diff --git a/dist/restore/index.js b/dist/restore/index.js index 7b7c1e7..9bb3eaf 100644 --- a/dist/restore/index.js +++ b/dist/restore/index.js @@ -79604,7 +79604,7 @@ Object.defineProperty(exports, "__esModule", ({ value: true })); function once(emitter, name, { signal } = {}) { return new Promise((resolve, reject) => { function cleanup() { - signal === null || signal === void 0 ? void 0 : signal.removeEventListener('abort', cleanup); + signal === null || signal === void 0 ? void 0 : signal.removeEventListener('abort', onAbort); emitter.removeListener(name, onEvent); emitter.removeListener('error', onError); } @@ -79616,7 +79616,17 @@ function once(emitter, name, { signal } = {}) { cleanup(); reject(err); } - signal === null || signal === void 0 ? void 0 : signal.addEventListener('abort', cleanup); + function onAbort() { + cleanup(); + const err = new Error('The operation was aborted'); + err.name = 'AbortError'; + reject(err); + } + if (signal === null || signal === void 0 ? void 0 : signal.aborted) { + onAbort(); + return; + } + signal === null || signal === void 0 ? void 0 : signal.addEventListener('abort', onAbort); emitter.on(name, onEvent); emitter.on('error', onError); }); @@ -80559,6 +80569,241 @@ function descending(a, b) } +/***/ }), + +/***/ 17401: +/***/ (function(module, __unused_webpack_exports, __nccwpck_require__) { + +"use strict"; + +var __importDefault = (this && this.__importDefault) || function (mod) { + return (mod && mod.__esModule) ? mod : { "default": mod }; +}; +const events_1 = __nccwpck_require__(82361); +const debug_1 = __importDefault(__nccwpck_require__(38237)); +const promisify_1 = __importDefault(__nccwpck_require__(76948)); +const debug = debug_1.default('agent-base'); +function isAgent(v) { + return Boolean(v) && typeof v.addRequest === 'function'; +} +function isSecureEndpoint() { + const { stack } = new Error(); + if (typeof stack !== 'string') + return false; + return stack.split('\n').some(l => l.indexOf('(https.js:') !== -1 || l.indexOf('node:https:') !== -1); +} +function createAgent(callback, opts) { + return new createAgent.Agent(callback, opts); +} +(function (createAgent) { + /** + * Base `http.Agent` implementation. + * No pooling/keep-alive is implemented by default. + * + * @param {Function} callback + * @api public + */ + class Agent extends events_1.EventEmitter { + constructor(callback, _opts) { + super(); + let opts = _opts; + if (typeof callback === 'function') { + this.callback = callback; + } + else if (callback) { + opts = callback; + } + // Timeout for the socket to be returned from the callback + this.timeout = null; + if (opts && typeof opts.timeout === 'number') { + this.timeout = opts.timeout; + } + // These aren't actually used by `agent-base`, but are required + // for the TypeScript definition files in `@types/node` :/ + this.maxFreeSockets = 1; + this.maxSockets = 1; + this.maxTotalSockets = Infinity; + this.sockets = {}; + this.freeSockets = {}; + this.requests = {}; + this.options = {}; + } + get defaultPort() { + if (typeof this.explicitDefaultPort === 'number') { + return this.explicitDefaultPort; + } + return isSecureEndpoint() ? 443 : 80; + } + set defaultPort(v) { + this.explicitDefaultPort = v; + } + get protocol() { + if (typeof this.explicitProtocol === 'string') { + return this.explicitProtocol; + } + return isSecureEndpoint() ? 'https:' : 'http:'; + } + set protocol(v) { + this.explicitProtocol = v; + } + callback(req, opts, fn) { + throw new Error('"agent-base" has no default implementation, you must subclass and override `callback()`'); + } + /** + * Called by node-core's "_http_client.js" module when creating + * a new HTTP request with this Agent instance. + * + * @api public + */ + addRequest(req, _opts) { + const opts = Object.assign({}, _opts); + if (typeof opts.secureEndpoint !== 'boolean') { + opts.secureEndpoint = isSecureEndpoint(); + } + if (opts.host == null) { + opts.host = 'localhost'; + } + if (opts.port == null) { + opts.port = opts.secureEndpoint ? 443 : 80; + } + if (opts.protocol == null) { + opts.protocol = opts.secureEndpoint ? 'https:' : 'http:'; + } + if (opts.host && opts.path) { + // If both a `host` and `path` are specified then it's most + // likely the result of a `url.parse()` call... we need to + // remove the `path` portion so that `net.connect()` doesn't + // attempt to open that as a unix socket file. + delete opts.path; + } + delete opts.agent; + delete opts.hostname; + delete opts._defaultAgent; + delete opts.defaultPort; + delete opts.createConnection; + // Hint to use "Connection: close" + // XXX: non-documented `http` module API :( + req._last = true; + req.shouldKeepAlive = false; + let timedOut = false; + let timeoutId = null; + const timeoutMs = opts.timeout || this.timeout; + const onerror = (err) => { + if (req._hadError) + return; + req.emit('error', err); + // For Safety. Some additional errors might fire later on + // and we need to make sure we don't double-fire the error event. + req._hadError = true; + }; + const ontimeout = () => { + timeoutId = null; + timedOut = true; + const err = new Error(`A "socket" was not created for HTTP request before ${timeoutMs}ms`); + err.code = 'ETIMEOUT'; + onerror(err); + }; + const callbackError = (err) => { + if (timedOut) + return; + if (timeoutId !== null) { + clearTimeout(timeoutId); + timeoutId = null; + } + onerror(err); + }; + const onsocket = (socket) => { + if (timedOut) + return; + if (timeoutId != null) { + clearTimeout(timeoutId); + timeoutId = null; + } + if (isAgent(socket)) { + // `socket` is actually an `http.Agent` instance, so + // relinquish responsibility for this `req` to the Agent + // from here on + debug('Callback returned another Agent instance %o', socket.constructor.name); + socket.addRequest(req, opts); + return; + } + if (socket) { + socket.once('free', () => { + this.freeSocket(socket, opts); + }); + req.onSocket(socket); + return; + } + const err = new Error(`no Duplex stream was returned to agent-base for \`${req.method} ${req.path}\``); + onerror(err); + }; + if (typeof this.callback !== 'function') { + onerror(new Error('`callback` is not defined')); + return; + } + if (!this.promisifiedCallback) { + if (this.callback.length >= 3) { + debug('Converting legacy callback function to promise'); + this.promisifiedCallback = promisify_1.default(this.callback); + } + else { + this.promisifiedCallback = this.callback; + } + } + if (typeof timeoutMs === 'number' && timeoutMs > 0) { + timeoutId = setTimeout(ontimeout, timeoutMs); + } + if ('port' in opts && typeof opts.port !== 'number') { + opts.port = Number(opts.port); + } + try { + debug('Resolving socket for %o request: %o', opts.protocol, `${req.method} ${req.path}`); + Promise.resolve(this.promisifiedCallback(req, opts)).then(onsocket, callbackError); + } + catch (err) { + Promise.reject(err).catch(callbackError); + } + } + freeSocket(socket, opts) { + debug('Freeing socket %o %o', socket.constructor.name, opts); + socket.destroy(); + } + destroy() { + debug('Destroying agent %o', this.constructor.name); + } + } + createAgent.Agent = Agent; + // So that `instanceof` works correctly + createAgent.prototype = createAgent.Agent.prototype; +})(createAgent || (createAgent = {})); +module.exports = createAgent; +//# sourceMappingURL=index.js.map + +/***/ }), + +/***/ 76948: +/***/ ((__unused_webpack_module, exports) => { + +"use strict"; + +Object.defineProperty(exports, "__esModule", ({ value: true })); +function promisify(fn) { + return function (req, opts) { + return new Promise((resolve, reject) => { + fn.call(this, req, opts, (err, rtn) => { + if (err) { + reject(err); + } + else { + resolve(rtn); + } + }); + }); + }; +} +exports["default"] = promisify; +//# sourceMappingURL=promisify.js.map + /***/ }), /***/ 91403: @@ -81079,6 +81324,284 @@ module.exports = function (dst, src) { }; +/***/ }), + +/***/ 39808: +/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { + +"use strict"; + +var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { + function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); } + return new (P || (P = Promise))(function (resolve, reject) { + function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } + function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } + function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } + step((generator = generator.apply(thisArg, _arguments || [])).next()); + }); +}; +var __importDefault = (this && this.__importDefault) || function (mod) { + return (mod && mod.__esModule) ? mod : { "default": mod }; +}; +Object.defineProperty(exports, "__esModule", ({ value: true })); +const net_1 = __importDefault(__nccwpck_require__(41808)); +const tls_1 = __importDefault(__nccwpck_require__(24404)); +const url_1 = __importDefault(__nccwpck_require__(57310)); +const assert_1 = __importDefault(__nccwpck_require__(39491)); +const debug_1 = __importDefault(__nccwpck_require__(38237)); +const agent_base_1 = __nccwpck_require__(17401); +const parse_proxy_response_1 = __importDefault(__nccwpck_require__(88494)); +const debug = debug_1.default('https-proxy-agent:agent'); +/** + * The `HttpsProxyAgent` implements an HTTP Agent subclass that connects to + * the specified "HTTP(s) proxy server" in order to proxy HTTPS requests. + * + * Outgoing HTTP requests are first tunneled through the proxy server using the + * `CONNECT` HTTP request method to establish a connection to the proxy server, + * and then the proxy server connects to the destination target and issues the + * HTTP request from the proxy server. + * + * `https:` requests have their socket connection upgraded to TLS once + * the connection to the proxy server has been established. + * + * @api public + */ +class HttpsProxyAgent extends agent_base_1.Agent { + constructor(_opts) { + let opts; + if (typeof _opts === 'string') { + opts = url_1.default.parse(_opts); + } + else { + opts = _opts; + } + if (!opts) { + throw new Error('an HTTP(S) proxy server `host` and `port` must be specified!'); + } + debug('creating new HttpsProxyAgent instance: %o', opts); + super(opts); + const proxy = Object.assign({}, opts); + // If `true`, then connect to the proxy server over TLS. + // Defaults to `false`. + this.secureProxy = opts.secureProxy || isHTTPS(proxy.protocol); + // Prefer `hostname` over `host`, and set the `port` if needed. + proxy.host = proxy.hostname || proxy.host; + if (typeof proxy.port === 'string') { + proxy.port = parseInt(proxy.port, 10); + } + if (!proxy.port && proxy.host) { + proxy.port = this.secureProxy ? 443 : 80; + } + // ALPN is supported by Node.js >= v5. + // attempt to negotiate http/1.1 for proxy servers that support http/2 + if (this.secureProxy && !('ALPNProtocols' in proxy)) { + proxy.ALPNProtocols = ['http 1.1']; + } + if (proxy.host && proxy.path) { + // If both a `host` and `path` are specified then it's most likely + // the result of a `url.parse()` call... we need to remove the + // `path` portion so that `net.connect()` doesn't attempt to open + // that as a Unix socket file. + delete proxy.path; + delete proxy.pathname; + } + this.proxy = proxy; + } + /** + * Called when the node-core HTTP client library is creating a + * new HTTP request. + * + * @api protected + */ + callback(req, opts) { + return __awaiter(this, void 0, void 0, function* () { + const { proxy, secureProxy } = this; + // Create a socket connection to the proxy server. + let socket; + if (secureProxy) { + debug('Creating `tls.Socket`: %o', proxy); + socket = tls_1.default.connect(proxy); + } + else { + debug('Creating `net.Socket`: %o', proxy); + socket = net_1.default.connect(proxy); + } + const headers = Object.assign({}, proxy.headers); + const hostname = `${opts.host}:${opts.port}`; + let payload = `CONNECT ${hostname} HTTP/1.1\r\n`; + // Inject the `Proxy-Authorization` header if necessary. + if (proxy.auth) { + headers['Proxy-Authorization'] = `Basic ${Buffer.from(proxy.auth).toString('base64')}`; + } + // The `Host` header should only include the port + // number when it is not the default port. + let { host, port, secureEndpoint } = opts; + if (!isDefaultPort(port, secureEndpoint)) { + host += `:${port}`; + } + headers.Host = host; + headers.Connection = 'close'; + for (const name of Object.keys(headers)) { + payload += `${name}: ${headers[name]}\r\n`; + } + const proxyResponsePromise = parse_proxy_response_1.default(socket); + socket.write(`${payload}\r\n`); + const { statusCode, buffered } = yield proxyResponsePromise; + if (statusCode === 200) { + req.once('socket', resume); + if (opts.secureEndpoint) { + // The proxy is connecting to a TLS server, so upgrade + // this socket connection to a TLS connection. + debug('Upgrading socket connection to TLS'); + const servername = opts.servername || opts.host; + return tls_1.default.connect(Object.assign(Object.assign({}, omit(opts, 'host', 'hostname', 'path', 'port')), { socket, + servername })); + } + return socket; + } + // Some other status code that's not 200... need to re-play the HTTP + // header "data" events onto the socket once the HTTP machinery is + // attached so that the node core `http` can parse and handle the + // error status code. + // Close the original socket, and a new "fake" socket is returned + // instead, so that the proxy doesn't get the HTTP request + // written to it (which may contain `Authorization` headers or other + // sensitive data). + // + // See: https://hackerone.com/reports/541502 + socket.destroy(); + const fakeSocket = new net_1.default.Socket({ writable: false }); + fakeSocket.readable = true; + // Need to wait for the "socket" event to re-play the "data" events. + req.once('socket', (s) => { + debug('replaying proxy buffer for failed request'); + assert_1.default(s.listenerCount('data') > 0); + // Replay the "buffered" Buffer onto the fake `socket`, since at + // this point the HTTP module machinery has been hooked up for + // the user. + s.push(buffered); + s.push(null); + }); + return fakeSocket; + }); + } +} +exports["default"] = HttpsProxyAgent; +function resume(socket) { + socket.resume(); +} +function isDefaultPort(port, secure) { + return Boolean((!secure && port === 80) || (secure && port === 443)); +} +function isHTTPS(protocol) { + return typeof protocol === 'string' ? /^https:?$/i.test(protocol) : false; +} +function omit(obj, ...keys) { + const ret = {}; + let key; + for (key in obj) { + if (!keys.includes(key)) { + ret[key] = obj[key]; + } + } + return ret; +} +//# sourceMappingURL=agent.js.map + +/***/ }), + +/***/ 28414: +/***/ (function(module, __unused_webpack_exports, __nccwpck_require__) { + +"use strict"; + +var __importDefault = (this && this.__importDefault) || function (mod) { + return (mod && mod.__esModule) ? mod : { "default": mod }; +}; +const agent_1 = __importDefault(__nccwpck_require__(39808)); +function createHttpsProxyAgent(opts) { + return new agent_1.default(opts); +} +(function (createHttpsProxyAgent) { + createHttpsProxyAgent.HttpsProxyAgent = agent_1.default; + createHttpsProxyAgent.prototype = agent_1.default.prototype; +})(createHttpsProxyAgent || (createHttpsProxyAgent = {})); +module.exports = createHttpsProxyAgent; +//# sourceMappingURL=index.js.map + +/***/ }), + +/***/ 88494: +/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { + +"use strict"; + +var __importDefault = (this && this.__importDefault) || function (mod) { + return (mod && mod.__esModule) ? mod : { "default": mod }; +}; +Object.defineProperty(exports, "__esModule", ({ value: true })); +const debug_1 = __importDefault(__nccwpck_require__(38237)); +const debug = debug_1.default('https-proxy-agent:parse-proxy-response'); +function parseProxyResponse(socket) { + return new Promise((resolve, reject) => { + // we need to buffer any HTTP traffic that happens with the proxy before we get + // the CONNECT response, so that if the response is anything other than an "200" + // response code, then we can re-play the "data" events on the socket once the + // HTTP parser is hooked up... + let buffersLength = 0; + const buffers = []; + function read() { + const b = socket.read(); + if (b) + ondata(b); + else + socket.once('readable', read); + } + function cleanup() { + socket.removeListener('end', onend); + socket.removeListener('error', onerror); + socket.removeListener('close', onclose); + socket.removeListener('readable', read); + } + function onclose(err) { + debug('onclose had error %o', err); + } + function onend() { + debug('onend'); + } + function onerror(err) { + cleanup(); + debug('onerror %o', err); + reject(err); + } + function ondata(b) { + buffers.push(b); + buffersLength += b.length; + const buffered = Buffer.concat(buffers, buffersLength); + const endOfHeaders = buffered.indexOf('\r\n\r\n'); + if (endOfHeaders === -1) { + // keep buffering + debug('have not received end of HTTP headers yet...'); + read(); + return; + } + const firstLine = buffered.toString('ascii', 0, buffered.indexOf('\r\n')); + const statusCode = +firstLine.split(' ')[1]; + debug('got proxy server response: %o', firstLine); + resolve({ + statusCode, + buffered + }); + } + socket.on('error', onerror); + socket.on('close', onclose); + socket.on('end', onend); + read(); + }); +} +exports["default"] = parseProxyResponse; +//# sourceMappingURL=parse-proxy-response.js.map + /***/ }), /***/ 9417: @@ -194670,16 +195193,18 @@ exports.getPackageJSON = getPackageJSON; /***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { "use strict"; -/*! Axios v1.15.0 Copyright (c) 2026 Matt Zabriskie and contributors */ +/*! Axios v1.16.1 Copyright (c) 2026 Matt Zabriskie and contributors */ var FormData$1 = __nccwpck_require__(91403); var crypto = __nccwpck_require__(6113); var url = __nccwpck_require__(57310); +var HttpsProxyAgent = __nccwpck_require__(28414); var http = __nccwpck_require__(13685); var https = __nccwpck_require__(95687); var http2 = __nccwpck_require__(85158); var util = __nccwpck_require__(73837); +var path = __nccwpck_require__(71017); var followRedirects = __nccwpck_require__(67707); var zlib = __nccwpck_require__(59796); var stream = __nccwpck_require__(12781); @@ -194879,9 +195404,9 @@ const isFile = kindOfTest('File'); * also have a `name` and `type` attribute to specify filename and content type * * @see https://github.com/facebook/react-native/blob/26684cf3adf4094eb6c405d345a75bf8c7c0bf88/Libraries/Network/FormData.js#L68-L71 - * + * * @param {*} value The value to test - * + * * @returns {boolean} True if value is a React Native Blob, otherwise false */ const isReactNativeBlob = value => { @@ -194891,9 +195416,9 @@ const isReactNativeBlob = value => { /** * Determine if environment is React Native * ReactNative `FormData` has a non-standard `getParts()` method - * + * * @param {*} formData The formData to test - * + * * @returns {boolean} True if environment is React Native, otherwise false */ const isReactNative = formData => formData && typeof formData.getParts !== 'undefined'; @@ -194912,7 +195437,7 @@ const isBlob = kindOfTest('Blob'); * * @param {*} val The value to test * - * @returns {boolean} True if value is a File, otherwise false + * @returns {boolean} True if value is a FileList, otherwise false */ const isFileList = kindOfTest('FileList'); @@ -194942,10 +195467,16 @@ function getGlobal() { const G = getGlobal(); const FormDataCtor = typeof G.FormData !== 'undefined' ? G.FormData : undefined; const isFormData = thing => { - let kind; - return thing && (FormDataCtor && thing instanceof FormDataCtor || isFunction$1(thing.append) && ((kind = kindOf(thing)) === 'formdata' || + if (!thing) return false; + if (FormDataCtor && thing instanceof FormDataCtor) return true; + // Reject plain objects inheriting directly from Object.prototype so prototype-pollution gadgets can't spoof FormData. + const proto = getPrototypeOf(thing); + if (!proto || proto === Object.prototype) return false; + if (!isFunction$1(thing.append)) return false; + const kind = kindOf(thing); + return kind === 'formdata' || // detect form-data instance - kind === 'object' && isFunction$1(thing.toString) && thing.toString() === '[object FormData]')); + kind === 'object' && isFunction$1(thing.toString) && thing.toString() === '[object FormData]'; }; /** @@ -195070,8 +195601,7 @@ const isContextDefined = context => !isUndefined(context) && context !== _global * * @returns {Object} Result of all merge properties */ -function merge(/* obj1, obj2, obj3, ... */ -) { +function merge(...objs) { const { caseless, skipUndefined @@ -195083,8 +195613,12 @@ function merge(/* obj1, obj2, obj3, ... */ return; } const targetKey = caseless && findKey(result, key) || key; - if (isPlainObject(result[targetKey]) && isPlainObject(val)) { - result[targetKey] = merge(result[targetKey], val); + // Read via own-prop only — a bare `result[targetKey]` walks the prototype + // chain, so a polluted Object.prototype value could surface here and get + // copied into the merged result. + const existing = hasOwnProperty(result, targetKey) ? result[targetKey] : undefined; + if (isPlainObject(existing) && isPlainObject(val)) { + result[targetKey] = merge(existing, val); } else if (isPlainObject(val)) { result[targetKey] = merge({}, val); } else if (isArray(val)) { @@ -195093,8 +195627,8 @@ function merge(/* obj1, obj2, obj3, ... */ result[targetKey] = val; } }; - for (let i = 0, l = arguments.length; i < l; i++) { - arguments[i] && forEach(arguments[i], assignValue); + for (let i = 0, l = objs.length; i < l; i++) { + objs[i] && forEach(objs[i], assignValue); } return result; } @@ -195116,6 +195650,9 @@ const extend = (a, b, thisArg, { forEach(b, (val, key) => { if (thisArg && isFunction$1(val)) { Object.defineProperty(a, key, { + // Null-proto descriptor so a polluted Object.prototype.get cannot + // hijack defineProperty's accessor-vs-data resolution. + __proto__: null, value: bind(val, thisArg), writable: true, enumerable: true, @@ -195123,6 +195660,7 @@ const extend = (a, b, thisArg, { }); } else { Object.defineProperty(a, key, { + __proto__: null, value: val, writable: true, enumerable: true, @@ -195161,12 +195699,14 @@ const stripBOM = content => { const inherits = (constructor, superConstructor, props, descriptors) => { constructor.prototype = Object.create(superConstructor.prototype, descriptors); Object.defineProperty(constructor.prototype, 'constructor', { + __proto__: null, value: constructor, writable: true, enumerable: false, configurable: true }); Object.defineProperty(constructor, 'super', { + __proto__: null, value: superConstructor.prototype }); props && Object.assign(constructor.prototype, props); @@ -195334,7 +195874,7 @@ const reduceDescriptors = (obj, reducer) => { const freezeMethods = obj => { reduceDescriptors(obj, (descriptor, name) => { // skip restricted props in strict mode - if (isFunction$1(obj) && ['arguments', 'caller', 'callee'].indexOf(name) !== -1) { + if (isFunction$1(obj) && ['arguments', 'caller', 'callee'].includes(name)) { return false; } const value = obj[name]; @@ -195393,10 +195933,10 @@ function isSpecCompliantForm(thing) { * @returns {Object} The JSON-compatible object. */ const toJSONObject = obj => { - const stack = new Array(10); - const visit = (source, i) => { + const visited = new WeakSet(); + const visit = source => { if (isObject(source)) { - if (stack.indexOf(source) >= 0) { + if (visited.has(source)) { return; } @@ -195405,19 +195945,20 @@ const toJSONObject = obj => { return source; } if (!('toJSON' in source)) { - stack[i] = source; + // add-on descent / delete-on-ascent: preserves path semantics, so DAG nodes serialise at every occurrence (see #7230). + visited.add(source); const target = isArray(source) ? [] : {}; forEach(source, (value, key) => { - const reducedValue = visit(value, i + 1); + const reducedValue = visit(value); !isUndefined(reducedValue) && (target[key] = reducedValue); }); - stack[i] = undefined; + visited.delete(source); return target; } } return source; }; - return visit(obj, 0); + return visit(obj); }; /** @@ -195541,6 +196082,382 @@ var utils$1 = { isIterable }; +// RawAxiosHeaders whose duplicates are ignored by node +// c.f. https://nodejs.org/api/http.html#http_message_headers +const ignoreDuplicateOf = utils$1.toObjectSet(['age', 'authorization', 'content-length', 'content-type', 'etag', 'expires', 'from', 'host', 'if-modified-since', 'if-unmodified-since', 'last-modified', 'location', 'max-forwards', 'proxy-authorization', 'referer', 'retry-after', 'user-agent']); + +/** + * Parse headers into an object + * + * ``` + * Date: Wed, 27 Aug 2014 08:58:49 GMT + * Content-Type: application/json + * Connection: keep-alive + * Transfer-Encoding: chunked + * ``` + * + * @param {String} rawHeaders Headers needing to be parsed + * + * @returns {Object} Headers parsed into an object + */ +var parseHeaders = rawHeaders => { + const parsed = {}; + let key; + let val; + let i; + rawHeaders && rawHeaders.split('\n').forEach(function parser(line) { + i = line.indexOf(':'); + key = line.substring(0, i).trim().toLowerCase(); + val = line.substring(i + 1).trim(); + if (!key || parsed[key] && ignoreDuplicateOf[key]) { + return; + } + if (key === 'set-cookie') { + if (parsed[key]) { + parsed[key].push(val); + } else { + parsed[key] = [val]; + } + } else { + parsed[key] = parsed[key] ? parsed[key] + ', ' + val : val; + } + }); + return parsed; +}; + +function trimSPorHTAB(str) { + let start = 0; + let end = str.length; + while (start < end) { + const code = str.charCodeAt(start); + if (code !== 0x09 && code !== 0x20) { + break; + } + start += 1; + } + while (end > start) { + const code = str.charCodeAt(end - 1); + if (code !== 0x09 && code !== 0x20) { + break; + } + end -= 1; + } + return start === 0 && end === str.length ? str : str.slice(start, end); +} + +// The control-code ranges are intentional: header sanitization strips C0/DEL bytes. +// eslint-disable-next-line no-control-regex +const INVALID_UNICODE_HEADER_VALUE_CHARS = new RegExp('[\\u0000-\\u0008\\u000a-\\u001f\\u007f]+', 'g'); +// eslint-disable-next-line no-control-regex +const INVALID_BYTE_STRING_HEADER_VALUE_CHARS = new RegExp('[^\\u0009\\u0020-\\u007e\\u0080-\\u00ff]+', 'g'); +function sanitizeValue(value, invalidChars) { + if (utils$1.isArray(value)) { + return value.map(item => sanitizeValue(item, invalidChars)); + } + return trimSPorHTAB(String(value).replace(invalidChars, '')); +} +const sanitizeHeaderValue = value => sanitizeValue(value, INVALID_UNICODE_HEADER_VALUE_CHARS); +const sanitizeByteStringHeaderValue = value => sanitizeValue(value, INVALID_BYTE_STRING_HEADER_VALUE_CHARS); +function toByteStringHeaderObject(headers) { + const byteStringHeaders = Object.create(null); + utils$1.forEach(headers.toJSON(), (value, header) => { + byteStringHeaders[header] = sanitizeByteStringHeaderValue(value); + }); + return byteStringHeaders; +} + +const $internals = Symbol('internals'); +function normalizeHeader(header) { + return header && String(header).trim().toLowerCase(); +} +function normalizeValue(value) { + if (value === false || value == null) { + return value; + } + return utils$1.isArray(value) ? value.map(normalizeValue) : sanitizeHeaderValue(String(value)); +} +function parseTokens(str) { + const tokens = Object.create(null); + const tokensRE = /([^\s,;=]+)\s*(?:=\s*([^,;]+))?/g; + let match; + while (match = tokensRE.exec(str)) { + tokens[match[1]] = match[2]; + } + return tokens; +} +const isValidHeaderName = str => /^[-_a-zA-Z0-9^`|~,!#$%&'*+.]+$/.test(str.trim()); +function matchHeaderValue(context, value, header, filter, isHeaderNameFilter) { + if (utils$1.isFunction(filter)) { + return filter.call(this, value, header); + } + if (isHeaderNameFilter) { + value = header; + } + if (!utils$1.isString(value)) return; + if (utils$1.isString(filter)) { + return value.indexOf(filter) !== -1; + } + if (utils$1.isRegExp(filter)) { + return filter.test(value); + } +} +function formatHeader(header) { + return header.trim().toLowerCase().replace(/([a-z\d])(\w*)/g, (w, char, str) => { + return char.toUpperCase() + str; + }); +} +function buildAccessors(obj, header) { + const accessorName = utils$1.toCamelCase(' ' + header); + ['get', 'set', 'has'].forEach(methodName => { + Object.defineProperty(obj, methodName + accessorName, { + // Null-proto descriptor so a polluted Object.prototype.get cannot turn + // this data descriptor into an accessor descriptor on the way in. + __proto__: null, + value: function (arg1, arg2, arg3) { + return this[methodName].call(this, header, arg1, arg2, arg3); + }, + configurable: true + }); + }); +} +class AxiosHeaders { + constructor(headers) { + headers && this.set(headers); + } + set(header, valueOrRewrite, rewrite) { + const self = this; + function setHeader(_value, _header, _rewrite) { + const lHeader = normalizeHeader(_header); + if (!lHeader) { + throw new Error('header name must be a non-empty string'); + } + const key = utils$1.findKey(self, lHeader); + if (!key || self[key] === undefined || _rewrite === true || _rewrite === undefined && self[key] !== false) { + self[key || _header] = normalizeValue(_value); + } + } + const setHeaders = (headers, _rewrite) => utils$1.forEach(headers, (_value, _header) => setHeader(_value, _header, _rewrite)); + if (utils$1.isPlainObject(header) || header instanceof this.constructor) { + setHeaders(header, valueOrRewrite); + } else if (utils$1.isString(header) && (header = header.trim()) && !isValidHeaderName(header)) { + setHeaders(parseHeaders(header), valueOrRewrite); + } else if (utils$1.isObject(header) && utils$1.isIterable(header)) { + let obj = {}, + dest, + key; + for (const entry of header) { + if (!utils$1.isArray(entry)) { + throw TypeError('Object iterator must return a key-value pair'); + } + obj[key = entry[0]] = (dest = obj[key]) ? utils$1.isArray(dest) ? [...dest, entry[1]] : [dest, entry[1]] : entry[1]; + } + setHeaders(obj, valueOrRewrite); + } else { + header != null && setHeader(valueOrRewrite, header, rewrite); + } + return this; + } + get(header, parser) { + header = normalizeHeader(header); + if (header) { + const key = utils$1.findKey(this, header); + if (key) { + const value = this[key]; + if (!parser) { + return value; + } + if (parser === true) { + return parseTokens(value); + } + if (utils$1.isFunction(parser)) { + return parser.call(this, value, key); + } + if (utils$1.isRegExp(parser)) { + return parser.exec(value); + } + throw new TypeError('parser must be boolean|regexp|function'); + } + } + } + has(header, matcher) { + header = normalizeHeader(header); + if (header) { + const key = utils$1.findKey(this, header); + return !!(key && this[key] !== undefined && (!matcher || matchHeaderValue(this, this[key], key, matcher))); + } + return false; + } + delete(header, matcher) { + const self = this; + let deleted = false; + function deleteHeader(_header) { + _header = normalizeHeader(_header); + if (_header) { + const key = utils$1.findKey(self, _header); + if (key && (!matcher || matchHeaderValue(self, self[key], key, matcher))) { + delete self[key]; + deleted = true; + } + } + } + if (utils$1.isArray(header)) { + header.forEach(deleteHeader); + } else { + deleteHeader(header); + } + return deleted; + } + clear(matcher) { + const keys = Object.keys(this); + let i = keys.length; + let deleted = false; + while (i--) { + const key = keys[i]; + if (!matcher || matchHeaderValue(this, this[key], key, matcher, true)) { + delete this[key]; + deleted = true; + } + } + return deleted; + } + normalize(format) { + const self = this; + const headers = {}; + utils$1.forEach(this, (value, header) => { + const key = utils$1.findKey(headers, header); + if (key) { + self[key] = normalizeValue(value); + delete self[header]; + return; + } + const normalized = format ? formatHeader(header) : String(header).trim(); + if (normalized !== header) { + delete self[header]; + } + self[normalized] = normalizeValue(value); + headers[normalized] = true; + }); + return this; + } + concat(...targets) { + return this.constructor.concat(this, ...targets); + } + toJSON(asStrings) { + const obj = Object.create(null); + utils$1.forEach(this, (value, header) => { + value != null && value !== false && (obj[header] = asStrings && utils$1.isArray(value) ? value.join(', ') : value); + }); + return obj; + } + [Symbol.iterator]() { + return Object.entries(this.toJSON())[Symbol.iterator](); + } + toString() { + return Object.entries(this.toJSON()).map(([header, value]) => header + ': ' + value).join('\n'); + } + getSetCookie() { + return this.get('set-cookie') || []; + } + get [Symbol.toStringTag]() { + return 'AxiosHeaders'; + } + static from(thing) { + return thing instanceof this ? thing : new this(thing); + } + static concat(first, ...targets) { + const computed = new this(first); + targets.forEach(target => computed.set(target)); + return computed; + } + static accessor(header) { + const internals = this[$internals] = this[$internals] = { + accessors: {} + }; + const accessors = internals.accessors; + const prototype = this.prototype; + function defineAccessor(_header) { + const lHeader = normalizeHeader(_header); + if (!accessors[lHeader]) { + buildAccessors(prototype, _header); + accessors[lHeader] = true; + } + } + utils$1.isArray(header) ? header.forEach(defineAccessor) : defineAccessor(header); + return this; + } +} +AxiosHeaders.accessor(['Content-Type', 'Content-Length', 'Accept', 'Accept-Encoding', 'User-Agent', 'Authorization']); + +// reserved names hotfix +utils$1.reduceDescriptors(AxiosHeaders.prototype, ({ + value +}, key) => { + let mapped = key[0].toUpperCase() + key.slice(1); // map `set` => `Set` + return { + get: () => value, + set(headerValue) { + this[mapped] = headerValue; + } + }; +}); +utils$1.freezeMethods(AxiosHeaders); + +const REDACTED = '[REDACTED ****]'; +function hasOwnOrPrototypeToJSON(source) { + if (utils$1.hasOwnProp(source, 'toJSON')) { + return true; + } + let prototype = Object.getPrototypeOf(source); + while (prototype && prototype !== Object.prototype) { + if (utils$1.hasOwnProp(prototype, 'toJSON')) { + return true; + } + prototype = Object.getPrototypeOf(prototype); + } + return false; +} + +// Build a plain-object snapshot of `config` and replace the value of any key +// (case-insensitive) listed in `redactKeys` with REDACTED. Walks through arrays +// and AxiosHeaders, and short-circuits on circular references. +function redactConfig(config, redactKeys) { + const lowerKeys = new Set(redactKeys.map(k => String(k).toLowerCase())); + const seen = []; + const visit = source => { + if (source === null || typeof source !== 'object') return source; + if (utils$1.isBuffer(source)) return source; + if (seen.indexOf(source) !== -1) return undefined; + if (source instanceof AxiosHeaders) { + source = source.toJSON(); + } + seen.push(source); + let result; + if (utils$1.isArray(source)) { + result = []; + source.forEach((v, i) => { + const reducedValue = visit(v); + if (!utils$1.isUndefined(reducedValue)) { + result[i] = reducedValue; + } + }); + } else { + if (!utils$1.isPlainObject(source) && hasOwnOrPrototypeToJSON(source)) { + seen.pop(); + return source; + } + result = Object.create(null); + for (const [key, value] of Object.entries(source)) { + const reducedValue = lowerKeys.has(key.toLowerCase()) ? REDACTED : visit(value); + if (!utils$1.isUndefined(reducedValue)) { + result[key] = reducedValue; + } + } + } + seen.pop(); + return result; + }; + return visit(config); +} class AxiosError extends Error { static from(error, code, config, request, response, customProps) { const axiosError = new AxiosError(error.message, code || error.code, config, request, response); @@ -195573,6 +196490,9 @@ class AxiosError extends Error { // The native Error constructor sets message as non-enumerable, // but axios < v1.13.3 had it as enumerable Object.defineProperty(this, 'message', { + // Null-proto descriptor so a polluted Object.prototype.get cannot turn + // this data descriptor into an accessor descriptor on the way in. + __proto__: null, value: message, enumerable: true, writable: true, @@ -195589,6 +196509,13 @@ class AxiosError extends Error { } } toJSON() { + // Opt-in redaction: when the request config carries a `redact` array, the + // value of any matching key (case-insensitive, at any depth) is replaced + // with REDACTED in the serialized snapshot. Undefined or empty leaves the + // existing serialization behavior unchanged. + const config = this.config; + const redactKeys = config && utils$1.hasOwnProp(config, 'redact') ? config.redact : undefined; + const serializedConfig = utils$1.isArray(redactKeys) && redactKeys.length > 0 ? redactConfig(config, redactKeys) : utils$1.toJSONObject(config); return { // Standard message: this.message, @@ -195602,7 +196529,7 @@ class AxiosError extends Error { columnNumber: this.columnNumber, stack: this.stack, // Axios - config: utils$1.toJSONObject(this.config), + config: serializedConfig, code: this.code, status: this.status }; @@ -195614,6 +196541,7 @@ AxiosError.ERR_BAD_OPTION_VALUE = 'ERR_BAD_OPTION_VALUE'; AxiosError.ERR_BAD_OPTION = 'ERR_BAD_OPTION'; AxiosError.ECONNABORTED = 'ECONNABORTED'; AxiosError.ETIMEDOUT = 'ETIMEDOUT'; +AxiosError.ECONNREFUSED = 'ECONNREFUSED'; AxiosError.ERR_NETWORK = 'ERR_NETWORK'; AxiosError.ERR_FR_TOO_MANY_REDIRECTS = 'ERR_FR_TOO_MANY_REDIRECTS'; AxiosError.ERR_DEPRECATED = 'ERR_DEPRECATED'; @@ -195622,6 +196550,7 @@ AxiosError.ERR_BAD_REQUEST = 'ERR_BAD_REQUEST'; AxiosError.ERR_CANCELED = 'ERR_CANCELED'; AxiosError.ERR_NOT_SUPPORT = 'ERR_NOT_SUPPORT'; AxiosError.ERR_INVALID_URL = 'ERR_INVALID_URL'; +AxiosError.ERR_FORM_DATA_DEPTH_EXCEEDED = 'ERR_FORM_DATA_DEPTH_EXCEEDED'; /** * Determines if the given thing is a array or js object. @@ -195723,6 +196652,7 @@ function toFormData(obj, formData, options) { const dots = options.dots; const indexes = options.indexes; const _Blob = options.Blob || typeof Blob !== 'undefined' && Blob; + const maxDepth = options.maxDepth === undefined ? 100 : options.maxDepth; const useBlob = _Blob && utils$1.isSpecCompliantForm(formData); if (!utils$1.isFunction(visitor)) { throw new TypeError('visitor must be a function'); @@ -195789,8 +196719,11 @@ function toFormData(obj, formData, options) { convertValue, isVisitable }); - function build(value, path) { + function build(value, path, depth = 0) { if (utils$1.isUndefined(value)) return; + if (depth > maxDepth) { + throw new AxiosError('Object is too deeply nested (' + depth + ' levels). Max depth: ' + maxDepth, AxiosError.ERR_FORM_DATA_DEPTH_EXCEEDED); + } if (stack.indexOf(value) !== -1) { throw Error('Circular reference detected in ' + path.join('.')); } @@ -195798,7 +196731,7 @@ function toFormData(obj, formData, options) { utils$1.forEach(value, function each(el, key) { const result = !(utils$1.isUndefined(el) || el === null) && visitor.call(formData, el, utils$1.isString(key) ? key.trim() : key, path, exposedHelpers); if (result === true) { - build(el, path ? path.concat(key) : [key]); + build(el, path ? path.concat(key) : [key], depth + 1); } }); stack.pop(); @@ -195825,10 +196758,9 @@ function encode$1(str) { '(': '%28', ')': '%29', '~': '%7E', - '%20': '+', - '%00': '\x00' + '%20': '+' }; - return encodeURIComponent(str).replace(/[!'()~]|%20|%00/g, function replacer(match) { + return encodeURIComponent(str).replace(/[!'