From 53817f84e5538e5635df569f23d8cafa3953fb85 Mon Sep 17 00:00:00 2001
From: Valentin Panov
Date: Sun, 15 Oct 2023 10:35:28 +0200
Subject: [PATCH 1/3] fix(lib/adapters/xhr.js): CVE-2023-45857
---
 lib/adapters/xhr.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/adapters/xhr.js b/lib/adapters/xhr.js
index 18b39f2aca..273fe456d4 100644
--- a/lib/adapters/xhr.js
+++ b/lib/adapters/xhr.js
@@ -188,7 +188,7 @@ export default isXHRAdapterSupported && function (config) {
 // Specifically not if we're in a web worker, or react-native.
 if (platform.isStandardBrowserEnv) {
 // Add xsrf header
- const xsrfValue = (config.withCredentials || isURLSameOrigin(fullPath))
+ const xsrfValue = (config.withCredentials && isURLSameOrigin(fullPath))
 && config.xsrfCookieName && cookies.read(config.xsrfCookieName);
 
 if (xsrfValue) {
From 677c015728af2d81e4957069bcd2f6d0136aee9f Mon Sep 17 00:00:00 2001
From: Valentin Panov
Date: Wed, 25 Oct 2023 17:49:56 +0200
Subject: [PATCH 2/3] fix(lib/adapters/xhr.js): regarding CVE-2023-45857 config.withCredentials condition was removed temporarily
---
 lib/adapters/xhr.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/adapters/xhr.js b/lib/adapters/xhr.js
index 273fe456d4..7864b48178 100644
--- a/lib/adapters/xhr.js
+++ b/lib/adapters/xhr.js
@@ -188,8 +188,8 @@ export default isXHRAdapterSupported && function (config) {
 // Specifically not if we're in a web worker, or react-native.
 if (platform.isStandardBrowserEnv) {
 // Add xsrf header
- const xsrfValue = (config.withCredentials && isURLSameOrigin(fullPath))
- && config.xsrfCookieName && cookies.read(config.xsrfCookieName);
+ // regarding CVE-2023-45857 config.withCredentials condition was removed temporarily
+ const xsrfValue = isURLSameOrigin(fullPath) && config.xsrfCookieName && cookies.read(config.xsrfCookieName);
 
 if (xsrfValue) {
 requestHeaders.set(config.xsrfHeaderName, xsrfValue);
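Review bot: Changing `||` to `&&` in the `xsrfValue` condition stops the XSRF cookie value from being attached to cross-origin requests, but it also stops the header being sent on same-origin requests that do not set `withCredentials`, which is the common same-origin case and a regression from the previous behavior. The following patch in this series drops the `withCredentials` term so same-origin requests regain the header; if this commit is applied on its own, the regression ships with it. A same-origin assertion in the xsrf spec (header present without `withCredentials`) would make that visible. The enclosing adapter function begins and ends outside the hunk.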
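Review bot: The added comment records the `withCredentials` removal as "temporary" without saying what the intended end state is or where it is tracked, so the conditional risks shipping as final; a tracked note such as `// TODO(<owner>): CVE-2023-45857 - gate XSRF header sending on an explicit opt-in option (see <issue>) rather than on withCredentials` states the plan (later axios releases expose such an opt-in as `withXSRFToken`). It is also worth stating in the comment the behavior the new line now has: the header is sent for every same-origin request with a matching cookie and never for a cross-origin one, regardless of `withCredentials`, which is the mitigation but is a change callers relying on cross-origin XSRF will notice. Stylistically the previous two-line split of the condition was easier to read than the single long line. The enclosing adapter function begins and ends outside the hunk.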
From 46f6e791d5eb724fa2e173a9ea3decfe1d79ba5c Mon Sep 17 00:00:00 2001
From: DigitalBrainJS
Date: Thu, 26 Oct 2023 22:26:01 +0300
Subject: [PATCH 3/3] chore(test): convert to negative testcase;
---
 test/specs/xsrf.spec.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/test/specs/xsrf.spec.js b/test/specs/xsrf.spec.js
index 712a8d7833..add5afc507 100644
--- a/test/specs/xsrf.spec.js
+++ b/test/specs/xsrf.spec.js
@@ -67,7 +67,7 @@ describe('xsrf', function () {
 });
 });
 
- it('should set xsrf header for cross origin when using withCredentials', function (done) {
+ it('should not set xsrf header for cross origin when using withCredentials', function (done) {
 document.cookie = axios.defaults.xsrfCookieName + '=12345';
 
 axios('http://example.com/', {
@@ -75,7 +75,7 @@ describe('xsrf', function () {
 });
 
 getAjaxRequest().then(function (request) {
- expect(request.requestHeaders[axios.defaults.xsrfHeaderName]).toEqual('12345');
+ expect(request.requestHeaders[axios.defaults.xsrfHeaderName]).toEqual(undefined);
 done();
 });
 });
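Review bot: In the second hunk `toEqual(undefined)` reads as an accidental value comparison; the intent-revealing matcher is `expect(request.requestHeaders[axios.defaults.xsrfHeaderName]).toBeUndefined();`, which both jasmine and jest provide. Flipping this case to a negative one also leaves this series with no visible positive assertion that a same-origin request still carries the XSRF header after the adapter change; if the earlier cases in this spec (outside the hunk) do not cover that, one should be added alongside. The enclosing `describe` callback starts before and ends after both hunks.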