7 @@ var preservedUrlFields = [ "protocol", "query", "search", + "hash", ]; // Create handlers that pass events from native requests diff --git a/test/test.js b/test/test.js index 5e53695..97e9653 100644 --- a/test/test.js +++ b/test/test.js @@ -376,6 +376,24 @@ describe("follow-redirects", function () { assert.equal(error.input, "/relative"); }); + it("redirect to URL with fragment", function () { + app.get("/a", redirectsTo("/b#abc")); + app.get("/b", redirectsTo("/c#def")); + app.get("/c", redirectsTo("/d#ghi")); + app.get("/d", redirectsTo("/e#jkl")); + app.get("/e", redirectsTo("/f#mno")); + app.get("/f", sendsJson({ a: "b" })); + + return server.start(app) + .then(asPromise(function (resolve, reject) { + http.get("http://localhost:3600/a", concatJson(resolve, reject)).on("error", reject); + })) + .then(function (res) { + assert.deepEqual(res.parsedJson, { a: "b" }); + assert.deepEqual(res.responseUrl, "http://localhost:3600/f#mno"); + }); + }); + it("should return with the original status code if the response does not contain a location header", function () { app.get("/a", function (req, res) { res.status(307).end(); From b1677ce00110ee50dc5da576751d39b281fc4944 Mon Sep 17 00:00:00 2001 From: Ruben Verborgh Date: Fri, 12 Jan 2024 09:40:53 +0100 Subject: [PATCH 13/16] Release version 1.15.5 of the npm package. --- package-lock.json | 4 ++-- package.json | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/package-lock.json b/package-lock.json index 9f47d97..403d567 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "follow-redirects", - "version": "1.15.4", + "version": "1.15.5", "lockfileVersion": 2, "requires": true, "packages": { "": { "name": "follow-redirects", - "version": "1.15.4", + "version": "1.15.5", "funding": [ { "type": "individual", diff --git a/package.json b/package.json index f32466d..9b87663 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "follow-redirects", - "version": "1.15.4", + "version": "1.15.5", "description": "HTTP and HTTPS modules that follow redirects.", "license": "MIT", "main": "index.js", From 8526b4a1b2ab3a2e4044299377df623a661caa76 Mon Sep 17 00:00:00 2001 From: Ruben Verborgh Date: Thu, 14 Mar 2024 17:28:50 +0100 Subject: [PATCH 14/16] Use GitHub for disclosure. --- SECURITY.md | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index e366e80..a000fdb 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -1,6 +1,3 @@ # Reporting a Vulnerability -If you discover a security vulnerability in follow-redirects please disclose it via [our huntr page](https://huntr.dev/repos/follow-redirects/follow-redirects). Bounties, CVE assignment, response times and past reports are all there. - - -Thank you for improving the security of follow-redirects. +If you discover a security vulnerability in follow-redirects please disclose it via https://github.com/follow-redirects/follow-redirects/security/advisories From c4f847f85176991f95ab9c88af63b1294de8649b Mon Sep 17 00:00:00 2001 From: Ruben Verborgh Date: Thu, 14 Mar 2024 17:36:10 +0100 Subject: [PATCH 15/16] Drop Proxy-Authorization across hosts. --- index.js | 2 +- test/test.js | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/index.js b/index.js index f58b933..c649cab 100644 --- a/index.js +++ b/index.js @@ -461,7 +461,7 @@ RedirectableRequest.prototype._processResponse = function (response) { redirectUrl.protocol !== "https:" || redirectUrl.host !== currentHost && !isSubdomain(redirectUrl.host, currentHost)) { - removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers); + removeMatchingHeaders(/^(?:(?:proxy-)?authorization|cookie)$/i, this._options.headers); } // Evaluate the beforeRedirect callback diff --git a/test/test.js b/test/test.js index 97e9653..8413192 100644 --- a/test/test.js +++ b/test/test.js @@ -1529,6 +1529,7 @@ describe("follow-redirects", function () { [ "Authorization", + "Proxy-Authorization", "Cookie", ].forEach(function (header) { describe("when the client passes an header named " + header, function () { From 35a517c5861d79dc8bff7db8626013d20b711b06 Mon Sep 17 00:00:00 2001 From: Ruben Verborgh Date: Thu, 14 Mar 2024 17:37:48 +0100 Subject: [PATCH 16/16] Release version 1.15.6 of the npm package. --- package-lock.json | 4 ++-- package.json | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/package-lock.json b/package-lock.json index 403d567..745c0b0 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "follow-redirects", - "version": "1.15.5", + "version": "1.15.6", "lockfileVersion": 2, "requires": true, "packages": { "": { "name": "follow-redirects", - "version": "1.15.5", + "version": "1.15.6", "funding": [ { "type": "individual", diff --git a/package.json b/package.json index 9b87663..149943b 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "follow-redirects", - "version": "1.15.5", + "version": "1.15.6", "description": "HTTP and HTTPS modules that follow redirects.", "license": "MIT", "main": "index.js",