()~]|%20/g, function replacer(match) { return charMap[match]; }); } @@ -196129,13 +197061,13 @@ function formDataToJSON(formData) { name = !name && utils$1.isArray(target) ? target.length : name; if (isLast) { if (utils$1.hasOwnProp(target, name)) { - target[name] = [target[name], value]; + target[name] = utils$1.isArray(target[name]) ? target[name].concat(value) : [target[name], value]; } else { target[name] = value; } return !isNumericKey; } - if (!target[name] || !utils$1.isObject(target[name])) { + if (!utils$1.hasOwnProp(target, name) || !utils$1.isObject(target[name])) { target[name] = []; } const result = buildPath(path, value, target[name], index); @@ -196154,6 +197086,8 @@ function formDataToJSON(formData) { return null; } +const own = (obj, key) => obj != null && utils$1.hasOwnProp(obj, key) ? obj[key] : undefined; + /** * It takes a string, tries to parse it, and if it fails, it returns the stringified version * of the input @@ -196203,14 +197137,16 @@ const defaults = { } let isFileList; if (isObjectPayload) { + const formSerializer = own(this, 'formSerializer'); if (contentType.indexOf('application/x-www-form-urlencoded') > -1) { - return toURLEncodedForm(data, this.formSerializer).toString(); + return toURLEncodedForm(data, formSerializer).toString(); } if ((isFileList = utils$1.isFileList(data)) || contentType.indexOf('multipart/form-data') > -1) { - const _FormData = this.env && this.env.FormData; + const env = own(this, 'env'); + const _FormData = env && env.FormData; return toFormData(isFileList ? { 'files[]': data - } : data, _FormData && new _FormData(), this.formSerializer); + } : data, _FormData && new _FormData(), formSerializer); } } if (isObjectPayload || hasJSONContentType) { @@ -196220,21 +197156,22 @@ const defaults = { return data; }], transformResponse: [function transformResponse(data) { - const transitional = this.transitional || defaults.transitional; + const transitional = own(this, 'transitional') || defaults.transitional; const forcedJSONParsing = transitional && transitional.forcedJSONParsing; - const JSONRequested = this.responseType === 'json'; + const responseType = own(this, 'responseType'); + const JSONRequested = responseType === 'json'; if (utils$1.isResponse(data) || utils$1.isReadableStream(data)) { return data; } - if (data && utils$1.isString(data) && (forcedJSONParsing && !this.responseType || JSONRequested)) { + if (data && utils$1.isString(data) && (forcedJSONParsing && !responseType || JSONRequested)) { const silentJSONParsing = transitional && transitional.silentJSONParsing; const strictJSONParsing = !silentJSONParsing && JSONRequested; try { - return JSON.parse(data, this.parseReviver); + return JSON.parse(data, own(this, 'parseReviver')); } catch (e) { if (strictJSONParsing) { if (e.name === 'SyntaxError') { - throw AxiosError.from(e, AxiosError.ERR_BAD_RESPONSE, this, null, this.response); + throw AxiosError.from(e, AxiosError.ERR_BAD_RESPONSE, this, null, own(this, 'response')); } throw e; } @@ -196265,311 +197202,10 @@ const defaults = { } } }; -utils$1.forEach(['delete', 'get', 'head', 'post', 'put', 'patch'], method => { +utils$1.forEach(['delete', 'get', 'head', 'post', 'put', 'patch', 'query'], method => { defaults.headers[method] = {}; }); -// RawAxiosHeaders whose duplicates are ignored by node -// c.f. https://nodejs.org/api/http.html#http_message_headers -const ignoreDuplicateOf = utils$1.toObjectSet(['age', 'authorization', 'content-length', 'content-type', 'etag', 'expires', 'from', 'host', 'if-modified-since', 'if-unmodified-since', 'last-modified', 'location', 'max-forwards', 'proxy-authorization', 'referer', 'retry-after', 'user-agent']); - -/** - * Parse headers into an object - * - * ``` - * Date: Wed, 27 Aug 2014 08:58:49 GMT - * Content-Type: application/json - * Connection: keep-alive - * Transfer-Encoding: chunked - * ``` - * - * @param {String} rawHeaders Headers needing to be parsed - * - * @returns {Object} Headers parsed into an object - */ -var parseHeaders = rawHeaders => { - const parsed = {}; - let key; - let val; - let i; - rawHeaders && rawHeaders.split('\n').forEach(function parser(line) { - i = line.indexOf(':'); - key = line.substring(0, i).trim().toLowerCase(); - val = line.substring(i + 1).trim(); - if (!key || parsed[key] && ignoreDuplicateOf[key]) { - return; - } - if (key === 'set-cookie') { - if (parsed[key]) { - parsed[key].push(val); - } else { - parsed[key] = [val]; - } - } else { - parsed[key] = parsed[key] ? parsed[key] + ', ' + val : val; - } - }); - return parsed; -}; - -const $internals = Symbol('internals'); -const isValidHeaderValue = value => !/[\r\n]/.test(value); -function assertValidHeaderValue(value, header) { - if (value === false || value == null) { - return; - } - if (utils$1.isArray(value)) { - value.forEach(v => assertValidHeaderValue(v, header)); - return; - } - if (!isValidHeaderValue(String(value))) { - throw new Error(`Invalid character in header content ["${header}"]`); - } -} -function normalizeHeader(header) { - return header && String(header).trim().toLowerCase(); -} -function stripTrailingCRLF(str) { - let end = str.length; - while (end > 0) { - const charCode = str.charCodeAt(end - 1); - if (charCode !== 10 && charCode !== 13) { - break; - } - end -= 1; - } - return end === str.length ? str : str.slice(0, end); -} -function normalizeValue(value) { - if (value === false || value == null) { - return value; - } - return utils$1.isArray(value) ? value.map(normalizeValue) : stripTrailingCRLF(String(value)); -} -function parseTokens(str) { - const tokens = Object.create(null); - const tokensRE = /([^\s,;=]+)\s*(?:=\s*([^,;]+))?/g; - let match; - while (match = tokensRE.exec(str)) { - tokens[match[1]] = match[2]; - } - return tokens; -} -const isValidHeaderName = str => /^[-_a-zA-Z0-9^`|~,!#$%&'*+.]+$/.test(str.trim()); -function matchHeaderValue(context, value, header, filter, isHeaderNameFilter) { - if (utils$1.isFunction(filter)) { - return filter.call(this, value, header); - } - if (isHeaderNameFilter) { - value = header; - } - if (!utils$1.isString(value)) return; - if (utils$1.isString(filter)) { - return value.indexOf(filter) !== -1; - } - if (utils$1.isRegExp(filter)) { - return filter.test(value); - } -} -function formatHeader(header) { - return header.trim().toLowerCase().replace(/([a-z\d])(\w*)/g, (w, char, str) => { - return char.toUpperCase() + str; - }); -} -function buildAccessors(obj, header) { - const accessorName = utils$1.toCamelCase(' ' + header); - ['get', 'set', 'has'].forEach(methodName => { - Object.defineProperty(obj, methodName + accessorName, { - value: function (arg1, arg2, arg3) { - return this[methodName].call(this, header, arg1, arg2, arg3); - }, - configurable: true - }); - }); -} -class AxiosHeaders { - constructor(headers) { - headers && this.set(headers); - } - set(header, valueOrRewrite, rewrite) { - const self = this; - function setHeader(_value, _header, _rewrite) { - const lHeader = normalizeHeader(_header); - if (!lHeader) { - throw new Error('header name must be a non-empty string'); - } - const key = utils$1.findKey(self, lHeader); - if (!key || self[key] === undefined || _rewrite === true || _rewrite === undefined && self[key] !== false) { - assertValidHeaderValue(_value, _header); - self[key || _header] = normalizeValue(_value); - } - } - const setHeaders = (headers, _rewrite) => utils$1.forEach(headers, (_value, _header) => setHeader(_value, _header, _rewrite)); - if (utils$1.isPlainObject(header) || header instanceof this.constructor) { - setHeaders(header, valueOrRewrite); - } else if (utils$1.isString(header) && (header = header.trim()) && !isValidHeaderName(header)) { - setHeaders(parseHeaders(header), valueOrRewrite); - } else if (utils$1.isObject(header) && utils$1.isIterable(header)) { - let obj = {}, - dest, - key; - for (const entry of header) { - if (!utils$1.isArray(entry)) { - throw TypeError('Object iterator must return a key-value pair'); - } - obj[key = entry[0]] = (dest = obj[key]) ? utils$1.isArray(dest) ? [...dest, entry[1]] : [dest, entry[1]] : entry[1]; - } - setHeaders(obj, valueOrRewrite); - } else { - header != null && setHeader(valueOrRewrite, header, rewrite); - } - return this; - } - get(header, parser) { - header = normalizeHeader(header); - if (header) { - const key = utils$1.findKey(this, header); - if (key) { - const value = this[key]; - if (!parser) { - return value; - } - if (parser === true) { - return parseTokens(value); - } - if (utils$1.isFunction(parser)) { - return parser.call(this, value, key); - } - if (utils$1.isRegExp(parser)) { - return parser.exec(value); - } - throw new TypeError('parser must be boolean|regexp|function'); - } - } - } - has(header, matcher) { - header = normalizeHeader(header); - if (header) { - const key = utils$1.findKey(this, header); - return !!(key && this[key] !== undefined && (!matcher || matchHeaderValue(this, this[key], key, matcher))); - } - return false; - } - delete(header, matcher) { - const self = this; - let deleted = false; - function deleteHeader(_header) { - _header = normalizeHeader(_header); - if (_header) { - const key = utils$1.findKey(self, _header); - if (key && (!matcher || matchHeaderValue(self, self[key], key, matcher))) { - delete self[key]; - deleted = true; - } - } - } - if (utils$1.isArray(header)) { - header.forEach(deleteHeader); - } else { - deleteHeader(header); - } - return deleted; - } - clear(matcher) { - const keys = Object.keys(this); - let i = keys.length; - let deleted = false; - while (i--) { - const key = keys[i]; - if (!matcher || matchHeaderValue(this, this[key], key, matcher, true)) { - delete this[key]; - deleted = true; - } - } - return deleted; - } - normalize(format) { - const self = this; - const headers = {}; - utils$1.forEach(this, (value, header) => { - const key = utils$1.findKey(headers, header); - if (key) { - self[key] = normalizeValue(value); - delete self[header]; - return; - } - const normalized = format ? formatHeader(header) : String(header).trim(); - if (normalized !== header) { - delete self[header]; - } - self[normalized] = normalizeValue(value); - headers[normalized] = true; - }); - return this; - } - concat(...targets) { - return this.constructor.concat(this, ...targets); - } - toJSON(asStrings) { - const obj = Object.create(null); - utils$1.forEach(this, (value, header) => { - value != null && value !== false && (obj[header] = asStrings && utils$1.isArray(value) ? value.join(', ') : value); - }); - return obj; - } - [Symbol.iterator]() { - return Object.entries(this.toJSON())[Symbol.iterator](); - } - toString() { - return Object.entries(this.toJSON()).map(([header, value]) => header + ': ' + value).join('\n'); - } - getSetCookie() { - return this.get('set-cookie') || []; - } - get [Symbol.toStringTag]() { - return 'AxiosHeaders'; - } - static from(thing) { - return thing instanceof this ? thing : new this(thing); - } - static concat(first, ...targets) { - const computed = new this(first); - targets.forEach(target => computed.set(target)); - return computed; - } - static accessor(header) { - const internals = this[$internals] = this[$internals] = { - accessors: {} - }; - const accessors = internals.accessors; - const prototype = this.prototype; - function defineAccessor(_header) { - const lHeader = normalizeHeader(_header); - if (!accessors[lHeader]) { - buildAccessors(prototype, _header); - accessors[lHeader] = true; - } - } - utils$1.isArray(header) ? header.forEach(defineAccessor) : defineAccessor(header); - return this; - } -} -AxiosHeaders.accessor(['Content-Type', 'Content-Length', 'Accept', 'Accept-Encoding', 'User-Agent', 'Authorization']); - -// reserved names hotfix -utils$1.reduceDescriptors(AxiosHeaders.prototype, ({ - value -}, key) => { - let mapped = key[0].toUpperCase() + key.slice(1); // map `set` => `Set` - return { - get: () => value, - set(headerValue) { - this[mapped] = headerValue; - } - }; -}); -utils$1.freezeMethods(AxiosHeaders); - /** * Transform the data for a request or a response * @@ -196625,7 +197261,7 @@ function settle(resolve, reject, response) { if (!response.status || !validateStatus || validateStatus(response.status)) { resolve(response); } else { - reject(new AxiosError('Request failed with status code ' + response.status, [AxiosError.ERR_BAD_REQUEST, AxiosError.ERR_BAD_RESPONSE][Math.floor(response.status / 100) - 4], response.config, response.request, response)); + reject(new AxiosError('Request failed with status code ' + response.status, response.status >= 400 && response.status < 500 ? AxiosError.ERR_BAD_REQUEST : AxiosError.ERR_BAD_RESPONSE, response.config, response.request, response)); } } @@ -196670,7 +197306,7 @@ function combineURLs(baseURL, relativeURL) { */ function buildFullPath(baseURL, requestedURL, allowAbsoluteUrls) { let isRelativeUrl = !isAbsoluteURL(requestedURL); - if (baseURL && (isRelativeUrl || allowAbsoluteUrls == false)) { + if (baseURL && (isRelativeUrl || allowAbsoluteUrls === false)) { return combineURLs(baseURL, requestedURL); } return requestedURL; @@ -196772,14 +197408,16 @@ function getEnv(key) { return process.env[key.toLowerCase()] || process.env[key.toUpperCase()] || ''; } -const VERSION = "1.15.0"; +const VERSION = "1.16.1"; function parseProtocol(url) { - const match = /^([-+\w]{1,25})(:?\/\/|:)/.exec(url); + const match = /^([-+\w]{1,25}):(?:\/\/)?/.exec(url); return match && match[1] || ''; } -const DATA_URL_PATTERN = /^(?:([^;]+);)?(?:[^;]+;)?(base64|),([\s\S]*)$/; +// RFC 2397: data:[][;base64], +// mediatype = type/subtype followed by optional ;name=value parameters +const DATA_URL_PATTERN = /^([^,;]+\/[^,;]+)?((?:;[^,;=]+=[^,;]+)*)(;base64)?,([\s\S]*)$/; /** * Parse data uri to a Buffer or Blob @@ -196803,10 +197441,20 @@ function fromDataURI(uri, asBlob, options) { if (!match) { throw new AxiosError('Invalid URL', AxiosError.ERR_INVALID_URL); } - const mime = match[1]; - const isBase64 = match[2]; - const body = match[3]; - const buffer = Buffer.from(decodeURIComponent(body), isBase64 ? 'base64' : 'utf8'); + const type = match[1]; + const params = match[2]; + const encoding = match[3] ? 'base64' : 'utf8'; + const body = match[4]; + + // RFC 2397 section 3: default mediatype is text/plain;charset=US-ASCII + // Bare `data:,` leaves mime undefined; Blob normalises that to "" per spec. + let mime; + if (type) { + mime = params ? type + params : type; + } else if (params) { + mime = 'text/plain' + params; + } + const buffer = Buffer.from(decodeURIComponent(body), encoding); if (asBlob) { if (!_Blob) { throw new AxiosError('Blob is not supported', AxiosError.ERR_NOT_SUPPORT); @@ -196963,7 +197611,8 @@ class FormDataPart { if (isStringValue) { value = textEncoder.encode(String(value).replace(/\r?\n|\r\n?/g, CRLF)); } else { - headers += `Content-Type: ${value.type || 'application/octet-stream'}${CRLF}`; + const safeType = String(value.type || 'application/octet-stream').replace(/[\r\n]/g, ''); + headers += `Content-Type: ${safeType}${CRLF}`; } this.headers = textEncoder.encode(headers + CRLF); this.contentLength = isStringValue ? value.byteLength : value.size; @@ -197001,7 +197650,7 @@ const formDataToStream = (form, headersHandler, options) => { throw TypeError('FormData instance required'); } if (boundary.length < 1 || boundary.length > 70) { - throw Error('boundary must be 10-70 characters long'); + throw Error('boundary must be 1-70 characters long'); } const boundaryBytes = textEncoder.encode('--' + boundary + CRLF); const footerBytes = textEncoder.encode('--' + boundary + '--' + CRLF); @@ -197064,6 +197713,47 @@ const callbackify = (fn, reducer) => { } : fn; }; +const LOOPBACK_HOSTNAMES = new Set(['localhost']); +const isIPv4Loopback = host => { + const parts = host.split('.'); + if (parts.length !== 4) return false; + if (parts[0] !== '127') return false; + return parts.every(p => /^\d+$/.test(p) && Number(p) >= 0 && Number(p) <= 255); +}; +const isIPv6Loopback = host => { + // Collapse all-zero groups: any form of ::1 / 0:0:...:0:1 + // First, strip any leading "::" by normalising with Set lookup of common forms, + // then fall back to structural check. + if (host === '::1') return true; + + // Check IPv4-mapped IPv6 loopback: ::ffff: or ::ffff: + // Node's URL parser normalises ::ffff:127.0.0.1 → ::ffff:7f00:1 + const v4MappedDotted = host.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/i); + if (v4MappedDotted) return isIPv4Loopback(v4MappedDotted[1]); + const v4MappedHex = host.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/i); + if (v4MappedHex) { + const high = parseInt(v4MappedHex[1], 16); + // High 16 bits must start with 127 (0x7f) — i.e. 0x7f00..0x7fff + return high >= 0x7f00 && high <= 0x7fff; + } + + // Full-form ::1 variants: any number of zero groups followed by trailing 1 + // e.g. 0:0:0:0:0:0:0:1, 0000:...:0001 + const groups = host.split(':'); + if (groups.length === 8) { + for (let i = 0; i < 7; i++) { + if (!/^0+$/.test(groups[i])) return false; + } + return /^0*1$/.test(groups[7]); + } + return false; +}; +const isLoopback = host => { + if (!host) return false; + if (LOOPBACK_HOSTNAMES.has(host)) return true; + if (isIPv4Loopback(host)) return true; + return isIPv6Loopback(host); +}; const DEFAULT_PORTS = { http: 80, https: 443, @@ -197093,6 +197783,27 @@ const parseNoProxyEntry = entry => { } return [entryHost, entryPort]; }; + +// Convert IPv4-mapped IPv6 (::ffff:0:0/96 prefix) to IPv4 dotted form so both +// sides of a NO_PROXY comparison see the same canonical address. Without this, +// `NO_PROXY=192.168.1.5` would not match a request to `http://[::ffff:192.168.1.5]/` +// (Node's URL parser normalises that to `[::ffff:c0a8:105]`), and vice-versa, +// allowing the proxy-bypass policy to be circumvented by using the alternate +// representation. Returns the input unchanged when not IPv4-mapped. +const IPV4_MAPPED_DOTTED_RE = /^(?:::|(?:0{1,4}:){1,4}:|(?:0{1,4}:){5})ffff:(\d+\.\d+\.\d+\.\d+)$/i; +const IPV4_MAPPED_HEX_RE = /^(?:::|(?:0{1,4}:){1,4}:|(?:0{1,4}:){5})ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/i; +const unmapIPv4MappedIPv6 = host => { + if (typeof host !== 'string' || host.indexOf(':') === -1) return host; + const dotted = host.match(IPV4_MAPPED_DOTTED_RE); + if (dotted) return dotted[1]; + const hex = host.match(IPV4_MAPPED_HEX_RE); + if (hex) { + const high = parseInt(hex[1], 16); + const low = parseInt(hex[2], 16); + return `${high >> 8}.${high & 0xff}.${low >> 8}.${low & 0xff}`; + } + return host; +}; const normalizeNoProxyHost = hostname => { if (!hostname) { return hostname; @@ -197100,7 +197811,7 @@ const normalizeNoProxyHost = hostname => { if (hostname.charAt(0) === '[' && hostname.charAt(hostname.length - 1) === ']') { hostname = hostname.slice(1, -1); } - return hostname.replace(/\.+$/, ''); + return unmapIPv4MappedIPv6(hostname.replace(/\.+$/, '')); }; function shouldBypassProxy(location) { let parsed; @@ -197136,7 +197847,7 @@ function shouldBypassProxy(location) { if (entryHost.charAt(0) === '.') { return hostname.endsWith(entryHost); } - return hostname === entryHost; + return hostname === entryHost || isLoopback(hostname) && isLoopback(entryHost); }); } @@ -197223,19 +197934,22 @@ const progressEventReducer = (listener, isDownloadStream, freq = 3) => { let bytesNotified = 0; const _speedometer = speedometer(50, 250); return throttle(e => { - const loaded = e.loaded; + if (!e || typeof e.loaded !== 'number') { + return; + } + const rawLoaded = e.loaded; const total = e.lengthComputable ? e.total : undefined; - const progressBytes = loaded - bytesNotified; + const loaded = total != null ? Math.min(rawLoaded, total) : rawLoaded; + const progressBytes = Math.max(0, loaded - bytesNotified); const rate = _speedometer(progressBytes); - const inRange = loaded <= total; - bytesNotified = loaded; + bytesNotified = Math.max(bytesNotified, loaded); const data = { loaded, total, progress: total ? loaded / total : undefined, bytes: progressBytes, rate: rate ? rate : undefined, - estimated: rate && total && inRange ? (total - loaded) / rate : undefined, + estimated: rate && total ? (total - loaded) / rate : undefined, event: e, lengthComputable: total != null, [isDownloadStream ? 'download' : 'upload']: true @@ -197313,7 +198027,34 @@ function estimateDataURLDecodedBytes(url) { const bytes = groups * 3 - (pad || 0); return bytes > 0 ? bytes : 0; } - return Buffer.byteLength(body, 'utf8'); + if (typeof Buffer !== 'undefined' && typeof Buffer.byteLength === 'function') { + return Buffer.byteLength(body, 'utf8'); + } + + // Compute UTF-8 byte length directly from UTF-16 code units without allocating + // a byte buffer (TextEncoder.encode would defeat the DoS guard on large bodies). + // Using body.length here would undercount non-ASCII (e.g. '€' is 1 code unit + // but 3 UTF-8 bytes). + let bytes = 0; + for (let i = 0, len = body.length; i < len; i++) { + const c = body.charCodeAt(i); + if (c < 0x80) { + bytes += 1; + } else if (c < 0x800) { + bytes += 2; + } else if (c >= 0xd800 && c <= 0xdbff && i + 1 < len) { + const next = body.charCodeAt(i + 1); + if (next >= 0xdc00 && next <= 0xdfff) { + bytes += 4; + i++; + } else { + bytes += 3; + } + } else { + bytes += 3; + } + } + return bytes; } const zlibOptions = { @@ -197330,9 +198071,70 @@ const { https: httpsFollow } = followRedirects; const isHttps = /https:?/; +const FORM_DATA_CONTENT_HEADERS$1 = ['content-type', 'content-length']; +function setFormDataHeaders$1(headers, formHeaders, policy) { + if (policy !== 'content-only') { + headers.set(formHeaders); + return; + } + Object.entries(formHeaders).forEach(([key, val]) => { + if (FORM_DATA_CONTENT_HEADERS$1.includes(key.toLowerCase())) { + headers.set(key, val); + } + }); +} + +// Symbols used to bind a single 'error' listener to a pooled socket and track +// the request currently owning that socket across keep-alive reuse (issue #10780). +const kAxiosSocketListener = Symbol('axios.http.socketListener'); +const kAxiosCurrentReq = Symbol('axios.http.currentReq'); + +// Tags HttpsProxyAgent instances installed by setProxy() so the redirect path +// can strip them without clobbering a user-supplied agent that happens to be +// an HttpsProxyAgent. +const kAxiosInstalledTunnel = Symbol('axios.http.installedTunnel'); + +// Cache of CONNECT-tunneling agents keyed by proxy config so repeat requests +// through the same proxy reuse a single agent (and its socket pool). The +// keyspace is bounded by the set of distinct proxy configs the process uses, +// so unbounded growth is not a concern in practice. +const tunnelingAgentCache = new Map(); +const tunnelingAgentCacheUser = new WeakMap(); +function getTunnelingAgent(agentOptions, userHttpsAgent) { + const key = agentOptions.protocol + '//' + agentOptions.hostname + ':' + (agentOptions.port || '') + '#' + (agentOptions.auth || ''); + const cache = userHttpsAgent ? tunnelingAgentCacheUser.get(userHttpsAgent) || tunnelingAgentCacheUser.set(userHttpsAgent, new Map()).get(userHttpsAgent) : tunnelingAgentCache; + let agent = cache.get(key); + if (agent) return agent; + // Forward the user's TLS options (custom CA, rejectUnauthorized, client cert, + // etc.) into the tunneling agent so they apply to the origin TLS upgrade + // performed after CONNECT. Our proxy fields take precedence on conflict. + const merged = userHttpsAgent && userHttpsAgent.options ? { + ...userHttpsAgent.options, + ...agentOptions + } : agentOptions; + agent = new HttpsProxyAgent(merged); + agent[kAxiosInstalledTunnel] = true; + cache.set(key, agent); + return agent; +} const supportedProtocols = platform.protocols.map(protocol => { return protocol + ':'; }); + +// Node's WHATWG URL parser returns `username` and `password` percent-encoded. +// Decode before composing the `auth` option so credentials such as +// `my%40email.com:pass` are sent as `my@email.com:pass`. Falls back to the +// original value for malformed input so a bad encoding never throws. +const decodeURIComponentSafe = value => { + if (!utils$1.isString(value)) { + return value; + } + try { + return decodeURIComponent(value); + } catch (error) { + return value; + } +}; const flushOnFinish = (stream, [throttled, flush]) => { stream.on('end', flush).on('error', flush); return throttled; @@ -197420,12 +198222,12 @@ const http2Sessions = new Http2Sessions(); * * @returns {Object} */ -function dispatchBeforeRedirect(options, responseDetails) { +function dispatchBeforeRedirect(options, responseDetails, requestDetails) { if (options.beforeRedirects.proxy) { options.beforeRedirects.proxy(options); } if (options.beforeRedirects.config) { - options.beforeRedirects.config(options, responseDetails); + options.beforeRedirects.config(options, responseDetails, requestDetails); } } @@ -197438,7 +198240,7 @@ function dispatchBeforeRedirect(options, responseDetails) { * * @returns {http.ClientRequestArgs} */ -function setProxy(options, configProxy, location) { +function setProxy(options, configProxy, location, isRedirect, configHttpsAgent) { let proxy = configProxy; if (!proxy && proxy !== false) { const proxyUrl = getProxyForUrl(location); @@ -197448,39 +198250,134 @@ function setProxy(options, configProxy, location) { } } } + // On redirect re-invocation, strip any stale Proxy-Authorization header carried + // over from the prior request (e.g. new target no longer uses a proxy, or uses + // a different proxy). Skip on the initial request so user-supplied headers are + // preserved. Header names are case-insensitive, so remove every case variant. + if (isRedirect && options.headers) { + for (const name of Object.keys(options.headers)) { + if (name.toLowerCase() === 'proxy-authorization') { + delete options.headers[name]; + } + } + } + // Strip any tunneling agent we installed for the previous hop so a redirect + // that drops the proxy or crosses an HTTPS↔HTTP boundary doesn't reuse a + // stale one. Match on our Symbol marker so a user-supplied HttpsProxyAgent + // (which won't carry the marker) is left alone. + if (isRedirect && options.agent && options.agent[kAxiosInstalledTunnel]) { + options.agent = undefined; + } if (proxy) { + // Read proxy fields without traversing the prototype chain. URL instances expose + // username/password/hostname/host/port/protocol via getters on URL.prototype (so + // direct reads are shielded), but plain object proxies — and the `auth` field + // (which URL does not expose) — must be guarded so a polluted Object.prototype + // (e.g. Object.prototype.auth = { username, password }) cannot inject + // attacker-controlled credentials into the Proxy-Authorization header or + // redirect proxying to an attacker-controlled host. + const isProxyURL = proxy instanceof URL; + const readProxyField = key => isProxyURL || utils$1.hasOwnProp(proxy, key) ? proxy[key] : undefined; + const proxyUsername = readProxyField('username'); + const proxyPassword = readProxyField('password'); + let proxyAuth = utils$1.hasOwnProp(proxy, 'auth') ? proxy.auth : undefined; + // Basic proxy authorization - if (proxy.username) { - proxy.auth = (proxy.username || '') + ':' + (proxy.password || ''); - } - if (proxy.auth) { - // Support proxy auth object form - const validProxyAuth = Boolean(proxy.auth.username || proxy.auth.password); + if (proxyUsername) { + proxyAuth = (proxyUsername || '') + ':' + (proxyPassword || ''); + } + if (proxyAuth) { + // Support proxy auth object form. Read sub-fields via own-prop checks so a + // plain object inheriting from polluted Object.prototype cannot leak creds. + const authIsObject = typeof proxyAuth === 'object'; + const authUsername = authIsObject && utils$1.hasOwnProp(proxyAuth, 'username') ? proxyAuth.username : undefined; + const authPassword = authIsObject && utils$1.hasOwnProp(proxyAuth, 'password') ? proxyAuth.password : undefined; + const validProxyAuth = Boolean(authUsername || authPassword); if (validProxyAuth) { - proxy.auth = (proxy.auth.username || '') + ':' + (proxy.auth.password || ''); - } else if (typeof proxy.auth === 'object') { + proxyAuth = (authUsername || '') + ':' + (authPassword || ''); + } else if (authIsObject) { throw new AxiosError('Invalid proxy authorization', AxiosError.ERR_BAD_OPTION, { proxy }); } - const base64 = Buffer.from(proxy.auth, 'utf8').toString('base64'); - options.headers['Proxy-Authorization'] = 'Basic ' + base64; } - options.headers.host = options.hostname + (options.port ? ':' + options.port : ''); - const proxyHost = proxy.hostname || proxy.host; - options.hostname = proxyHost; - // Replace 'host' since options is not a URL object - options.host = proxyHost; - options.port = proxy.port; - options.path = location; - if (proxy.protocol) { - options.protocol = proxy.protocol.includes(':') ? proxy.protocol : `${proxy.protocol}:`; + const targetIsHttps = isHttps.test(options.protocol); + if (targetIsHttps) { + // CONNECT-tunneling path for HTTPS targets. Preserves end-to-end TLS to + // the origin so the proxy cannot inspect the URL, headers, or body — the + // behavior already promised by THREATMODEL.md (T-R9). HttpsProxyAgent + // sends Proxy-Authorization on the CONNECT request only, never on the + // wrapped TLS request, which is why we don't stamp it onto + // options.headers here. If the user already supplied an HttpsProxyAgent, + // they own tunneling end-to-end and we leave them alone; otherwise we + // install our own tunneling agent and forward their TLS options (if any) + // so a custom httpsAgent for cert pinning / rejectUnauthorized still + // applies to the origin TLS upgrade. + if (!(configHttpsAgent instanceof HttpsProxyAgent)) { + const proxyHost = readProxyField('hostname') || readProxyField('host'); + const proxyPort = readProxyField('port'); + const rawProxyProtocol = readProxyField('protocol'); + const normalizedProtocol = rawProxyProtocol ? rawProxyProtocol.includes(':') ? rawProxyProtocol : `${rawProxyProtocol}:` : 'http:'; + // Bracket IPv6 literals for URL parsing; URL.hostname strips the + // brackets again on read so the agent receives the raw form. + const proxyHostForURL = proxyHost && proxyHost.includes(':') && !proxyHost.startsWith('[') ? `[${proxyHost}]` : proxyHost; + const proxyURL = new URL(`${normalizedProtocol}//${proxyHostForURL}${proxyPort ? ':' + proxyPort : ''}`); + const agentOptions = { + protocol: proxyURL.protocol, + hostname: proxyURL.hostname.replace(/^\[|\]$/g, ''), + port: proxyURL.port, + auth: proxyAuth && typeof proxyAuth === 'string' ? proxyAuth : undefined + }; + if (proxyURL.protocol === 'https:') { + agentOptions.ALPNProtocols = ['http/1.1']; + } + const tunnelingAgent = getTunnelingAgent(agentOptions, configHttpsAgent); + // Set both: `options.agent` is consumed by the native https.request path + // (config.maxRedirects === 0); `options.agents.https` is consumed by + // follow-redirects, which ignores `options.agent` when `options.agents` + // is present. + options.agent = tunnelingAgent; + if (options.agents) { + options.agents.https = tunnelingAgent; + } + } + } else { + // Forward-proxy mode for plaintext HTTP targets. The request line carries + // the absolute URL and the proxy sees everything — acceptable for plain + // HTTP since the wire was already plaintext. + if (proxyAuth) { + const base64 = Buffer.from(proxyAuth, 'utf8').toString('base64'); + options.headers['Proxy-Authorization'] = 'Basic ' + base64; + } + + // Preserve a user-supplied Host header (case-insensitive) so callers can override + // the value forwarded to the proxy; otherwise default to the request URL's host. + let hasUserHostHeader = false; + for (const name of Object.keys(options.headers)) { + if (name.toLowerCase() === 'host') { + hasUserHostHeader = true; + break; + } + } + if (!hasUserHostHeader) { + options.headers.host = options.hostname + (options.port ? ':' + options.port : ''); + } + const proxyHost = readProxyField('hostname') || readProxyField('host'); + options.hostname = proxyHost; + // Replace 'host' since options is not a URL object + options.host = proxyHost; + options.port = readProxyField('port'); + options.path = location; + const proxyProtocol = readProxyField('protocol'); + if (proxyProtocol) { + options.protocol = proxyProtocol.includes(':') ? proxyProtocol : `${proxyProtocol}:`; + } } } options.beforeRedirects.proxy = function beforeRedirect(redirectOptions) { // Configure proxy for redirected request, passing the original config proxy to apply // the exact same logic as if the redirected request was performed by axios directly. - setProxy(redirectOptions, configProxy, redirectOptions.href); + setProxy(redirectOptions, configProxy, redirectOptions.href, true, configHttpsAgent); }; } const isHttpAdapterSupported = typeof process !== 'undefined' && utils$1.kindOf(process) === 'process'; @@ -197563,21 +198460,20 @@ const http2Transport = { /*eslint consistent-return:0*/ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) { return wrapAsync(async function dispatchHttpRequest(resolve, reject, onDone) { - let { - data, - lookup, - family, - httpVersion = 1, - http2Options - } = config; - const { - responseType, - responseEncoding - } = config; + const own = key => utils$1.hasOwnProp(config, key) ? config[key] : undefined; + let data = own('data'); + let lookup = own('lookup'); + let family = own('family'); + let httpVersion = own('httpVersion'); + if (httpVersion === undefined) httpVersion = 1; + let http2Options = own('http2Options'); + const responseType = own('responseType'); + const responseEncoding = own('responseEncoding'); const method = config.method.toUpperCase(); let isDone; let rejected = false; let req; + let connectPhaseTimer; httpVersion = +httpVersion; if (Number.isNaN(httpVersion)) { throw TypeError(`Invalid protocol version: '${config.httpVersion}' is not a number`); @@ -197607,8 +198503,23 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) { console.warn('emit error', err); } } + function clearConnectPhaseTimer() { + if (connectPhaseTimer) { + clearTimeout(connectPhaseTimer); + connectPhaseTimer = null; + } + } + function createTimeoutError() { + let timeoutErrorMessage = config.timeout ? 'timeout of ' + config.timeout + 'ms exceeded' : 'timeout exceeded'; + const transitional = config.transitional || transitionalDefaults; + if (config.timeoutErrorMessage) { + timeoutErrorMessage = config.timeoutErrorMessage; + } + return new AxiosError(timeoutErrorMessage, transitional.clarifyTimeoutError ? AxiosError.ETIMEDOUT : AxiosError.ECONNABORTED, config, req); + } abortEmitter.once('abort', reject); const onFinished = () => { + clearConnectPhaseTimer(); if (config.cancelToken) { config.cancelToken.unsubscribe(abort); } @@ -197625,6 +198536,7 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) { } onDone((response, isRejected) => { isDone = true; + clearConnectPhaseTimer(); if (isRejected) { rejected = true; onFinished(); @@ -197717,8 +198629,8 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) { boundary: userBoundary && userBoundary[1] || undefined }); // support for https://www.npmjs.com/package/form-data api - } else if (utils$1.isFormData(data) && utils$1.isFunction(data.getHeaders)) { - headers.set(data.getHeaders()); + } else if (utils$1.isFormData(data) && utils$1.isFunction(data.getHeaders) && data.getHeaders !== Object.prototype.getHeaders) { + setFormDataHeaders$1(headers, data.getHeaders(), own('formDataHeaderPolicy')); if (!headers.hasContentLength()) { try { const knownLength = await util.promisify(data.getLength).call(data); @@ -197766,20 +198678,21 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) { // HTTP basic authentication let auth = undefined; - if (config.auth) { - const username = config.auth.username || ''; - const password = config.auth.password || ''; + const configAuth = own('auth'); + if (configAuth) { + const username = configAuth.username || ''; + const password = configAuth.password || ''; auth = username + ':' + password; } if (!auth && parsed.username) { - const urlUsername = parsed.username; - const urlPassword = parsed.password; + const urlUsername = decodeURIComponentSafe(parsed.username); + const urlPassword = decodeURIComponentSafe(parsed.password); auth = urlUsername + ':' + urlPassword; } auth && headers.delete('authorization'); - let path; + let path$1; try { - path = buildURL(parsed.pathname + parsed.search, config.params, config.paramsSerializer).replace(/^\?/, ''); + path$1 = buildURL(parsed.pathname + parsed.search, config.params, config.paramsSerializer).replace(/^\?/, ''); } catch (err) { const customErr = new Error(err.message); customErr.config = config; @@ -197788,10 +198701,13 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) { return reject(customErr); } headers.set('Accept-Encoding', 'gzip, compress, deflate' + (isBrotliSupported ? ', br' : ''), false); - const options = { - path, + + // Null-prototype to block prototype pollution gadgets on properties read + // directly by Node's http.request (e.g. insecureHTTPParser, lookup). + const options = Object.assign(Object.create(null), { + path: path$1, method: method, - headers: headers.toJSON(), + headers: toByteStringHeaderObject(headers), agents: { http: config.httpAgent, https: config.httpsAgent @@ -197800,35 +198716,54 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) { protocol, family, beforeRedirect: dispatchBeforeRedirect, - beforeRedirects: {}, + beforeRedirects: Object.create(null), http2Options - }; + }); // cacheable-lookup integration hotfix !utils$1.isUndefined(lookup) && (options.lookup = lookup); if (config.socketPath) { + if (typeof config.socketPath !