Cross-site Request Forgery (CSRF) issue with Axios, replace with fetch?

googlemaps / google-maps-services-js

Node.js client library for Google Maps API Web Services

Apache License 2.0

2.92k stars 644 forks source link

Cross-site Request Forgery (CSRF) issue with Axios, replace with fetch? #1065

Open alexbjorlig opened 1 year ago

alexbjorlig commented 1 year ago

There is a new CSRF issue with Axios, check more here: https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

Maybe it's time to switch Axios with fetch? Would also make it more easy to support different runtimes than Node.js - like Cloudflare workers.

wangela commented 1 year ago

If you would like to upvote the priority of this issue, please comment below or react on the original post above with :+1: so we can see what is popular when we triage.

@alexbjorlig Thank you for opening this issue. 🙏 Please check out these other resources that might help you get to a resolution in the meantime:

Check the issue tracker - bugs and feature requests for Google Maps Platform APIs and SDKs
Open a support case - Get 1:1 support in Cloud Console.
Discord - chat with other developers
StackOverflow - use the google-maps tag

This is an automated message, feel free to ignore.

flashblaze commented 1 year ago

@alexbjorlig did you resort to using fetch?

alexbjorlig commented 1 year ago

@flashblaze I reported this, because this repo is using Axios - not me 😎

usefulthink commented 12 months ago

That issue doesn't affect our library at all and only applies for usage of axios in the browser. However, we will still update to newer versions of axios as they become available.

alexbjorlig commented 12 months ago

100% - would be amazing if npm security audits were more intelligent, but well 😅

iBobik commented 10 months ago

That issue doesn't affect our library at all and only applies for usage of axios in the browser. @usefulthink

There still is an issue with other then Node and browser environments - Cloudlfare, Deno etc. where Axios does not work (and they are not interested in supporting it).

iBobik commented 9 months ago

Possible workaround is to use this library only for types, but send requests by anything our environment likes:

import { defaultUrl, PlaceAutocompleteRequest, PlaceAutocompleteResponseData } from '@googlemaps/google-maps-services-js/dist/places/autocomplete'

const { googleMapsApiKey } = useRuntimeConfig()

export default defineEventHandler<{ query: {
  input: string
  language: string
  sessionToken: string
} }>(async (event) => {
  const { input, language, sessionToken } = getQuery(event)

  try {
    const data = await $fetch<PlaceAutocompleteResponseData>(defaultUrl, {
      query: {
        input,
        language,
        key: googleMapsApiKey,
        sessiontoken: sessionToken,
      } as PlaceAutocompleteRequest['params']
    })
    if (data.status !== 'OK' && data.status !== 'ZERO_RESULTS')
      throw createError({ statusCode: 400, statusMessage: 'Bad Request' })

    return data
  }
  catch (err) {
    console.log(err)
    throw createError({ statusCode: 500, statusMessage: 'Internal Server Error' })
  }
})