infinitered / apisauce

Axios + standardized errors + request/response transforms.
MIT License

There is a vulnerability introduced by package axios #269

Open paimon0715 opened 3 years ago

paimon0715 commented 3 years ago

Hi, @skellock @rdewolff, there is a vulnerability introduced in your package apisauce:

Issue Description

A vulnerability CVE-2020-28168 detected in package axios<0.21.1 is directly referenced by apisauce@1.1.2. We noticed that such a vulnerability has been removed since apisauce@2.0.0.

However, apisauce's popular previous version apisauce@1.1.2 (12,294 downloads per week) is still transitively referenced by a large amount of latest versions of active and popular downstream projects (about 168 downstream projects, e.g., amex-perks-sdk 2.1.3, @graphprotocol/indexer-cli 0.16.0, @kalutheo/uie 0.0.6, ontrac 2.1.8, sunubus-js-utils 1.1.11, rblx-axios-wrapper@0.1.165, etc.). As such, issue CVE-2020-28168 can be propagated into these downstream projects and expose security threats to them.

These projects cannot easily upgrade apisauce from version 1.1.2 to (>=2.0.0). For instance, apisauce@1.1.2 is introduced into the above projects via the following package dependency paths: (1) rblx-axios-wrapper@0.1.165 ➔ anticaptcha@2.0.3 ➔ apisauce@1.1.2 ➔ axios@0.19.2 ......

The projects such as anticaptcha, which introduced apisauce@1.1.2, are not maintained anymore. These unmaintained packages can neither upgrade apisauce nor be easily migrated by the large amount of affected downstream projects.
On behalf of the downstream users, could you help us remove the vulnerability from package apisauce@1.1.2?

Suggested Solution

Since these inactive projects set a version constraint 1.1.* for apisauce on the above vulnerable dependency paths, if apisauce removes the vulnerability from 1.1.2 and releases a new patched version apisauce@1.1.3, such a vulnerability patch can be automatically propagated into the 168 affected downstream projects.

In apisauce@1.1.3, you can kindly try to perform the following upgrade: axios ^0.19.0 ➔ ^0.21.1;
Note: axios@0.21.1 (>=0.21.1) has fixed the vulnerability (CVE-2020-28168).

Thank you for your contributions.

Best regards, Paimon
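The report above is about a vulnerable axios version reaching projects only through a nested, unmaintained dependency. The following is an added example (not code from apisauce or from the reporter) of how a downstream maintainer can check their own lockfile for that situation: it walks the `packages` map of a package-lock.json, flags every axios install older than 0.21.1 (the fix release named in the issue), and reports which nested package pulled it in. The sample lockfile is constructed here to mirror the dependency path quoted in the report; the version comparison is a plain dotted-numeric compare and is an assumption of this example (it does not handle prerelease tags).

```javascript
// Added example, not apisauce code: find axios installs below the fixed
// version in a package-lock.json (lockfileVersion 2/3 "packages" layout).

// Constructed sample lockfile mirroring the path in the report:
// rblx-axios-wrapper -> anticaptcha -> apisauce@1.1.2 -> axios@0.19.2
const sampleLock = {
  name: "rblx-axios-wrapper",
  lockfileVersion: 2,
  packages: {
    "": { name: "rblx-axios-wrapper", version: "0.1.165", dependencies: { anticaptcha: "^2.0.3" } },
    "node_modules/anticaptcha": { version: "2.0.3", dependencies: { apisauce: "1.1.*" } },
    "node_modules/anticaptcha/node_modules/apisauce": { version: "1.1.2", dependencies: { axios: "^0.19.0" } },
    "node_modules/anticaptcha/node_modules/axios": { version: "0.19.2" },
    "node_modules/axios": { version: "0.21.4" }   // the root's own, already fixed copy
  }
};

// First axios release that fixed CVE-2020-28168, as stated in the issue.
const FIXED_AXIOS = "0.21.1";

// Compare two dotted numeric versions; returns -1, 0 or 1.
// Assumption of this example: no prerelease or build suffixes.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// The package that owns a nested node_modules path, i.e. the dependent that
// pulled this copy in: strip the trailing "node_modules/<name>" segment.
function parentOf(pkgPath) {
  const idx = pkgPath.lastIndexOf("node_modules/");
  if (idx <= 0) return "(root)";               // hoisted to the top level
  return pkgPath.slice(0, idx).replace(/\/$/, "");
}

// Return every axios entry below the fixed version, with the path that
// introduced it, so the maintainer knows which dependency must be bumped.
function findVulnerableAxios(lock, fixed = FIXED_AXIOS) {
  const hits = [];
  for (const [pkgPath, entry] of Object.entries(lock.packages || {})) {
    if (!pkgPath.endsWith("node_modules/axios")) continue;
    if (compareVersions(entry.version, fixed) < 0) {
      hits.push({ path: pkgPath, version: entry.version, via: parentOf(pkgPath) });
    }
  }
  return hits;
}

// Stand-alone run: prints the nested axios@0.19.2 under anticaptcha.
console.log(findVulnerableAxios(sampleLock));
```

A hoisted, fixed copy at `node_modules/axios` does not protect code that resolves the nested copy, which is exactly why the report asks for a patched 1.1.x release: only a new version inside the `1.1.*` range can replace the nested apisauce and, with it, the nested axios.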

chakrihacker commented 3 years ago

I will try to make a release this weekend.

jhpedemonte commented 3 years ago

Note there is another vulnerability (I can open another issue if necessary): CVE-2021-3749, which is only fixed in axios 0.21.2+ (there were some follow-on fixes, so 0.21.4 seems to be recommended).

Unfortunately, this causes our app to break (I opened https://github.com/axios/axios/issues/4099 to track the new issue). Basically, when making a call to apisauce's post() with data set to undefined, apisauce sets data to null instead. This results in axios 0.21.2+ JSON.stringifying that value and sending an XHR payload of "null", which breaks our app.

Workaround would be for apisauce to instead default data to undefined, since calling JSON.stringify() on that still results in undefined and an empty XHR payload.

jhpedemonte commented 3 years ago

Update: axios was actually incorrect in versions 0.21.1 and lower -- null is a valid value to stringify. So apisauce is incorrect in defaulting to data = null, since this will now be encoded by axios v0.21.2+ as "null" payload. Instead, apisauce should just keep "no data" as data === undefined.
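The two comments above describe a behaviour change at the boundary between a wrapper's default and the HTTP layer's serializer. The following is an added example (not apisauce or axios code) that isolates that boundary: a minimal body serializer which, like the behaviour described for axios 0.21.2+, treats `null` as a real value, beside a wrapper that defaults a missing body to `null` and a corrected wrapper that leaves it `undefined`. The serializer, the wrapper names and the `buildWire` helper are assumptions of this example; they model only the null/undefined distinction, nothing else about either library.

```javascript
// Added example, not apisauce or axios code: why a wrapper must not turn
// "no request body" into null once the transport serializes null faithfully.

// Stand-in for a JSON body serializer that keeps null as a real value
// (assumption: mirrors only the null/undefined distinction described above).
function serializeBody(data) {
  if (data === undefined) return undefined;   // no body at all
  if (typeof data === "string") return data;  // caller already serialized it
  return JSON.stringify(data);                // null -> "null", {a:1} -> '{"a":1}'
}

// Hypothetical wrapper in the style the comments describe: a missing body
// becomes null, because a default parameter fires when data is undefined.
function postDefaultingToNull(url, data = null, config = {}) {
  return { method: "post", url, data, ...config };
}

// Corrected wrapper: "no data" stays undefined and is passed through as-is.
function postKeepingUndefined(url, data, config = {}) {
  return { method: "post", url, data, ...config };
}

// What would go on the wire for a request description: body bytes and
// whether a body (and thus a content-type header) is present at all.
function buildWire(request) {
  const body = serializeBody(request.data);
  return {
    hasBody: body !== undefined,
    body,
    headers: body === undefined ? {} : { "Content-Type": "application/json" }
  };
}

// Stand-alone run: the first call ships the four bytes "null", the second ships nothing.
console.log(buildWire(postDefaultingToNull("/api/items")));
console.log(buildWire(postKeepingUndefined("/api/items")));
console.log(buildWire(postKeepingUndefined("/api/items", null)));  // explicit null is sent
```

The third call is the point of the update: an explicit `null` from the caller is a legitimate body and is still serialized as `"null"`; only the wrapper-supplied default changes, so callers who never passed a body get an empty payload again.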

chakrihacker commented 3 years ago

Hey, can you raise a new issue? I will look over the weekend.

jhpedemonte commented 3 years ago

Opened https://github.com/infinitered/apisauce/issues/276