== 'string') { + return reject(new AxiosError('socketPath must be a string', AxiosError.ERR_BAD_OPTION_VALUE, config)); + } + if (config.allowedSocketPaths != null) { + const allowed = Array.isArray(config.allowedSocketPaths) ? config.allowedSocketPaths : [config.allowedSocketPaths]; + const resolvedSocket = path.resolve(config.socketPath); + const isAllowed = allowed.some(entry => typeof entry === 'string' && path.resolve(entry) === resolvedSocket); + if (!isAllowed) { + return reject(new AxiosError(`socketPath "${config.socketPath}" is not permitted by allowedSocketPaths`, AxiosError.ERR_BAD_OPTION_VALUE, config)); + } + } options.socketPath = config.socketPath; } else { options.hostname = parsed.hostname.startsWith('[') ? parsed.hostname.slice(1, -1) : parsed.hostname; options.port = parsed.port; - setProxy(options, config.proxy, protocol + '//' + parsed.hostname + (parsed.port ? ':' + parsed.port : '') + options.path); + setProxy(options, config.proxy, protocol + '//' + parsed.hostname + (parsed.port ? ':' + parsed.port : '') + options.path, false, config.httpsAgent); } let transport; + let isNativeTransport = false; const isHttpsRequest = isHttps.test(options.protocol); - options.agent = isHttpsRequest ? config.httpsAgent : config.httpAgent; + // Don't clobber a CONNECT-tunneling agent installed by setProxy() for an + // HTTPS target. + if (options.agent == null) { + options.agent = isHttpsRequest ? config.httpsAgent : config.httpAgent; + } if (isHttp2) { transport = http2Transport; } else { - if (config.transport) { - transport = config.transport; + const configTransport = own('transport'); + if (configTransport) { + transport = configTransport; } else if (config.maxRedirects === 0) { transport = isHttpsRequest ? https : http; + isNativeTransport = true; } else { if (config.maxRedirects) { options.maxRedirects = config.maxRedirects; } - if (config.beforeRedirect) { - options.beforeRedirects.config = config.beforeRedirect; + const configBeforeRedirect = own('beforeRedirect'); + if (configBeforeRedirect) { + options.beforeRedirects.config = configBeforeRedirect; } transport = isHttpsRequest ? httpsFollow : httpFollow; } @@ -197839,12 +198774,15 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) { // follow-redirects does not skip comparison, so it should always succeed for axios -1 unlimited options.maxBodyLength = Infinity; } - if (config.insecureHTTPParser) { - options.insecureHTTPParser = config.insecureHTTPParser; - } + + // Always set an explicit own value so a polluted + // Object.prototype.insecureHTTPParser cannot enable the lenient parser + // through Node's internal options copy + options.insecureHTTPParser = Boolean(own('insecureHTTPParser')); // Create the request req = transport.request(options, function handleResponse(res) { + clearConnectPhaseTimer(); if (req.destroyed) return; const streams = [res]; const responseLength = utils$1.toFiniteNumber(res.headers['content-length']); @@ -197906,6 +198844,25 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) { request: lastRequest }; if (responseType === 'stream') { + // Enforce maxContentLength on streamed responses; previously this + // was applied only to buffered responses. + if (config.maxContentLength > -1) { + const limit = config.maxContentLength; + const source = responseStream; + async function* enforceMaxContentLength() { + let totalResponseBytes = 0; + for await (const chunk of source) { + totalResponseBytes += chunk.length; + if (totalResponseBytes > limit) { + throw new AxiosError('maxContentLength size of ' + limit + ' exceeded', AxiosError.ERR_BAD_RESPONSE, config, lastRequest); + } + yield chunk; + } + } + responseStream = stream.Readable.from(enforceMaxContentLength(), { + objectMode: false + }); + } response.data = responseStream; settle(resolve, reject, response); } else { @@ -197927,13 +198884,13 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) { if (rejected) { return; } - const err = new AxiosError('stream has been aborted', AxiosError.ERR_BAD_RESPONSE, config, lastRequest); + const err = new AxiosError('stream has been aborted', AxiosError.ERR_BAD_RESPONSE, config, lastRequest, response); responseStream.destroy(err); reject(err); }); responseStream.on('error', function handleStreamError(err) { - if (req.destroyed) return; - reject(AxiosError.from(err, null, config, lastRequest)); + if (rejected) return; + reject(AxiosError.from(err, null, config, lastRequest, response)); }); responseStream.on('end', function handleStreamEnd() { try { @@ -197972,9 +198929,44 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) { }); // set tcp keep alive to prevent drop connection by peer + // Track every socket bound to this outer RedirectableRequest so a single + // 'close' listener can release ownership on all of them. follow-redirects + // re-emits the 'socket' event for each hop's native request onto the same + // outer request, so attaching per-request listeners inside this handler + // would accumulate across hops and trigger MaxListenersExceededWarning at + // >= 11 redirects. Clearing only the last-bound socket would leave stale + // kAxiosCurrentReq refs on earlier hop sockets returned to the keep-alive + // pool, causing an idle-pool 'error' to be attributed to a closed req. + const boundSockets = new Set(); req.on('socket', function handleRequestSocket(socket) { // default interval of sending ack packet is 1 minute socket.setKeepAlive(true, 1000 * 60); + + // Install a single 'error' listener per socket (not per request) to avoid + // accumulating listeners on pooled keep-alive sockets that get reassigned + // to new requests before the previous request's 'close' fires (issue #10780). + // The listener is bound to the socket's currently-active request via a + // symbol, which is swapped as the socket is reassigned. + if (!socket[kAxiosSocketListener]) { + socket.on('error', function handleSocketError(err) { + const current = socket[kAxiosCurrentReq]; + if (current && !current.destroyed) { + current.destroy(err); + } + }); + socket[kAxiosSocketListener] = true; + } + socket[kAxiosCurrentReq] = req; + boundSockets.add(socket); + }); + req.once('close', function clearCurrentReq() { + clearConnectPhaseTimer(); + for (const socket of boundSockets) { + if (socket[kAxiosCurrentReq] === req) { + socket[kAxiosCurrentReq] = null; + } + } + boundSockets.clear(); }); // Handle request timeout @@ -197985,21 +198977,23 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) { abort(new AxiosError('error trying to parse `config.timeout` to int', AxiosError.ERR_BAD_OPTION_VALUE, config, req)); return; } + const handleTimeout = function handleTimeout() { + if (isDone) return; + abort(createTimeoutError()); + }; + if (isNativeTransport && timeout > 0) { + // Native ClientRequest#setTimeout starts from the socket lifecycle and + // may not fire while TCP connect is still pending. Mirror the + // follow-redirects wall-clock timer for the maxRedirects === 0 path. + connectPhaseTimer = setTimeout(handleTimeout, timeout); + } // Sometime, the response will be very slow, and does not respond, the connect event will be block by event loop system. // And timer callback will be fired, and abort() will be invoked before connection, then get "socket hang up" and code ECONNRESET. // At this time, if we have a large number of request, nodejs will hang up some socket on background. and the number will up and up. // And then these socket which be hang up will devouring CPU little by little. // ClientRequest.setTimeout will be fired on the specify milliseconds, and can make sure that abort() will be fired after connect. - req.setTimeout(timeout, function handleRequestTimeout() { - if (isDone) return; - let timeoutErrorMessage = config.timeout ? 'timeout of ' + config.timeout + 'ms exceeded' : 'timeout exceeded'; - const transitional = config.transitional || transitionalDefaults; - if (config.timeoutErrorMessage) { - timeoutErrorMessage = config.timeoutErrorMessage; - } - abort(new AxiosError(timeoutErrorMessage, transitional.clarifyTimeoutError ? AxiosError.ETIMEDOUT : AxiosError.ECONNABORTED, config, req)); - }); + req.setTimeout(timeout, handleTimeout); } else { // explicitly reset the socket timeout value for a possible `keep-alive` request req.setTimeout(0); @@ -198021,7 +199015,28 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) { abort(new CanceledError('Request stream has been aborted', config, req)); } }); - data.pipe(req); + + // Enforce maxBodyLength for streamed uploads on the native http/https + // transport (maxRedirects === 0); follow-redirects enforces it on the + // other path. + let uploadStream = data; + if (config.maxBodyLength > -1 && config.maxRedirects === 0) { + const limit = config.maxBodyLength; + let bytesSent = 0; + uploadStream = stream.pipeline([data, new stream.Transform({ + transform(chunk, _enc, cb) { + bytesSent += chunk.length; + if (bytesSent > limit) { + return cb(new AxiosError('Request body larger than maxBodyLength limit', AxiosError.ERR_BAD_REQUEST, config, req)); + } + cb(null, chunk); + } + })], utils$1.noop); + uploadStream.on('error', err => { + if (!req.destroyed) req.destroy(err); + }); + } + uploadStream.pipe(req); } else { data && req.write(data); req.end(); @@ -198059,8 +199074,20 @@ var cookies = platform.hasStandardBrowserEnv ? }, read(name) { if (typeof document === 'undefined') return null; - const match = document.cookie.match(new RegExp('(?:^|; )' + name + '=([^;]*)')); - return match ? decodeURIComponent(match[1]) : null; + // Match name=value by splitting on the semicolon separator instead of building a + // RegExp from `name` — interpolating an unescaped string into a RegExp would let + // metacharacters (e.g. `.+?` in an attacker-influenced cookie name) cause ReDoS or + // match the wrong cookie. Browsers may serialize cookie pairs as either ";" or + // "; ", so ignore optional whitespace before each cookie name. + const cookies = document.cookie.split(';'); + for (let i = 0; i < cookies.length; i++) { + const cookie = cookies[i].replace(/^\s+/, ''); + const eq = cookie.indexOf('='); + if (eq !== -1 && cookie.slice(0, eq) === name) { + return decodeURIComponent(cookie.slice(eq + 1)); + } + } + return null; }, remove(name) { this.write(name, '', Date.now() - 86400000, '/'); @@ -198091,7 +199118,21 @@ const headersToObject = thing => thing instanceof AxiosHeaders ? { function mergeConfig(config1, config2) { // eslint-disable-next-line no-param-reassign config2 = config2 || {}; - const config = {}; + + // Use a null-prototype object so that downstream reads such as `config.auth` + // or `config.baseURL` cannot inherit polluted values from Object.prototype. + // `hasOwnProperty` is restored as a non-enumerable own slot to preserve + // ergonomics for user code that relies on it. + const config = Object.create(null); + Object.defineProperty(config, 'hasOwnProperty', { + // Null-proto descriptor so a polluted Object.prototype.get cannot turn + // this data descriptor into an accessor descriptor on the way in. + __proto__: null, + value: Object.prototype.hasOwnProperty, + enumerable: false, + writable: true, + configurable: true + }); function getMergedValue(target, source, prop, caseless) { if (utils$1.isPlainObject(target) && utils$1.isPlainObject(source)) { return utils$1.merge.call({ @@ -198130,9 +199171,9 @@ function mergeConfig(config1, config2) { // eslint-disable-next-line consistent-return function mergeDirectKeys(a, b, prop) { - if (prop in config2) { + if (utils$1.hasOwnProp(config2, prop)) { return getMergedValue(a, b); - } else if (prop in config1) { + } else if (utils$1.hasOwnProp(config1, prop)) { return getMergedValue(undefined, a); } } @@ -198163,6 +199204,7 @@ function mergeConfig(config1, config2) { httpsAgent: defaultToConfig2, cancelToken: defaultToConfig2, socketPath: defaultToConfig2, + allowedSocketPaths: defaultToConfig2, responseEncoding: defaultToConfig2, validateStatus: mergeDirectKeys, headers: (a, b, prop) => mergeDeepProperties(headersToObject(a), headersToObject(b), prop, true) @@ -198173,42 +199215,64 @@ function mergeConfig(config1, config2) { }), function computeConfigValue(prop) { if (prop === '__proto__' || prop === 'constructor' || prop === 'prototype') return; const merge = utils$1.hasOwnProp(mergeMap, prop) ? mergeMap[prop] : mergeDeepProperties; - const configValue = merge(config1[prop], config2[prop], prop); + const a = utils$1.hasOwnProp(config1, prop) ? config1[prop] : undefined; + const b = utils$1.hasOwnProp(config2, prop) ? config2[prop] : undefined; + const configValue = merge(a, b, prop); utils$1.isUndefined(configValue) && merge !== mergeDirectKeys || (config[prop] = configValue); }); return config; } +const FORM_DATA_CONTENT_HEADERS = ['content-type', 'content-length']; +function setFormDataHeaders(headers, formHeaders, policy) { + if (policy !== 'content-only') { + headers.set(formHeaders); + return; + } + Object.entries(formHeaders).forEach(([key, val]) => { + if (FORM_DATA_CONTENT_HEADERS.includes(key.toLowerCase())) { + headers.set(key, val); + } + }); +} + +/** + * Encode a UTF-8 string to a Latin-1 byte string for use with btoa(). + * This is a modern replacement for the deprecated unescape(encodeURIComponent(str)) pattern. + * + * @param {string} str The string to encode + * + * @returns {string} UTF-8 bytes as a Latin-1 string + */ +const encodeUTF8 = str => encodeURIComponent(str).replace(/%([0-9A-F]{2})/gi, (_, hex) => String.fromCharCode(parseInt(hex, 16))); var resolveConfig = config => { const newConfig = mergeConfig({}, config); - let { - data, - withXSRFToken, - xsrfHeaderName, - xsrfCookieName, - headers, - auth - } = newConfig; + + // Read only own properties to prevent prototype pollution gadgets + // (e.g. Object.prototype.baseURL = 'https://evil.com'). + const own = key => utils$1.hasOwnProp(newConfig, key) ? newConfig[key] : undefined; + const data = own('data'); + let withXSRFToken = own('withXSRFToken'); + const xsrfHeaderName = own('xsrfHeaderName'); + const xsrfCookieName = own('xsrfCookieName'); + let headers = own('headers'); + const auth = own('auth'); + const baseURL = own('baseURL'); + const allowAbsoluteUrls = own('allowAbsoluteUrls'); + const url = own('url'); newConfig.headers = headers = AxiosHeaders.from(headers); - newConfig.url = buildURL(buildFullPath(newConfig.baseURL, newConfig.url, newConfig.allowAbsoluteUrls), config.params, config.paramsSerializer); + newConfig.url = buildURL(buildFullPath(baseURL, url, allowAbsoluteUrls), config.params, config.paramsSerializer); // HTTP basic authentication if (auth) { - headers.set('Authorization', 'Basic ' + btoa((auth.username || '') + ':' + (auth.password ? unescape(encodeURIComponent(auth.password)) : ''))); + headers.set('Authorization', 'Basic ' + btoa((auth.username || '') + ':' + (auth.password ? encodeUTF8(auth.password) : ''))); } if (utils$1.isFormData(data)) { if (platform.hasStandardBrowserEnv || platform.hasStandardBrowserWebWorkerEnv) { headers.setContentType(undefined); // browser handles it } else if (utils$1.isFunction(data.getHeaders)) { // Node.js FormData (like form-data package) - const formHeaders = data.getHeaders(); - // Only set safe headers to avoid overwriting security headers - const allowedHeaders = ['content-type', 'content-length']; - Object.entries(formHeaders).forEach(([key, val]) => { - if (allowedHeaders.includes(key.toLowerCase())) { - headers.set(key, val); - } - }); + setFormDataHeaders(headers, data.getHeaders(), own('formDataHeaderPolicy')); } } @@ -198217,9 +199281,15 @@ var resolveConfig = config => { // Specifically not if we're in a web worker, or react-native. if (platform.hasStandardBrowserEnv) { - withXSRFToken && utils$1.isFunction(withXSRFToken) && (withXSRFToken = withXSRFToken(newConfig)); - if (withXSRFToken || withXSRFToken !== false && isURLSameOrigin(newConfig.url)) { - // Add xsrf header + if (utils$1.isFunction(withXSRFToken)) { + withXSRFToken = withXSRFToken(newConfig); + } + + // Strict boolean check — prevents proto-pollution gadgets (e.g. Object.prototype.withXSRFToken = 1) + // and misconfigurations (e.g. "false") from short-circuiting the same-origin check and leaking + // the XSRF token cross-origin. + const shouldSendXSRF = withXSRFToken === true || withXSRFToken == null && isURLSameOrigin(newConfig.url); + if (shouldSendXSRF) { const xsrfValue = xsrfHeaderName && xsrfCookieName && cookies.read(xsrfCookieName); if (xsrfValue) { headers.set(xsrfHeaderName, xsrfValue); @@ -198295,7 +199365,7 @@ var xhrAdapter = isXHRAdapterSupported && function (config) { // handled by onerror instead // With one exception: request that using file: protocol, most browsers // will return status as 0 even though it's a successful request - if (request.status === 0 && !(request.responseURL && request.responseURL.indexOf('file:') === 0)) { + if (request.status === 0 && !(request.responseURL && request.responseURL.startsWith('file:'))) { return; } // readystate handler is calling before onerror or ontimeout handlers, @@ -198310,6 +199380,7 @@ var xhrAdapter = isXHRAdapterSupported && function (config) { return; } reject(new AxiosError('Request aborted', AxiosError.ECONNABORTED, config, request)); + done(); // Clean up request request = null; @@ -198325,6 +199396,7 @@ var xhrAdapter = isXHRAdapterSupported && function (config) { // attach the underlying event for consumers who want details err.event = event || null; reject(err); + done(); request = null; }; @@ -198336,6 +199408,7 @@ var xhrAdapter = isXHRAdapterSupported && function (config) { timeoutErrorMessage = _config.timeoutErrorMessage; } reject(new AxiosError(timeoutErrorMessage, transitional.clarifyTimeoutError ? AxiosError.ETIMEDOUT : AxiosError.ECONNABORTED, config, request)); + done(); // Clean up request request = null; @@ -198346,7 +199419,7 @@ var xhrAdapter = isXHRAdapterSupported && function (config) { // Add headers to the request if ('setRequestHeader' in request) { - utils$1.forEach(requestHeaders.toJSON(), function setRequestHeader(val, key) { + utils$1.forEach(toByteStringHeaderObject(requestHeaders), function setRequestHeader(val, key) { request.setRequestHeader(key, val); }); } @@ -198382,6 +199455,7 @@ var xhrAdapter = isXHRAdapterSupported && function (config) { } reject(!cancel || cancel.type ? new CanceledError(null, config, request) : cancel); request.abort(); + done(); request = null; }; _config.cancelToken && _config.cancelToken.subscribe(onCanceled); @@ -198390,7 +199464,7 @@ var xhrAdapter = isXHRAdapterSupported && function (config) { } } const protocol = parseProtocol(_config.url); - if (protocol && platform.protocols.indexOf(protocol) === -1) { + if (protocol && !platform.protocols.includes(protocol)) { reject(new AxiosError('Unsupported protocol ' + protocol + ':', AxiosError.ERR_BAD_REQUEST, config)); return; } @@ -198401,41 +199475,41 @@ var xhrAdapter = isXHRAdapterSupported && function (config) { }; const composeSignals = (signals, timeout) => { - const { - length - } = signals = signals ? signals.filter(Boolean) : []; - if (timeout || length) { - let controller = new AbortController(); - let aborted; - const onabort = function (reason) { - if (!aborted) { - aborted = true; - unsubscribe(); - const err = reason instanceof Error ? reason : this.reason; - controller.abort(err instanceof AxiosError ? err : new CanceledError(err instanceof Error ? err.message : err)); - } - }; - let timer = timeout && setTimeout(() => { - timer = null; - onabort(new AxiosError(`timeout of ${timeout}ms exceeded`, AxiosError.ETIMEDOUT)); - }, timeout); - const unsubscribe = () => { - if (signals) { - timer && clearTimeout(timer); - timer = null; - signals.forEach(signal => { - signal.unsubscribe ? signal.unsubscribe(onabort) : signal.removeEventListener('abort', onabort); - }); - signals = null; - } - }; - signals.forEach(signal => signal.addEventListener('abort', onabort)); - const { - signal - } = controller; - signal.unsubscribe = () => utils$1.asap(unsubscribe); - return signal; + signals = signals ? signals.filter(Boolean) : []; + if (!timeout && !signals.length) { + return; } + const controller = new AbortController(); + let aborted = false; + const onabort = function (reason) { + if (!aborted) { + aborted = true; + unsubscribe(); + const err = reason instanceof Error ? reason : this.reason; + controller.abort(err instanceof AxiosError ? err : new CanceledError(err instanceof Error ? err.message : err)); + } + }; + let timer = timeout && setTimeout(() => { + timer = null; + onabort(new AxiosError(`timeout of ${timeout}ms exceeded`, AxiosError.ETIMEDOUT)); + }, timeout); + const unsubscribe = () => { + if (!signals) { + return; + } + timer && clearTimeout(timer); + timer = null; + signals.forEach(signal => { + signal.unsubscribe ? signal.unsubscribe(onabort) : signal.removeEventListener('abort', onabort); + }); + signals = null; + }; + signals.forEach(signal => signal.addEventListener('abort', onabort)); + const { + signal + } = controller; + signal.unsubscribe = () => utils$1.asap(unsubscribe); + return signal; }; const streamChunk = function* (chunk, chunkSize) { @@ -198524,17 +199598,6 @@ const DEFAULT_CHUNK_SIZE = 64 * 1024; const { isFunction } = utils$1; -const globalFetchAPI = (({ - Request, - Response -}) => ({ - Request, - Response -}))(utils$1.global); -const { - ReadableStream: ReadableStream$1, - TextEncoder: TextEncoder$1 -} = utils$1.global; const test = (fn, ...args) => { try { return !!fn(...args); @@ -198543,9 +199606,17 @@ const test = (fn, ...args) => { } }; const factory = env => { + const globalObject = utils$1.global !== undefined && utils$1.global !== null ? utils$1.global : globalThis; + const { + ReadableStream, + TextEncoder + } = globalObject; env = utils$1.merge.call({ skipUndefined: true - }, globalFetchAPI, env); + }, { + Request: globalObject.Request, + Response: globalObject.Response + }, env); const { fetch: envFetch, Request, @@ -198557,20 +199628,22 @@ const factory = env => { if (!isFetchSupported) { return false; } - const isReadableStreamSupported = isFetchSupported && isFunction(ReadableStream$1); - const encodeText = isFetchSupported && (typeof TextEncoder$1 === 'function' ? (encoder => str => encoder.encode(str))(new TextEncoder$1()) : async str => new Uint8Array(await new Request(str).arrayBuffer())); + const isReadableStreamSupported = isFetchSupported && isFunction(ReadableStream); + const encodeText = isFetchSupported && (typeof TextEncoder === 'function' ? (encoder => str => encoder.encode(str))(new TextEncoder()) : async str => new Uint8Array(await new Request(str).arrayBuffer())); const supportsRequestStream = isRequestSupported && isReadableStreamSupported && test(() => { let duplexAccessed = false; - const body = new ReadableStream$1(); - const hasContentType = new Request(platform.origin, { - body, + const request = new Request(platform.origin, { + body: new ReadableStream(), method: 'POST', get duplex() { duplexAccessed = true; return 'half'; } - }).headers.has('Content-Type'); - body.cancel(); + }); + const hasContentType = request.headers.has('Content-Type'); + if (request.body != null) { + request.body.cancel(); + } return duplexAccessed && !hasContentType; }); const supportsResponseStream = isResponseSupported && isReadableStreamSupported && test(() => utils$1.isReadableStream(new Response('').body)); @@ -198629,8 +199702,12 @@ const factory = env => { responseType, headers, withCredentials = 'same-origin', - fetchOptions + fetchOptions, + maxContentLength, + maxBodyLength } = resolveConfig(config); + const hasMaxContentLength = utils$1.isNumber(maxContentLength) && maxContentLength > -1; + const hasMaxBodyLength = utils$1.isNumber(maxBodyLength) && maxBodyLength > -1; let _fetch = envFetch || fetch; responseType = responseType ? (responseType + '').toLowerCase() : 'text'; let composedSignal = composeSignals([signal, cancelToken && cancelToken.toAbortSignal()], timeout); @@ -198640,6 +199717,26 @@ const factory = env => { }); let requestContentLength; try { + // Enforce maxContentLength for data: URLs up-front so we never materialize + // an oversized payload. The HTTP adapter applies the same check (see http.js + // "if (protocol === 'data:')" branch). + if (hasMaxContentLength && typeof url === 'string' && url.startsWith('data:')) { + const estimated = estimateDataURLDecodedBytes(url); + if (estimated > maxContentLength) { + throw new AxiosError('maxContentLength size of ' + maxContentLength + ' exceeded', AxiosError.ERR_BAD_RESPONSE, config, request); + } + } + + // Enforce maxBodyLength against the outbound request body before dispatch. + // Mirrors http.js behavior (ERR_BAD_REQUEST / 'Request body larger than + // maxBodyLength limit'). Skip when the body length cannot be determined + // (e.g. a live ReadableStream supplied by the caller). + if (hasMaxBodyLength && method !== 'get' && method !== 'head') { + const outboundLength = await resolveBodyLength(headers, data); + if (typeof outboundLength === 'number' && isFinite(outboundLength) && outboundLength > maxBodyLength) { + throw new AxiosError('Request body larger than maxBodyLength limit', AxiosError.ERR_BAD_REQUEST, config, request); + } + } if (onUploadProgress && supportsRequestStream && method !== 'get' && method !== 'head' && (requestContentLength = await resolveBodyLength(headers, data)) !== 0) { let _request = new Request(url, { method: 'POST', @@ -198662,32 +199759,82 @@ const factory = env => { // Cloudflare Workers throws when credentials are defined // see https://github.com/cloudflare/workerd/issues/902 const isCredentialsSupported = isRequestSupported && 'credentials' in Request.prototype; + + // If data is FormData and Content-Type is multipart/form-data without boundary, + // delete it so fetch can set it correctly with the boundary + if (utils$1.isFormData(data)) { + const contentType = headers.getContentType(); + if (contentType && /^multipart\/form-data/i.test(contentType) && !/boundary=/i.test(contentType)) { + headers.delete('content-type'); + } + } + + // Set User-Agent header if not already set (fetch defaults to 'node' in Node.js) + headers.set('User-Agent', 'axios/' + VERSION, false); const resolvedOptions = { ...fetchOptions, signal: composedSignal, method: method.toUpperCase(), - headers: headers.normalize().toJSON(), + headers: toByteStringHeaderObject(headers.normalize()), body: data, duplex: 'half', credentials: isCredentialsSupported ? withCredentials : undefined }; request = isRequestSupported && new Request(url, resolvedOptions); let response = await (isRequestSupported ? _fetch(request, fetchOptions) : _fetch(url, resolvedOptions)); + + // Cheap pre-check: if the server honestly declares a content-length that + // already exceeds the cap, reject before we start streaming. + if (hasMaxContentLength) { + const declaredLength = utils$1.toFiniteNumber(response.headers.get('content-length')); + if (declaredLength != null && declaredLength > maxContentLength) { + throw new AxiosError('maxContentLength size of ' + maxContentLength + ' exceeded', AxiosError.ERR_BAD_RESPONSE, config, request); + } + } const isStreamResponse = supportsResponseStream && (responseType === 'stream' || responseType === 'response'); - if (supportsResponseStream && (onDownloadProgress || isStreamResponse && unsubscribe)) { + if (supportsResponseStream && response.body && (onDownloadProgress || hasMaxContentLength || isStreamResponse && unsubscribe)) { const options = {}; ['status', 'statusText', 'headers'].forEach(prop => { options[prop] = response[prop]; }); const responseContentLength = utils$1.toFiniteNumber(response.headers.get('content-length')); const [onProgress, flush] = onDownloadProgress && progressEventDecorator(responseContentLength, progressEventReducer(asyncDecorator(onDownloadProgress), true)) || []; - response = new Response(trackStream(response.body, DEFAULT_CHUNK_SIZE, onProgress, () => { + let bytesRead = 0; + const onChunkProgress = loadedBytes => { + if (hasMaxContentLength) { + bytesRead = loadedBytes; + if (bytesRead > maxContentLength) { + throw new AxiosError('maxContentLength size of ' + maxContentLength + ' exceeded', AxiosError.ERR_BAD_RESPONSE, config, request); + } + } + onProgress && onProgress(loadedBytes); + }; + response = new Response(trackStream(response.body, DEFAULT_CHUNK_SIZE, onChunkProgress, () => { flush && flush(); unsubscribe && unsubscribe(); }), options); } responseType = responseType || 'text'; let responseData = await resolvers[utils$1.findKey(resolvers, responseType) || 'text'](response, config); + + // Fallback enforcement for environments without ReadableStream support + // (legacy runtimes). Detect materialized size from typed output; skip + // streams/Response passthrough since the user will read those themselves. + if (hasMaxContentLength && !supportsResponseStream && !isStreamResponse) { + let materializedSize; + if (responseData != null) { + if (typeof responseData.byteLength === 'number') { + materializedSize = responseData.byteLength; + } else if (typeof responseData.size === 'number') { + materializedSize = responseData.size; + } else if (typeof responseData === 'string') { + materializedSize = typeof TextEncoder === 'function' ? new TextEncoder().encode(responseData).byteLength : responseData.length; + } + } + if (typeof materializedSize === 'number' && materializedSize > maxContentLength) { + throw new AxiosError('maxContentLength size of ' + maxContentLength + ' exceeded', AxiosError.ERR_BAD_RESPONSE, config, request); + } + } !isStreamResponse && unsubscribe && unsubscribe(); return await new Promise((resolve, reject) => { settle(resolve, reject, { @@ -198701,6 +199848,17 @@ const factory = env => { }); } catch (err) { unsubscribe && unsubscribe(); + + // Safari can surface fetch aborts as a DOMException-like object whose + // branded getters throw. Prefer our composed signal reason before reading + // the caught error, preserving timeout vs cancellation semantics. + if (composedSignal && composedSignal.aborted && composedSignal.reason instanceof AxiosError) { + const canceledError = composedSignal.reason; + canceledError.config = config; + request && (canceledError.request = request); + err !== canceledError && (canceledError.cause = err); + throw canceledError; + } if (err && err.name === 'TypeError' && /Load failed|fetch/i.test(err.message)) { throw Object.assign(new AxiosError('Network Error', AxiosError.ERR_NETWORK, config, request, err && err.response), { cause: err.cause || err @@ -198755,13 +199913,17 @@ const knownAdapters = { utils$1.forEach(knownAdapters, (fn, value) => { if (fn) { try { + // Null-proto descriptors so a polluted Object.prototype.get cannot turn + // these data descriptors into accessor descriptors on the way in. Object.defineProperty(fn, 'name', { + __proto__: null, value }); } catch (e) { // eslint-disable-next-line no-empty } Object.defineProperty(fn, 'adapterName', { + __proto__: null, value }); } @@ -198876,8 +200038,15 @@ function dispatchRequest(config) { return adapter(config).then(function onAdapterResolution(response) { throwIfCancellationRequested(config); - // Transform response data - response.data = transformData.call(config, config.transformResponse, response); + // Expose the current response on config so that transformResponse can + // attach it to any AxiosError it throws (e.g. on JSON parse failure). + // We clean it up afterwards to avoid polluting the config object. + config.response = response; + try { + response.data = transformData.call(config, config.transformResponse, response); + } finally { + delete config.response; + } response.headers = AxiosHeaders.from(response.headers); return response; }, function onAdapterRejection(reason) { @@ -198886,7 +200055,12 @@ function dispatchRequest(config) { // Transform response data if (reason && reason.response) { - reason.response.data = transformData.call(config, config.transformResponse, reason.response); + config.response = reason.response; + try { + reason.response.data = transformData.call(config, config.transformResponse, reason.response); + } finally { + delete config.response; + } reason.response.headers = AxiosHeaders.from(reason.response.headers); } } @@ -198957,7 +200131,9 @@ function assertOptions(options, schema, allowUnknown) { let i = keys.length; while (i-- > 0) { const opt = keys[i]; - const validator = schema[opt]; + // Use hasOwnProperty so a polluted Object.prototype. cannot supply + // a non-function validator and cause a TypeError. + const validator = Object.prototype.hasOwnProperty.call(schema, opt) ? schema[opt] : undefined; if (validator) { const value = options[opt]; const result = value === undefined || validator(value, opt, options); @@ -199089,7 +200265,7 @@ class Axios { // Flatten headers let contextHeaders = headers && utils$1.merge(headers.common, headers[config.method]); - headers && utils$1.forEach(['delete', 'get', 'head', 'post', 'put', 'patch', 'common'], method => { + headers && utils$1.forEach(['delete', 'get', 'head', 'post', 'put', 'patch', 'query', 'common'], method => { delete headers[method]; }); config.headers = AxiosHeaders.concat(contextHeaders, headers); @@ -199170,7 +200346,7 @@ utils$1.forEach(['delete', 'get', 'head', 'options'], function forEachMethodNoDa })); }; }); -utils$1.forEach(['post', 'put', 'patch'], function forEachMethodWithData(method) { +utils$1.forEach(['post', 'put', 'patch', 'query'], function forEachMethodWithData(method) { function generateHTTPMethod(isForm) { return function httpMethod(url, data, config) { return this.request(mergeConfig(config || {}, { @@ -199184,7 +200360,12 @@ utils$1.forEach(['post', 'put', 'patch'], function forEachMethodWithData(method) }; } Axios.prototype[method] = generateHTTPMethod(); - Axios.prototype[method + 'Form'] = generateHTTPMethod(true); + + // QUERY is a safe/idempotent read method; multipart form bodies don't fit + // its semantics, so no queryForm shorthand is generated. + if (method !== 'query') { + Axios.prototype[method + 'Form'] = generateHTTPMethod(true); + } }); /** @@ -215072,20 +216253,349 @@ class Matcher { return this._view; } } +;// CONCATENATED MODULE: ./node_modules/fast-xml-builder/src/util.js + + +function safeComment(val) { + return String(val) + .replace(/--/g, '- -') // -- is illegal anywhere in comment content + .replace(/--/g, '- -') // handle the scenario when 2 consiucative dashes appears + .replace(/-$/, '- '); // trailing - would form -- with the closing --> +} + +function safeCdata(val) { + return String(val).replace(/\]\]>/g, ']]]]>') +} + +function escapeAttribute(val) { + return String(val).replace(/"/g, '"').replace(/'/g, ''') +} +;// CONCATENATED MODULE: ./node_modules/xml-naming/src/index.js +/** + * xml-naming + * Validates XML Name productions as defined in the XML 1.0 and 1.1 specifications. + * Covers: Name, NCName, QName, NMToken, NMTokens + * + * XML 1.0 spec: https://www.w3.org/TR/xml/#NT-Name + * XML 1.1 spec: https://www.w3.org/TR/xml11/#NT-NameStartChar + * XML NS spec: https://www.w3.org/TR/xml-names/#NT-NCName + */ + +// --------------------------------------------------------------------------- +// Character class strings — XML 1.0 +// +// NameStartChar ::= ":" | [A-Z] | "_" | [a-z] +// | [#xC0-#xD6] | [#xD8-#xF6] | [#xF8-#x2FF] +// | [#x370-#x37D] | [#x37F-#x1FFF] <- split to exclude #x0487 +// | [#x200C-#x200D] +// | [#x2070-#x218F] | [#x2C00-#x2FEF] +// | [#x3001-#xD7FF] | [#xF900-#xFDCF] | [#xFDF0-#xFFFD] +// +// NameChar ::= NameStartChar | "-" | "." | [0-9] +// | #xB7 | [#x0300-#x036F] | [#x203F-#x2040] +// +// Note: \u0487 (Combining Cyrillic Millions Sign) was added in Unicode 4.0, +// after XML 1.0 was defined against Unicode 2.0. It falls inside the range +// \u037F-\u1FFF but must be excluded. We split that range into +// \u037F-\u0486 and \u0488-\u1FFF to exclude it explicitly. +// --------------------------------------------------------------------------- + +const nameStartChar10 = + ':A-Za-z_' + + '\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF' + + '\u0370-\u037D' + + '\u037F-\u0486\u0488-\u1FFF' + // split to exclude \u0487 + '\u200C-\u200D' + + '\u2070-\u218F' + + '\u2C00-\u2FEF' + + '\u3001-\uD7FF' + + '\uF900-\uFDCF' + + '\uFDF0-\uFFFD'; + +const nameChar10 = + nameStartChar10 + + '\\-\\.\\d' + + '\u00B7' + + '\u0300-\u036F' + + '\u203F-\u2040'; + +// --------------------------------------------------------------------------- +// Character class strings — XML 1.1 +// +// Differences from XML 1.0: +// +// NameStartChar: +// 1.0 has split ranges: \u00C0-\u00D6, \u00D8-\u00F6, \u00F8-\u02FF +// 1.1 merges them into: \u00C0-\u02FF +// (\u00D7 x and \u00F7 / are division symbols, excluded in both versions) +// +// 1.0 tops out at \uFFFD (BMP only) +// 1.1 adds \u{10000}-\u{EFFFF} (supplementary planes) +// These require the /u flag on the RegExp — see buildRegexes below. +// +// NameChar: +// 1.1 adds \u0487 (Combining Cyrillic Millions Sign, added in Unicode 4.0) +// --------------------------------------------------------------------------- + +const nameStartChar11 = + ':A-Za-z_' + + '\u00C0-\u02FF' + // merged — 1.0 had three split ranges here + '\u0370-\u037D' + + '\u037F-\u0486\u0488-\u1FFF' + // split to exclude \u0487 (combining mark, never a NameStartChar) + '\u200C-\u200D' + + '\u2070-\u218F' + + '\u2C00-\u2FEF' + + '\u3001-\uD7FF' + + '\uF900-\uFDCF' + + '\uFDF0-\uFFFD' + + '\u{10000}-\u{EFFFF}'; // supplementary planes — REQUIRES /u flag on RegExp + +const nameChar11 = + nameStartChar11 + + '\\-\\.\\d' + + '\u00B7' + + '\u0300-\u036F' + + '\u0487' + // Combining Cyrillic Millions Sign — valid in 1.1, not 1.0 + '\u203F-\u2040'; + +// --------------------------------------------------------------------------- +// Regex builders +// +// XML 1.0 regexes: no flags — BMP only, standard JS regex behaviour. +// XML 1.1 regexes: /u flag — required for \u{10000}-\u{EFFFF} to match actual +// supplementary code points rather than lone surrogates (which are illegal XML). +// --------------------------------------------------------------------------- + +const buildRegexes = (startChar, char, flags = '') => { + const ncStart = startChar.replace(':', ''); + const ncChar = char.replace(':', ''); + const ncNamePat = `[${ncStart}][${ncChar}]*`; + + return { + name: new RegExp(`^[${startChar}][${char}]*$`, flags), + ncName: new RegExp(`^${ncNamePat}$`, flags), + qName: new RegExp(`^${ncNamePat}(?::${ncNamePat})?$`, flags), + nmToken: new RegExp(`^[${char}]+$`, flags), + nmTokens: new RegExp(`^[${char}]+(?:\\s+[${char}]+)*$`, flags), + }; +}; + +const regexes10 = buildRegexes(nameStartChar10, nameChar10); // no /u — BMP only +const regexes11 = buildRegexes(nameStartChar11, nameChar11, 'u'); // /u — enables \u{10000}-\u{EFFFF} + +const getRegexes = (xmlVersion = '1.0') => + xmlVersion === '1.1' ? regexes11 : regexes10; + +// --------------------------------------------------------------------------- +// Boolean validators +// --------------------------------------------------------------------------- + +/** + * Returns true if the string is a valid XML Name. + * Colons are allowed anywhere (Name production). + * Used for: DOCTYPE entity names, notation names, DTD element declarations. + */ +const src_name = (str, { xmlVersion = '1.0' } = {}) => + getRegexes(xmlVersion).name.test(str); + +/** + * Returns true if the string is a valid NCName (Non-Colonized Name). + * Colons are not permitted. + * Used for: namespace prefixes, local names, SVG id attributes. + */ +const ncName = (str, { xmlVersion = '1.0' } = {}) => + getRegexes(xmlVersion).ncName.test(str); + +/** + * Returns true if the string is a valid QName (Qualified Name). + * Allows exactly one colon as a prefix separator: prefix:localName. + * Used for: element and attribute names in namespace-aware XML/SVG. + */ +const qName = (str, { xmlVersion = '1.0' } = {}) => + getRegexes(xmlVersion).qName.test(str); + +/** + * Returns true if the string is a valid NMToken. + * Like Name but no restriction on the first character. + * Used for: DTD NMTOKEN attribute values. + */ +const nmToken = (str, { xmlVersion = '1.0' } = {}) => + getRegexes(xmlVersion).nmToken.test(str); + +/** + * Returns true if the string is a valid NMTokens value. + * A whitespace-separated list of NMToken values. + * Used for: DTD NMTOKENS attribute values. + */ +const nmTokens = (str, { xmlVersion = '1.0' } = {}) => + getRegexes(xmlVersion).nmTokens.test(str); + +// --------------------------------------------------------------------------- +// Diagnostic validator +// --------------------------------------------------------------------------- + +const PRODUCTIONS = (/* unused pure expression or super */ null && (['name', 'ncName', 'qName', 'nmToken', 'nmTokens'])); + +/** + * Validates a string against a named production and returns a detailed result. + * + * @param {string} str + * @param {'name'|'ncName'|'qName'|'nmToken'|'nmTokens'} production + * @param {{ xmlVersion?: '1.0'|'1.1' }} [opts] + * @returns {{ valid: boolean, production: string, input: string, reason?: string, position?: number }} + */ +const validate = (str, production, { xmlVersion = '1.0' } = {}) => { + if (!PRODUCTIONS.includes(production)) { + throw new TypeError( + `Unknown production "${production}". Must be one of: ${PRODUCTIONS.join(', ')}` + ); + } + + const validators = { name: src_name, ncName, qName, nmToken, nmTokens }; + const isValid = validators[production](str, { xmlVersion }); + + if (isValid) return { valid: true, production, input: str }; + + let reason = 'Does not match the production rules'; + let position; + + if (str.length === 0) { + reason = 'Input is empty'; + } else if (production === 'ncName' && str.includes(':')) { + position = str.indexOf(':'); + reason = 'Colon is not allowed in NCName'; + } else if (production === 'qName' && str.startsWith(':')) { + reason = 'QName cannot start with a colon'; + position = 0; + } else if (production === 'qName' && str.endsWith(':')) { + reason = 'QName cannot end with a colon'; + position = str.length - 1; + } else if (production === 'qName' && (str.match(/:/g) || []).length > 1) { + reason = 'QName can have at most one colon'; + position = str.lastIndexOf(':'); + } else if ( + ['name', 'ncName', 'qName'].includes(production) && + !/^[:A-Za-z_\u00C0-\uFFFD]/.test(str[0]) + ) { + reason = `First character "${str[0]}" is not a valid NameStartChar`; + position = 0; + } else { + for (let i = 0; i < str.length; i++) { + if (!/[\w\-\\.:\u00B7\u00C0-\uFFFD]/.test(str[i])) { + reason = `Character "${str[i]}" at position ${i} is not a valid NameChar`; + position = i; + break; + } + } + } + + return { valid: false, production, input: str, reason, position }; +}; + +// --------------------------------------------------------------------------- +// Batch validator +// --------------------------------------------------------------------------- + +/** + * Validates an array of strings against a named production. + * + * @param {string[]} strings + * @param {'name'|'ncName'|'qName'|'nmToken'|'nmTokens'} production + * @param {{ xmlVersion?: '1.0'|'1.1' }} [opts] + * @returns {Array<{ valid: boolean, production: string, input: string, reason?: string, position?: number }>} + */ +const validateAll = (strings, production, opts = {}) => + strings.map(str => validate(str, production, opts)); + +// --------------------------------------------------------------------------- +// Sanitizer +// --------------------------------------------------------------------------- + +/** + * Transforms an invalid string into the nearest valid XML name for the given production. + * + * @param {string} str + * @param {'name'|'ncName'|'qName'|'nmToken'|'nmTokens'} production + * @param {{ replacement?: string }} [opts] + * @returns {string} + */ +const sanitize = (str, production = 'name', { replacement = '_' } = {}) => { + if (!str) return replacement; + + let result = str; + + // Strip colons for NCName + if (production === 'ncName') { + result = result.replace(/:/g, ''); + } + + // Replace illegal characters + result = result.replace(/[^\w\-\.:\u00B7\u00C0-\uFFFD]/g, replacement); + + // Fix invalid start character for Name / NCName / QName + if (production !