prismatic-io / spectral

Prismatic's typescript library for custom components
https://prismatic.io/docs/spectral/custom-component-library

Axios version allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs. #272

Closed jamesRRL closed 1 month ago

jamesRRL commented 1 month ago

This package relies on Axios 1.6.2, which has a bug that was patched in 1.7.4 and allows server-side request forgery.

taylorreece commented 1 month ago

Hey @jamesRRL - are you on the latest version of Spectral? It looks like we patched that in @prismatic-io/spectral version 9.1.1 https://github.com/prismatic-io/spectral/pull/262

jamesRRL commented 1 month ago

@taylorreece, thanks for the quick reply here! Our reliance on spectral stems from the installation of the latest version of prismatic-io/prism (v7.1.2). Do you know if that package will be upgraded in line with this one to use the latest spectral version?

taylorreece commented 1 month ago

Hey @jamesRRL , the latest version of prism, @prismatic-io/prism@7.1.4, now relies on the latest spectral, which depends on a patched version of axios.
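The issue title describes the bug class: a caller-supplied path-relative string that an HTTP client ends up treating as a protocol-relative URL, so the request leaves the intended host. Besides upgrading the dependency, the component code that builds URLs from user input can refuse that input up front. The helper below is an added example, not code from the spectral project or from either commenter; `BASE_URL`, `resolveAgainstBase` and the constructed sample inputs are assumptions for this example.

```javascript
// Added example: join a trusted base URL with a caller-supplied path and refuse
// any input that would move the request to another origin. The rule does not
// depend on the HTTP client in use, so it also guards an unpatched axios.
// BASE_URL is a constructed value for this example.
const BASE_URL = "https://api.example.com/v1/";

// Returns the resolved URL string, or throws if the input is absolute,
// protocol-relative, or otherwise resolves to a different origin than the base.
function resolveAgainstBase(userPath, baseURL = BASE_URL) {
  const base = new URL(baseURL);
  // Reject anything with a scheme ("https:", "ftp:") and anything beginning
  // with "//": the WHATWG parser treats both as absolute and drops the base host.
  if (/^[a-z][a-z0-9+.-]*:/i.test(userPath) || userPath.startsWith("//")) {
    throw new Error(`refusing absolute or protocol-relative path: ${userPath}`);
  }
  const resolved = new URL(userPath, base);
  // Second, semantic check: whatever the syntax looked like, the origin must match.
  if (resolved.origin !== base.origin) {
    throw new Error(`resolved origin ${resolved.origin} differs from base ${base.origin}`);
  }
  return resolved.toString();
}

// For comparison: plain WHATWG resolution with no check, which follows a
// protocol-relative input to whatever host it names.
function naiveResolve(userPath, baseURL = BASE_URL) {
  return new URL(userPath, baseURL).toString();
}

// Convenience predicate for validating input before it reaches the client.
function isSafePath(userPath) {
  try {
    resolveAgainstBase(userPath);
    return true;
  } catch {
    return false;
  }
}
```

Run the validator on every path segment that originates outside the component (action inputs, webhook bodies, config values) before passing it to the HTTP client.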