[Pkg-javascript-devel] Bug#1094751: bookworm-pu: package node-axios/1.2.1+dfsg-1+deb12u2

Thu Jan 30 17:55:08 GMT 2025

Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: node-axios at packages.debian.org
Control: affects -1 + src:node-axios
User: release.debian.org at packages.debian.org
Usertags: pu

[ Reason ]
In axios before 1.7.8, lib/helpers/isURLSameOrigin.js does not use a
URL object when determining an origin, and has a potentially
unwanted setAttribute('href',href) call.

[ Impact ]
Potential security issue

[ Tests ]
No regression, autopkgtest passed

[ Risks ]
Low risk, it replace a specific library by the node URL API

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Replace a specific library by the node URL API

Cheers,
Xavier
-------------- next part --------------

diff --git a/debian/changelog b/debian/changelog
index ad1d642..5c966ce 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-axios (1.2.1+dfsg-1+deb12u2) bookworm; urgency=medium
+
+  * Team upload
+  * Fix potential vulnerability in URL when determining an origin
+    (Closes: #1094731, CVE-2024-57965)
+
+ -- Yadd <yadd at debian.org>  Thu, 30 Jan 2025 18:52:13 +0100
+
 node-axios (1.2.1+dfsg-1+deb12u1) bookworm; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2024-57965.patch b/debian/patches/CVE-2024-57965.patch
new file mode 100644
index 0000000..a1d9478
--- /dev/null
+++ b/debian/patches/CVE-2024-57965.patch
@@ -0,0 +1,91 @@
+Description: use URL API instead of DOM to fix a potential vulnerability warning
+Author: Dmitriy Mozgovoy <robotshara at gmail.com>
+Origin: upstream, https://github.com/axios/axios/commit/0a8d6e19
+Bug: https://github.com/axios/axios/issues/6714
+Bug-Debian: https://bugs.debian.org/1094731
+Forwarded: not-needed
+Applied-Upstream: 1.7.8, commit:0a8d6e19
+Reviewed-By: Yadd <yadd at debian.org>
+Last-Update: 2025-01-30
+
+--- a/lib/helpers/isURLSameOrigin.js
++++ b/lib/helpers/isURLSameOrigin.js
+@@ -1,67 +1,16 @@
+ 'use strict';
+ 
+-import utils from './../utils.js';
+ import platform from '../platform/index.js';
+ 
+-export default platform.isStandardBrowserEnv ?
++export default platform.hasStandardBrowserEnv ? ((origin, isMSIE) => (url) => {
++  url = new URL(url, platform.origin);
+ 
+-// Standard browser envs have full support of the APIs needed to test
+-// whether the request URL is of the same origin as current location.
+-  (function standardBrowserEnv() {
+-    const msie = /(msie|trident)/i.test(navigator.userAgent);
+-    const urlParsingNode = document.createElement('a');
+-    let originURL;
+-
+-    /**
+-    * Parse a URL to discover it's components
+-    *
+-    * @param {String} url The URL to be parsed
+-    * @returns {Object}
+-    */
+-    function resolveURL(url) {
+-      let href = url;
+-
+-      if (msie) {
+-        // IE needs attribute set twice to normalize properties
+-        urlParsingNode.setAttribute('href', href);
+-        href = urlParsingNode.href;
+-      }
+-
+-      urlParsingNode.setAttribute('href', href);
+-
+-      // urlParsingNode provides the UrlUtils interface - http://url.spec.whatwg.org/#urlutils
+-      return {
+-        href: urlParsingNode.href,
+-        protocol: urlParsingNode.protocol ? urlParsingNode.protocol.replace(/:$/, '') : '',
+-        host: urlParsingNode.host,
+-        search: urlParsingNode.search ? urlParsingNode.search.replace(/^\?/, '') : '',
+-        hash: urlParsingNode.hash ? urlParsingNode.hash.replace(/^#/, '') : '',
+-        hostname: urlParsingNode.hostname,
+-        port: urlParsingNode.port,
+-        pathname: (urlParsingNode.pathname.charAt(0) === '/') ?
+-          urlParsingNode.pathname :
+-          '/' + urlParsingNode.pathname
+-      };
+-    }
+-
+-    originURL = resolveURL(window.location.href);
+-
+-    /**
+-    * Determine if a URL shares the same origin as the current location
+-    *
+-    * @param {String} requestURL The URL to test
+-    * @returns {boolean} True if URL shares the same origin, otherwise false
+-    */
+-    return function isURLSameOrigin(requestURL) {
+-      const parsed = (utils.isString(requestURL)) ? resolveURL(requestURL) : requestURL;
+-      return (parsed.protocol === originURL.protocol &&
+-          parsed.host === originURL.host);
+-    };
+-  })() :
+-
+-  // Non standard browser envs (web workers, react-native) lack needed support.
+-  (function nonStandardBrowserEnv() {
+-    return function isURLSameOrigin() {
+-      return true;
+-    };
+-  })();
++  return (
++    origin.protocol === url.protocol &&
++    origin.host === url.host &&
++    (isMSIE || origin.port === url.port)
++  );
++})(
++  new URL(platform.origin),
++  platform.navigator && /(msie|trident)/i.test(platform.navigator.userAgent)
++) : () => true;
diff --git a/debian/patches/series b/debian/patches/series
index e4a77c6..120eb8d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,4 @@ update-test-for-formidable-3.patch
 update-rollup-plugins.patch
 reproducible.patch
 CVE-2023-45857.patch
+CVE-2024-57965.patch