== 'nmToken' && production !== 'nmTokens') { + if (/^[\-\.\d]/.test(result)) { + result = replacement + result; + } + } + + return result || replacement; +}; ;// CONCATENATED MODULE: ./node_modules/fast-xml-builder/src/orderedJs2Xml.js + + const EOL = "\n"; /** - * - * @param {array} jArray - * @param {any} options - * @returns + * Detect XML version from the first element of the ordered array input. + * The first element must be a ?xml processing instruction with a version attribute. + * Returns '1.0' if not found. + * + * @param {array} jArray + * @param {object} options + */ +function detectXmlVersionFromArray(jArray, options) { + if (!Array.isArray(jArray) || jArray.length === 0) return '1.0'; + const first = jArray[0]; + const firstKey = propName(first); + if (firstKey === '?xml') { + const attrs = first[':@']; + if (attrs) { + const versionKey = options.attributeNamePrefix + 'version'; + if (attrs[versionKey]) return attrs[versionKey]; + } + } + return '1.0'; +} + +/** + * Resolve a tag or attribute name through sanitizeName if configured. + * Validation via xml-naming's qName is performed first; the sanitizeName + * callback is invoked only when the name is invalid. If sanitizeName is + * false (default), no validation occurs and the name is used as-is. + * + * @param {string} name - raw name from the JS object + * @param {boolean} isAttribute - true when resolving an attribute name + * @param {object} options + * @param {Matcher} matcher - current matcher state (readonly from callback perspective) + * @param {string} xmlVersion - '1.0' or '1.1', forwarded to xml-naming + */ +function resolveTagName(name, isAttribute, options, matcher, xmlVersion) { + if (!options.sanitizeName) return name; + if (qName(name, { xmlVersion })) return name; + return options.sanitizeName(name, { isAttribute, matcher: matcher.readOnly() }); +} + +/** + * @param {array} jArray + * @param {any} options + * @returns */ function toXml(jArray, options) { let indentation = ""; - if (options.format && options.indentBy.length > 0) { + if (options.format) { indentation = EOL; } @@ -215102,13 +216612,16 @@ function toXml(jArray, options) { } } + // Detect XML version for use in name validation + const xmlVersion = detectXmlVersionFromArray(jArray, options); + // Initialize matcher for path tracking const matcher = new Matcher(); - return arrToStr(jArray, options, indentation, matcher, stopNodeExpressions); + return arrToStr(jArray, options, indentation, matcher, stopNodeExpressions, xmlVersion); } -function arrToStr(arr, options, indentation, matcher, stopNodeExpressions) { +function arrToStr(arr, options, indentation, matcher, stopNodeExpressions, xmlVersion) { let xmlStr = ""; let isPreviousElementTag = false; @@ -215128,20 +216641,32 @@ function arrToStr(arr, options, indentation, matcher, stopNodeExpressions) { for (let i = 0; i < arr.length; i++) { const tagObj = arr[i]; - const tagName = propName(tagObj); - if (tagName === undefined) continue; + const rawTagName = propName(tagObj); + if (rawTagName === undefined) continue; + + // Special names are exempt from sanitizeName: internal conventions and PI tags + // are not user-supplied XML element names. + const isSpecialName = rawTagName === options.textNodeName + || rawTagName === options.cdataPropName + || rawTagName === options.commentPropName + || rawTagName[0] === '?'; + + // Resolve tag name (may transform it; may throw for invalid names) + const tagName = isSpecialName + ? rawTagName + : resolveTagName(rawTagName, false, options, matcher, xmlVersion); // Extract attributes from ":@" property const attrValues = extractAttributeValues(tagObj[":@"], options); - // Push tag to matcher WITH attributes + // Push resolved tag to matcher WITH attributes matcher.push(tagName, attrValues); // Check if this is a stop node using Expression matching const isStopNode = checkStopNode(matcher, stopNodeExpressions); if (tagName === options.textNodeName) { - let tagText = tagObj[tagName]; + let tagText = tagObj[rawTagName]; if (!isStopNode) { tagText = options.tagValueProcessor(tagName, tagText); tagText = replaceEntitiesValue(tagText, options); @@ -215157,27 +216682,25 @@ function arrToStr(arr, options, indentation, matcher, stopNodeExpressions) { if (isPreviousElementTag) { xmlStr += indentation; } - const val = tagObj[tagName][0][options.textNodeName]; - const safeVal = String(val).replace(/\]\]>/g, ']]]]>'); + const val = tagObj[rawTagName][0][options.textNodeName]; + const safeVal = safeCdata(val); xmlStr += ``; isPreviousElementTag = false; matcher.pop(); continue; } else if (tagName === options.commentPropName) { - const val = tagObj[tagName][0][options.textNodeName] - const safeVal = String(val) - .replace(/--/g, '- -') // -- is illegal anywhere in comment content - .replace(/-$/, '- '); // trailing - would form -- with the closing --> + const val = tagObj[rawTagName][0][options.textNodeName]; + const safeVal = safeComment(val); xmlStr += indentation + ``; isPreviousElementTag = true; matcher.pop(); continue; } else if (tagName[0] === "?") { - const attStr = attr_to_str(tagObj[":@"], options, isStopNode); + const attStr = attr_to_str(tagObj[":@"], options, isStopNode, matcher, xmlVersion); const tempInd = tagName === "?xml" ? "" : indentation; - let piTextNodeName = tagObj[tagName][0][options.textNodeName]; - piTextNodeName = piTextNodeName.length !== 0 ? " " + piTextNodeName : ""; //remove extra spacing - xmlStr += tempInd + `<${tagName}${piTextNodeName}${attStr}?>`; + // Text node content on PI/XML declaration tags is intentionally ignored. + // Only attributes are valid on these tags per the XML spec. + xmlStr += tempInd + `<${tagName}${attStr}?>`; isPreviousElementTag = true; matcher.pop(); continue; @@ -215189,16 +216712,15 @@ function arrToStr(arr, options, indentation, matcher, stopNodeExpressions) { } // Pass isStopNode to attr_to_str so attributes are also not processed for stopNodes - const attStr = attr_to_str(tagObj[":@"], options, isStopNode); + const attStr = attr_to_str(tagObj[":@"], options, isStopNode, matcher, xmlVersion); const tagStart = indentation + `<${tagName}${attStr}`; // If this is a stopNode, get raw content without processing let tagValue; if (isStopNode) { - tagValue = orderedJs2Xml_getRawContent(tagObj[tagName], options); + tagValue = orderedJs2Xml_getRawContent(tagObj[rawTagName], options); } else { - - tagValue = arrToStr(tagObj[tagName], options, newIdentation, matcher, stopNodeExpressions); + tagValue = arrToStr(tagObj[rawTagName], options, newIdentation, matcher, stopNodeExpressions, xmlVersion); } if (options.unpairedTags.indexOf(tagName) !== -1) { @@ -215242,7 +216764,7 @@ function extractAttributeValues(attrMap, options) { const cleanAttrName = attr.startsWith(options.attributeNamePrefix) ? attr.substr(options.attributeNamePrefix.length) : attr; - attrValues[cleanAttrName] = attrMap[attr]; + attrValues[cleanAttrName] = escapeAttribute(attrMap[attr]); hasAttrs = true; } @@ -215280,9 +216802,7 @@ function orderedJs2Xml_getRawContent(arr, options) { // Processing instruction - skip for stopNodes continue; } else if (tagName) { - // Nested tags within stopNode - // Recursively get raw content and reconstruct the tag - // For stopNodes, we don't process attributes either + // Nested tags within stopNode — no sanitizeName, content is raw const attStr = attr_to_str_raw(item[":@"], options); const nestedContent = orderedJs2Xml_getRawContent(item[tagName], options); @@ -215309,7 +216829,7 @@ function attr_to_str_raw(attrMap, options) { if (attrVal === true && options.suppressBooleanAttributes) { attrStr += ` ${attr.substr(options.attributeNamePrefix.length)}`; } else { - attrStr += ` ${attr.substr(options.attributeNamePrefix.length)}="${attrVal}"`; + attrStr += ` ${attr.substr(options.attributeNamePrefix.length)}="${escapeAttribute(attrVal)}"`; } } } @@ -215325,13 +216845,23 @@ function propName(obj) { } } -function attr_to_str(attrMap, options, isStopNode) { +/** + * Build attribute string, resolving attribute names through sanitizeName when configured. + * Accepts matcher so the callback has path context. + */ +function attr_to_str(attrMap, options, isStopNode, matcher, xmlVersion) { let attrStr = ""; if (attrMap && !options.ignoreAttributes) { for (let attr in attrMap) { if (!Object.prototype.hasOwnProperty.call(attrMap, attr)) continue; - let attrVal; + // Strip prefix to get the clean XML attribute name, then optionally sanitize it + const cleanAttrName = attr.substr(options.attributeNamePrefix.length); + const resolvedAttrName = isStopNode + ? cleanAttrName // stopNodes are raw — skip sanitizeName for attr names too + : resolveTagName(cleanAttrName, true, options, matcher, xmlVersion); + + let attrVal; if (isStopNode) { // For stopNodes, use raw value without any processing attrVal = attrMap[attr]; @@ -215342,9 +216872,9 @@ function attr_to_str(attrMap, options, isStopNode) { } if (attrVal === true && options.suppressBooleanAttributes) { - attrStr += ` ${attr.substr(options.attributeNamePrefix.length)}`; + attrStr += ` ${resolvedAttrName}`; } else { - attrStr += ` ${attr.substr(options.attributeNamePrefix.length)}="${attrVal}"`; + attrStr += ` ${resolvedAttrName}="${escapeAttribute(attrVal)}"`; } } } @@ -215371,14 +216901,6 @@ function replaceEntitiesValue(textValue, options) { } return textValue; } - -function cdataVal(val) { - -} - -function commentVal(val) { - -} ;// CONCATENATED MODULE: ./node_modules/fast-xml-builder/src/ignoreAttributes.js function getIgnoreAttributesFn(ignoreAttributes) { if (typeof ignoreAttributes === 'function') { @@ -215405,6 +216927,8 @@ function getIgnoreAttributesFn(ignoreAttributes) { + + const defaultOptions = { attributeNamePrefix: '@_', attributesGroupName: false, @@ -215438,7 +216962,11 @@ const defaultOptions = { // transformAttributeName: false, oneListGroup: false, maxNestedTags: 100, - jPath: true // When true, callbacks receive string jPath; when false, receive Matcher instance + jPath: true, // When true, callbacks receive string jPath; when false, receive Matcher instance + sanitizeName: false // false = allow all names as-is (default, backward-compatible). + // Set to a function (name, { isAttribute, matcher }) => string to + // validate/sanitize tag and attribute names. Throw inside the function + // to reject an invalid name. }; function Builder(options) { @@ -215495,6 +217023,44 @@ function Builder(options) { } } +/** + * Detect XML version from the ?xml declaration at the root of a plain-object input. + * Checks both attributesGroupName and flat attribute forms. + * Returns '1.0' if no declaration is found. + */ +function detectXmlVersionFromObj(jObj, options) { + const decl = jObj['?xml']; + if (decl && typeof decl === 'object') { + // attributesGroupName path e.g. { '$$': { '@_version': '1.1' } } + if (options.attributesGroupName && decl[options.attributesGroupName]) { + const v = decl[options.attributesGroupName][options.attributeNamePrefix + 'version']; + if (v) return v; + } + // flat attribute path e.g. { '@_version': '1.1' } + const v = decl[options.attributeNamePrefix + 'version']; + if (v) return v; + } + return '1.0'; +} + +/** + * Resolve a tag or attribute name through sanitizeName if configured. + * Validation via xml-naming's qName is performed first; the sanitizeName + * callback is invoked only when the name is invalid. If sanitizeName is + * false (default), no validation occurs and the name is used as-is. + * + * @param {string} name - raw name from the JS object + * @param {boolean} isAttribute - true when resolving an attribute name + * @param {object} options + * @param {Matcher} matcher - current matcher state (readonly from callback perspective) + * @param {string} xmlVersion - '1.0' or '1.1', forwarded to xml-naming + */ +function fxb_resolveTagName(name, isAttribute, options, matcher, xmlVersion) { + if (!options.sanitizeName) return name; + if (qName(name, { xmlVersion })) return name; + return options.sanitizeName(name, { isAttribute, matcher: matcher.readOnly() }); +} + Builder.prototype.build = function (jObj) { if (this.options.preserveOrder) { return toXml(jObj, this.options); @@ -215506,11 +217072,12 @@ Builder.prototype.build = function (jObj) { } // Initialize matcher for path tracking const matcher = new Matcher(); - return this.j2x(jObj, 0, matcher).val; + const xmlVersion = detectXmlVersionFromObj(jObj, this.options); + return this.j2x(jObj, 0, matcher, xmlVersion).val; } }; -Builder.prototype.j2x = function (jObj, level, matcher) { +Builder.prototype.j2x = function (jObj, level, matcher, xmlVersion) { let attrStr = ''; let val = ''; if (this.options.maxNestedTags && matcher.getDepth() >= this.options.maxNestedTags) { @@ -215524,6 +217091,22 @@ Builder.prototype.j2x = function (jObj, level, matcher) { for (let key in jObj) { if (!Object.prototype.hasOwnProperty.call(jObj, key)) continue; + + // Resolve the key through sanitizeName before any use. + // Special keys (textNodeName, cdataPropName, commentPropName, attributeNamePrefix, + // attributesGroupName, "?" PI tags) are exempt — they are builder-internal conventions, + // not user-supplied XML names. + const isSpecialKey = key === this.options.textNodeName + || key === this.options.cdataPropName + || key === this.options.commentPropName + || (this.options.attributesGroupName && key === this.options.attributesGroupName) + || this.isAttribute(key) + || key[0] === '?'; + + const resolvedKey = isSpecialKey + ? key + : fxb_resolveTagName(key, false, this.options, matcher, xmlVersion); + if (typeof jObj[key] === 'undefined') { // supress undefined node only if it is not an attribute if (this.isAttribute(key)) { @@ -215533,21 +217116,22 @@ Builder.prototype.j2x = function (jObj, level, matcher) { // null attribute should be ignored by the attribute list, but should not cause the tag closing if (this.isAttribute(key)) { val += ''; - } else if (key === this.options.cdataPropName) { + } else if (resolvedKey === this.options.cdataPropName || resolvedKey === this.options.commentPropName) { val += ''; - } else if (key[0] === '?') { - val += this.indentate(level) + '<' + key + '?' + this.tagEndChar; + } else if (resolvedKey[0] === '?') { + val += this.indentate(level) + '<' + resolvedKey + '?' + this.tagEndChar; } else { - val += this.indentate(level) + '<' + key + '/' + this.tagEndChar; + val += this.indentate(level) + '<' + resolvedKey + '/' + this.tagEndChar; } - // val += this.indentate(level) + '<' + key + '/' + this.tagEndChar; } else if (jObj[key] instanceof Date) { - val += this.buildTextValNode(jObj[key], key, '', level, matcher); + val += this.buildTextValNode(jObj[key], resolvedKey, '', level, matcher); } else if (typeof jObj[key] !== 'object') { //premitive type const attr = this.isAttribute(key); if (attr && !this.ignoreAttributesFn(attr, jPath)) { - attrStr += this.buildAttrPairStr(attr, '' + jObj[key], isCurrentStopNode); + // Resolve the attribute name through sanitizeName + const resolvedAttr = fxb_resolveTagName(attr, true, this.options, matcher, xmlVersion); + attrStr += this.buildAttrPairStr(resolvedAttr, '' + jObj[key], isCurrentStopNode); } else if (!attr) { //tag value if (key === this.options.textNodeName) { @@ -215555,7 +217139,7 @@ Builder.prototype.j2x = function (jObj, level, matcher) { val += this.replaceEntitiesValue(newval); } else { // Check if this is a stopNode before building - matcher.push(key); + matcher.push(resolvedKey); const isStopNode = this.checkStopNode(matcher); matcher.pop(); @@ -215563,12 +217147,12 @@ Builder.prototype.j2x = function (jObj, level, matcher) { // Build as raw content without encoding const textValue = '' + jObj[key]; if (textValue === '') { - val += this.indentate(level) + '<' + key + this.closeTag(key) + this.tagEndChar; + val += this.indentate(level) + '<' + resolvedKey + this.closeTag(resolvedKey) + this.tagEndChar; } else { - val += this.indentate(level) + '<' + key + '>' + textValue + '' + textValue + '' + textValue + '' + textValue + '/g, ']]]]>'); + const safeVal = safeCdata(val); return this.indentate(level) + `` + this.newLine; } else if (this.options.commentPropName !== false && key === this.options.commentPropName) { - const safeVal = String(val) - .replace(/--/g, '- -') // -- is illegal anywhere in comment content - .replace(/-$/, '- '); // trailing - would form -- with the closing --> + const safeVal = safeComment(val); return this.indentate(level) + `` + this.newLine; } else if (key[0] === "?") {//PI tag return this.indentate(level) + '<' + key + attrStr + '?' + this.tagEndChar; @@ -216012,7 +217600,7 @@ const validator_defaultOptions = { }; //const tagsPattern = new RegExp("<\\/?([\\w:\\-_\.]+)\\s*\/?>","g"); -function validate(xmlData, options) { +function validator_validate(xmlData, options) { options = Object.assign({}, validator_defaultOptions, options); //xmlData = xmlData.replace(/(\r\n|\n|\r)/gm,"");//make it single line @@ -216436,7 +218024,7 @@ function getPositionFromMatch(match) { const XMLValidator = { - validate: validate + validate: validator_validate } ;// CONCATENATED MODULE: ./node_modules/fast-xml-parser/src/xmlparser/OptionsBuilder.js @@ -220211,7 +221799,7 @@ class XMLParser { if (validationOption) { if (validationOption === true) validationOption = {}; //validate with default options - const result = validate(xmlData, validationOption); + const result = validator_validate(xmlData, validationOption); if (result !== true) { throw Error(`${result.err.msg}:${result.err.line}:${result.err.col}`) } @@ -251907,21 +253495,21 @@ const isFile = kindOfTest('File'); * also have a `name` and `type` attribute to specify filename and content type * * @see https://github.com/facebook/react-native/blob/26684cf3adf4094eb6c405d345a75bf8c7c0bf88/Libraries/Network/FormData.js#L68-L71 - * + * * @param {*} value The value to test - * + * * @returns {boolean} True if value is a React Native Blob, otherwise false */ const isReactNativeBlob = (value) => { return !!(value && typeof value.uri !== 'undefined'); -} +}; /** * Determine if environment is React Native * ReactNative `FormData` has a non-standard `getParts()` method - * + * * @param {*} formData The formData to test - * + * * @returns {boolean} True if environment is React Native, otherwise false */ const utils_isReactNative = (formData) => formData && typeof formData.getParts !== 'undefined'; @@ -251940,7 +253528,7 @@ const utils_isBlob = kindOfTest('Blob'); * * @param {*} val The value to test * - * @returns {boolean} True if value is a File, otherwise false + * @returns {boolean} True if value is a FileList, otherwise false */ const isFileList = kindOfTest('FileList'); @@ -251972,15 +253560,17 @@ const G = getGlobal(); const FormDataCtor = typeof G.FormData !== 'undefined' ? G.FormData : undefined; const isFormData = (thing) => { - let kind; - return thing && ( - (FormDataCtor && thing instanceof FormDataCtor) || ( - isFunction(thing.append) && ( - (kind = kindOf(thing)) === 'formdata' || - // detect form-data instance - (kind === 'object' && isFunction(thing.toString) && thing.toString() === '[object FormData]') - ) - ) + if (!thing) return false; + if (FormDataCtor && thing instanceof FormDataCtor) return true; + // Reject plain objects inheriting directly from Object.prototype so prototype-pollution gadgets can't spoof FormData. + const proto = getPrototypeOf(thing); + if (!proto || proto === Object.prototype) return false; + if (!isFunction(thing.append)) return false; + const kind = kindOf(thing); + return ( + kind === 'formdata' || + // detect form-data instance + (kind === 'object' && isFunction(thing.toString) && thing.toString() === '[object FormData]') ); }; @@ -252116,7 +253706,7 @@ const isContextDefined = (context) => !isUndefined(context) && context !== _glob * * @returns {Object} Result of all merge properties */ -function merge(/* obj1, obj2, obj3, ... */) { +function merge(...objs) { const { caseless, skipUndefined } = (isContextDefined(this) && this) || {}; const result = {}; const assignValue = (val, key) => { @@ -252126,8 +253716,12 @@ function merge(/* obj1, obj2, obj3, ... */) { } const targetKey = (caseless && findKey(result, key)) || key; - if (isPlainObject(result[targetKey]) && isPlainObject(val)) { - result[targetKey] = merge(result[targetKey], val); + // Read via own-prop only — a bare `result[targetKey]` walks the prototype + // chain, so a polluted Object.prototype value could surface here and get + // copied into the merged result. + const existing = utils_hasOwnProperty(result, targetKey) ? result[targetKey] : undefined; + if (isPlainObject(existing) && isPlainObject(val)) { + result[targetKey] = merge(existing, val); } else if (isPlainObject(val)) { result[targetKey] = merge({}, val); } else if (isArray(val)) { @@ -252137,8 +253731,8 @@ function merge(/* obj1, obj2, obj3, ... */) { } }; - for (let i = 0, l = arguments.length; i < l; i++) { - arguments[i] && forEach(arguments[i], assignValue); + for (let i = 0, l = objs.length; i < l; i++) { + objs[i] && forEach(objs[i], assignValue); } return result; } @@ -252160,6 +253754,9 @@ const utils_extend = (a, b, thisArg, { allOwnKeys } = {}) => { (val, key) => { if (thisArg && isFunction(val)) { Object.defineProperty(a, key, { + // Null-proto descriptor so a polluted Object.prototype.get cannot + // hijack defineProperty's accessor-vs-data resolution. + __proto__: null, value: bind(val, thisArg), writable: true, enumerable: true, @@ -252167,6 +253764,7 @@ const utils_extend = (a, b, thisArg, { allOwnKeys } = {}) => { }); } else { Object.defineProperty(a, key, { + __proto__: null, value: val, writable: true, enumerable: true, @@ -252205,12 +253803,14 @@ const stripBOM = (content) => { const inherits = (constructor, superConstructor, props, descriptors) => { constructor.prototype = Object.create(superConstructor.prototype, descriptors); Object.defineProperty(constructor.prototype, 'constructor', { + __proto__: null, value: constructor, writable: true, enumerable: false, configurable: true, }); Object.defineProperty(constructor, 'super', { + __proto__: null, value: superConstructor.prototype, }); props && Object.assign(constructor.prototype, props); @@ -252392,7 +253992,7 @@ const reduceDescriptors = (obj, reducer) => { const freezeMethods = (obj) => { reduceDescriptors(obj, (descriptor, name) => { // skip restricted props in strict mode - if (isFunction(obj) && ['arguments', 'caller', 'callee'].indexOf(name) !== -1) { + if (isFunction(obj) && ['arguments', 'caller', 'callee'].includes(name)) { return false; } @@ -252466,11 +254066,11 @@ function isSpecCompliantForm(thing) { * @returns {Object} The JSON-compatible object. */ const toJSONObject = (obj) => { - const stack = new Array(10); + const visited = new WeakSet(); - const visit = (source, i) => { + const visit = (source) => { if (utils_isObject(source)) { - if (stack.indexOf(source) >= 0) { + if (visited.has(source)) { return; } @@ -252480,15 +254080,16 @@ const toJSONObject = (obj) => { } if (!('toJSON' in source)) { - stack[i] = source; + // add-on descent / delete-on-ascent: preserves path semantics, so DAG nodes serialise at every occurrence (see #7230). + visited.add(source); const target = isArray(source) ? [] : {}; forEach(source, (value, key) => { - const reducedValue = visit(value, i + 1); + const reducedValue = visit(value); !isUndefined(reducedValue) && (target[key] = reducedValue); }); - stack[i] = undefined; + visited.delete(source); return target; } @@ -252497,7 +254098,7 @@ const toJSONObject = (obj) => { return source; }; - return visit(obj, 0); + return visit(obj); }; /** @@ -252633,11 +254234,564 @@ const isIterable = (thing) => thing != null && isFunction(thing[iterator]); isIterable, }); +;// CONCATENATED MODULE: ./node_modules/axios/lib/helpers/parseHeaders.js + + + + +// RawAxiosHeaders whose duplicates are ignored by node +// c.f. https://nodejs.org/api/http.html#http_message_headers +const ignoreDuplicateOf = utils.toObjectSet([ + 'age', + 'authorization', + 'content-length', + 'content-type', + 'etag', + 'expires', + 'from', + 'host', + 'if-modified-since', + 'if-unmodified-since', + 'last-modified', + 'location', + 'max-forwards', + 'proxy-authorization', + 'referer', + 'retry-after', + 'user-agent', +]); + +/** + * Parse headers into an object + * + * ``` + * Date: Wed, 27 Aug 2014 08:58:49 GMT + * Content-Type: application/json + * Connection: keep-alive + * Transfer-Encoding: chunked + * ``` + * + * @param {String} rawHeaders Headers needing to be parsed + * + * @returns {Object} Headers parsed into an object + */ +/* harmony default export */ const parseHeaders = ((rawHeaders) => { + const parsed = {}; + let key; + let val; + let i; + + rawHeaders && + rawHeaders.split('\n').forEach(function parser(line) { + i = line.indexOf(':'); + key = line.substring(0, i).trim().toLowerCase(); + val = line.substring(i + 1).trim(); + + if (!key || (parsed[key] && ignoreDuplicateOf[key])) { + return; + } + + if (key === 'set-cookie') { + if (parsed[key]) { + parsed[key].push(val); + } else { + parsed[key] = [val]; + } + } else { + parsed[key] = parsed[key] ? parsed[key] + ', ' + val : val; + } + }); + + return parsed; +}); + +;// CONCATENATED MODULE: ./node_modules/axios/lib/helpers/sanitizeHeaderValue.js + + + + +function trimSPorHTAB(str) { + let start = 0; + let end = str.length; + + while (start < end) { + const code = str.charCodeAt(start); + + if (code !== 0x09 && code !== 0x20) { + break; + } + + start += 1; + } + + while (end > start) { + const code = str.charCodeAt(end - 1); + + if (code !== 0x09 && code !== 0x20) { + break; + } + + end -= 1; + } + + return start === 0 && end === str.length ? str : str.slice(start, end); +} + +// The control-code ranges are intentional: header sanitization strips C0/DEL bytes. +// eslint-disable-next-line no-control-regex +const INVALID_UNICODE_HEADER_VALUE_CHARS = new RegExp('[\\u0000-\\u0008\\u000a-\\u001f\\u007f]+', 'g'); +// eslint-disable-next-line no-control-regex +const INVALID_BYTE_STRING_HEADER_VALUE_CHARS = new RegExp('[^\\u0009\\u0020-\\u007e\\u0080-\\u00ff]+', 'g'); + +function sanitizeValue(value, invalidChars) { + if (utils.isArray(value)) { + return value.map((item) => sanitizeValue(item, invalidChars)); + } + + return trimSPorHTAB(String(value).replace(invalidChars, '')); +} + +const sanitizeHeaderValue = (value) => + sanitizeValue(value, INVALID_UNICODE_HEADER_VALUE_CHARS); + +const sanitizeByteStringHeaderValue = (value) => + sanitizeValue(value, INVALID_BYTE_STRING_HEADER_VALUE_CHARS); + +function toByteStringHeaderObject(headers) { + const byteStringHeaders = Object.create(null); + + utils.forEach(headers.toJSON(), (value, header) => { + byteStringHeaders[header] = sanitizeByteStringHeaderValue(value); + }); + + return byteStringHeaders; +} + +;// CONCATENATED MODULE: ./node_modules/axios/lib/core/AxiosHeaders.js + + + + + + +const $internals = Symbol('internals'); + +function normalizeHeader(header) { + return header && String(header).trim().toLowerCase(); +} + +function normalizeValue(value) { + if (value === false || value == null) { + return value; + } + + return utils.isArray(value) ? value.map(normalizeValue) : sanitizeHeaderValue(String(value)); +} + +function parseTokens(str) { + const tokens = Object.create(null); + const tokensRE = /([^\s,;=]+)\s*(?:=\s*([^,;]+))?/g; + let match; + + while ((match = tokensRE.exec(str))) { + tokens[match[1]] = match[2]; + } + + return tokens; +} + +const isValidHeaderName = (str) => /^[-_a-zA-Z0-9^`|~,!#$%&'*+.]+$/.test(str.trim()); + +function matchHeaderValue(context, value, header, filter, isHeaderNameFilter) { + if (utils.isFunction(filter)) { + return filter.call(this, value, header); + } + + if (isHeaderNameFilter) { + value = header; + } + + if (!utils.isString(value)) return; + + if (utils.isString(filter)) { + return value.indexOf(filter) !== -1; + } + + if (utils.isRegExp(filter)) { + return filter.test(value); + } +} + +function formatHeader(header) { + return header + .trim() + .toLowerCase() + .replace(/([a-z\d])(\w*)/g, (w, char, str) => { + return char.toUpperCase() + str; + }); +} + +function buildAccessors(obj, header) { + const accessorName = utils.toCamelCase(' ' + header); + + ['get', 'set', 'has'].forEach((methodName) => { + Object.defineProperty(obj, methodName + accessorName, { + // Null-proto descriptor so a polluted Object.prototype.get cannot turn + // this data descriptor into an accessor descriptor on the way in. + __proto__: null, + value: function (arg1, arg2, arg3) { + return this[methodName].call(this, header, arg1, arg2, arg3); + }, + configurable: true, + }); + }); +} + +class AxiosHeaders { + constructor(headers) { + headers && this.set(headers); + } + + set(header, valueOrRewrite, rewrite) { + const self = this; + + function setHeader(_value, _header, _rewrite) { + const lHeader = normalizeHeader(_header); + + if (!lHeader) { + throw new Error('header name must be a non-empty string'); + } + + const key = utils.findKey(self, lHeader); + + if ( + !key || + self[key] === undefined || + _rewrite === true || + (_rewrite === undefined && self[key] !== false) + ) { + self[key || _header] = normalizeValue(_value); + } + } + + const setHeaders = (headers, _rewrite) => + utils.forEach(headers, (_value, _header) => setHeader(_value, _header, _rewrite)); + + if (utils.isPlainObject(header) || header instanceof this.constructor) { + setHeaders(header, valueOrRewrite); + } else if (utils.isString(header) && (header = header.trim()) && !isValidHeaderName(header)) { + setHeaders(parseHeaders(header), valueOrRewrite); + } else if (utils.isObject(header) && utils.isIterable(header)) { + let obj = {}, + dest, + key; + for (const entry of header) { + if (!utils.isArray(entry)) { + throw TypeError('Object iterator must return a key-value pair'); + } + + obj[(key = entry[0])] = (dest = obj[key]) + ? utils.isArray(dest) + ? [...dest, entry[1]] + : [dest, entry[1]] + : entry[1]; + } + + setHeaders(obj, valueOrRewrite); + } else { + header != null && setHeader(valueOrRewrite, header, rewrite); + } + + return this; + } + + get(header, parser) { + header = normalizeHeader(header); + + if (header) { + const key = utils.findKey(this, header); + + if (key) { + const value = this[key]; + + if (!parser) { + return value; + } + + if (parser === true) { + return parseTokens(value); + } + + if (utils.isFunction(parser)) { + return parser.call(this, value, key); + } + + if (utils.isRegExp(parser)) { + return parser.exec(value); + } + + throw new TypeError('parser must be boolean|regexp|function'); + } + } + } + + has(header, matcher) { + header = normalizeHeader(header); + + if (header) { + const key = utils.findKey(this, header); + + return !!( + key && + this[key] !== undefined && + (!matcher || matchHeaderValue(this, this[key], key, matcher)) + ); + } + + return false; + } + + delete(header, matcher) { + const self = this; + let deleted = false; + + function deleteHeader(_header) { + _header = normalizeHeader(_header); + + if (_header) { + const key = utils.findKey(self, _header); + + if (key && (!matcher || matchHeaderValue(self, self[key], key, matcher))) { + delete self[key]; + + deleted = true; + } + } + } + + if (utils.isArray(header)) { + header.forEach(deleteHeader); + } else { + deleteHeader(header); + } + + return deleted; + } + + clear(matcher) { + const keys = Object.keys(this); + let i = keys.length; + let deleted = false; + + while (i--) { + const key = keys[i]; + if (!matcher || matchHeaderValue(this, this[key], key, matcher, true)) { + delete this[key]; + deleted = true; + } + } + + return deleted; + } + + normalize(format) { + const self = this; + const headers = {}; + + utils.forEach(this, (value, header) => { + const key = utils.findKey(headers, header); + + if (key) { + self[key] = normalizeValue(value); + delete self[header]; + return; + } + + const normalized = format ? formatHeader(header) : String(header).trim(); + + if (normalized !== header) { + delete self[header]; + } + + self[normalized] = normalizeValue(value); + + headers[normalized] = true; + }); + + return this; + } + + concat(...targets) { + return this.constructor.concat(this, ...targets); + } + + toJSON(asStrings) { + const obj = Object.create(null); + + utils.forEach(this, (value, header) => { + value != null && + value !== false && + (obj[header] = asStrings && utils.isArray(value) ? value.join(', ') : value); + }); + + return obj; + } + + [Symbol.iterator]() { + return Object.entries(this.toJSON())[Symbol.iterator](); + } + + toString() { + return Object.entries(this.toJSON()) + .map(([header, value]) => header + ': ' + value) + .join('\n'); + } + + getSetCookie() { + return this.get('set-cookie') || []; + } + + get [Symbol.toStringTag]() { + return 'AxiosHeaders'; + } + + static from(thing) { + return thing instanceof this ? thing : new this(thing); + } + + static concat(first, ...targets) { + const computed = new this(first); + + targets.forEach((target) => computed.set(target)); + + return computed; + } + + static accessor(header) { + const internals = + (this[$internals] = + this[$internals] = + { + accessors: {}, + }); + + const accessors = internals.accessors; + const prototype = this.prototype; + + function defineAccessor(_header) { + const lHeader = normalizeHeader(_header); + + if (!accessors[lHeader]) { + buildAccessors(prototype, _header); + accessors[lHeader] = true; + } + } + + utils.isArray(header) ? header.forEach(defineAccessor) : defineAccessor(header); + + return this; + } +} + +AxiosHeaders.accessor([ + 'Content-Type', + 'Content-Length', + 'Accept', + 'Accept-Encoding', + 'User-Agent', + 'Authorization', +]); + +// reserved names hotfix +utils.reduceDescriptors(AxiosHeaders.prototype, ({ value }, key) => { + let mapped = key[0].toUpperCase() + key.slice(1); // map `set` => `Set` + return { + get: () => value, + set(headerValue) { + this[mapped] = headerValue; + }, + }; +}); + +utils.freezeMethods(AxiosHeaders); + +/* harmony default export */ const core_AxiosHeaders = (AxiosHeaders); + ;// CONCATENATED MODULE: ./node_modules/axios/lib/core/AxiosError.js + +const REDACTED = '[REDACTED ****]'; + +function hasOwnOrPrototypeToJSON(source) { + if (utils.hasOwnProp(source, 'toJSON')) { + return true; + } + + let prototype = Object.getPrototypeOf(source); + + while (prototype && prototype !== Object.prototype) { + if (utils.hasOwnProp(prototype, 'toJSON')) { + return true; + } + + prototype = Object.getPrototypeOf(prototype); + } + + return false; +} + +// Build a plain-object snapshot of `config` and replace the value of any key +// (case-insensitive) listed in `redactKeys` with REDACTED. Walks through arrays +// and AxiosHeaders, and short-circuits on circular references. +function redactConfig(config, redactKeys) { + const lowerKeys = new Set(redactKeys.map((k) => String(k).toLowerCase())); + const seen = []; + + const visit = (source) => { + if (source === null || typeof source !== 'object') return source; + if (utils.isBuffer(source)) return source; + if (seen.indexOf(source) !== -1) return undefined; + + if (source instanceof core_AxiosHeaders) { + source = source.toJSON(); + } + + seen.push(source); + + let result; + if (utils.isArray(source)) { + result = []; + source.forEach((v, i) => { + const reducedValue = visit(v); + if (!utils.isUndefined(reducedValue)) { + result[i] = reducedValue; + } + }); + } else { + if (!utils.isPlainObject(source) && hasOwnOrPrototypeToJSON(source)) { + seen.pop(); + return source; + } + + result = Object.create(null); + for (const [key, value] of Object.entries(source)) { + const reducedValue = lowerKeys.has(key.toLowerCase()) ? REDACTED : visit(value); + if (!utils.isUndefined(reducedValue)) { + result[key] = reducedValue; + } + } + } + + seen.pop(); + return result; + }; + + return visit(config); +} + class AxiosError extends Error { static from(error, code, config, request, response, customProps) { const axiosError = new AxiosError(error.message, code || error.code, config, request, response); @@ -252653,42 +254807,56 @@ class AxiosError extends Error { return axiosError; } - /** - * Create an Error with the specified message, config, error code, request and response. - * - * @param {string} message The error message. - * @param {string} [code] The error code (for example, 'ECONNABORTED'). - * @param {Object} [config] The config. - * @param {Object} [request] The request. - * @param {Object} [response] The response. - * - * @returns {Error} The created error. - */ - constructor(message, code, config, request, response) { - super(message); - - // Make message enumerable to maintain backward compatibility - // The native Error constructor sets message as non-enumerable, - // but axios < v1.13.3 had it as enumerable - Object.defineProperty(this, 'message', { - value: message, - enumerable: true, - writable: true, - configurable: true - }); - - this.name = 'AxiosError'; - this.isAxiosError = true; - code && (this.code = code); - config && (this.config = config); - request && (this.request = request); - if (response) { - this.response = response; - this.status = response.status; - } + /** + * Create an Error with the specified message, config, error code, request and response. + * + * @param {string} message The error message. + * @param {string} [code] The error code (for example, 'ECONNABORTED'). + * @param {Object} [config] The config. + * @param {Object} [request] The request. + * @param {Object} [response] The response. + * + * @returns {Error} The created error. + */ + constructor(message, code, config, request, response) { + super(message); + + // Make message enumerable to maintain backward compatibility + // The native Error constructor sets message as non-enumerable, + // but axios < v1.13.3 had it as enumerable + Object.defineProperty(this, 'message', { + // Null-proto descriptor so a polluted Object.prototype.get cannot turn + // this data descriptor into an accessor descriptor on the way in. + __proto__: null, + value: message, + enumerable: true, + writable: true, + configurable: true, + }); + + this.name = 'AxiosError'; + this.isAxiosError = true; + code && (this.code = code); + config && (this.config = config); + request && (this.request = request); + if (response) { + this.response = response; + this.status = response.status; } + } toJSON() { + // Opt-in redaction: when the request config carries a `redact` array, the + // value of any matching key (case-insensitive, at any depth) is replaced + // with REDACTED in the serialized snapshot. Undefined or empty leaves the + // existing serialization behavior unchanged. + const config = this.config; + const redactKeys = config && utils.hasOwnProp(config, 'redact') ? config.redact : undefined; + const serializedConfig = + utils.isArray(redactKeys) && redactKeys.length > 0 + ? redactConfig(config, redactKeys) + : utils.toJSONObject(config); + return { // Standard message: this.message, @@ -252702,7 +254870,7 @@ class AxiosError extends Error { columnNumber: this.columnNumber, stack: this.stack, // Axios - config: utils.toJSONObject(this.config), + config: serializedConfig, code: this.code, status: this.status, }; @@ -252714,6 +254882,7 @@ AxiosError.ERR_BAD_OPTION_VALUE = 'ERR_BAD_OPTION_VALUE'; AxiosError.ERR_BAD_OPTION = 'ERR_BAD_OPTION'; AxiosError.ECONNABORTED = 'ECONNABORTED'; AxiosError.ETIMEDOUT = 'ETIMEDOUT'; +AxiosError.ECONNREFUSED = 'ECONNREFUSED'; AxiosError.ERR_NETWORK = 'ERR_NETWORK'; AxiosError.ERR_FR_TOO_MANY_REDIRECTS = 'ERR_FR_TOO_MANY_REDIRECTS'; AxiosError.ERR_DEPRECATED = 'ERR_DEPRECATED'; @@ -252722,6 +254891,7 @@ AxiosError.ERR_BAD_REQUEST = 'ERR_BAD_REQUEST'; AxiosError.ERR_CANCELED = 'ERR_CANCELED'; AxiosError.ERR_NOT_SUPPORT = 'ERR_NOT_SUPPORT'; AxiosError.ERR_INVALID_URL = 'ERR_INVALID_URL'; +AxiosError.ERR_FORM_DATA_DEPTH_EXCEEDED = 'ERR_FORM_DATA_DEPTH_EXCEEDED'; /* harmony default export */ const core_AxiosError = (AxiosError); @@ -252850,6 +255020,7 @@ function toFormData(obj, formData, options) { const dots = options.dots; const indexes = options.indexes; const _Blob = options.Blob || (typeof Blob !== 'undefined' && Blob); + const maxDepth = options.maxDepth === undefined ? 100 : options.maxDepth; const useBlob = _Blob && utils.isSpecCompliantForm(formData); if (!utils.isFunction(visitor)) { @@ -252942,9 +255113,16 @@ function toFormData(obj, formData, options) { isVisitable, }); - function build(value, path) { + function build(value, path, depth = 0) { if (utils.isUndefined(value)) return; + if (depth > maxDepth) { + throw new core_AxiosError( + 'Object is too deeply nested (' + depth + ' levels). Max depth: ' + maxDepth, + core_AxiosError.ERR_FORM_DATA_DEPTH_EXCEEDED + ); + } + if (stack.indexOf(value) !== -1) { throw Error('Circular reference detected in ' + path.join('.')); } @@ -252957,7 +255135,7 @@ function toFormData(obj, formData, options) { visitor.call(formData, el, utils.isString(key) ? key.trim() : key, path, exposedHelpers); if (result === true) { - build(el, path ? path.concat(key) : [key]); + build(el, path ? path.concat(key) : [key], depth + 1); } }); @@ -252996,9 +255174,8 @@ function encode(str) { ')': '%29', '~': '%7E', '%20': '+', - '%00': '\x00', }; - return encodeURIComponent(str).replace(/[!'()~]|%20|%00/g, function replacer(match) { + return encodeURIComponent(str).replace(/[!'()~]|%20/g, function replacer(match) { return charMap[match]; }); } @@ -253375,7 +255552,9 @@ function formDataToJSON(formData) { if (isLast) { if (utils.hasOwnProp(target, name)) { - target[name] = [target[name], value]; + target[name] = utils.isArray(target[name]) + ? target[name].concat(value) + : [target[name], value]; } else { target[name] = value; } @@ -253383,7 +255562,7 @@ function formDataToJSON(formData) { return !isNumericKey; } - if (!target[name] || !utils.isObject(target[name])) { + if (!utils.hasOwnProp(target, name) || !utils.isObject(target[name])) { target[name] = []; } @@ -253422,6 +255601,8 @@ function formDataToJSON(formData) { +const own = (obj, key) => (obj != null && utils.hasOwnProp(obj, key) ? obj[key] : undefined); + /** * It takes a string, tries to parse it, and if it fails, it returns the stringified version * of the input @@ -253489,20 +255670,22 @@ const defaults = { let isFileList; if (isObjectPayload) { + const formSerializer = own(this, 'formSerializer'); if (contentType.indexOf('application/x-www-form-urlencoded') > -1) { - return toURLEncodedForm(data, this.formSerializer).toString(); + return toURLEncodedForm(data, formSerializer).toString(); } if ( (isFileList = utils.isFileList(data)) || contentType.indexOf('multipart/form-data') > -1 ) { - const _FormData = this.env && this.env.FormData; + const env = own(this, 'env'); + const _FormData = env && env.FormData; return helpers_toFormData( isFileList ? { 'files[]': data } : data, _FormData && new _FormData(), - this.formSerializer + formSerializer ); } } @@ -253518,9 +255701,10 @@ const defaults = { transformResponse: [ function transformResponse(data) { - const transitional = this.transitional || defaults.transitional; + const transitional = own(this, 'transitional') || defaults.transitional; const forcedJSONParsing = transitional && transitional.forcedJSONParsing; - const JSONRequested = this.responseType === 'json'; + const responseType = own(this, 'responseType'); + const JSONRequested = responseType === 'json'; if (utils.isResponse(data) || utils.isReadableStream(data)) { return data; @@ -253529,17 +255713,17 @@ const defaults = { if ( data && utils.isString(data) && - ((forcedJSONParsing && !this.responseType) || JSONRequested) + ((forcedJSONParsing && !responseType) || JSONRequested) ) { const silentJSONParsing = transitional && transitional.silentJSONParsing; const strictJSONParsing = !silentJSONParsing && JSONRequested; try { - return JSON.parse(data, this.parseReviver); + return JSON.parse(data, own(this, 'parseReviver')); } catch (e) { if (strictJSONParsing) { if (e.name === 'SyntaxError') { - throw core_AxiosError.from(e, core_AxiosError.ERR_BAD_RESPONSE, this, null, this.response); + throw core_AxiosError.from(e, core_AxiosError.ERR_BAD_RESPONSE, this, null, own(this, 'response')); } throw e; } @@ -253579,463 +255763,12 @@ const defaults = { }, }; -utils.forEach(['delete', 'get', 'head', 'post', 'put', 'patch'], (method) => { +utils.forEach(['delete', 'get', 'head', 'post', 'put', 'patch', 'query'], (method) => { defaults.headers[method] = {}; }); /* harmony default export */ const lib_defaults = (defaults); -;// CONCATENATED MODULE: ./node_modules/axios/lib/helpers/parseHeaders.js - - - - -// RawAxiosHeaders whose duplicates are ignored by node -// c.f. https://nodejs.org/api/http.html#http_message_headers -const ignoreDuplicateOf = utils.toObjectSet([ - 'age', - 'authorization', - 'content-length', - 'content-type', - 'etag', - 'expires', - 'from', - 'host', - 'if-modified-since', - 'if-unmodified-since', - 'last-modified', - 'location', - 'max-forwards', - 'proxy-authorization', - 'referer', - 'retry-after', - 'user-agent', -]); - -/** - * Parse headers into an object - * - * ``` - * Date: Wed, 27 Aug 2014 08:58:49 GMT - * Content-Type: application/json - * Connection: keep-alive - * Transfer-Encoding: chunked - * ``` - * - * @param {String} rawHeaders Headers needing to be parsed - * - * @returns {Object} Headers parsed into an object - */ -/* harmony default export */ const parseHeaders = ((rawHeaders) => { - const parsed = {}; - let key; - let val; - let i; - - rawHeaders && - rawHeaders.split('\n').forEach(function parser(line) { - i = line.indexOf(':'); - key = line.substring(0, i).trim().toLowerCase(); - val = line.substring(i + 1).trim(); - - if (!key || (parsed[key] && ignoreDuplicateOf[key])) { - return; - } - - if (key === 'set-cookie') { - if (parsed[key]) { - parsed[key].push(val); - } else { - parsed[key] = [val]; - } - } else { - parsed[key] = parsed[key] ? parsed[key] + ', ' + val : val; - } - }); - - return parsed; -}); - -;// CONCATENATED MODULE: ./node_modules/axios/lib/core/AxiosHeaders.js - - - - - -const $internals = Symbol('internals'); - -const isValidHeaderValue = (value) => !/[\r\n]/.test(value); - -function assertValidHeaderValue(value, header) { - if (value === false || value == null) { - return; - } - - if (utils.isArray(value)) { - value.forEach((v) => assertValidHeaderValue(v, header)); - return; - } - - if (!isValidHeaderValue(String(value))) { - throw new Error(`Invalid character in header content ["${header}"]`); - } -} - -function normalizeHeader(header) { - return header && String(header).trim().toLowerCase(); -} - -function stripTrailingCRLF(str) { - let end = str.length; - - while (end > 0) { - const charCode = str.charCodeAt(end - 1); - - if (charCode !== 10 && charCode !== 13) { - break; - } - - end -= 1; - } - - return end === str.length ? str : str.slice(0, end); -} - -function normalizeValue(value) { - if (value === false || value == null) { - return value; - } - - return utils.isArray(value) ? value.map(normalizeValue) : stripTrailingCRLF(String(value)); -} - -function parseTokens(str) { - const tokens = Object.create(null); - const tokensRE = /([^\s,;=]+)\s*(?:=\s*([^,;]+))?/g; - let match; - - while ((match = tokensRE.exec(str))) { - tokens[match[1]] = match[2]; - } - - return tokens; -} - -const isValidHeaderName = (str) => /^[-_a-zA-Z0-9^`|~,!#$%&'*+.]+$/.test(str.trim()); - -function matchHeaderValue(context, value, header, filter, isHeaderNameFilter) { - if (utils.isFunction(filter)) { - return filter.call(this, value, header); - } - - if (isHeaderNameFilter) { - value = header; - } - - if (!utils.isString(value)) return; - - if (utils.isString(filter)) { - return value.indexOf(filter) !== -1; - } - - if (utils.isRegExp(filter)) { - return filter.test(value); - } -} - -function formatHeader(header) { - return header - .trim() - .toLowerCase() - .replace(/([a-z\d])(\w*)/g, (w, char, str) => { - return char.toUpperCase() + str; - }); -} - -function buildAccessors(obj, header) { - const accessorName = utils.toCamelCase(' ' + header); - - ['get', 'set', 'has'].forEach((methodName) => { - Object.defineProperty(obj, methodName + accessorName, { - value: function (arg1, arg2, arg3) { - return this[methodName].call(this, header, arg1, arg2, arg3); - }, - configurable: true, - }); - }); -} - -class AxiosHeaders { - constructor(headers) { - headers && this.set(headers); - } - - set(header, valueOrRewrite, rewrite) { - const self = this; - - function setHeader(_value, _header, _rewrite) { - const lHeader = normalizeHeader(_header); - - if (!lHeader) { - throw new Error('header name must be a non-empty string'); - } - - const key = utils.findKey(self, lHeader); - - if ( - !key || - self[key] === undefined || - _rewrite === true || - (_rewrite === undefined && self[key] !== false) - ) { - assertValidHeaderValue(_value, _header); - self[key || _header] = normalizeValue(_value); - } - } - - const setHeaders = (headers, _rewrite) => - utils.forEach(headers, (_value, _header) => setHeader(_value, _header, _rewrite)); - - if (utils.isPlainObject(header) || header instanceof this.constructor) { - setHeaders(header, valueOrRewrite); - } else if (utils.isString(header) && (header = header.trim()) && !isValidHeaderName(header)) { - setHeaders(parseHeaders(header), valueOrRewrite); - } else if (utils.isObject(header) && utils.isIterable(header)) { - let obj = {}, - dest, - key; - for (const entry of header) { - if (!utils.isArray(entry)) { - throw TypeError('Object iterator must return a key-value pair'); - } - - obj[(key = entry[0])] = (dest = obj[key]) - ? utils.isArray(dest) - ? [...dest, entry[1]] - : [dest, entry[1]] - : entry[1]; - } - - setHeaders(obj, valueOrRewrite); - } else { - header != null && setHeader(valueOrRewrite, header, rewrite); - } - - return this; - } - - get(header, parser) { - header = normalizeHeader(header); - - if (header) { - const key = utils.findKey(this, header); - - if (key) { - const value = this[key]; - - if (!parser) { - return value; - } - - if (parser === true) { - return parseTokens(value); - } - - if (utils.isFunction(parser)) { - return parser.call(this, value, key); - } - - if (utils.isRegExp(parser)) { - return parser.exec(value); - } - - throw new TypeError('parser must be boolean|regexp|function'); - } - } - } - - has(header, matcher) { - header = normalizeHeader(header); - - if (header) { - const key = utils.findKey(this, header); - - return !!( - key && - this[key] !== undefined && - (!matcher || matchHeaderValue(this, this[key], key, matcher)) - ); - } - - return false; - } - - delete(header, matcher) { - const self = this; - let deleted = false; - - function deleteHeader(_header) { - _header = normalizeHeader(_header); - - if (_header) { - const key = utils.findKey(self, _header); - - if (key && (!matcher || matchHeaderValue(self, self[key], key, matcher))) { - delete self[key]; - - deleted = true; - } - } - } - - if (utils.isArray(header)) { - header.forEach(deleteHeader); - } else { - deleteHeader(header); - } - - return deleted; - } - - clear(matcher) { - const keys = Object.keys(this); - let i = keys.length; - let deleted = false; - - while (i--) { - const key = keys[i]; - if (!matcher || matchHeaderValue(this, this[key], key, matcher, true)) { - delete this[key]; - deleted = true; - } - } - - return deleted; - } - - normalize(format) { - const self = this; - const headers = {}; - - utils.forEach(this, (value, header) => { - const key = utils.findKey(headers, header); - - if (key) { - self[key] = normalizeValue(value); - delete self[header]; - return; - } - - const normalized = format ? formatHeader(header) : String(header).trim(); - - if (normalized !== header) { - delete self[header]; - } - - self[normalized] = normalizeValue(value); - - headers[normalized] = true; - }); - - return this; - } - - concat(...targets) { - return this.constructor.concat(this, ...targets); - } - - toJSON(asStrings) { - const obj = Object.create(null); - - utils.forEach(this, (value, header) => { - value != null && - value !== false && - (obj[header] = asStrings && utils.isArray(value) ? value.join(', ') : value); - }); - - return obj; - } - - [Symbol.iterator]() { - return Object.entries(this.toJSON())[Symbol.iterator](); - } - - toString() { - return Object.entries(this.toJSON()) - .map(([header, value]) => header + ': ' + value) - .join('\n'); - } - - getSetCookie() { - return this.get('set-cookie') || []; - } - - get [Symbol.toStringTag]() { - return 'AxiosHeaders'; - } - - static from(thing) { - return thing instanceof this ? thing : new this(thing); - } - - static concat(first, ...targets) { - const computed = new this(first); - - targets.forEach((target) => computed.set(target)); - - return computed; - } - - static accessor(header) { - const internals = - (this[$internals] = - this[$internals] = - { - accessors: {}, - }); - - const accessors = internals.accessors; - const prototype = this.prototype; - - function defineAccessor(_header) { - const lHeader = normalizeHeader(_header); - - if (!accessors[lHeader]) { - buildAccessors(prototype, _header); - accessors[lHeader] = true; - } - } - - utils.isArray(header) ? header.forEach(defineAccessor) : defineAccessor(header); - - return this; - } -} - -AxiosHeaders.accessor([ - 'Content-Type', - 'Content-Length', - 'Accept', - 'Accept-Encoding', - 'User-Agent', - 'Authorization', -]); - -// reserved names hotfix -utils.reduceDescriptors(AxiosHeaders.prototype, ({ value }, key) => { - let mapped = key[0].toUpperCase() + key.slice(1); // map `set` => `Set` - return { - get: () => value, - set(headerValue) { - this[mapped] = headerValue; - }, - }; -}); - -utils.freezeMethods(AxiosHeaders); - -/* harmony default export */ const core_AxiosHeaders = (AxiosHeaders); - ;// CONCATENATED MODULE: ./node_modules/axios/lib/core/transformData.js @@ -254116,17 +255849,13 @@ function settle(resolve, reject, response) { if (!response.status || !validateStatus || validateStatus(response.status)) { resolve(response); } else { - reject( - new core_AxiosError( - 'Request failed with status code ' + response.status, - [core_AxiosError.ERR_BAD_REQUEST, core_AxiosError.ERR_BAD_RESPONSE][ - Math.floor(response.status / 100) - 4 - ], - response.config, - response.request, - response - ) - ); + reject(new core_AxiosError( + 'Request failed with status code ' + response.status, + response.status >= 400 && response.status < 500 ? core_AxiosError.ERR_BAD_REQUEST : core_AxiosError.ERR_BAD_RESPONSE, + response.config, + response.request, + response + )); } } @@ -254186,7 +255915,7 @@ function combineURLs(baseURL, relativeURL) { */ function buildFullPath(baseURL, requestedURL, allowAbsoluteUrls) { let isRelativeUrl = !isAbsoluteURL(requestedURL); - if (baseURL && (isRelativeUrl || allowAbsoluteUrls == false)) { + if (baseURL && (isRelativeUrl || allowAbsoluteUrls === false)) { return combineURLs(baseURL, requestedURL); } return requestedURL; @@ -254297,6 +256026,8 @@ function getEnv(key) { return process.env[key.toLowerCase()] || process.env[key.toUpperCase()] || ''; } +// EXTERNAL MODULE: ./node_modules/axios/node_modules/https-proxy-agent/dist/index.js +var node_modules_https_proxy_agent_dist = __nccwpck_require__(28414); // EXTERNAL MODULE: external "http2" var external_http2_ = __nccwpck_require__(85158); // EXTERNAL MODULE: ./node_modules/follow-redirects/index.js @@ -254304,12 +256035,12 @@ var follow_redirects = __nccwpck_require__(67707); // EXTERNAL MODULE: external "zlib" var external_zlib_ = __nccwpck_require__(59796); ;// CONCATENATED MODULE: ./node_modules/axios/lib/env/data.js -const VERSION = "1.15.0"; +const VERSION = "1.16.1"; ;// CONCATENATED MODULE: ./node_modules/axios/lib/helpers/parseProtocol.js function parseProtocol(url) { - const match = /^([-+\w]{1,25})(:?\/\/|:)/.exec(url); + const match = /^([-+\w]{1,25}):(?:\/\/)?/.exec(url); return (match && match[1]) || ''; } @@ -254320,7 +256051,9 @@ function parseProtocol(url) { -const DATA_URL_PATTERN = /^(?:([^;]+);)?(?:[^;]+;)?(base64|),([\s\S]*)$/; +// RFC 2397: data:[][;base64], +// mediatype = type/subtype followed by optional ;name=value parameters +const DATA_URL_PATTERN = /^([^,;]+\/[^,;]+)?((?:;[^,;=]+=[^,;]+)*)(;base64)?,([\s\S]*)$/; /** * Parse data uri to a Buffer or Blob @@ -254349,10 +256082,21 @@ function fromDataURI(uri, asBlob, options) { throw new core_AxiosError('Invalid URL', core_AxiosError.ERR_INVALID_URL); } - const mime = match[1]; - const isBase64 = match[2]; - const body = match[3]; - const buffer = Buffer.from(decodeURIComponent(body), isBase64 ? 'base64' : 'utf8'); + const type = match[1]; + const params = match[2]; + const encoding = match[3] ? 'base64' : 'utf8'; + const body = match[4]; + + // RFC 2397 section 3: default mediatype is text/plain;charset=US-ASCII + // Bare `data:,` leaves mime undefined; Blob normalises that to "" per spec. + let mime; + if (type) { + mime = params ? type + params : type; + } else if (params) { + mime = 'text/plain' + params; + } + + const buffer = Buffer.from(decodeURIComponent(body), encoding); if (asBlob) { if (!_Blob) { @@ -254570,7 +256314,8 @@ class FormDataPart { if (isStringValue) { value = textEncoder.encode(String(value).replace(/\r?\n|\r\n?/g, CRLF)); } else { - headers += `Content-Type: ${value.type || 'application/octet-stream'}${CRLF}`; + const safeType = String(value.type || 'application/octet-stream').replace(/[\r\n]/g, ''); + headers += `Content-Type: ${safeType}${CRLF}`; } this.headers = textEncoder.encode(headers + CRLF); @@ -254622,7 +256367,7 @@ const formDataToStream = (form, headersHandler, options) => { } if (boundary.length < 1 || boundary.length > 70) { - throw Error('boundary must be 10-70 characters long'); + throw Error('boundary must be 1-70 characters long'); } const boundaryBytes = textEncoder.encode('--' + boundary + CRLF); @@ -254715,6 +256460,53 @@ const callbackify = (fn, reducer) => { /* harmony default export */ const helpers_callbackify = (callbackify); ;// CONCATENATED MODULE: ./node_modules/axios/lib/helpers/shouldBypassProxy.js +const LOOPBACK_HOSTNAMES = new Set(['localhost']); + +const isIPv4Loopback = (host) => { + const parts = host.split('.'); + if (parts.length !== 4) return false; + if (parts[0] !== '127') return false; + return parts.every((p) => /^\d+$/.test(p) && Number(p) >= 0 && Number(p) <= 255); +}; + +const isIPv6Loopback = (host) => { + // Collapse all-zero groups: any form of ::1 / 0:0:...:0:1 + // First, strip any leading "::" by normalising with Set lookup of common forms, + // then fall back to structural check. + if (host === '::1') return true; + + // Check IPv4-mapped IPv6 loopback: ::ffff: or ::ffff: + // Node's URL parser normalises ::ffff:127.0.0.1 → ::ffff:7f00:1 + const v4MappedDotted = host.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/i); + if (v4MappedDotted) return isIPv4Loopback(v4MappedDotted[1]); + + const v4MappedHex = host.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/i); + if (v4MappedHex) { + const high = parseInt(v4MappedHex[1], 16); + // High 16 bits must start with 127 (0x7f) — i.e. 0x7f00..0x7fff + return high >= 0x7f00 && high <= 0x7fff; + } + + // Full-form ::1 variants: any number of zero groups followed by trailing 1 + // e.g. 0:0:0:0:0:0:0:1, 0000:...:0001 + const groups = host.split(':'); + if (groups.length === 8) { + for (let i = 0; i < 7; i++) { + if (!/^0+$/.test(groups[i])) return false; + } + return /^0*1$/.test(groups[7]); + } + + return false; +}; + +const isLoopback = (host) => { + if (!host) return false; + if (LOOPBACK_HOSTNAMES.has(host)) return true; + if (isIPv4Loopback(host)) return true; + return isIPv6Loopback(host); +}; + const shouldBypassProxy_DEFAULT_PORTS = { http: 80, https: 443, @@ -254757,6 +256549,31 @@ const parseNoProxyEntry = (entry) => { return [entryHost, entryPort]; }; +// Convert IPv4-mapped IPv6 (::ffff:0:0/96 prefix) to IPv4 dotted form so both +// sides of a NO_PROXY comparison see the same canonical address. Without this, +// `NO_PROXY=192.168.1.5` would not match a request to `http://[::ffff:192.168.1.5]/` +// (Node's URL parser normalises that to `[::ffff:c0a8:105]`), and vice-versa, +// allowing the proxy-bypass policy to be circumvented by using the alternate +// representation. Returns the input unchanged when not IPv4-mapped. +const IPV4_MAPPED_DOTTED_RE = /^(?:::|(?:0{1,4}:){1,4}:|(?:0{1,4}:){5})ffff:(\d+\.\d+\.\d+\.\d+)$/i; +const IPV4_MAPPED_HEX_RE = /^(?:::|(?:0{1,4}:){1,4}:|(?:0{1,4}:){5})ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/i; + +const unmapIPv4MappedIPv6 = (host) => { + if (typeof host !== 'string' || host.indexOf(':') === -1) return host; + + const dotted = host.match(IPV4_MAPPED_DOTTED_RE); + if (dotted) return dotted[1]; + + const hex = host.match(IPV4_MAPPED_HEX_RE); + if (hex) { + const high = parseInt(hex[1], 16); + const low = parseInt(hex[2], 16); + return `${high >> 8}.${high & 0xff}.${low >> 8}.${low & 0xff}`; + } + + return host; +}; + const normalizeNoProxyHost = (hostname) => { if (!hostname) { return hostname; @@ -254766,7 +256583,7 @@ const normalizeNoProxyHost = (hostname) => { hostname = hostname.slice(1, -1); } - return hostname.replace(/\.+$/, ''); + return unmapIPv4MappedIPv6(hostname.replace(/\.+$/, '')); }; function shouldBypassProxy(location) { @@ -254818,7 +256635,7 @@ function shouldBypassProxy(location) { return hostname.endsWith(entryHost); } - return hostname === entryHost; + return hostname === entryHost || (isLoopback(hostname) && isLoopback(entryHost)); }); } @@ -254935,13 +256752,16 @@ const progressEventReducer = (listener, isDownloadStream, freq = 3) => { const _speedometer = helpers_speedometer(50, 250); return helpers_throttle((e) => { - const loaded = e.loaded; + if (!e || typeof e.loaded !== 'number') { + return; + } + const rawLoaded = e.loaded; const total = e.lengthComputable ? e.total : undefined; - const progressBytes = loaded - bytesNotified; + const loaded = total != null ? Math.min(rawLoaded, total) : rawLoaded; + const progressBytes = Math.max(0, loaded - bytesNotified); const rate = _speedometer(progressBytes); - const inRange = loaded <= total; - bytesNotified = loaded; + bytesNotified = Math.max(bytesNotified, loaded); const data = { loaded, @@ -254949,7 +256769,7 @@ const progressEventReducer = (listener, isDownloadStream, freq = 3) => { progress: total ? loaded / total : undefined, bytes: progressBytes, rate: rate ? rate : undefined, - estimated: rate && total && inRange ? (total - loaded) / rate : undefined, + estimated: rate && total ? (total - loaded) / rate : undefined, event: e, lengthComputable: total != null, [isDownloadStream ? 'download' : 'upload']: true, @@ -255050,7 +256870,34 @@ function estimateDataURLDecodedBytes(url) { return bytes > 0 ? bytes : 0; } - return Buffer.byteLength(body, 'utf8'); + if (typeof Buffer !== 'undefined' && typeof Buffer.byteLength === 'function') { + return Buffer.byteLength(body, 'utf8'); + } + + // Compute UTF-8 byte length directly from UTF-16 code units without allocating + // a byte buffer (TextEncoder.encode would defeat the DoS guard on large bodies). + // Using body.length here would undercount non-ASCII (e.g. '€' is 1 code unit + // but 3 UTF-8 bytes). + let bytes = 0; + for (let i = 0, len = body.length; i < len; i++) { + const c = body.charCodeAt(i); + if (c < 0x80) { + bytes += 1; + } else if (c < 0x800) { + bytes += 2; + } else if (c >= 0xd800 && c <= 0xdbff && i + 1 < len) { + const next = body.charCodeAt(i + 1); + if (next >= 0xdc00 && next <= 0xdfff) { + bytes += 4; + i++; + } else { + bytes += 3; + } + } else { + bytes += 3; + } + } + return bytes; } ;// CONCATENATED MODULE: ./node_modules/axios/lib/adapters/http.js @@ -255079,6 +256926,9 @@ function estimateDataURLDecodedBytes(url) { + + + @@ -255098,11 +256948,85 @@ const isBrotliSupported = utils.isFunction(external_zlib_.createBrotliDecompress const { http: httpFollow, https: httpsFollow } = follow_redirects; const http_isHttps = /https:?/; +const FORM_DATA_CONTENT_HEADERS = ['content-type', 'content-length']; + +function setFormDataHeaders(headers, formHeaders, policy) { + if (policy !== 'content-only') { + headers.set(formHeaders); + return; + } + + Object.entries(formHeaders).forEach(([key, val]) => { + if (FORM_DATA_CONTENT_HEADERS.includes(key.toLowerCase())) { + headers.set(key, val); + } + }); +} + +// Symbols used to bind a single 'error' listener to a pooled socket and track +// the request currently owning that socket across keep-alive reuse (issue #10780). +const kAxiosSocketListener = Symbol('axios.http.socketListener'); +const kAxiosCurrentReq = Symbol('axios.http.currentReq'); + +// Tags HttpsProxyAgent instances installed by setProxy() so the redirect path +// can strip them without clobbering a user-supplied agent that happens to be +// an HttpsProxyAgent. +const kAxiosInstalledTunnel = Symbol('axios.http.installedTunnel'); + +// Cache of CONNECT-tunneling agents keyed by proxy config so repeat requests +// through the same proxy reuse a single agent (and its socket pool). The +// keyspace is bounded by the set of distinct proxy configs the process uses, +// so unbounded growth is not a concern in practice. +const tunnelingAgentCache = new Map(); +const tunnelingAgentCacheUser = new WeakMap(); + +function getTunnelingAgent(agentOptions, userHttpsAgent) { + const key = + agentOptions.protocol + + '//' + + agentOptions.hostname + + ':' + + (agentOptions.port || '') + + '#' + + (agentOptions.auth || ''); + const cache = userHttpsAgent + ? (tunnelingAgentCacheUser.get(userHttpsAgent) || + tunnelingAgentCacheUser.set(userHttpsAgent, new Map()).get(userHttpsAgent)) + : tunnelingAgentCache; + let agent = cache.get(key); + if (agent) return agent; + // Forward the user's TLS options (custom CA, rejectUnauthorized, client cert, + // etc.) into the tunneling agent so they apply to the origin TLS upgrade + // performed after CONNECT. Our proxy fields take precedence on conflict. + const merged = userHttpsAgent && userHttpsAgent.options + ? { ...userHttpsAgent.options, ...agentOptions } + : agentOptions; + agent = new node_modules_https_proxy_agent_dist(merged); + agent[kAxiosInstalledTunnel] = true; + cache.set(key, agent); + return agent; +} const supportedProtocols = lib_platform.protocols.map((protocol) => { return protocol + ':'; }); +// Node's WHATWG URL parser returns `username` and `password` percent-encoded. +// Decode before composing the `auth` option so credentials such as +// `my%40email.com:pass` are sent as `my@email.com:pass`. Falls back to the +// original value for malformed input so a bad encoding never throws. +const decodeURIComponentSafe = (value) => { + if (!utils.isString(value)) { + return value; + } + + try { + return decodeURIComponent(value); + } catch (error) { + return value; + } +}; + const flushOnFinish = (stream, [throttled, flush]) => { stream.on('end', flush).on('error', flush); @@ -255222,12 +257146,12 @@ const http2Sessions = new Http2Sessions(); * * @returns {Object} */ -function dispatchBeforeRedirect(options, responseDetails) { +function dispatchBeforeRedirect(options, responseDetails, requestDetails) { if (options.beforeRedirects.proxy) { options.beforeRedirects.proxy(options); } if (options.beforeRedirects.config) { - options.beforeRedirects.config(options, responseDetails); + options.beforeRedirects.config(options, responseDetails, requestDetails); } } @@ -255240,7 +257164,7 @@ function dispatchBeforeRedirect(options, responseDetails) { * * @returns {http.ClientRequestArgs} */ -function setProxy(options, configProxy, location) { +function setProxy(options, configProxy, location, isRedirect, configHttpsAgent) { let proxy = configProxy; if (!proxy && proxy !== false) { const proxyUrl = getProxyForUrl(location); @@ -255250,43 +257174,150 @@ function setProxy(options, configProxy, location) { } } } + // On redirect re-invocation, strip any stale Proxy-Authorization header carried + // over from the prior request (e.g. new target no longer uses a proxy, or uses + // a different proxy). Skip on the initial request so user-supplied headers are + // preserved. Header names are case-insensitive, so remove every case variant. + if (isRedirect && options.headers) { + for (const name of Object.keys(options.headers)) { + if (name.toLowerCase() === 'proxy-authorization') { + delete options.headers[name]; + } + } + } + // Strip any tunneling agent we installed for the previous hop so a redirect + // that drops the proxy or crosses an HTTPS↔HTTP boundary doesn't reuse a + // stale one. Match on our Symbol marker so a user-supplied HttpsProxyAgent + // (which won't carry the marker) is left alone. + if (isRedirect && options.agent && options.agent[kAxiosInstalledTunnel]) { + options.agent = undefined; + } if (proxy) { + // Read proxy fields without traversing the prototype chain. URL instances expose + // username/password/hostname/host/port/protocol via getters on URL.prototype (so + // direct reads are shielded), but plain object proxies — and the `auth` field + // (which URL does not expose) — must be guarded so a polluted Object.prototype + // (e.g. Object.prototype.auth = { username, password }) cannot inject + // attacker-controlled credentials into the Proxy-Authorization header or + // redirect proxying to an attacker-controlled host. + const isProxyURL = proxy instanceof URL; + const readProxyField = (key) => + isProxyURL || utils.hasOwnProp(proxy, key) ? proxy[key] : undefined; + + const proxyUsername = readProxyField('username'); + const proxyPassword = readProxyField('password'); + let proxyAuth = utils.hasOwnProp(proxy, 'auth') ? proxy.auth : undefined; + // Basic proxy authorization - if (proxy.username) { - proxy.auth = (proxy.username || '') + ':' + (proxy.password || ''); + if (proxyUsername) { + proxyAuth = (proxyUsername || '') + ':' + (proxyPassword || ''); } - if (proxy.auth) { - // Support proxy auth object form - const validProxyAuth = Boolean(proxy.auth.username || proxy.auth.password); + if (proxyAuth) { + // Support proxy auth object form. Read sub-fields via own-prop checks so a + // plain object inheriting from polluted Object.prototype cannot leak creds. + const authIsObject = typeof proxyAuth === 'object'; + const authUsername = + authIsObject && utils.hasOwnProp(proxyAuth, 'username') ? proxyAuth.username : undefined; + const authPassword = + authIsObject && utils.hasOwnProp(proxyAuth, 'password') ? proxyAuth.password : undefined; + const validProxyAuth = Boolean(authUsername || authPassword); if (validProxyAuth) { - proxy.auth = (proxy.auth.username || '') + ':' + (proxy.auth.password || ''); - } else if (typeof proxy.auth === 'object') { + proxyAuth = (authUsername || '') + ':' + (authPassword || ''); + } else if (authIsObject) { throw new core_AxiosError('Invalid proxy authorization', core_AxiosError.ERR_BAD_OPTION, { proxy }); } - - const base64 = Buffer.from(proxy.auth, 'utf8').toString('base64'); - - options.headers['Proxy-Authorization'] = 'Basic ' + base64; } - options.headers.host = options.hostname + (options.port ? ':' + options.port : ''); - const proxyHost = proxy.hostname || proxy.host; - options.hostname = proxyHost; - // Replace 'host' since options is not a URL object - options.host = proxyHost; - options.port = proxy.port; - options.path = location; - if (proxy.protocol) { - options.protocol = proxy.protocol.includes(':') ? proxy.protocol : `${proxy.protocol}:`; + const targetIsHttps = http_isHttps.test(options.protocol); + + if (targetIsHttps) { + // CONNECT-tunneling path for HTTPS targets. Preserves end-to-end TLS to + // the origin so the proxy cannot inspect the URL, headers, or body — the + // behavior already promised by THREATMODEL.md (T-R9). HttpsProxyAgent + // sends Proxy-Authorization on the CONNECT request only, never on the + // wrapped TLS request, which is why we don't stamp it onto + // options.headers here. If the user already supplied an HttpsProxyAgent, + // they own tunneling end-to-end and we leave them alone; otherwise we + // install our own tunneling agent and forward their TLS options (if any) + // so a custom httpsAgent for cert pinning / rejectUnauthorized still + // applies to the origin TLS upgrade. + if (!(configHttpsAgent instanceof node_modules_https_proxy_agent_dist)) { + const proxyHost = readProxyField('hostname') || readProxyField('host'); + const proxyPort = readProxyField('port'); + const rawProxyProtocol = readProxyField('protocol'); + const normalizedProtocol = rawProxyProtocol + ? rawProxyProtocol.includes(':') + ? rawProxyProtocol + : `${rawProxyProtocol}:` + : 'http:'; + // Bracket IPv6 literals for URL parsing; URL.hostname strips the + // brackets again on read so the agent receives the raw form. + const proxyHostForURL = + proxyHost && proxyHost.includes(':') && !proxyHost.startsWith('[') + ? `[${proxyHost}]` + : proxyHost; + const proxyURL = new URL( + `${normalizedProtocol}//${proxyHostForURL}${proxyPort ? ':' + proxyPort : ''}` + ); + const agentOptions = { + protocol: proxyURL.protocol, + hostname: proxyURL.hostname.replace(/^\[|\]$/g, ''), + port: proxyURL.port, + auth: proxyAuth && typeof proxyAuth === 'string' ? proxyAuth : undefined, + }; + if (proxyURL.protocol === 'https:') { + agentOptions.ALPNProtocols = ['http/1.1']; + } + const tunnelingAgent = getTunnelingAgent(agentOptions, configHttpsAgent); + // Set both: `options.agent` is consumed by the native https.request path + // (config.maxRedirects === 0); `options.agents.https` is consumed by + // follow-redirects, which ignores `options.agent` when `options.agents` + // is present. + options.agent = tunnelingAgent; + if (options.agents) { + options.agents.https = tunnelingAgent; + } + } + } else { + // Forward-proxy mode for plaintext HTTP targets. The request line carries + // the absolute URL and the proxy sees everything — acceptable for plain + // HTTP since the wire was already plaintext. + if (proxyAuth) { + const base64 = Buffer.from(proxyAuth, 'utf8').toString('base64'); + options.headers['Proxy-Authorization'] = 'Basic ' + base64; + } + + // Preserve a user-supplied Host header (case-insensitive) so callers can override + // the value forwarded to the proxy; otherwise default to the request URL's host. + let hasUserHostHeader = false; + for (const name of Object.keys(options.headers)) { + if (name.toLowerCase() === 'host') { + hasUserHostHeader = true; + break; + } + } + if (!hasUserHostHeader) { + options.headers.host = options.hostname + (options.port ? ':' + options.port : ''); + } + const proxyHost = readProxyField('hostname') || readProxyField('host'); + options.hostname = proxyHost; + // Replace 'host' since options is not a URL object + options.host = proxyHost; + options.port = readProxyField('port'); + options.path = location; + const proxyProtocol = readProxyField('protocol'); + if (proxyProtocol) { + options.protocol = proxyProtocol.includes(':') ? proxyProtocol : `${proxyProtocol}:`; + } } } options.beforeRedirects.proxy = function beforeRedirect(redirectOptions) { // Configure proxy for redirected request, passing the original config proxy to apply // the exact same logic as if the redirected request was performed by axios directly. - setProxy(redirectOptions, configProxy, redirectOptions.href); + setProxy(redirectOptions, configProxy, redirectOptions.href, true, configHttpsAgent); }; } @@ -255385,12 +257416,20 @@ const http2Transport = { /* harmony default export */ const adapters_http = (isHttpAdapterSupported && function httpAdapter(config) { return wrapAsync(async function dispatchHttpRequest(resolve, reject, onDone) { - let { data, lookup, family, httpVersion = 1, http2Options } = config; - const { responseType, responseEncoding } = config; + const own = (key) => (utils.hasOwnProp(config, key) ? config[key] : undefined); + let data = own('data'); + let lookup = own('lookup'); + let family = own('family'); + let httpVersion = own('httpVersion'); + if (httpVersion === undefined) httpVersion = 1; + let http2Options = own('http2Options'); + const responseType = own('responseType'); + const responseEncoding = own('responseEncoding'); const method = config.method.toUpperCase(); let isDone; let rejected = false; let req; + let connectPhaseTimer; httpVersion = +httpVersion; @@ -255435,9 +257474,34 @@ const http2Transport = { } } + function clearConnectPhaseTimer() { + if (connectPhaseTimer) { + clearTimeout(connectPhaseTimer); + connectPhaseTimer = null; + } + } + + function createTimeoutError() { + let timeoutErrorMessage = config.timeout + ? 'timeout of ' + config.timeout + 'ms exceeded' + : 'timeout exceeded'; + const transitional = config.transitional || defaults_transitional; + if (config.timeoutErrorMessage) { + timeoutErrorMessage = config.timeoutErrorMessage; + } + return new core_AxiosError( + timeoutErrorMessage, + transitional.clarifyTimeoutError ? core_AxiosError.ETIMEDOUT : core_AxiosError.ECONNABORTED, + config, + req + ); + } + abortEmitter.once('abort', reject); const onFinished = () => { + clearConnectPhaseTimer(); + if (config.cancelToken) { config.cancelToken.unsubscribe(abort); } @@ -255458,6 +257522,7 @@ const http2Transport = { onDone((response, isRejected) => { isDone = true; + clearConnectPhaseTimer(); if (isRejected) { rejected = true; @@ -255572,8 +257637,12 @@ const http2Transport = { } ); // support for https://www.npmjs.com/package/form-data api - } else if (utils.isFormData(data) && utils.isFunction(data.getHeaders)) { - headers.set(data.getHeaders()); + } else if ( + utils.isFormData(data) && + utils.isFunction(data.getHeaders) && + data.getHeaders !== Object.prototype.getHeaders + ) { + setFormDataHeaders(headers, data.getHeaders(), own('formDataHeaderPolicy')); if (!headers.hasContentLength()) { try { @@ -255658,15 +257727,16 @@ const http2Transport = { // HTTP basic authentication let auth = undefined; - if (config.auth) { - const username = config.auth.username || ''; - const password = config.auth.password || ''; + const configAuth = own('auth'); + if (configAuth) { + const username = configAuth.username || ''; + const password = configAuth.password || ''; auth = username + ':' + password; } if (!auth && parsed.username) { - const urlUsername = parsed.username; - const urlPassword = parsed.password; + const urlUsername = decodeURIComponentSafe(parsed.username); + const urlPassword = decodeURIComponentSafe(parsed.password); auth = urlUsername + ':' + urlPassword; } @@ -255694,23 +257764,52 @@ const http2Transport = { false ); - const options = { + // Null-prototype to block prototype pollution gadgets on properties read + // directly by Node's http.request (e.g. insecureHTTPParser, lookup). + const options = Object.assign(Object.create(null), { path, method: method, - headers: headers.toJSON(), + headers: toByteStringHeaderObject(headers), agents: { http: config.httpAgent, https: config.httpsAgent }, auth, protocol, family, beforeRedirect: dispatchBeforeRedirect, - beforeRedirects: {}, + beforeRedirects: Object.create(null), http2Options, - }; + }); // cacheable-lookup integration hotfix !utils.isUndefined(lookup) && (options.lookup = lookup); if (config.socketPath) { + if (typeof config.socketPath !== 'string') { + return reject( + new core_AxiosError('socketPath must be a string', core_AxiosError.ERR_BAD_OPTION_VALUE, config) + ); + } + + if (config.allowedSocketPaths != null) { + const allowed = Array.isArray(config.allowedSocketPaths) + ? config.allowedSocketPaths + : [config.allowedSocketPaths]; + + const resolvedSocket = (0,external_path_.resolve)(config.socketPath); + const isAllowed = allowed.some( + (entry) => typeof entry === 'string' && (0,external_path_.resolve)(entry) === resolvedSocket + ); + + if (!isAllowed) { + return reject( + new core_AxiosError( + `socketPath "${config.socketPath}" is not permitted by allowedSocketPaths`, + core_AxiosError.ERR_BAD_OPTION_VALUE, + config + ) + ); + } + } + options.socketPath = config.socketPath; } else { options.hostname = parsed.hostname.startsWith('[') @@ -255720,26 +257819,36 @@ const http2Transport = { setProxy( options, config.proxy, - protocol + '//' + parsed.hostname + (parsed.port ? ':' + parsed.port : '') + options.path + protocol + '//' + parsed.hostname + (parsed.port ? ':' + parsed.port : '') + options.path, + false, + config.httpsAgent ); } let transport; + let isNativeTransport = false; const isHttpsRequest = http_isHttps.test(options.protocol); - options.agent = isHttpsRequest ? config.httpsAgent : config.httpAgent; + // Don't clobber a CONNECT-tunneling agent installed by setProxy() for an + // HTTPS target. + if (options.agent == null) { + options.agent = isHttpsRequest ? config.httpsAgent : config.httpAgent; + } if (isHttp2) { transport = http2Transport; } else { - if (config.transport) { - transport = config.transport; + const configTransport = own('transport'); + if (configTransport) { + transport = configTransport; } else if (config.maxRedirects === 0) { transport = isHttpsRequest ? external_https_ : external_http_; + isNativeTransport = true; } else { if (config.maxRedirects) { options.maxRedirects = config.maxRedirects; } - if (config.beforeRedirect) { - options.beforeRedirects.config = config.beforeRedirect; + const configBeforeRedirect = own('beforeRedirect'); + if (configBeforeRedirect) { + options.beforeRedirects.config = configBeforeRedirect; } transport = isHttpsRequest ? httpsFollow : httpFollow; } @@ -255752,12 +257861,15 @@ const http2Transport = { options.maxBodyLength = Infinity; } - if (config.insecureHTTPParser) { - options.insecureHTTPParser = config.insecureHTTPParser; - } + // Always set an explicit own value so a polluted + // Object.prototype.insecureHTTPParser cannot enable the lenient parser + // through Node's internal options copy + options.insecureHTTPParser = Boolean(own('insecureHTTPParser')); // Create the request req = transport.request(options, function handleResponse(res) { + clearConnectPhaseTimer(); + if (req.destroyed) return; const streams = [res]; @@ -255838,6 +257950,30 @@ const http2Transport = { }; if (responseType === 'stream') { + // Enforce maxContentLength on streamed responses; previously this + // was applied only to buffered responses. + if (config.maxContentLength > -1) { + const limit = config.maxContentLength; + const source = responseStream; + async function* enforceMaxContentLength() { + let totalResponseBytes = 0; + for await (const chunk of source) { + totalResponseBytes += chunk.length; + if (totalResponseBytes > limit) { + throw new core_AxiosError( + 'maxContentLength size of ' + limit + ' exceeded', + core_AxiosError.ERR_BAD_RESPONSE, + config, + lastRequest + ); + } + yield chunk; + } + } + responseStream = external_stream_.Readable.from(enforceMaxContentLength(), { + objectMode: false, + }); + } response.data = responseStream; settle(resolve, reject, response); } else { @@ -255873,15 +258009,16 @@ const http2Transport = { 'stream has been aborted', core_AxiosError.ERR_BAD_RESPONSE, config, - lastRequest + lastRequest, + response ); responseStream.destroy(err); reject(err); }); responseStream.on('error', function handleStreamError(err) { - if (req.destroyed) return; - reject(core_AxiosError.from(err, null, config, lastRequest)); + if (rejected) return; + reject(core_AxiosError.from(err, null, config, lastRequest, response)); }); responseStream.on('end', function handleStreamEnd() { @@ -255924,9 +258061,48 @@ const http2Transport = { }); // set tcp keep alive to prevent drop connection by peer + // Track every socket bound to this outer RedirectableRequest so a single + // 'close' listener can release ownership on all of them. follow-redirects + // re-emits the 'socket' event for each hop's native request onto the same + // outer request, so attaching per-request listeners inside this handler + // would accumulate across hops and trigger MaxListenersExceededWarning at + // >= 11 redirects. Clearing only the last-bound socket would leave stale + // kAxiosCurrentReq refs on earlier hop sockets returned to the keep-alive + // pool, causing an idle-pool 'error' to be attributed to a closed req. + const boundSockets = new Set(); + req.on('socket', function handleRequestSocket(socket) { // default interval of sending ack packet is 1 minute socket.setKeepAlive(true, 1000 * 60); + + // Install a single 'error' listener per socket (not per request) to avoid + // accumulating listeners on pooled keep-alive sockets that get reassigned + // to new requests before the previous request's 'close' fires (issue #10780). + // The listener is bound to the socket's currently-active request via a + // symbol, which is swapped as the socket is reassigned. + if (!socket[kAxiosSocketListener]) { + socket.on('error', function handleSocketError(err) { + const current = socket[kAxiosCurrentReq]; + if (current && !current.destroyed) { + current.destroy(err); + } + }); + socket[kAxiosSocketListener] = true; + } + + socket[kAxiosCurrentReq] = req; + boundSockets.add(socket); + }); + + req.once('close', function clearCurrentReq() { + clearConnectPhaseTimer(); + + for (const socket of boundSockets) { + if (socket[kAxiosCurrentReq] === req) { + socket[kAxiosCurrentReq] = null; + } + } + boundSockets.clear(); }); // Handle request timeout @@ -255947,29 +258123,24 @@ const http2Transport = { return; } + const handleTimeout = function handleTimeout() { + if (isDone) return; + abort(createTimeoutError()); + }; + + if (isNativeTransport && timeout > 0) { + // Native ClientRequest#setTimeout starts from the socket lifecycle and + // may not fire while TCP connect is still pending. Mirror the + // follow-redirects wall-clock timer for the maxRedirects === 0 path. + connectPhaseTimer = setTimeout(handleTimeout, timeout); + } + // Sometime, the response will be very slow, and does not respond, the connect event will be block by event loop system. // And timer callback will be fired, and abort() will be invoked before connection, then get "socket hang up" and code ECONNRESET. // At this time, if we have a large number of request, nodejs will hang up some socket on background. and the number will up and up. // And then these socket which be hang up will devouring CPU little by little. // ClientRequest.setTimeout will be fired on the specify milliseconds, and can make sure that abort() will be fired after connect. - req.setTimeout(timeout, function handleRequestTimeout() { - if (isDone) return; - let timeoutErrorMessage = config.timeout - ? 'timeout of ' + config.timeout + 'ms exceeded' - : 'timeout exceeded'; - const transitional = config.transitional || defaults_transitional; - if (config.timeoutErrorMessage) { - timeoutErrorMessage = config.timeoutErrorMessage; - } - abort( - new core_AxiosError( - timeoutErrorMessage, - transitional.clarifyTimeoutError ? core_AxiosError.ETIMEDOUT : core_AxiosError.ECONNABORTED, - config, - req - ) - ); - }); + req.setTimeout(timeout, handleTimeout); } else { // explicitly reset the socket timeout value for a possible `keep-alive` request req.setTimeout(0); @@ -255995,7 +258166,41 @@ const http2Transport = { } }); - data.pipe(req); + // Enforce maxBodyLength for streamed uploads on the native http/https + // transport (maxRedirects === 0); follow-redirects enforces it on the + // other path. + let uploadStream = data; + if (config.maxBodyLength > -1 && config.maxRedirects === 0) { + const limit = config.maxBodyLength; + let bytesSent = 0; + uploadStream = external_stream_.pipeline( + [ + data, + new external_stream_.Transform({ + transform(chunk, _enc, cb) { + bytesSent += chunk.length; + if (bytesSent > limit) { + return cb( + new core_AxiosError( + 'Request body larger than maxBodyLength limit', + core_AxiosError.ERR_BAD_REQUEST, + config, + req + ) + ); + } + cb(null, chunk); + }, + }), + ], + utils.noop + ); + uploadStream.on('error', (err) => { + if (!req.destroyed) req.destroy(err); + }); + } + + uploadStream.pipe(req); } else { data && req.write(data); req.end(); @@ -256056,8 +258261,20 @@ const __setProxy = (/* unused pure expression or super */ null && (setProxy)); read(name) { if (typeof document === 'undefined') return null; - const match = document.cookie.match(new RegExp('(?:^|; )' + name + '=([^;]*)')); - return match ? decodeURIComponent(match[1]) : null; + // Match name=value by splitting on the semicolon separator instead of building a + // RegExp from `name` — interpolating an unescaped string into a RegExp would let + // metacharacters (e.g. `.+?` in an attacker-influenced cookie name) cause ReDoS or + // match the wrong cookie. Browsers may serialize cookie pairs as either ";" or + // "; ", so ignore optional whitespace before each cookie name. + const cookies = document.cookie.split(';'); + for (let i = 0; i < cookies.length; i++) { + const cookie = cookies[i].replace(/^\s+/, ''); + const eq = cookie.indexOf('='); + if (eq !== -1 && cookie.slice(0, eq) === name) { + return decodeURIComponent(cookie.slice(eq + 1)); + } + } + return null; }, remove(name) { @@ -256093,7 +258310,21 @@ const headersToObject = (thing) => (thing instanceof core_AxiosHeaders ? { ...th function mergeConfig(config1, config2) { // eslint-disable-next-line no-param-reassign config2 = config2 || {}; - const config = {}; + + // Use a null-prototype object so that downstream reads such as `config.auth` + // or `config.baseURL` cannot inherit polluted values from Object.prototype. + // `hasOwnProperty` is restored as a non-enumerable own slot to preserve + // ergonomics for user code that relies on it. + const config = Object.create(null); + Object.defineProperty(config, 'hasOwnProperty', { + // Null-proto descriptor so a polluted Object.prototype.get cannot turn + // this data descriptor into an accessor descriptor on the way in. + __proto__: null, + value: Object.prototype.hasOwnProperty, + enumerable: false, + writable: true, + configurable: true, + }); function getMergedValue(target, source, prop, caseless) { if (utils.isPlainObject(target) && utils.isPlainObject(source)) { @@ -256132,9 +258363,9 @@ function mergeConfig(config1, config2) { // eslint-disable-next-line consistent-return function mergeDirectKeys(a, b, prop) { - if (prop in config2) { + if (utils.hasOwnProp(config2, prop)) { return getMergedValue(a, b); - } else if (prop in config1) { + } else if (utils.hasOwnProp(config1, prop)) { return getMergedValue(undefined, a); } } @@ -256166,6 +258397,7 @@ function mergeConfig(config1, config2) { httpsAgent: defaultToConfig2, cancelToken: defaultToConfig2, socketPath: defaultToConfig2, + allowedSocketPaths: defaultToConfig2, responseEncoding: defaultToConfig2, validateStatus: mergeDirectKeys, headers: (a, b, prop) => @@ -256175,7 +258407,9 @@ function mergeConfig(config1, config2) { utils.forEach(Object.keys({ ...config1, ...config2 }), function computeConfigValue(prop) { if (prop === '__proto__' || prop === 'constructor' || prop === 'prototype') return; const merge = utils.hasOwnProp(mergeMap, prop) ? mergeMap[prop] : mergeDeepProperties; - const configValue = merge(config1[prop], config2[prop], prop); + const a = utils.hasOwnProp(config1, prop) ? config1[prop] : undefined; + const b = utils.hasOwnProp(config2, prop) ? config2[prop] : undefined; + const configValue = merge(a, b, prop); (utils.isUndefined(configValue) && merge !== mergeDirectKeys) || (config[prop] = configValue); }); @@ -256192,15 +258426,55 @@ function mergeConfig(config1, config2) { +const resolveConfig_FORM_DATA_CONTENT_HEADERS = ['content-type', 'content-length']; + +function resolveConfig_setFormDataHeaders(headers, formHeaders, policy) { + if (policy !== 'content-only') { + headers.set(formHeaders); + return; + } + + Object.entries(formHeaders).forEach(([key, val]) => { + if (resolveConfig_FORM_DATA_CONTENT_HEADERS.includes(key.toLowerCase())) { + headers.set(key, val); + } + }); +} + +/** + * Encode a UTF-8 string to a Latin-1 byte string for use with btoa(). + * This is a modern replacement for the deprecated unescape(encodeURIComponent(str)) pattern. + * + * @param {string} str The string to encode + * + * @returns {string} UTF-8 bytes as a Latin-1 string + */ +const encodeUTF8 = (str) => + encodeURIComponent(str).replace(/%([0-9A-F]{2})/gi, (_, hex) => + String.fromCharCode(parseInt(hex, 16)) + ); + /* harmony default export */ const resolveConfig = ((config) => { const newConfig = mergeConfig({}, config); - let { data, withXSRFToken, xsrfHeaderName, xsrfCookieName, headers, auth } = newConfig; + // Read only own properties to prevent prototype pollution gadgets + // (e.g. Object.prototype.baseURL = 'https://evil.com'). + const own = (key) => (utils.hasOwnProp(newConfig, key) ? newConfig[key] : undefined); + + const data = own('data'); + let withXSRFToken = own('withXSRFToken'); + const xsrfHeaderName = own('xsrfHeaderName'); + const xsrfCookieName = own('xsrfCookieName'); + let headers = own('headers'); + const auth = own('auth'); + const baseURL = own('baseURL'); + const allowAbsoluteUrls = own('allowAbsoluteUrls'); + const url = own('url'); newConfig.headers = headers = core_AxiosHeaders.from(headers); newConfig.url = buildURL( - buildFullPath(newConfig.baseURL, newConfig.url, newConfig.allowAbsoluteUrls), + buildFullPath(baseURL, url, allowAbsoluteUrls), config.params, config.paramsSerializer ); @@ -256210,11 +258484,7 @@ function mergeConfig(config1, config2) { headers.set( 'Authorization', 'Basic ' + - btoa( - (auth.username || '') + - ':' + - (auth.password ? unescape(encodeURIComponent(auth.password)) : '') - ) + btoa((auth.username || '') + ':' + (auth.password ? encodeUTF8(auth.password) : '')) ); } @@ -256223,14 +258493,7 @@ function mergeConfig(config1, config2) { headers.setContentType(undefined); // browser handles it } else if (utils.isFunction(data.getHeaders)) { // Node.js FormData (like form-data package) - const formHeaders = data.getHeaders(); - // Only set safe headers to avoid overwriting security headers - const allowedHeaders = ['content-type', 'content-length']; - Object.entries(formHeaders).forEach(([key, val]) => { - if (allowedHeaders.includes(key.toLowerCase())) { - headers.set(key, val); - } - }); + resolveConfig_setFormDataHeaders(headers, data.getHeaders(), own('formDataHeaderPolicy')); } } @@ -256239,10 +258502,17 @@ function mergeConfig(config1, config2) { // Specifically not if we're in a web worker, or react-native. if (lib_platform.hasStandardBrowserEnv) { - withXSRFToken && utils.isFunction(withXSRFToken) && (withXSRFToken = withXSRFToken(newConfig)); + if (utils.isFunction(withXSRFToken)) { + withXSRFToken = withXSRFToken(newConfig); + } + + // Strict boolean check — prevents proto-pollution gadgets (e.g. Object.prototype.withXSRFToken = 1) + // and misconfigurations (e.g. "false") from short-circuiting the same-origin check and leaking + // the XSRF token cross-origin. + const shouldSendXSRF = + withXSRFToken === true || (withXSRFToken == null && isURLSameOrigin(newConfig.url)); - if (withXSRFToken || (withXSRFToken !== false && isURLSameOrigin(newConfig.url))) { - // Add xsrf header + if (shouldSendXSRF) { const xsrfValue = xsrfHeaderName && xsrfCookieName && cookies.read(xsrfCookieName); if (xsrfValue) { @@ -256266,6 +258536,7 @@ function mergeConfig(config1, config2) { + const isXHRAdapterSupported = typeof XMLHttpRequest !== 'undefined'; /* harmony default export */ const xhr = (isXHRAdapterSupported && @@ -256348,7 +258619,7 @@ const isXHRAdapterSupported = typeof XMLHttpRequest !== 'undefined'; // will return status as 0 even though it's a successful request if ( request.status === 0 && - !(request.responseURL && request.responseURL.indexOf('file:') === 0) + !(request.responseURL && request.responseURL.startsWith('file:')) ) { return; } @@ -256365,6 +258636,7 @@ const isXHRAdapterSupported = typeof XMLHttpRequest !== 'undefined'; } reject(new core_AxiosError('Request aborted', core_AxiosError.ECONNABORTED, config, request)); + done(); // Clean up request request = null; @@ -256380,6 +258652,7 @@ const isXHRAdapterSupported = typeof XMLHttpRequest !== 'undefined'; // attach the underlying event for consumers who want details err.event = event || null; reject(err); + done(); request = null; }; @@ -256400,6 +258673,7 @@ const isXHRAdapterSupported = typeof XMLHttpRequest !== 'undefined'; request ) ); + done(); // Clean up request request = null; @@ -256410,7 +258684,7 @@ const isXHRAdapterSupported = typeof XMLHttpRequest !== 'undefined'; // Add headers to the request if ('setRequestHeader' in request) { - utils.forEach(requestHeaders.toJSON(), function setRequestHeader(val, key) { + utils.forEach(toByteStringHeaderObject(requestHeaders), function setRequestHeader(val, key) { request.setRequestHeader(key, val); }); } @@ -256449,6 +258723,7 @@ const isXHRAdapterSupported = typeof XMLHttpRequest !== 'undefined'; } reject(!cancel || cancel.type ? new cancel_CanceledError(null, config, request) : cancel); request.abort(); + done(); request = null; }; @@ -256462,7 +258737,7 @@ const isXHRAdapterSupported = typeof XMLHttpRequest !== 'undefined'; const protocol = parseProtocol(_config.url); - if (protocol && lib_platform.protocols.indexOf(protocol) === -1) { + if (protocol && !lib_platform.protocols.includes(protocol)) { reject( new core_AxiosError( 'Unsupported protocol ' + protocol + ':', @@ -256484,54 +258759,55 @@ const isXHRAdapterSupported = typeof XMLHttpRequest !== 'undefined'; const composeSignals = (signals, timeout) => { - const { length } = (signals = signals ? signals.filter(Boolean) : []); - - if (timeout || length) { - let controller = new AbortController(); - - let aborted; - - const onabort = function (reason) { - if (!aborted) { - aborted = true; - unsubscribe(); - const err = reason instanceof Error ? reason : this.reason; - controller.abort( - err instanceof core_AxiosError - ? err - : new cancel_CanceledError(err instanceof Error ? err.message : err) - ); - } - }; + signals = signals ? signals.filter(Boolean) : []; - let timer = - timeout && - setTimeout(() => { - timer = null; - onabort(new core_AxiosError(`timeout of ${timeout}ms exceeded`, core_AxiosError.ETIMEDOUT)); - }, timeout); + if (!timeout && !signals.length) { + return; + } - const unsubscribe = () => { - if (signals) { - timer && clearTimeout(timer); - timer = null; - signals.forEach((signal) => { - signal.unsubscribe - ? signal.unsubscribe(onabort) - : signal.removeEventListener('abort', onabort); - }); - signals = null; - } - }; + const controller = new AbortController(); + + let aborted = false; + + const onabort = function (reason) { + if (!aborted) { + aborted = true; + unsubscribe(); + const err = reason instanceof Error ? reason : this.reason; + controller.abort( + err instanceof core_AxiosError + ? err + : new cancel_CanceledError(err instanceof Error ? err.message : err) + ); + } + }; + + let timer = + timeout && + setTimeout(() => { + timer = null; + onabort(new core_AxiosError(`timeout of ${timeout}ms exceeded`, core_AxiosError.ETIMEDOUT)); + }, timeout); + + const unsubscribe = () => { + if (!signals) { return; } + timer && clearTimeout(timer); + timer = null; + signals.forEach((signal) => { + signal.unsubscribe + ? signal.unsubscribe(onabort) + : signal.removeEventListener('abort', onabort); + }); + signals = null; + }; - signals.forEach((signal) => signal.addEventListener('abort', onabort)); + signals.forEach((signal) => signal.addEventListener('abort', onabort)); - const { signal } = controller; + const { signal } = controller; - signal.unsubscribe = () => utils.asap(unsubscribe); + signal.unsubscribe = () => utils.asap(unsubscribe); - return signal; - } + return signal; }; /* harmony default export */ const helpers_composeSignals = (composeSignals); @@ -256638,16 +258914,12 @@ const trackStream = (stream, chunkSize, onProgress, onFinish) => { -const DEFAULT_CHUNK_SIZE = 64 * 1024; -const { isFunction: fetch_isFunction } = utils; -const globalFetchAPI = (({ Request, Response }) => ({ - Request, - Response, -}))(utils.global); -const { ReadableStream: fetch_ReadableStream, TextEncoder: fetch_TextEncoder } = utils.global; +const DEFAULT_CHUNK_SIZE = 64 * 1024; + +const { isFunction: fetch_isFunction } = utils; const test = (fn, ...args) => { try { @@ -256658,11 +258930,20 @@ const test = (fn, ...args) => { }; const factory = (env) => { + const globalObject = + utils.global !== undefined && utils.global !== null + ? utils.global + : globalThis; + const { ReadableStream, TextEncoder } = globalObject; + env = utils.merge.call( { skipUndefined: true, }, - globalFetchAPI, + { + Request: globalObject.Request, + Response: globalObject.Response, + }, env ); @@ -256675,15 +258956,15 @@ const factory = (env) => { return false; } - const isReadableStreamSupported = isFetchSupported && fetch_isFunction(fetch_ReadableStream); + const isReadableStreamSupported = isFetchSupported && fetch_isFunction(ReadableStream); const encodeText = isFetchSupported && - (typeof fetch_TextEncoder === 'function' + (typeof TextEncoder === 'function' ? ( (encoder) => (str) => encoder.encode(str) - )(new fetch_TextEncoder()) + )(new TextEncoder()) : async (str) => new Uint8Array(await new Request(str).arrayBuffer())); const supportsRequestStream = @@ -256692,18 +258973,20 @@ const factory = (env) => { test(() => { let duplexAccessed = false; - const body = new fetch_ReadableStream(); - - const hasContentType = new Request(lib_platform.origin, { - body, + const request = new Request(lib_platform.origin, { + body: new ReadableStream(), method: 'POST', get duplex() { duplexAccessed = true; return 'half'; }, - }).headers.has('Content-Type'); + }); - body.cancel(); + const hasContentType = request.headers.has('Content-Type'); + + if (request.body != null) { + request.body.cancel(); + } return duplexAccessed && !hasContentType; }); @@ -256787,8 +259070,13 @@ const factory = (env) => { headers, withCredentials = 'same-origin', fetchOptions, + maxContentLength, + maxBodyLength, } = resolveConfig(config); + const hasMaxContentLength = utils.isNumber(maxContentLength) && maxContentLength > -1; + const hasMaxBodyLength = utils.isNumber(maxBodyLength) && maxBodyLength > -1; + let _fetch = envFetch || fetch; responseType = responseType ? (responseType + '').toLowerCase() : 'text'; @@ -256810,6 +259098,41 @@ const factory = (env) => { let requestContentLength; try { + // Enforce maxContentLength for data: URLs up-front so we never materialize + // an oversized payload. The HTTP adapter applies the same check (see http.js + // "if (protocol === 'data:')" branch). + if (hasMaxContentLength && typeof url === 'string' && url.startsWith('data:')) { + const estimated = estimateDataURLDecodedBytes(url); + if (estimated > maxContentLength) { + throw new core_AxiosError( + 'maxContentLength size of ' + maxContentLength + ' exceeded', + core_AxiosError.ERR_BAD_RESPONSE, + config, + request + ); + } + } + + // Enforce maxBodyLength against the outbound request body before dispatch. + // Mirrors http.js behavior (ERR_BAD_REQUEST / 'Request body larger than + // maxBodyLength limit'). Skip when the body length cannot be determined + // (e.g. a live ReadableStream supplied by the caller). + if (hasMaxBodyLength && method !== 'get' && method !== 'head') { + const outboundLength = await resolveBodyLength(headers, data); + if ( + typeof outboundLength === 'number' && + isFinite(outboundLength) && + outboundLength > maxBodyLength + ) { + throw new core_AxiosError( + 'Request body larger than maxBodyLength limit', + core_AxiosError.ERR_BAD_REQUEST, + config, + request + ); + } + } + if ( onUploadProgress && supportsRequestStream && @@ -256847,11 +259170,27 @@ const factory = (env) => { // see https://github.com/cloudflare/workerd/issues/902 const isCredentialsSupported = isRequestSupported && 'credentials' in Request.prototype; + // If data is FormData and Content-Type is multipart/form-data without boundary, + // delete it so fetch can set it correctly with the boundary + if (utils.isFormData(data)) { + const contentType = headers.getContentType(); + if ( + contentType && + /^multipart\/form-data/i.test(contentType) && + !/boundary=/i.test(contentType) + ) { + headers.delete('content-type'); + } + } + + // Set User-Agent header if not already set (fetch defaults to 'node' in Node.js) + headers.set('User-Agent', 'axios/' + VERSION, false); + const resolvedOptions = { ...fetchOptions, signal: composedSignal, method: method.toUpperCase(), - headers: headers.normalize().toJSON(), + headers: toByteStringHeaderObject(headers.normalize()), body: data, duplex: 'half', credentials: isCredentialsSupported ? withCredentials : undefined, @@ -256863,10 +259202,28 @@ const factory = (env) => { ? _fetch(request, fetchOptions) : _fetch(url, resolvedOptions)); + // Cheap pre-check: if the server honestly declares a content-length that + // already exceeds the cap, reject before we start streaming. + if (hasMaxContentLength) { + const declaredLength = utils.toFiniteNumber(response.headers.get('content-length')); + if (declaredLength != null && declaredLength > maxContentLength) { + throw new core_AxiosError( + 'maxContentLength size of ' + maxContentLength + ' exceeded', + core_AxiosError.ERR_BAD_RESPONSE, + config, + request + ); + } + } + const isStreamResponse = supportsResponseStream && (responseType === 'stream' || responseType === 'response'); - if (supportsResponseStream && (onDownloadProgress || (isStreamResponse && unsubscribe))) { + if ( + supportsResponseStream && + response.body && + (onDownloadProgress || hasMaxContentLength || (isStreamResponse && unsubscribe)) + ) { const options = {}; ['status', 'statusText', 'headers'].forEach((prop) => { @@ -256883,8 +259240,24 @@ const factory = (env) => { )) || []; + let bytesRead = 0; + const onChunkProgress = (loadedBytes) => { + if (hasMaxContentLength) { + bytesRead = loadedBytes; + if (bytesRead > maxContentLength) { + throw new core_AxiosError( + 'maxContentLength size of ' + maxContentLength + ' exceeded', + core_AxiosError.ERR_BAD_RESPONSE, + config, + request + ); + } + } + onProgress && onProgress(loadedBytes); + }; + response = new Response( - trackStream(response.body, DEFAULT_CHUNK_SIZE, onProgress, () => { + trackStream(response.body, DEFAULT_CHUNK_SIZE, onChunkProgress, () => { flush && flush(); unsubscribe && unsubscribe(); }), @@ -256899,6 +259272,33 @@ const factory = (env) => { config ); + // Fallback enforcement for environments without ReadableStream support + // (legacy runtimes). Detect materialized size from typed output; skip + // streams/Response passthrough since the user will read those themselves. + if (hasMaxContentLength && !supportsResponseStream && !isStreamResponse) { + let materializedSize; + if (responseData != null) { + if (typeof responseData.byteLength === 'number') { + materializedSize = responseData.byteLength; + } else if (typeof responseData.size === 'number') { + materializedSize = responseData.size; + } else if (typeof responseData === 'string') { + materializedSize = + typeof TextEncoder === 'function' + ? new TextEncoder().encode(responseData).byteLength + : responseData.length; + } + } + if (typeof materializedSize === 'number' && materializedSize > maxContentLength) { + throw new core_AxiosError( + 'maxContentLength size of ' + maxContentLength + ' exceeded', + core_AxiosError.ERR_BAD_RESPONSE, + config, + request + ); + } + } + !isStreamResponse && unsubscribe && unsubscribe(); return await new Promise((resolve, reject) => { @@ -256914,6 +259314,17 @@ const factory = (env) => { } catch (err) { unsubscribe && unsubscribe(); + // Safari can surface fetch aborts as a DOMException-like object whose + // branded getters throw. Prefer our composed signal reason before reading + // the caught error, preserving timeout vs cancellation semantics. + if (composedSignal && composedSignal.aborted && composedSignal.reason instanceof core_AxiosError) { + const canceledError = composedSignal.reason; + canceledError.config = config; + request && (canceledError.request = request); + err !== canceledError && (canceledError.cause = err); + throw canceledError; + } + if (err && err.name === 'TypeError' && /Load failed|fetch/i.test(err.message)) { throw Object.assign( new core_AxiosError( @@ -256991,11 +259402,13 @@ const knownAdapters = { utils.forEach(knownAdapters, (fn, value) => { if (fn) { try { - Object.defineProperty(fn, 'name', { value }); + // Null-proto descriptors so a polluted Object.prototype.get cannot turn + // these data descriptors into accessor descriptors on the way in. + Object.defineProperty(fn, 'name', { __proto__: null, value }); } catch (e) { // eslint-disable-next-line no-empty } - Object.defineProperty(fn, 'adapterName', { value }); + Object.defineProperty(fn, 'adapterName', { __proto__: null, value }); } }); @@ -257147,8 +259560,15 @@ function dispatchRequest(config) { function onAdapterResolution(response) { throwIfCancellationRequested(config); - // Transform response data - response.data = transformData.call(config, config.transformResponse, response); + // Expose the current response on config so that transformResponse can + // attach it to any AxiosError it throws (e.g. on JSON parse failure). + // We clean it up afterwards to avoid polluting the config object. + config.response = response; + try { + response.data = transformData.call(config, config.transformResponse, response); + } finally { + delete config.response; + } response.headers = core_AxiosHeaders.from(response.headers); @@ -257160,11 +259580,16 @@ function dispatchRequest(config) { // Transform response data if (reason && reason.response) { - reason.response.data = transformData.call( - config, - config.transformResponse, - reason.response - ); + config.response = reason.response; + try { + reason.response.data = transformData.call( + config, + config.transformResponse, + reason.response + ); + } finally { + delete config.response; + } reason.response.headers = core_AxiosHeaders.from(reason.response.headers); } } @@ -257263,7 +259688,9 @@ function assertOptions(options, schema, allowUnknown) { let i = keys.length; while (i-- > 0) { const opt = keys[i]; - const validator = schema[opt]; + // Use hasOwnProperty so a polluted Object.prototype. cannot supply + // a non-function validator and cause a TypeError. + const validator = Object.prototype.hasOwnProperty.call(schema, opt) ? schema[opt] : undefined; if (validator) { const value = options[opt]; const result = value === undefined || validator(value, opt, options); @@ -257437,7 +259864,7 @@ class Axios { let contextHeaders = headers && utils.merge(headers.common, headers[config.method]); headers && - utils.forEach(['delete', 'get', 'head', 'post', 'put', 'patch', 'common'], (method) => { + utils.forEach(['delete', 'get', 'head', 'post', 'put', 'patch', 'query', 'common'], (method) => { delete headers[method]; }); @@ -257540,7 +259967,7 @@ utils.forEach(['delete', 'get', 'head', 'options'], function forEachMethodNoData }; }); -utils.forEach(['post', 'put', 'patch'], function forEachMethodWithData(method) { +utils.forEach(['post', 'put', 'patch', 'query'], function forEachMethodWithData(method) { function generateHTTPMethod(isForm) { return function httpMethod(url, data, config) { return this.request( @@ -257560,7 +259987,11 @@ utils.forEach(['post', 'put', 'patch'], function forEachMethodWithData(method) { Axios.prototype[method] = generateHTTPMethod(); - Axios.prototype[method + 'Form'] = generateHTTPMethod(true); + // QUERY is a safe/idempotent read method; multipart form bodies don't fit + // its semantics, so no queryForm shorthand is generated. + if (method !== 'query') { + Axios.prototype[method + 'Form'] = generateHTTPMethod(true); + } }); /* harmony default export */ const core_Axios = (Axios); @@ -257941,6 +260372,7 @@ const { formToJSON, getAdapter: axios_getAdapter, mergeConfig: axios_mergeConfig, + create: axios_create, } = lib_axios; diff --git a/dist/save/index.js b/dist/save/index.js index 92e8763..ed06540 100644 --- a/dist/save/index.js +++ b/dist/save/index.js @@ -79604,7 +79604,7 @@ Object.defineProperty(exports, "__esModule", ({ value: true })); function once(emitter, name, { signal } = {}) { return new Promise((resolve, reject) => { function cleanup() { - signal === null || signal === void 0 ? void 0 : signal.removeEventListener('abort', cleanup); + signal === null || signal === void 0 ? void 0 : signal.removeEventListener('abort', onAbort); emitter.removeListener(name, onEvent); emitter.removeListener('error', onError); } @@ -79616,7 +79616,17 @@ function once(emitter, name, { signal } = {}) { cleanup(); reject(err); } - signal === null || signal === void 0 ? void 0 : signal.addEventListener('abort', cleanup); + function onAbort() { + cleanup(); + const err = new Error('The operation was aborted'); + err.name = 'AbortError'; + reject(err); + } + if (signal === null || signal === void 0 ? void 0 : signal.aborted) { + onAbort(); + return; + } + signal === null || signal === void 0 ? void 0 : signal.addEventListener('abort', onAbort); emitter.on(name, onEvent); emitter.on('error', onError); }); @@ -80559,6 +80569,241 @@ function descending(a, b) } +/***/ }), + +/***/ 17401: +/***/ (function(module, __unused_webpack_exports, __nccwpck_require__) { + +"use strict"; + +var __importDefault = (this && this.__importDefault) || function (mod) { + return (mod && mod.__esModule) ? mod : { "default": mod }; +}; +const events_1 = __nccwpck_require__(82361); +const debug_1 = __importDefault(__nccwpck_require__(38237)); +const promisify_1 = __importDefault(__nccwpck_require__(76948)); +const debug = debug_1.default('agent-base'); +function isAgent(v) { + return Boolean(v) && typeof v.addRequest === 'function'; +} +function isSecureEndpoint() { + const { stack } = new Error(); + if (typeof stack !== 'string') + return false; + return stack.split('\n').some(l => l.indexOf('(https.js:') !== -1 || l.indexOf('node:https:') !== -1); +} +function createAgent(callback, opts) { + return new createAgent.Agent(callback, opts); +} +(function (createAgent) { + /** + * Base `http.Agent` implementation. + * No pooling/keep-alive is implemented by default. + * + * @param {Function} callback + * @api public + */ + class Agent extends events_1.EventEmitter { + constructor(callback, _opts) { + super(); + let opts = _opts; + if (typeof callback === 'function') { + this.callback = callback; + } + else if (callback) { + opts = callback; + } + // Timeout for the socket to be returned from the callback + this.timeout = null; + if (opts && typeof opts.timeout === 'number') { + this.timeout = opts.timeout; + } + // These aren't actually used by `agent-base`, but are required + // for the TypeScript definition files in `@types/node` :/ + this.maxFreeSockets = 1; + this.maxSockets = 1; + this.maxTotalSockets = Infinity; + this.sockets = {}; + this.freeSockets = {}; + this.requests = {}; + this.options = {}; + } + get defaultPort() { + if (typeof this.explicitDefaultPort === 'number') { + return this.explicitDefaultPort; + } + return isSecureEndpoint() ? 443 : 80; + } + set defaultPort(v) { + this.explicitDefaultPort = v; + } + get protocol() { + if (typeof this.explicitProtocol === 'string') { + return this.explicitProtocol; + } + return isSecureEndpoint() ? 'https:' : 'http:'; + } + set protocol(v) { + this.explicitProtocol = v; + } + callback(req, opts, fn) { + throw new Error('"agent-base" has no default implementation, you must subclass and override `callback()`'); + } + /** + * Called by node-core's "_http_client.js" module when creating + * a new HTTP request with this Agent instance. + * + * @api public + */ + addRequest(req, _opts) { + const opts = Object.assign({}, _opts); + if (typeof opts.secureEndpoint !== 'boolean') { + opts.secureEndpoint = isSecureEndpoint(); + } + if (opts.host == null) { + opts.host = 'localhost'; + } + if (opts.port == null) { + opts.port = opts.secureEndpoint ? 443 : 80; + } + if (opts.protocol == null) { + opts.protocol = opts.secureEndpoint ? 'https:' : 'http:'; + } + if (opts.host && opts.path) { + // If both a `host` and `path` are specified then it's most + // likely the result of a `url.parse()` call... we need to + // remove the `path` portion so that `net.connect()` doesn't + // attempt to open that as a unix socket file. + delete opts.path; + } + delete opts.agent; + delete opts.hostname; + delete opts._defaultAgent; + delete opts.defaultPort; + delete opts.createConnection; + // Hint to use "Connection: close" + // XXX: non-documented `http` module API :( + req._last = true; + req.shouldKeepAlive = false; + let timedOut = false; + let timeoutId = null; + const timeoutMs = opts.timeout || this.timeout; + const onerror = (err) => { + if (req._hadError) + return; + req.emit('error', err); + // For Safety. Some additional errors might fire later on + // and we need to make sure we don't double-fire the error event. + req._hadError = true; + }; + const ontimeout = () => { + timeoutId = null; + timedOut = true; + const err = new Error(`A "socket" was not created for HTTP request before ${timeoutMs}ms`); + err.code = 'ETIMEOUT'; + onerror(err); + }; + const callbackError = (err) => { + if (timedOut) + return; + if (timeoutId !== null) { + clearTimeout(timeoutId); + timeoutId = null; + } + onerror(err); + }; + const onsocket = (socket) => { + if (timedOut) + return; + if (timeoutId != null) { + clearTimeout(timeoutId); + timeoutId = null; + } + if (isAgent(socket)) { + // `socket` is actually an `http.Agent` instance, so + // relinquish responsibility for this `req` to the Agent + // from here on + debug('Callback returned another Agent instance %o', socket.constructor.name); + socket.addRequest(req, opts); + return; + } + if (socket) { + socket.once('free', () => { + this.freeSocket(socket, opts); + }); + req.onSocket(socket); + return; + } + const err = new Error(`no Duplex stream was returned to agent-base for \`${req.method} ${req.path}\``); + onerror(err); + }; + if (typeof this.callback !== 'function') { + onerror(new Error('`callback` is not defined')); + return; + } + if (!this.promisifiedCallback) { + if (this.callback.length >= 3) { + debug('Converting legacy callback function to promise'); + this.promisifiedCallback = promisify_1.default(this.callback); + } + else { + this.promisifiedCallback = this.callback; + } + } + if (typeof timeoutMs === 'number' && timeoutMs > 0) { + timeoutId = setTimeout(ontimeout, timeoutMs); + } + if ('port' in opts && typeof opts.port !== 'number') { + opts.port = Number(opts.port); + } + try { + debug('Resolving socket for %o request: %o', opts.protocol, `${req.method} ${req.path}`); + Promise.resolve(this.promisifiedCallback(req, opts)).then(onsocket, callbackError); + } + catch (err) { + Promise.reject(err).catch(callbackError); + } + } + freeSocket(socket, opts) { + debug('Freeing socket %o %o', socket.constructor.name, opts); + socket.destroy(); + } + destroy() { + debug('Destroying agent %o', this.constructor.name); + } + } + createAgent.Agent = Agent; + // So that `instanceof` works correctly + createAgent.prototype = createAgent.Agent.prototype; +})(createAgent || (createAgent = {})); +module.exports = createAgent; +//# sourceMappingURL=index.js.map + +/***/ }), + +/***/ 76948: +/***/ ((__unused_webpack_module, exports) => { + +"use strict"; + +Object.defineProperty(exports, "__esModule", ({ value: true })); +function promisify(fn) { + return function (req, opts) { + return new Promise((resolve, reject) => { + fn.call(this, req, opts, (err, rtn) => { + if (err) { + reject(err); + } + else { + resolve(rtn); + } + }); + }); + }; +} +exports["default"] = promisify; +//# sourceMappingURL=promisify.js.map + /***/ }), /***/ 91403: @@ -81079,6 +81324,284 @@ module.exports = function (dst, src) { }; +/***/ }), + +/***/ 39808: +/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { + +"use strict"; + +var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { + function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); } + return new (P || (P = Promise))(function (resolve, reject) { + function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } + function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } + function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } + step((generator = generator.apply(thisArg, _arguments || [])).next()); + }); +}; +var __importDefault = (this && this.__importDefault) || function (mod) { + return (mod && mod.__esModule) ? mod : { "default": mod }; +}; +Object.defineProperty(exports, "__esModule", ({ value: true })); +const net_1 = __importDefault(__nccwpck_require__(41808)); +const tls_1 = __importDefault(__nccwpck_require__(24404)); +const url_1 = __importDefault(__nccwpck_require__(57310)); +const assert_1 = __importDefault(__nccwpck_require__(39491)); +const debug_1 = __importDefault(__nccwpck_require__(38237)); +const agent_base_1 = __nccwpck_require__(17401); +const parse_proxy_response_1 = __importDefault(__nccwpck_require__(88494)); +const debug = debug_1.default('https-proxy-agent:agent'); +/** + * The `HttpsProxyAgent` implements an HTTP Agent subclass that connects to + * the specified "HTTP(s) proxy server" in order to proxy HTTPS requests. + * + * Outgoing HTTP requests are first tunneled through the proxy server using the + * `CONNECT` HTTP request method to establish a connection to the proxy server, + * and then the proxy server connects to the destination target and issues the + * HTTP request from the proxy server. + * + * `https:` requests have their socket connection upgraded to TLS once + * the connection to the proxy server has been established. + * + * @api public + */ +class HttpsProxyAgent extends agent_base_1.Agent { + constructor(_opts) { + let opts; + if (typeof _opts === 'string') { + opts = url_1.default.parse(_opts); + } + else { + opts = _opts; + } + if (!opts) { + throw new Error('an HTTP(S) proxy server `host` and `port` must be specified!'); + } + debug('creating new HttpsProxyAgent instance: %o', opts); + super(opts); + const proxy = Object.assign({}, opts); + // If `true`, then connect to the proxy server over TLS. + // Defaults to `false`. + this.secureProxy = opts.secureProxy || isHTTPS(proxy.protocol); + // Prefer `hostname` over `host`, and set the `port` if needed. + proxy.host = proxy.hostname || proxy.host; + if (typeof proxy.port === 'string') { + proxy.port = parseInt(proxy.port, 10); + } + if (!proxy.port && proxy.host) { + proxy.port = this.secureProxy ? 443 : 80; + } + // ALPN is supported by Node.js >= v5. + // attempt to negotiate http/1.1 for proxy servers that support http/2 + if (this.secureProxy && !('ALPNProtocols' in proxy)) { + proxy.ALPNProtocols = ['http 1.1']; + } + if (proxy.host && proxy.path) { + // If both a `host` and `path` are specified then it's most likely + // the result of a `url.parse()` call... we need to remove the + // `path` portion so that `net.connect()` doesn't attempt to open + // that as a Unix socket file. + delete proxy.path; + delete proxy.pathname; + } + this.proxy = proxy; + } + /** + * Called when the node-core HTTP client library is creating a + * new HTTP request. + * + * @api protected + */ + callback(req, opts) { + return __awaiter(this, void 0, void 0, function* () { + const { proxy, secureProxy } = this; + // Create a socket connection to the proxy server. + let socket; + if (secureProxy) { + debug('Creating `tls.Socket`: %o', proxy); + socket = tls_1.default.connect(proxy); + } + else { + debug('Creating `net.Socket`: %o', proxy); + socket = net_1.default.connect(proxy); + } + const headers = Object.assign({}, proxy.headers); + const hostname = `${opts.host}:${opts.port}`; + let payload = `CONNECT ${hostname} HTTP/1.1\r\n`; + // Inject the `Proxy-Authorization` header if necessary. + if (proxy.auth) { + headers['Proxy-Authorization'] = `Basic ${Buffer.from(proxy.auth).toString('base64')}`; + } + // The `Host` header should only include the port + // number when it is not the default port. + let { host, port, secureEndpoint } = opts; + if (!isDefaultPort(port, secureEndpoint)) { + host += `:${port}`; + } + headers.Host = host; + headers.Connection = 'close'; + for (const name of Object.keys(headers)) { + payload += `${name}: ${headers[name]}\r\n`; + } + const proxyResponsePromise = parse_proxy_response_1.default(socket); + socket.write(`${payload}\r\n`); + const { statusCode, buffered } = yield proxyResponsePromise; + if (statusCode === 200) { + req.once('socket', resume); + if (opts.secureEndpoint) { + // The proxy is connecting to a TLS server, so upgrade + // this socket connection to a TLS connection. + debug('Upgrading socket connection to TLS'); + const servername = opts.servername || opts.host; + return tls_1.default.connect(Object.assign(Object.assign({}, omit(opts, 'host', 'hostname', 'path', 'port')), { socket, + servername })); + } + return socket; + } + // Some other status code that's not 200... need to re-play the HTTP + // header "data" events onto the socket once the HTTP machinery is + // attached so that the node core `http` can parse and handle the + // error status code. + // Close the original socket, and a new "fake" socket is returned + // instead, so that the proxy doesn't get the HTTP request + // written to it (which may contain `Authorization` headers or other + // sensitive data). + // + // See: https://hackerone.com/reports/541502 + socket.destroy(); + const fakeSocket = new net_1.default.Socket({ writable: false }); + fakeSocket.readable = true; + // Need to wait for the "socket" event to re-play the "data" events. + req.once('socket', (s) => { + debug('replaying proxy buffer for failed request'); + assert_1.default(s.listenerCount('data') > 0); + // Replay the "buffered" Buffer onto the fake `socket`, since at + // this point the HTTP module machinery has been hooked up for + // the user. + s.push(buffered); + s.push(null); + }); + return fakeSocket; + }); + } +} +exports["default"] = HttpsProxyAgent; +function resume(socket) { + socket.resume(); +} +function isDefaultPort(port, secure) { + return Boolean((!secure && port === 80) || (secure && port === 443)); +} +function isHTTPS(protocol) { + return typeof protocol === 'string' ? /^https:?$/i.test(protocol) : false; +} +function omit(obj, ...keys) { + const ret = {}; + let key; + for (key in obj) { + if (!keys.includes(key)) { + ret[key] = obj[key]; + } + } + return ret; +} +//# sourceMappingURL=agent.js.map + +/***/ }), + +/***/ 28414: +/***/ (function(module, __unused_webpack_exports, __nccwpck_require__) { + +"use strict"; + +var __importDefault = (this && this.__importDefault) || function (mod) { + return (mod && mod.__esModule) ? mod : { "default": mod }; +}; +const agent_1 = __importDefault(__nccwpck_require__(39808)); +function createHttpsProxyAgent(opts) { + return new agent_1.default(opts); +} +(function (createHttpsProxyAgent) { + createHttpsProxyAgent.HttpsProxyAgent = agent_1.default; + createHttpsProxyAgent.prototype = agent_1.default.prototype; +})(createHttpsProxyAgent || (createHttpsProxyAgent = {})); +module.exports = createHttpsProxyAgent; +//# sourceMappingURL=index.js.map + +/***/ }), + +/***/ 88494: +/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { + +"use strict"; + +var __importDefault = (this && this.__importDefault) || function (mod) { + return (mod && mod.__esModule) ? mod : { "default": mod }; +}; +Object.defineProperty(exports, "__esModule", ({ value: true })); +const debug_1 = __importDefault(__nccwpck_require__(38237)); +const debug = debug_1.default('https-proxy-agent:parse-proxy-response'); +function parseProxyResponse(socket) { + return new Promise((resolve, reject) => { + // we need to buffer any HTTP traffic that happens with the proxy before we get + // the CONNECT response, so that if the response is anything other than an "200" + // response code, then we can re-play the "data" events on the socket once the + // HTTP parser is hooked up... + let buffersLength = 0; + const buffers = []; + function read() { + const b = socket.read(); + if (b) + ondata(b); + else + socket.once('readable', read); + } + function cleanup() { + socket.removeListener('end', onend); + socket.removeListener('error', onerror); + socket.removeListener('close', onclose); + socket.removeListener('readable', read); + } + function onclose(err) { + debug('onclose had error %o', err); + } + function onend() { + debug('onend'); + } + function onerror(err) { + cleanup(); + debug('onerror %o', err); + reject(err); + } + function ondata(b) { + buffers.push(b); + buffersLength += b.length; + const buffered = Buffer.concat(buffers, buffersLength); + const endOfHeaders = buffered.indexOf('\r\n\r\n'); + if (endOfHeaders === -1) { + // keep buffering + debug('have not received end of HTTP headers yet...'); + read(); + return; + } + const firstLine = buffered.toString('ascii', 0, buffered.indexOf('\r\n')); + const statusCode = +firstLine.split(' ')[1]; + debug('got proxy server response: %o', firstLine); + resolve({ + statusCode, + buffered + }); + } + socket.on('error', onerror); + socket.on('close', onclose); + socket.on('end', onend); + read(); + }); +} +exports["default"] = parseProxyResponse; +//# sourceMappingURL=parse-proxy-response.js.map + /***/ }), /***/ 9417: @@ -194670,16 +195193,18 @@ exports.getPackageJSON = getPackageJSON; /***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { "use strict"; -/*! Axios v1.15.0 Copyright (c) 2026 Matt Zabriskie and contributors */ +/*! Axios v1.16.1 Copyright (c) 2026 Matt Zabriskie and contributors */ var FormData$1 = __nccwpck_require__(91403); var crypto = __nccwpck_require__(6113); var url = __nccwpck_require__(57310); +var HttpsProxyAgent = __nccwpck_require__(28414); var http = __nccwpck_require__(13685); var https = __nccwpck_require__(95687); var http2 = __nccwpck_require__(85158); var util = __nccwpck_require__(73837); +var path = __nccwpck_require__(71017); var followRedirects = __nccwpck_require__(67707); var zlib = __nccwpck_require__(59796); var stream = __nccwpck_require__(12781); @@ -194879,9 +195404,9 @@ const isFile = kindOfTest('File'); * also have a `name` and `type` attribute to specify filename and content type * * @see https://github.com/facebook/react-native/blob/26684cf3adf4094eb6c405d345a75bf8c7c0bf88/Libraries/Network/FormData.js#L68-L71 - * + * * @param {*} value The value to test - * + * * @returns {boolean} True if value is a React Native Blob, otherwise false */ const isReactNativeBlob = value => { @@ -194891,9 +195416,9 @@ const isReactNativeBlob = value => { /** * Determine if environment is React Native * ReactNative `FormData` has a non-standard `getParts()` method - * + * * @param {*} formData The formData to test - * + * * @returns {boolean} True if environment is React Native, otherwise false */ const isReactNative = formData => formData && typeof formData.getParts !== 'undefined'; @@ -194912,7 +195437,7 @@ const isBlob = kindOfTest('Blob'); * * @param {*} val The value to test * - * @returns {boolean} True if value is a File, otherwise false + * @returns {boolean} True if value is a FileList, otherwise false */ const isFileList = kindOfTest('FileList'); @@ -194942,10 +195467,16 @@ function getGlobal() { const G = getGlobal(); const FormDataCtor = typeof G.FormData !== 'undefined' ? G.FormData : undefined; const isFormData = thing => { - let kind; - return thing && (FormDataCtor && thing instanceof FormDataCtor || isFunction$1(thing.append) && ((kind = kindOf(thing)) === 'formdata' || + if (!thing) return false; + if (FormDataCtor && thing instanceof FormDataCtor) return true; + // Reject plain objects inheriting directly from Object.prototype so prototype-pollution gadgets can't spoof FormData. + const proto = getPrototypeOf(thing); + if (!proto || proto === Object.prototype) return false; + if (!isFunction$1(thing.append)) return false; + const kind = kindOf(thing); + return kind === 'formdata' || // detect form-data instance - kind === 'object' && isFunction$1(thing.toString) && thing.toString() === '[object FormData]')); + kind === 'object' && isFunction$1(thing.toString) && thing.toString() === '[object FormData]'; }; /** @@ -195070,8 +195601,7 @@ const isContextDefined = context => !isUndefined(context) && context !== _global * * @returns {Object} Result of all merge properties */ -function merge(/* obj1, obj2, obj3, ... */ -) { +function merge(...objs) { const { caseless, skipUndefined @@ -195083,8 +195613,12 @@ function merge(/* obj1, obj2, obj3, ... */ return; } const targetKey = caseless && findKey(result, key) || key; - if (isPlainObject(result[targetKey]) && isPlainObject(val)) { - result[targetKey] = merge(result[targetKey], val); + // Read via own-prop only — a bare `result[targetKey]` walks the prototype + // chain, so a polluted Object.prototype value could surface here and get + // copied into the merged result. + const existing = hasOwnProperty(result, targetKey) ? result[targetKey] : undefined; + if (isPlainObject(existing) && isPlainObject(val)) { + result[targetKey] = merge(existing, val); } else if (isPlainObject(val)) { result[targetKey] = merge({}, val); } else if (isArray(val)) { @@ -195093,8 +195627,8 @@ function merge(/* obj1, obj2, obj3, ... */ result[targetKey] = val; } }; - for (let i = 0, l = arguments.length; i < l; i++) { - arguments[i] && forEach(arguments[i], assignValue); + for (let i = 0, l = objs.length; i < l; i++) { + objs[i] && forEach(objs[i], assignValue); } return result; } @@ -195116,6 +195650,9 @@ const extend = (a, b, thisArg, { forEach(b, (val, key) => { if (thisArg && isFunction$1(val)) { Object.defineProperty(a, key, { + // Null-proto descriptor so a polluted Object.prototype.get cannot + // hijack defineProperty's accessor-vs-data resolution. + __proto__: null, value: bind(val, thisArg), writable: true, enumerable: true, @@ -195123,6 +195660,7 @@ const extend = (a, b, thisArg, { }); } else { Object.defineProperty(a, key, { + __proto__: null, value: val, writable: true, enumerable: true, @@ -195161,12 +195699,14 @@ const stripBOM = content => { const inherits = (constructor, superConstructor, props, descriptors) => { constructor.prototype = Object.create(superConstructor.prototype, descriptors); Object.defineProperty(constructor.prototype, 'constructor', { + __proto__: null, value: constructor, writable: true, enumerable: false, configurable: true }); Object.defineProperty(constructor, 'super', { + __proto__: null, value: superConstructor.prototype }); props && Object.assign(constructor.prototype, props); @@ -195334,7 +195874,7 @@ const reduceDescriptors = (obj, reducer) => { const freezeMethods = obj => { reduceDescriptors(obj, (descriptor, name) => { // skip restricted props in strict mode - if (isFunction$1(obj) && ['arguments', 'caller', 'callee'].indexOf(name) !== -1) { + if (isFunction$1(obj) && ['arguments', 'caller', 'callee'].includes(name)) { return false; } const value = obj[name]; @@ -195393,10 +195933,10 @@ function isSpecCompliantForm(thing) { * @returns {Object} The JSON-compatible object. */ const toJSONObject = obj => { - const stack = new Array(10); - const visit = (source, i) => { + const visited = new WeakSet(); + const visit = source => { if (isObject(source)) { - if (stack.indexOf(source) >= 0) { + if (visited.has(source)) { return; } @@ -195405,19 +195945,20 @@ const toJSONObject = obj => { return source; } if (!('toJSON' in source)) { - stack[i] = source; + // add-on descent / delete-on-ascent: preserves path semantics, so DAG nodes serialise at every occurrence (see #7230). + visited.add(source); const target = isArray(source) ? [] : {}; forEach(source, (value, key) => { - const reducedValue = visit(value, i + 1); + const reducedValue = visit(value); !isUndefined(reducedValue) && (target[key] = reducedValue); }); - stack[i] = undefined; + visited.delete(source); return target; } } return source; }; - return visit(obj, 0); + return visit(obj); }; /** @@ -195541,6 +196082,382 @@ var utils$1 = { isIterable }; +// RawAxiosHeaders whose duplicates are ignored by node +// c.f. https://nodejs.org/api/http.html#http_message_headers +const ignoreDuplicateOf = utils$1.toObjectSet(['age', 'authorization', 'content-length', 'content-type', 'etag', 'expires', 'from', 'host', 'if-modified-since', 'if-unmodified-since', 'last-modified', 'location', 'max-forwards', 'proxy-authorization', 'referer', 'retry-after', 'user-agent']); + +/** + * Parse headers into an object + * + * ``` + * Date: Wed, 27 Aug 2014 08:58:49 GMT + * Content-Type: application/json + * Connection: keep-alive + * Transfer-Encoding: chunked + * ``` + * + * @param {String} rawHeaders Headers needing to be parsed + * + * @returns {Object} Headers parsed into an object + */ +var parseHeaders = rawHeaders => { + const parsed = {}; + let key; + let val; + let i; + rawHeaders && rawHeaders.split('\n').forEach(function parser(line) { + i = line.indexOf(':'); + key = line.substring(0, i).trim().toLowerCase(); + val = line.substring(i + 1).trim(); + if (!key || parsed[key] && ignoreDuplicateOf[key]) { + return; + } + if (key === 'set-cookie') { + if (parsed[key]) { + parsed[key].push(val); + } else { + parsed[key] = [val]; + } + } else { + parsed[key] = parsed[key] ? parsed[key] + ', ' + val : val; + } + }); + return parsed; +}; + +function trimSPorHTAB(str) { + let start = 0; + let end = str.length; + while (start < end) { + const code = str.charCodeAt(start); + if (code !== 0x09 && code !== 0x20) { + break; + } + start += 1; + } + while (end > start) { + const code = str.charCodeAt(end - 1); + if (code !== 0x09 && code !== 0x20) { + break; + } + end -= 1; + } + return start === 0 && end === str.length ? str : str.slice(start, end); +} + +// The control-code ranges are intentional: header sanitization strips C0/DEL bytes. +// eslint-disable-next-line no-control-regex +const INVALID_UNICODE_HEADER_VALUE_CHARS = new RegExp('[\\u0000-\\u0008\\u000a-\\u001f\\u007f]+', 'g'); +// eslint-disable-next-line no-control-regex +const INVALID_BYTE_STRING_HEADER_VALUE_CHARS = new RegExp('[^\\u0009\\u0020-\\u007e\\u0080-\\u00ff]+', 'g'); +function sanitizeValue(value, invalidChars) { + if (utils$1.isArray(value)) { + return value.map(item => sanitizeValue(item, invalidChars)); + } + return trimSPorHTAB(String(value).replace(invalidChars, '')); +} +const sanitizeHeaderValue = value => sanitizeValue(value, INVALID_UNICODE_HEADER_VALUE_CHARS); +const sanitizeByteStringHeaderValue = value => sanitizeValue(value, INVALID_BYTE_STRING_HEADER_VALUE_CHARS); +function toByteStringHeaderObject(headers) { + const byteStringHeaders = Object.create(null); + utils$1.forEach(headers.toJSON(), (value, header) => { + byteStringHeaders[header] = sanitizeByteStringHeaderValue(value); + }); + return byteStringHeaders; +} + +const $internals = Symbol('internals'); +function normalizeHeader(header) { + return header && String(header).trim().toLowerCase(); +} +function normalizeValue(value) { + if (value === false || value == null) { + return value; + } + return utils$1.isArray(value) ? value.map(normalizeValue) : sanitizeHeaderValue(String(value)); +} +function parseTokens(str) { + const tokens = Object.create(null); + const tokensRE = /([^\s,;=]+)\s*(?:=\s*([^,;]+))?/g; + let match; + while (match = tokensRE.exec(str)) { + tokens[match[1]] = match[2]; + } + return tokens; +} +const isValidHeaderName = str => /^[-_a-zA-Z0-9^`|~,!#$%&'*+.]+$/.test(str.trim()); +function matchHeaderValue(context, value, header, filter, isHeaderNameFilter) { + if (utils$1.isFunction(filter)) { + return filter.call(this, value, header); + } + if (isHeaderNameFilter) { + value = header; + } + if (!utils$1.isString(value)) return; + if (utils$1.isString(filter)) { + return value.indexOf(filter) !== -1; + } + if (utils$1.isRegExp(filter)) { + return filter.test(value); + } +} +function formatHeader(header) { + return header.trim().toLowerCase().replace(/([a-z\d])(\w*)/g, (w, char, str) => { + return char.toUpperCase() + str; + }); +} +function buildAccessors(obj, header) { + const accessorName = utils$1.toCamelCase(' ' + header); + ['get', 'set', 'has'].forEach(methodName => { + Object.defineProperty(obj, methodName + accessorName, { + // Null-proto descriptor so a polluted Object.prototype.get cannot turn + // this data descriptor into an accessor descriptor on the way in. + __proto__: null, + value: function (arg1, arg2, arg3) { + return this[methodName].call(this, header, arg1, arg2, arg3); + }, + configurable: true + }); + }); +} +class AxiosHeaders { + constructor(headers) { + headers && this.set(headers); + } + set(header, valueOrRewrite, rewrite) { + const self = this; + function setHeader(_value, _header, _rewrite) { + const lHeader = normalizeHeader(_header); + if (!lHeader) { + throw new Error('header name must be a non-empty string'); + } + const key = utils$1.findKey(self, lHeader); + if (!key || self[key] === undefined || _rewrite === true || _rewrite === undefined && self[key] !== false) { + self[key || _header] = normalizeValue(_value); + } + } + const setHeaders = (headers, _rewrite) => utils$1.forEach(headers, (_value, _header) => setHeader(_value, _header, _rewrite)); + if (utils$1.isPlainObject(header) || header instanceof this.constructor) { + setHeaders(header, valueOrRewrite); + } else if (utils$1.isString(header) && (header = header.trim()) && !isValidHeaderName(header)) { + setHeaders(parseHeaders(header), valueOrRewrite); + } else if (utils$1.isObject(header) && utils$1.isIterable(header)) { + let obj = {}, + dest, + key; + for (const entry of header) { + if (!utils$1.isArray(entry)) { + throw TypeError('Object iterator must return a key-value pair'); + } + obj[key = entry[0]] = (dest = obj[key]) ? utils$1.isArray(dest) ? [...dest, entry[1]] : [dest, entry[1]] : entry[1]; + } + setHeaders(obj, valueOrRewrite); + } else { + header != null && setHeader(valueOrRewrite, header, rewrite); + } + return this; + } + get(header, parser) { + header = normalizeHeader(header); + if (header) { + const key = utils$1.findKey(this, header); + if (key) { + const value = this[key]; + if (!parser) { + return value; + } + if (parser === true) { + return parseTokens(value); + } + if (utils$1.isFunction(parser)) { + return parser.call(this, value, key); + } + if (utils$1.isRegExp(parser)) { + return parser.exec(value); + } + throw new TypeError('parser must be boolean|regexp|function'); + } + } + } + has(header, matcher) { + header = normalizeHeader(header); + if (header) { + const key = utils$1.findKey(this, header); + return !!(key && this[key] !== undefined && (!matcher || matchHeaderValue(this, this[key], key, matcher))); + } + return false; + } + delete(header, matcher) { + const self = this; + let deleted = false; + function deleteHeader(_header) { + _header = normalizeHeader(_header); + if (_header) { + const key = utils$1.findKey(self, _header); + if (key && (!matcher || matchHeaderValue(self, self[key], key, matcher))) { + delete self[key]; + deleted = true; + } + } + } + if (utils$1.isArray(header)) { + header.forEach(deleteHeader); + } else { + deleteHeader(header); + } + return deleted; + } + clear(matcher) { + const keys = Object.keys(this); + let i = keys.length; + let deleted = false; + while (i--) { + const key = keys[i]; + if (!matcher || matchHeaderValue(this, this[key], key, matcher, true)) { + delete this[key]; + deleted = true; + } + } + return deleted; + } + normalize(format) { + const self = this; + const headers = {}; + utils$1.forEach(this, (value, header) => { + const key = utils$1.findKey(headers, header); + if (key) { + self[key] = normalizeValue(value); + delete self[header]; + return; + } + const normalized = format ? formatHeader(header) : String(header).trim(); + if (normalized !== header) { + delete self[header]; + } + self[normalized] = normalizeValue(value); + headers[normalized] = true; + }); + return this; + } + concat(...targets) { + return this.constructor.concat(this, ...targets); + } + toJSON(asStrings) { + const obj = Object.create(null); + utils$1.forEach(this, (value, header) => { + value != null && value !== false && (obj[header] = asStrings && utils$1.isArray(value) ? value.join(', ') : value); + }); + return obj; + } + [Symbol.iterator]() { + return Object.entries(this.toJSON())[Symbol.iterator](); + } + toString() { + return Object.entries(this.toJSON()).map(([header, value]) => header + ': ' + value).join('\n'); + } + getSetCookie() { + return this.get('set-cookie') || []; + } + get [Symbol.toStringTag]() { + return 'AxiosHeaders'; + } + static from(thing) { + return thing instanceof this ? thing : new this(thing); + } + static concat(first, ...targets) { + const computed = new this(first); + targets.forEach(target => computed.set(target)); + return computed; + } + static accessor(header) { + const internals = this[$internals] = this[$internals] = { + accessors: {} + }; + const accessors = internals.accessors; + const prototype = this.prototype; + function defineAccessor(_header) { + const lHeader = normalizeHeader(_header); + if (!accessors[lHeader]) { + buildAccessors(prototype, _header); + accessors[lHeader] = true; + } + } + utils$1.isArray(header) ? header.forEach(defineAccessor) : defineAccessor(header); + return this; + } +} +AxiosHeaders.accessor(['Content-Type', 'Content-Length', 'Accept', 'Accept-Encoding', 'User-Agent', 'Authorization']); + +// reserved names hotfix +utils$1.reduceDescriptors(AxiosHeaders.prototype, ({ + value +}, key) => { + let mapped = key[0].toUpperCase() + key.slice(1); // map `set` => `Set` + return { + get: () => value, + set(headerValue) { + this[mapped] = headerValue; + } + }; +}); +utils$1.freezeMethods(AxiosHeaders); + +const REDACTED = '[REDACTED ****]'; +function hasOwnOrPrototypeToJSON(source) { + if (utils$1.hasOwnProp(source, 'toJSON')) { + return true; + } + let prototype = Object.getPrototypeOf(source); + while (prototype && prototype !== Object.prototype) { + if (utils$1.hasOwnProp(prototype, 'toJSON')) { + return true; + } + prototype = Object.getPrototypeOf(prototype); + } + return false; +} + +// Build a plain-object snapshot of `config` and replace the value of any key +// (case-insensitive) listed in `redactKeys` with REDACTED. Walks through arrays +// and AxiosHeaders, and short-circuits on circular references. +function redactConfig(config, redactKeys) { + const lowerKeys = new Set(redactKeys.map(k => String(k).toLowerCase())); + const seen = []; + const visit = source => { + if (source === null || typeof source !== 'object') return source; + if (utils$1.isBuffer(source)) return source; + if (seen.indexOf(source) !== -1) return undefined; + if (source instanceof AxiosHeaders) { + source = source.toJSON(); + } + seen.push(source); + let result; + if (utils$1.isArray(source)) { + result = []; + source.forEach((v, i) => { + const reducedValue = visit(v); + if (!utils$1.isUndefined(reducedValue)) { + result[i] = reducedValue; + } + }); + } else { + if (!utils$1.isPlainObject(source) && hasOwnOrPrototypeToJSON(source)) { + seen.pop(); + return source; + } + result = Object.create(null); + for (const [key, value] of Object.entries(source)) { + const reducedValue = lowerKeys.has(key.toLowerCase()) ? REDACTED : visit(value); + if (!utils$1.isUndefined(reducedValue)) { + result[key] = reducedValue; + } + } + } + seen.pop(); + return result; + }; + return visit(config); +} class AxiosError extends Error { static from(error, code, config, request, response, customProps) { const axiosError = new AxiosError(error.message, code || error.code, config, request, response); @@ -195573,6 +196490,9 @@ class AxiosError extends Error { // The native Error constructor sets message as non-enumerable, // but axios < v1.13.3 had it as enumerable Object.defineProperty(this, 'message', { + // Null-proto descriptor so a polluted Object.prototype.get cannot turn + // this data descriptor into an accessor descriptor on the way in. + __proto__: null, value: message, enumerable: true, writable: true, @@ -195589,6 +196509,13 @@ class AxiosError extends Error { } } toJSON() { + // Opt-in redaction: when the request config carries a `redact` array, the + // value of any matching key (case-insensitive, at any depth) is replaced + // with REDACTED in the serialized snapshot. Undefined or empty leaves the + // existing serialization behavior unchanged. + const config = this.config; + const redactKeys = config && utils$1.hasOwnProp(config, 'redact') ? config.redact : undefined; + const serializedConfig = utils$1.isArray(redactKeys) && redactKeys.length > 0 ? redactConfig(config, redactKeys) : utils$1.toJSONObject(config); return { // Standard message: this.message, @@ -195602,7 +196529,7 @@ class AxiosError extends Error { columnNumber: this.columnNumber, stack: this.stack, // Axios - config: utils$1.toJSONObject(this.config), + config: serializedConfig, code: this.code, status: this.status }; @@ -195614,6 +196541,7 @@ AxiosError.ERR_BAD_OPTION_VALUE = 'ERR_BAD_OPTION_VALUE'; AxiosError.ERR_BAD_OPTION = 'ERR_BAD_OPTION'; AxiosError.ECONNABORTED = 'ECONNABORTED'; AxiosError.ETIMEDOUT = 'ETIMEDOUT'; +AxiosError.ECONNREFUSED = 'ECONNREFUSED'; AxiosError.ERR_NETWORK = 'ERR_NETWORK'; AxiosError.ERR_FR_TOO_MANY_REDIRECTS = 'ERR_FR_TOO_MANY_REDIRECTS'; AxiosError.ERR_DEPRECATED = 'ERR_DEPRECATED'; @@ -195622,6 +196550,7 @@ AxiosError.ERR_BAD_REQUEST = 'ERR_BAD_REQUEST'; AxiosError.ERR_CANCELED = 'ERR_CANCELED'; AxiosError.ERR_NOT_SUPPORT = 'ERR_NOT_SUPPORT'; AxiosError.ERR_INVALID_URL = 'ERR_INVALID_URL'; +AxiosError.ERR_FORM_DATA_DEPTH_EXCEEDED = 'ERR_FORM_DATA_DEPTH_EXCEEDED'; /** * Determines if the given thing is a array or js object. @@ -195723,6 +196652,7 @@ function toFormData(obj, formData, options) { const dots = options.dots; const indexes = options.indexes; const _Blob = options.Blob || typeof Blob !== 'undefined' && Blob; + const maxDepth = options.maxDepth === undefined ? 100 : options.maxDepth; const useBlob = _Blob && utils$1.isSpecCompliantForm(formData); if (!utils$1.isFunction(visitor)) { throw new TypeError('visitor must be a function'); @@ -195789,8 +196719,11 @@ function toFormData(obj, formData, options) { convertValue, isVisitable }); - function build(value, path) { + function build(value, path, depth = 0) { if (utils$1.isUndefined(value)) return; + if (depth > maxDepth) { + throw new AxiosError('Object is too deeply nested (' + depth + ' levels). Max depth: ' + maxDepth, AxiosError.ERR_FORM_DATA_DEPTH_EXCEEDED); + } if (stack.indexOf(value) !== -1) { throw Error('Circular reference detected in ' + path.join('.')); } @@ -195798,7 +196731,7 @@ function toFormData(obj, formData, options) { utils$1.forEach(value, function each(el, key) { const result = !(utils$1.isUndefined(el) || el === null) && visitor.call(formData, el, utils$1.isString(key) ? key.trim() : key, path, exposedHelpers); if (result === true) { - build(el, path ? path.concat(key) : [key]); + build(el, path ? path.concat(key) : [key], depth + 1); } }); stack.pop(); @@ -195825,10 +196758,9 @@ function encode$1(str) { '(': '%28', ')': '%29', '~': '%7E', - '%20': '+', - '%00': '\x00' + '%20': '+' }; - return encodeURIComponent(str).replace(/[!'()~]|%20|%00/g, function replacer(match) { + return encodeURIComponent(str).replace(/[!'()~]|%20/g, function replacer(match) { return charMap[match]; }); } @@ -196129,13 +197061,13 @@ function formDataToJSON(formData) { name = !name && utils$1.isArray(target) ? target.length : name; if (isLast) { if (utils$1.hasOwnProp(target, name)) { - target[name] = [target[name], value]; + target[name] = utils$1.isArray(target[name]) ? target[name].concat(value) : [target[name], value]; } else { target[name] = value; } return !isNumericKey; } - if (!target[name] || !utils$1.isObject(target[name])) { + if (!utils$1.hasOwnProp(target, name) || !utils$1.isObject(target[name])) { target[name] = []; } const result = buildPath(path, value, target[name], index); @@ -196154,6 +197086,8 @@ function formDataToJSON(formData) { return null; } +const own = (obj, key) => obj != null && utils$1.hasOwnProp(obj, key) ? obj[key] : undefined; + /** * It takes a string, tries to parse it, and if it fails, it returns the stringified version * of the input @@ -196203,14 +197137,16 @@ const defaults = { } let isFileList; if (isObjectPayload) { + const formSerializer = own(this, 'formSerializer'); if (contentType.indexOf('application/x-www-form-urlencoded') > -1) { - return toURLEncodedForm(data, this.formSerializer).toString(); + return toURLEncodedForm(data, formSerializer).toString(); } if ((isFileList = utils$1.isFileList(data)) || contentType.indexOf('multipart/form-data') > -1) { - const _FormData = this.env && this.env.FormData; + const env = own(this, 'env'); + const _FormData = env && env.FormData; return toFormData(isFileList ? { 'files[]': data - } : data, _FormData && new _FormData(), this.formSerializer); + } : data, _FormData && new _FormData(), formSerializer); } } if (isObjectPayload || hasJSONContentType) { @@ -196220,21 +197156,22 @@ const defaults = { return data; }], transformResponse: [function transformResponse(data) { - const transitional = this.transitional || defaults.transitional; + const transitional = own(this, 'transitional') || defaults.transitional; const forcedJSONParsing = transitional && transitional.forcedJSONParsing; - const JSONRequested = this.responseType === 'json'; + const responseType = own(this, 'responseType'); + const JSONRequested = responseType === 'json'; if (utils$1.isResponse(data) || utils$1.isReadableStream(data)) { return data; } - if (data && utils$1.isString(data) && (forcedJSONParsing && !this.responseType || JSONRequested)) { + if (data && utils$1.isString(data) && (forcedJSONParsing && !responseType || JSONRequested)) { const silentJSONParsing = transitional && transitional.silentJSONParsing; const strictJSONParsing = !silentJSONParsing && JSONRequested; try { - return JSON.parse(data, this.parseReviver); + return JSON.parse(data, own(this, 'parseReviver')); } catch (e) { if (strictJSONParsing) { if (e.name === 'SyntaxError') { - throw AxiosError.from(e, AxiosError.ERR_BAD_RESPONSE, this, null, this.response); + throw AxiosError.from(e, AxiosError.ERR_BAD_RESPONSE, this, null, own(this, 'response')); } throw e; } @@ -196265,311 +197202,10 @@ const defaults = { } } }; -utils$1.forEach(['delete', 'get', 'head', 'post', 'put', 'patch'], method => { +utils$1.forEach(['delete', 'get', 'head', 'post', 'put', 'patch', 'query'], method => { defaults.headers[method] = {}; }); -// RawAxiosHeaders whose duplicates are ignored by node -// c.f. https://nodejs.org/api/http.html#http_message_headers -const ignoreDuplicateOf = utils$1.toObjectSet(['age', 'authorization', 'content-length', 'content-type', 'etag', 'expires', 'from', 'host', 'if-modified-since', 'if-unmodified-since', 'last-modified', 'location', 'max-forwards', 'proxy-authorization', 'referer', 'retry-after', 'user-agent']); - -/** - * Parse headers into an object - * - * ``` - * Date: Wed, 27 Aug 2014 08:58:49 GMT - * Content-Type: application/json - * Connection: keep-alive - * Transfer-Encoding: chunked - * ``` - * - * @param {String} rawHeaders Headers needing to be parsed - * - * @returns {Object} Headers parsed into an object - */ -var parseHeaders = rawHeaders => { - const parsed = {}; - let key; - let val; - let i; - rawHeaders && rawHeaders.split('\n').forEach(function parser(line) { - i = line.indexOf(':'); - key = line.substring(0, i).trim().toLowerCase(); - val = line.substring(i + 1).trim(); - if (!key || parsed[key] && ignoreDuplicateOf[key]) { - return; - } - if (key === 'set-cookie') { - if (parsed[key]) { - parsed[key].push(val); - } else { - parsed[key] = [val]; - } - } else { - parsed[key] = parsed[key] ? parsed[key] + ', ' + val : val; - } - }); - return parsed; -}; - -const $internals = Symbol('internals'); -const isValidHeaderValue = value => !/[\r\n]/.test(value); -function assertValidHeaderValue(value, header) { - if (value === false || value == null) { - return; - } - if (utils$1.isArray(value)) { - value.forEach(v => assertValidHeaderValue(v, header)); - return; - } - if (!isValidHeaderValue(String(value))) { - throw new Error(`Invalid character in header content ["${header}"]`); - } -} -function normalizeHeader(header) { - return header && String(header).trim().toLowerCase(); -} -function stripTrailingCRLF(str) { - let end = str.length; - while (end > 0) { - const charCode = str.charCodeAt(end - 1); - if (charCode !== 10 && charCode !== 13) { - break; - } - end -= 1; - } - return end === str.length ? str : str.slice(0, end); -} -function normalizeValue(value) { - if (value === false || value == null) { - return value; - } - return utils$1.isArray(value) ? value.map(normalizeValue) : stripTrailingCRLF(String(value)); -} -function parseTokens(str) { - const tokens = Object.create(null); - const tokensRE = /([^\s,;=]+)\s*(?:=\s*([^,;]+))?/g; - let match; - while (match = tokensRE.exec(str)) { - tokens[match[1]] = match[2]; - } - return tokens; -} -const isValidHeaderName = str => /^[-_a-zA-Z0-9^`|~,!#$%&'*+.]+$/.test(str.trim()); -function matchHeaderValue(context, value, header, filter, isHeaderNameFilter) { - if (utils$1.isFunction(filter)) { - return filter.call(this, value, header); - } - if (isHeaderNameFilter) { - value = header; - } - if (!utils$1.isString(value)) return; - if (utils$1.isString(filter)) { - return value.indexOf(filter) !== -1; - } - if (utils$1.isRegExp(filter)) { - return filter.test(value); - } -} -function formatHeader(header) { - return header.trim().toLowerCase().replace(/([a-z\d])(\w*)/g, (w, char, str) => { - return char.toUpperCase() + str; - }); -} -function buildAccessors(obj, header) { - const accessorName = utils$1.toCamelCase(' ' + header); - ['get', 'set', 'has'].forEach(methodName => { - Object.defineProperty(obj, methodName + accessorName, { - value: function (arg1, arg2, arg3) { - return this[methodName].call(this, header, arg1, arg2, arg3); - }, - configurable: true - }); - }); -} -class AxiosHeaders { - constructor(headers) { - headers && this.set(headers); - } - set(header, valueOrRewrite, rewrite) { - const self = this; - function setHeader(_value, _header, _rewrite) { - const lHeader = normalizeHeader(_header); - if (!lHeader) { - throw new Error('header name must be a non-empty string'); - } - const key = utils$1.findKey(self, lHeader); - if (!key || self[key] === undefined || _rewrite === true || _rewrite === undefined && self[key] !== false) { - assertValidHeaderValue(_value, _header); - self[key || _header] = normalizeValue(_value); - } - } - const setHeaders = (headers, _rewrite) => utils$1.forEach(headers, (_value, _header) => setHeader(_value, _header, _rewrite)); - if (utils$1.isPlainObject(header) || header instanceof this.constructor) { - setHeaders(header, valueOrRewrite); - } else if (utils$1.isString(header) && (header = header.trim()) && !isValidHeaderName(header)) { - setHeaders(parseHeaders(header), valueOrRewrite); - } else if (utils$1.isObject(header) && utils$1.isIterable(header)) { - let obj = {}, - dest, - key; - for (const entry of header) { - if (!utils$1.isArray(entry)) { - throw TypeError('Object iterator must return a key-value pair'); - } - obj[key = entry[0]] = (dest = obj[key]) ? utils$1.isArray(dest) ? [...dest, entry[1]] : [dest, entry[1]] : entry[1]; - } - setHeaders(obj, valueOrRewrite); - } else { - header != null && setHeader(valueOrRewrite, header, rewrite); - } - return this; - } - get(header, parser) { - header = normalizeHeader(header); - if (header) { - const key = utils$1.findKey(this, header); - if (key) { - const value = this[key]; - if (!parser) { - return value; - } - if (parser === true) { - return parseTokens(value); - } - if (utils$1.isFunction(parser)) { - return parser.call(this, value, key); - } - if (utils$1.isRegExp(parser)) { - return parser.exec(value); - } - throw new TypeError('parser must be boolean|regexp|function'); - } - } - } - has(header, matcher) { - header = normalizeHeader(header); - if (header) { - const key = utils$1.findKey(this, header); - return !!(key && this[key] !== undefined && (!matcher || matchHeaderValue(this, this[key], key, matcher))); - } - return false; - } - delete(header, matcher) { - const self = this; - let deleted = false; - function deleteHeader(_header) { - _header = normalizeHeader(_header); - if (_header) { - const key = utils$1.findKey(self, _header); - if (key && (!matcher || matchHeaderValue(self, self[key], key, matcher))) { - delete self[key]; - deleted = true; - } - } - } - if (utils$1.isArray(header)) { - header.forEach(deleteHeader); - } else { - deleteHeader(header); - } - return deleted; - } - clear(matcher) { - const keys = Object.keys(this); - let i = keys.length; - let deleted = false; - while (i--) { - const key = keys[i]; - if (!matcher || matchHeaderValue(this, this[key], key, matcher, true)) { - delete this[key]; - deleted = true; - } - } - return deleted; - } - normalize(format) { - const self = this; - const headers = {}; - utils$1.forEach(this, (value, header) => { - const key = utils$1.findKey(headers, header); - if (key) { - self[key] = normalizeValue(value); - delete self[header]; - return; - } - const normalized = format ? formatHeader(header) : String(header).trim(); - if (normalized !== header) { - delete self[header]; - } - self[normalized] = normalizeValue(value); - headers[normalized] = true; - }); - return this; - } - concat(...targets) { - return this.constructor.concat(this, ...targets); - } - toJSON(asStrings) { - const obj = Object.create(null); - utils$1.forEach(this, (value, header) => { - value != null && value !== false && (obj[header] = asStrings && utils$1.isArray(value) ? value.join(', ') : value); - }); - return obj; - } - [Symbol.iterator]() { - return Object.entries(this.toJSON())[Symbol.iterator](); - } - toString() { - return Object.entries(this.toJSON()).map(([header, value]) => header + ': ' + value).join('\n'); - } - getSetCookie() { - return this.get('set-cookie') || []; - } - get [Symbol.toStringTag]() { - return 'AxiosHeaders'; - } - static from(thing) { - return thing instanceof this ? thing : new this(thing); - } - static concat(first, ...targets) { - const computed = new this(first); - targets.forEach(target => computed.set(target)); - return computed; - } - static accessor(header) { - const internals = this[$internals] = this[$internals] = { - accessors: {} - }; - const accessors = internals.accessors; - const prototype = this.prototype; - function defineAccessor(_header) { - const lHeader = normalizeHeader(_header); - if (!accessors[lHeader]) { - buildAccessors(prototype, _header); - accessors[lHeader] = true; - } - } - utils$1.isArray(header) ? header.forEach(defineAccessor) : defineAccessor(header); - return this; - } -} -AxiosHeaders.accessor(['Content-Type', 'Content-Length', 'Accept', 'Accept-Encoding', 'User-Agent', 'Authorization']); - -// reserved names hotfix -utils$1.reduceDescriptors(AxiosHeaders.prototype, ({ - value -}, key) => { - let mapped = key[0].toUpperCase() + key.slice(1); // map `set` => `Set` - return { - get: () => value, - set(headerValue) { - this[mapped] = headerValue; - } - }; -}); -utils$1.freezeMethods(AxiosHeaders); - /** * Transform the data for a request or a response * @@ -196625,7 +197261,7 @@ function settle(resolve, reject, response) { if (!response.status || !validateStatus || validateStatus(response.status)) { resolve(response); } else { - reject(new AxiosError('Request failed with status code ' + response.status, [AxiosError.ERR_BAD_REQUEST, AxiosError.ERR_BAD_RESPONSE][Math.floor(response.status / 100) - 4], response.config, response.request, response)); + reject(new AxiosError('Request failed with status code ' + response.status, response.status >= 400 && response.status < 500 ? AxiosError.ERR_BAD_REQUEST : AxiosError.ERR_BAD_RESPONSE, response.config, response.request, response)); } } @@ -196670,7 +197306,7 @@ function combineURLs(baseURL, relativeURL) { */ function buildFullPath(baseURL, requestedURL, allowAbsoluteUrls) { let isRelativeUrl = !isAbsoluteURL(requestedURL); - if (baseURL && (isRelativeUrl || allowAbsoluteUrls == false)) { + if (baseURL && (isRelativeUrl || allowAbsoluteUrls === false)) { return combineURLs(baseURL, requestedURL); } return requestedURL; @@ -196772,14 +197408,16 @@ function getEnv(key) { return process.env[key.toLowerCase()] || process.env[key.toUpperCase()] || ''; } -const VERSION = "1.15.0"; +const VERSION = "1.16.1"; function parseProtocol(url) { - const match = /^([-+\w]{1,25})(:?\/\/|:)/.exec(url); + const match = /^([-+\w]{1,25}):(?:\/\/)?/.exec(url); return match && match[1] || ''; } -const DATA_URL_PATTERN = /^(?:([^;]+);)?(?:[^;]+;)?(base64|),([\s\S]*)$/; +// RFC 2397: data:[][;base64], +// mediatype = type/subtype followed by optional ;name=value parameters +const DATA_URL_PATTERN = /^([^,;]+\/[^,;]+)?((?:;[^,;=]+=[^,;]+)*)(;base64)?,([\s\S]*)$/; /** * Parse data uri to a Buffer or Blob @@ -196803,10 +197441,20 @@ function fromDataURI(uri, asBlob, options) { if (!match) { throw new AxiosError('Invalid URL', AxiosError.ERR_INVALID_URL); } - const mime = match[1]; - const isBase64 = match[2]; - const body = match[3]; - const buffer = Buffer.from(decodeURIComponent(body), isBase64 ? 'base64' : 'utf8'); + const type = match[1]; + const params = match[2]; + const encoding = match[3] ? 'base64' : 'utf8'; + const body = match[4]; + + // RFC 2397 section 3: default mediatype is text/plain;charset=US-ASCII + // Bare `data:,` leaves mime undefined; Blob normalises that to "" per spec. + let mime; + if (type) { + mime = params ? type + params : type; + } else if (params) { + mime = 'text/plain' + params; + } + const buffer = Buffer.from(decodeURIComponent(body), encoding); if (asBlob) { if (!_Blob) { throw new AxiosError('Blob is not supported', AxiosError.ERR_NOT_SUPPORT); @@ -196963,7 +197611,8 @@ class FormDataPart { if (isStringValue) { value = textEncoder.encode(String(value).replace(/\r?\n|\r\n?/g, CRLF)); } else { - headers += `Content-Type: ${value.type || 'application/octet-stream'}${CRLF}`; + const safeType = String(value.type || 'application/octet-stream').replace(/[\r\n]/g, ''); + headers += `Content-Type: ${safeType}${CRLF}`; } this.headers = textEncoder.encode(headers + CRLF); this.contentLength = isStringValue ? value.byteLength : value.size; @@ -197001,7 +197650,7 @@ const formDataToStream = (form, headersHandler, options) => { throw TypeError('FormData instance required'); } if (boundary.length < 1 || boundary.length > 70) { - throw Error('boundary must be 10-70 characters long'); + throw Error('boundary must be 1-70 characters long'); } const boundaryBytes = textEncoder.encode('--' + boundary + CRLF); const footerBytes = textEncoder.encode('--' + boundary + '--' + CRLF); @@ -197064,6 +197713,47 @@ const callbackify = (fn, reducer) => { } : fn; }; +const LOOPBACK_HOSTNAMES = new Set(['localhost']); +const isIPv4Loopback = host => { + const parts = host.split('.'); + if (parts.length !== 4) return false; + if (parts[0] !== '127') return false; + return parts.every(p => /^\d+$/.test(p) && Number(p) >= 0 && Number(p) <= 255); +}; +const isIPv6Loopback = host => { + // Collapse all-zero groups: any form of ::1 / 0:0:...:0:1 + // First, strip any leading "::" by normalising with Set lookup of common forms, + // then fall back to structural check. + if (host === '::1') return true; + + // Check IPv4-mapped IPv6 loopback: ::ffff: or ::ffff: + // Node's URL parser normalises ::ffff:127.0.0.1 → ::ffff:7f00:1 + const v4MappedDotted = host.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/i); + if (v4MappedDotted) return isIPv4Loopback(v4MappedDotted[1]); + const v4MappedHex = host.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/i); + if (v4MappedHex) { + const high = parseInt(v4MappedHex[1], 16); + // High 16 bits must start with 127 (0x7f) — i.e. 0x7f00..0x7fff + return high >= 0x7f00 && high <= 0x7fff; + } + + // Full-form ::1 variants: any number of zero groups followed by trailing 1 + // e.g. 0:0:0:0:0:0:0:1, 0000:...:0001 + const groups = host.split(':'); + if (groups.length === 8) { + for (let i = 0; i < 7; i++) { + if (!/^0+$/.test(groups[i])) return false; + } + return /^0*1$/.test(groups[7]); + } + return false; +}; +const isLoopback = host => { + if (!host) return false; + if (LOOPBACK_HOSTNAMES.has(host)) return true; + if (isIPv4Loopback(host)) return true; + return isIPv6Loopback(host); +}; const DEFAULT_PORTS = { http: 80, https: 443, @@ -197093,6 +197783,27 @@ const parseNoProxyEntry = entry => { } return [entryHost, entryPort]; }; + +// Convert IPv4-mapped IPv6 (::ffff:0:0/96 prefix) to IPv4 dotted form so both +// sides of a NO_PROXY comparison see the same canonical address. Without this, +// `NO_PROXY=192.168.1.5` would not match a request to `http://[::ffff:192.168.1.5]/` +// (Node's URL parser normalises that to `[::ffff:c0a8:105]`), and vice-versa, +// allowing the proxy-bypass policy to be circumvented by using the alternate +// representation. Returns the input unchanged when not IPv4-mapped. +const IPV4_MAPPED_DOTTED_RE = /^(?:::|(?:0{1,4}:){1,4}:|(?:0{1,4}:){5})ffff:(\d+\.\d+\.\d+\.\d+)$/i; +const IPV4_MAPPED_HEX_RE = /^(?:::|(?:0{1,4}:){1,4}:|(?:0{1,4}:){5})ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/i; +const unmapIPv4MappedIPv6 = host => { + if (typeof host !== 'string' || host.indexOf(':') === -1) return host; + const dotted = host.match(IPV4_MAPPED_DOTTED_RE); + if (dotted) return dotted[1]; + const hex = host.match(IPV4_MAPPED_HEX_RE); + if (hex) { + const high = parseInt(hex[1], 16); + const low = parseInt(hex[2], 16); + return `${high >> 8}.${high & 0xff}.${low >> 8}.${low & 0xff}`; + } + return host; +}; const normalizeNoProxyHost = hostname => { if (!hostname) { return hostname; @@ -197100,7 +197811,7 @@ const normalizeNoProxyHost = hostname => { if (hostname.charAt(0) === '[' && hostname.charAt(hostname.length - 1) === ']') { hostname = hostname.slice(1, -1); } - return hostname.replace(/\.+$/, ''); + return unmapIPv4MappedIPv6(hostname.replace(/\.+$/, '')); }; function shouldBypassProxy(location) { let parsed; @@ -197136,7 +197847,7 @@ function shouldBypassProxy(location) { if (entryHost.charAt(0) === '.') { return hostname.endsWith(entryHost); } - return hostname === entryHost; + return hostname === entryHost || isLoopback(hostname) && isLoopback(entryHost); }); } @@ -197223,19 +197934,22 @@ const progressEventReducer = (listener, isDownloadStream, freq = 3) => { let bytesNotified = 0; const _speedometer = speedometer(50, 250); return throttle(e => { - const loaded = e.loaded; + if (!e || typeof e.loaded !== 'number') { + return; + } + const rawLoaded = e.loaded; const total = e.lengthComputable ? e.total : undefined; - const progressBytes = loaded - bytesNotified; + const loaded = total != null ? Math.min(rawLoaded, total) : rawLoaded; + const progressBytes = Math.max(0, loaded - bytesNotified); const rate = _speedometer(progressBytes); - const inRange = loaded <= total; - bytesNotified = loaded; + bytesNotified = Math.max(bytesNotified, loaded); const data = { loaded, total, progress: total ? loaded / total : undefined, bytes: progressBytes, rate: rate ? rate : undefined, - estimated: rate && total && inRange ? (total - loaded) / rate : undefined, + estimated: rate && total ? (total - loaded) / rate : undefined, event: e, lengthComputable: total != null, [isDownloadStream ? 'download' : 'upload']: true @@ -197313,7 +198027,34 @@ function estimateDataURLDecodedBytes(url) { const bytes = groups * 3 - (pad || 0); return bytes > 0 ? bytes : 0; } - return Buffer.byteLength(body, 'utf8'); + if (typeof Buffer !== 'undefined' && typeof Buffer.byteLength === 'function') { + return Buffer.byteLength(body, 'utf8'); + } + + // Compute UTF-8 byte length directly from UTF-16 code units without allocating + // a byte buffer (TextEncoder.encode would defeat the DoS guard on large bodies). + // Using body.length here would undercount non-ASCII (e.g. '€' is 1 code unit + // but 3 UTF-8 bytes). + let bytes = 0; + for (let i = 0, len = body.length; i < len; i++) { + const c = body.charCodeAt(i); + if (c < 0x80) { + bytes += 1; + } else if (c < 0x800) { + bytes += 2; + } else if (c >= 0xd800 && c <= 0xdbff && i + 1 < len) { + const next = body.charCodeAt(i + 1); + if (next >= 0xdc00 && next <= 0xdfff) { + bytes += 4; + i++; + } else { + bytes += 3; + } + } else { + bytes += 3; + } + } + return bytes; } const zlibOptions = { @@ -197330,9 +198071,70 @@ const { https: httpsFollow } = followRedirects; const isHttps = /https:?/; +const FORM_DATA_CONTENT_HEADERS$1 = ['content-type', 'content-length']; +function setFormDataHeaders$1(headers, formHeaders, policy) { + if (policy !== 'content-only') { + headers.set(formHeaders); + return; + } + Object.entries(formHeaders).forEach(([key, val]) => { + if (FORM_DATA_CONTENT_HEADERS$1.includes(key.toLowerCase())) { + headers.set(key, val); + } + }); +} + +// Symbols used to bind a single 'error' listener to a pooled socket and track +// the request currently owning that socket across keep-alive reuse (issue #10780). +const kAxiosSocketListener = Symbol('axios.http.socketListener'); +const kAxiosCurrentReq = Symbol('axios.http.currentReq'); + +// Tags HttpsProxyAgent instances installed by setProxy() so the redirect path +// can strip them without clobbering a user-supplied agent that happens to be +// an HttpsProxyAgent. +const kAxiosInstalledTunnel = Symbol('axios.http.installedTunnel'); + +// Cache of CONNECT-tunneling agents keyed by proxy config so repeat requests +// through the same proxy reuse a single agent (and its socket pool). The +// keyspace is bounded by the set of distinct proxy configs the process uses, +// so unbounded growth is not a concern in practice. +const tunnelingAgentCache = new Map(); +const tunnelingAgentCacheUser = new WeakMap(); +function getTunnelingAgent(agentOptions, userHttpsAgent) { + const key = agentOptions.protocol + '//' + agentOptions.hostname + ':' + (agentOptions.port || '') + '#' + (agentOptions.auth || ''); + const cache = userHttpsAgent ? tunnelingAgentCacheUser.get(userHttpsAgent) || tunnelingAgentCacheUser.set(userHttpsAgent, new Map()).get(userHttpsAgent) : tunnelingAgentCache; + let agent = cache.get(key); + if (agent) return agent; + // Forward the user's TLS options (custom CA, rejectUnauthorized, client cert, + // etc.) into the tunneling agent so they apply to the origin TLS upgrade + // performed after CONNECT. Our proxy fields take precedence on conflict. + const merged = userHttpsAgent && userHttpsAgent.options ? { + ...userHttpsAgent.options, + ...agentOptions + } : agentOptions; + agent = new HttpsProxyAgent(merged); + agent[kAxiosInstalledTunnel] = true; + cache.set(key, agent); + return agent; +} const supportedProtocols = platform.protocols.map(protocol => { return protocol + ':'; }); + +// Node's WHATWG URL parser returns `username` and `password` percent-encoded. +// Decode before composing the `auth` option so credentials such as +// `my%40email.com:pass` are sent as `my@email.com:pass`. Falls back to the +// original value for malformed input so a bad encoding never throws. +const decodeURIComponentSafe = value => { + if (!utils$1.isString(value)) { + return value; + } + try { + return decodeURIComponent(value); + } catch (error) { + return value; + } +}; const flushOnFinish = (stream, [throttled, flush]) => { stream.on('end', flush).on('error', flush); return throttled; @@ -197420,12 +198222,12 @@ const http2Sessions = new Http2Sessions(); * * @returns {Object} */ -function dispatchBeforeRedirect(options, responseDetails) { +function dispatchBeforeRedirect(options, responseDetails, requestDetails) { if (options.beforeRedirects.proxy) { options.beforeRedirects.proxy(options); } if (options.beforeRedirects.config) { - options.beforeRedirects.config(options, responseDetails); + options.beforeRedirects.config(options, responseDetails, requestDetails); } } @@ -197438,7 +198240,7 @@ function dispatchBeforeRedirect(options, responseDetails) { * * @returns {http.ClientRequestArgs} */ -function setProxy(options, configProxy, location) { +function setProxy(options, configProxy, location, isRedirect, configHttpsAgent) { let proxy = configProxy; if (!proxy && proxy !== false) { const proxyUrl = getProxyForUrl(location); @@ -197448,39 +198250,134 @@ function setProxy(options, configProxy, location) { } } } + // On redirect re-invocation, strip any stale Proxy-Authorization header carried + // over from the prior request (e.g. new target no longer uses a proxy, or uses + // a different proxy). Skip on the initial request so user-supplied headers are + // preserved. Header names are case-insensitive, so remove every case variant. + if (isRedirect && options.headers) { + for (const name of Object.keys(options.headers)) { + if (name.toLowerCase() === 'proxy-authorization') { + delete options.headers[name]; + } + } + } + // Strip any tunneling agent we installed for the previous hop so a redirect + // that drops the proxy or crosses an HTTPS↔HTTP boundary doesn't reuse a + // stale one. Match on our Symbol marker so a user-supplied HttpsProxyAgent + // (which won't carry the marker) is left alone. + if (isRedirect && options.agent && options.agent[kAxiosInstalledTunnel]) { + options.agent = undefined; + } if (proxy) { + // Read proxy fields without traversing the prototype chain. URL instances expose + // username/password/hostname/host/port/protocol via getters on URL.prototype (so + // direct reads are shielded), but plain object proxies — and the `auth` field + // (which URL does not expose) — must be guarded so a polluted Object.prototype + // (e.g. Object.prototype.auth = { username, password }) cannot inject + // attacker-controlled credentials into the Proxy-Authorization header or + // redirect proxying to an attacker-controlled host. + const isProxyURL = proxy instanceof URL; + const readProxyField = key => isProxyURL || utils$1.hasOwnProp(proxy, key) ? proxy[key] : undefined; + const proxyUsername = readProxyField('username'); + const proxyPassword = readProxyField('password'); + let proxyAuth = utils$1.hasOwnProp(proxy, 'auth') ? proxy.auth : undefined; + // Basic proxy authorization - if (proxy.username) { - proxy.auth = (proxy.username || '') + ':' + (proxy.password || ''); - } - if (proxy.auth) { - // Support proxy auth object form - const validProxyAuth = Boolean(proxy.auth.username || proxy.auth.password); + if (proxyUsername) { + proxyAuth = (proxyUsername || '') + ':' + (proxyPassword || ''); + } + if (proxyAuth) { + // Support proxy auth object form. Read sub-fields via own-prop checks so a + // plain object inheriting from polluted Object.prototype cannot leak creds. + const authIsObject = typeof proxyAuth === 'object'; + const authUsername = authIsObject && utils$1.hasOwnProp(proxyAuth, 'username') ? proxyAuth.username : undefined; + const authPassword = authIsObject && utils$1.hasOwnProp(proxyAuth, 'password') ? proxyAuth.password : undefined; + const validProxyAuth = Boolean(authUsername || authPassword); if (validProxyAuth) { - proxy.auth = (proxy.auth.username || '') + ':' + (proxy.auth.password || ''); - } else if (typeof proxy.auth === 'object') { + proxyAuth = (authUsername || '') + ':' + (authPassword || ''); + } else if (authIsObject) { throw new AxiosError('Invalid proxy authorization', AxiosError.ERR_BAD_OPTION, { proxy }); } - const base64 = Buffer.from(proxy.auth, 'utf8').toString('base64'); - options.headers['Proxy-Authorization'] = 'Basic ' + base64; } - options.headers.host = options.hostname + (options.port ? ':' + options.port : ''); - const proxyHost = proxy.hostname || proxy.host; - options.hostname = proxyHost; - // Replace 'host' since options is not a URL object - options.host = proxyHost; - options.port = proxy.port; - options.path = location; - if (proxy.protocol) { - options.protocol = proxy.protocol.includes(':') ? proxy.protocol : `${proxy.protocol}:`; + const targetIsHttps = isHttps.test(options.protocol); + if (targetIsHttps) { + // CONNECT-tunneling path for HTTPS targets. Preserves end-to-end TLS to + // the origin so the proxy cannot inspect the URL, headers, or body — the + // behavior already promised by THREATMODEL.md (T-R9). HttpsProxyAgent + // sends Proxy-Authorization on the CONNECT request only, never on the + // wrapped TLS request, which is why we don't stamp it onto + // options.headers here. If the user already supplied an HttpsProxyAgent, + // they own tunneling end-to-end and we leave them alone; otherwise we + // install our own tunneling agent and forward their TLS options (if any) + // so a custom httpsAgent for cert pinning / rejectUnauthorized still + // applies to the origin TLS upgrade. + if (!(configHttpsAgent instanceof HttpsProxyAgent)) { + const proxyHost = readProxyField('hostname') || readProxyField('host'); + const proxyPort = readProxyField('port'); + const rawProxyProtocol = readProxyField('protocol'); + const normalizedProtocol = rawProxyProtocol ? rawProxyProtocol.includes(':') ? rawProxyProtocol : `${rawProxyProtocol}:` : 'http:'; + // Bracket IPv6 literals for URL parsing; URL.hostname strips the + // brackets again on read so the agent receives the raw form. + const proxyHostForURL = proxyHost && proxyHost.includes(':') && !proxyHost.startsWith('[') ? `[${proxyHost}]` : proxyHost; + const proxyURL = new URL(`${normalizedProtocol}//${proxyHostForURL}${proxyPort ? ':' + proxyPort : ''}`); + const agentOptions = { + protocol: proxyURL.protocol, + hostname: proxyURL.hostname.replace(/^\[|\]$/g, ''), + port: proxyURL.port, + auth: proxyAuth && typeof proxyAuth === 'string' ? proxyAuth : undefined + }; + if (proxyURL.protocol === 'https:') { + agentOptions.ALPNProtocols = ['http/1.1']; + } + const tunnelingAgent = getTunnelingAgent(agentOptions, configHttpsAgent); + // Set both: `options.agent` is consumed by the native https.request path + // (config.maxRedirects === 0); `options.agents.https` is consumed by + // follow-redirects, which ignores `options.agent` when `options.agents` + // is present. + options.agent = tunnelingAgent; + if (options.agents) { + options.agents.https = tunnelingAgent; + } + } + } else { + // Forward-proxy mode for plaintext HTTP targets. The request line carries + // the absolute URL and the proxy sees everything — acceptable for plain + // HTTP since the wire was already plaintext. + if (proxyAuth) { + const base64 = Buffer.from(proxyAuth, 'utf8').toString('base64'); + options.headers['Proxy-Authorization'] = 'Basic ' + base64; + } + + // Preserve a user-supplied Host header (case-insensitive) so callers can override + // the value forwarded to the proxy; otherwise default to the request URL's host. + let hasUserHostHeader = false; + for (const name of Object.keys(options.headers)) { + if (name.toLowerCase() === 'host') { + hasUserHostHeader = true; + break; + } + } + if (!hasUserHostHeader) { + options.headers.host = options.hostname + (options.port ? ':' + options.port : ''); + } + const proxyHost = readProxyField('hostname') || readProxyField('host'); + options.hostname = proxyHost; + // Replace 'host' since options is not a URL object + options.host = proxyHost; + options.port = readProxyField('port'); + options.path = location; + const proxyProtocol = readProxyField('protocol'); + if (proxyProtocol) { + options.protocol = proxyProtocol.includes(':') ? proxyProtocol : `${proxyProtocol}:`; + } } } options.beforeRedirects.proxy = function beforeRedirect(redirectOptions) { // Configure proxy for redirected request, passing the original config proxy to apply // the exact same logic as if the redirected request was performed by axios directly. - setProxy(redirectOptions, configProxy, redirectOptions.href); + setProxy(redirectOptions, configProxy, redirectOptions.href, true, configHttpsAgent); }; } const isHttpAdapterSupported = typeof process !== 'undefined' && utils$1.kindOf(process) === 'process'; @@ -197563,21 +198460,20 @@ const http2Transport = { /*eslint consistent-return:0*/ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) { return wrapAsync(async function dispatchHttpRequest(resolve, reject, onDone) { - let { - data, - lookup, - family, - httpVersion = 1, - http2Options - } = config; - const { - responseType, - responseEncoding - } = config; + const own = key => utils$1.hasOwnProp(config, key) ? config[key] : undefined; + let data = own('data'); + let lookup = own('lookup'); + let family = own('family'); + let httpVersion = own('httpVersion'); + if (httpVersion === undefined) httpVersion = 1; + let http2Options = own('http2Options'); + const responseType = own('responseType'); + const responseEncoding = own('responseEncoding'); const method = config.method.toUpperCase(); let isDone; let rejected = false; let req; + let connectPhaseTimer; httpVersion = +httpVersion; if (Number.isNaN(httpVersion)) { throw TypeError(`Invalid protocol version: '${config.httpVersion}' is not a number`); @@ -197607,8 +198503,23 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) { console.warn('emit error', err); } } + function clearConnectPhaseTimer() { + if (connectPhaseTimer) { + clearTimeout(connectPhaseTimer); + connectPhaseTimer = null; + } + } + function createTimeoutError() { + let timeoutErrorMessage = config.timeout ? 'timeout of ' + config.timeout + 'ms exceeded' : 'timeout exceeded'; + const transitional = config.transitional || transitionalDefaults; + if (config.timeoutErrorMessage) { + timeoutErrorMessage = config.timeoutErrorMessage; + } + return new AxiosError(timeoutErrorMessage, transitional.clarifyTimeoutError ? AxiosError.ETIMEDOUT : AxiosError.ECONNABORTED, config, req); + } abortEmitter.once('abort', reject); const onFinished = () => { + clearConnectPhaseTimer(); if (config.cancelToken) { config.cancelToken.unsubscribe(abort); } @@ -197625,6 +198536,7 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) { } onDone((response, isRejected) => { isDone = true; + clearConnectPhaseTimer(); if (isRejected) { rejected = true; onFinished(); @@ -197717,8 +198629,8 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) { boundary: userBoundary && userBoundary[1] || undefined }); // support for https://www.npmjs.com/package/form-data api - } else if (utils$1.isFormData(data) && utils$1.isFunction(data.getHeaders)) { - headers.set(data.getHeaders()); + } else if (utils$1.isFormData(data) && utils$1.isFunction(data.getHeaders) && data.getHeaders !== Object.prototype.getHeaders) { + setFormDataHeaders$1(headers, data.getHeaders(), own('formDataHeaderPolicy')); if (!headers.hasContentLength()) { try { const knownLength = await util.promisify(data.getLength).call(data); @@ -197766,20 +198678,21 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) { // HTTP basic authentication let auth = undefined; - if (config.auth) { - const username = config.auth.username || ''; - const password = config.auth.password || ''; + const configAuth = own('auth'); + if (configAuth) { + const username = configAuth.username || ''; + const password = configAuth.password || ''; auth = username + ':' + password; } if (!auth && parsed.username) { - const urlUsername = parsed.username; - const urlPassword = parsed.password; + const urlUsername = decodeURIComponentSafe(parsed.username); + const urlPassword = decodeURIComponentSafe(parsed.password); auth = urlUsername + ':' + urlPassword; } auth && headers.delete('authorization'); - let path; + let path$1; try { - path = buildURL(parsed.pathname + parsed.search, config.params, config.paramsSerializer).replace(/^\?/, ''); + path$1 = buildURL(parsed.pathname + parsed.search, config.params, config.paramsSerializer).replace(/^\?/, ''); } catch (err) { const customErr = new Error(err.message); customErr.config = config; @@ -197788,10 +198701,13 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) { return reject(customErr); } headers.set('Accept-Encoding', 'gzip, compress, deflate' + (isBrotliSupported ? ', br' : ''), false); - const options = { - path, + + // Null-prototype to block prototype pollution gadgets on properties read + // directly by Node's http.request (e.g. insecureHTTPParser, lookup). + const options = Object.assign(Object.create(null), { + path: path$1, method: method, - headers: headers.toJSON(), + headers: toByteStringHeaderObject(headers), agents: { http: config.httpAgent, https: config.httpsAgent @@ -197800,35 +198716,54 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) { protocol, family, beforeRedirect: dispatchBeforeRedirect, - beforeRedirects: {}, + beforeRedirects: Object.create(null), http2Options - }; + }); // cacheable-lookup integration hotfix !utils$1.isUndefined(lookup) && (options.lookup = lookup); if (config.socketPath) { + if (typeof config.socketPath !== 'string') { + return reject(new AxiosError('socketPath must be a string', AxiosError.ERR_BAD_OPTION_VALUE, config)); + } + if (config.allowedSocketPaths != null) { + const allowed = Array.isArray(config.allowedSocketPaths) ? config.allowedSocketPaths : [config.allowedSocketPaths]; + const resolvedSocket = path.resolve(config.socketPath); + const isAllowed = allowed.some(entry => typeof entry === 'string' && path.resolve(entry) === resolvedSocket); + if (!isAllowed) { + return reject(new AxiosError(`socketPath "${config.socketPath}" is not permitted by allowedSocketPaths`, AxiosError.ERR_BAD_OPTION_VALUE, config)); + } + } options.socketPath = config.socketPath; } else { options.hostname = parsed.hostname.startsWith('[') ? parsed.hostname.slice(1, -1) : parsed.hostname; options.port = parsed.port; - setProxy(options, config.proxy, protocol + '//' + parsed.hostname + (parsed.port ? ':' + parsed.port : '') + options.path); + setProxy(options, config.proxy, protocol + '//' + parsed.hostname + (parsed.port ? ':' + parsed.port : '') + options.path, false, config.httpsAgent); } let transport; + let isNativeTransport = false; const isHttpsRequest = isHttps.test(options.protocol); - options.agent = isHttpsRequest ? config.httpsAgent : config.httpAgent; + // Don't clobber a CONNECT-tunneling agent installed by setProxy() for an + // HTTPS target. + if (options.agent == null) { + options.agent = isHttpsRequest ? config.httpsAgent : config.httpAgent; + } if (isHttp2) { transport = http2Transport; } else { - if (config.transport) { - transport = config.transport; + const configTransport = own('transport'); + if (configTransport) { + transport = configTransport; } else if (config.maxRedirects === 0) { transport = isHttpsRequest ? https : http; + isNativeTransport = true; } else { if (config.maxRedirects) { options.maxRedirects = config.maxRedirects; } - if (config.beforeRedirect) { - options.beforeRedirects.config = config.beforeRedirect; + const configBeforeRedirect = own('beforeRedirect'); + if (configBeforeRedirect) { + options.beforeRedirects.config = configBeforeRedirect; } transport = isHttpsRequest ? httpsFollow : httpFollow; } @@ -197839,12 +198774,15 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) { // follow-redirects does not skip comparison, so it should always succeed for axios -1 unlimited options.maxBodyLength = Infinity; } - if (config.insecureHTTPParser) { - options.insecureHTTPParser = config.insecureHTTPParser; - } + + // Always set an explicit own value so a polluted + // Object.prototype.insecureHTTPParser cannot enable the lenient parser + // through Node's internal options copy + options.insecureHTTPParser = Boolean(own('insecureHTTPParser')); // Create the request req = transport.request(options, function handleResponse(res) { + clearConnectPhaseTimer(); if (req.destroyed) return; const streams = [res]; const responseLength = utils$1.toFiniteNumber(res.headers['content-length']); @@ -197906,6 +198844,25 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) { request: lastRequest }; if (responseType === 'stream') { + // Enforce maxContentLength on streamed responses; previously this + // was applied only to buffered responses. + if (config.maxContentLength > -1) { + const limit = config.maxContentLength; + const source = responseStream; + async function* enforceMaxContentLength() { + let totalResponseBytes = 0; + for await (const chunk of source) { + totalResponseBytes += chunk.length; + if (totalResponseBytes > limit) { + throw new AxiosError('maxContentLength size of ' + limit + ' exceeded', AxiosError.ERR_BAD_RESPONSE, config, lastRequest); + } + yield chunk; + } + } + responseStream = stream.Readable.from(enforceMaxContentLength(), { + objectMode: false + }); + } response.data = responseStream; settle(resolve, reject, response); } else { @@ -197927,13 +198884,13 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) { if (rejected) { return; } - const err = new AxiosError('stream has been aborted', AxiosError.ERR_BAD_RESPONSE, config, lastRequest); + const err = new AxiosError('stream has been aborted', AxiosError.ERR_BAD_RESPONSE, config, lastRequest, response); responseStream.destroy(err); reject(err); }); responseStream.on('error', function handleStreamError(err) { - if (req.destroyed) return; - reject(AxiosError.from(err, null, config, lastRequest)); + if (rejected) return; + reject(AxiosError.from(err, null, config, lastRequest, response)); }); responseStream.on('end', function handleStreamEnd() { try { @@ -197972,9 +198929,44 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) { }); // set tcp keep alive to prevent drop connection by peer + // Track every socket bound to this outer RedirectableRequest so a single + // 'close' listener can release ownership on all of them. follow-redirects + // re-emits the 'socket' event for each hop's native request onto the same + // outer request, so attaching per-request listeners inside this handler + // would accumulate across hops and trigger MaxListenersExceededWarning at + // >= 11 redirects. Clearing only the last-bound socket would leave stale + // kAxiosCurrentReq refs on earlier hop sockets returned to the keep-alive + // pool, causing an idle-pool 'error' to be attributed to a closed req. + const boundSockets = new Set(); req.on('socket', function handleRequestSocket(socket) { // default interval of sending ack packet is 1 minute socket.setKeepAlive(true, 1000 * 60); + + // Install a single 'error' listener per socket (not per request) to avoid + // accumulating listeners on pooled keep-alive sockets that get reassigned + // to new requests before the previous request's 'close' fires (issue #10780). + // The listener is bound to the socket's currently-active request via a + // symbol, which is swapped as the socket is reassigned. + if (!socket[kAxiosSocketListener]) { + socket.on('error', function handleSocketError(err) { + const current = socket[kAxiosCurrentReq]; + if (current && !current.destroyed) { + current.destroy(err); + } + }); + socket[kAxiosSocketListener] = true; + } + socket[kAxiosCurrentReq] = req; + boundSockets.add(socket); + }); + req.once('close', function clearCurrentReq() { + clearConnectPhaseTimer(); + for (const socket of boundSockets) { + if (socket[kAxiosCurrentReq] === req) { + socket[kAxiosCurrentReq] = null; + } + } + boundSockets.clear(); }); // Handle request timeout @@ -197985,21 +198977,23 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) { abort(new AxiosError('error trying to parse `config.timeout` to int', AxiosError.ERR_BAD_OPTION_VALUE, config, req)); return; } + const handleTimeout = function handleTimeout() { + if (isDone) return; + abort(createTimeoutError()); + }; + if (isNativeTransport && timeout > 0) { + // Native ClientRequest#setTimeout starts from the socket lifecycle and + // may not fire while TCP connect is still pending. Mirror the + // follow-redirects wall-clock timer for the maxRedirects === 0 path. + connectPhaseTimer = setTimeout(handleTimeout, timeout); + } // Sometime, the response will be very slow, and does not respond, the connect event will be block by event loop system. // And timer callback will be fired, and abort() will be invoked before connection, then get "socket hang up" and code ECONNRESET. // At this time, if we have a large number of request, nodejs will hang up some socket on background. and the number will up and up. // And then these socket which be hang up will devouring CPU little by little. // ClientRequest.setTimeout will be fired on the specify milliseconds, and can make sure that abort() will be fired after connect. - req.setTimeout(timeout, function handleRequestTimeout() { - if (isDone) return; - let timeoutErrorMessage = config.timeout ? 'timeout of ' + config.timeout + 'ms exceeded' : 'timeout exceeded'; - const transitional = config.transitional || transitionalDefaults; - if (config.timeoutErrorMessage) { - timeoutErrorMessage = config.timeoutErrorMessage; - } - abort(new AxiosError(timeoutErrorMessage, transitional.clarifyTimeoutError ? AxiosError.ETIMEDOUT : AxiosError.ECONNABORTED, config, req)); - }); + req.setTimeout(timeout, handleTimeout); } else { // explicitly reset the socket timeout value for a possible `keep-alive` request req.setTimeout(0); @@ -198021,7 +199015,28 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) { abort(new CanceledError('Request stream has been aborted', config, req)); } }); - data.pipe(req); + + // Enforce maxBodyLength for streamed uploads on the native http/https + // transport (maxRedirects === 0); follow-redirects enforces it on the + // other path. + let uploadStream = data; + if (config.maxBodyLength > -1 && config.maxRedirects === 0) { + const limit = config.maxBodyLength; + let bytesSent = 0; + uploadStream = stream.pipeline([data, new stream.Transform({ + transform(chunk, _enc, cb) { + bytesSent += chunk.length; + if (bytesSent > limit) { + return cb(new AxiosError('Request body larger than maxBodyLength limit', AxiosError.ERR_BAD_REQUEST, config, req)); + } + cb(null, chunk); + } + })], utils$1.noop); + uploadStream.on('error', err => { + if (!req.destroyed) req.destroy(err); + }); + } + uploadStream.pipe(req); } else { data && req.write(data); req.end(); @@ -198059,8 +199074,20 @@ var cookies = platform.hasStandardBrowserEnv ? }, read(name) { if (typeof document === 'undefined') return null; - const match = document.cookie.match(new RegExp('(?:^|; )' + name + '=([^;]*)')); - return match ? decodeURIComponent(match[1]) : null; + // Match name=value by splitting on the semicolon separator instead of building a + // RegExp from `name` — interpolating an unescaped string into a RegExp would let + // metacharacters (e.g. `.+?` in an attacker-influenced cookie name) cause ReDoS or + // match the wrong cookie. Browsers may serialize cookie pairs as either ";" or + // "; ", so ignore optional whitespace before each cookie name. + const cookies = document.cookie.split(';'); + for (let i = 0; i < cookies.length; i++) { + const cookie = cookies[i].replace(/^\s+/, ''); + const eq = cookie.indexOf('='); + if (eq !== -1 && cookie.slice(0, eq) === name) { + return decodeURIComponent(cookie.slice(eq + 1)); + } + } + return null; }, remove(name) { this.write(name, '', Date.now() - 86400000, '/'); @@ -198091,7 +199118,21 @@ const headersToObject = thing => thing instanceof AxiosHeaders ? { function mergeConfig(config1, config2) { // eslint-disable-next-line no-param-reassign config2 = config2 || {}; - const config = {}; + + // Use a null-prototype object so that downstream reads such as `config.auth` + // or `config.baseURL` cannot inherit polluted values from Object.prototype. + // `hasOwnProperty` is restored as a non-enumerable own slot to preserve + // ergonomics for user code that relies on it. + const config = Object.create(null); + Object.defineProperty(config, 'hasOwnProperty', { + // Null-proto descriptor so a polluted Object.prototype.get cannot turn + // this data descriptor into an accessor descriptor on the way in. + __proto__: null, + value: Object.prototype.hasOwnProperty, + enumerable: false, + writable: true, + configurable: true + }); function getMergedValue(target, source, prop, caseless) { if (utils$1.isPlainObject(target) && utils$1.isPlainObject(source)) { return utils$1.merge.call({ @@ -198130,9 +199171,9 @@ function mergeConfig(config1, config2) { // eslint-disable-next-line consistent-return function mergeDirectKeys(a, b, prop) { - if (prop in config2) { + if (utils$1.hasOwnProp(config2, prop)) { return getMergedValue(a, b); - } else if (prop in config1) { + } else if (utils$1.hasOwnProp(config1, prop)) { return getMergedValue(undefined, a); } } @@ -198163,6 +199204,7 @@ function mergeConfig(config1, config2) { httpsAgent: defaultToConfig2, cancelToken: defaultToConfig2, socketPath: defaultToConfig2, + allowedSocketPaths: defaultToConfig2, responseEncoding: defaultToConfig2, validateStatus: mergeDirectKeys, headers: (a, b, prop) => mergeDeepProperties(headersToObject(a), headersToObject(b), prop, true) @@ -198173,42 +199215,64 @@ function mergeConfig(config1, config2) { }), function computeConfigValue(prop) { if (prop === '__proto__' || prop === 'constructor' || prop === 'prototype') return; const merge = utils$1.hasOwnProp(mergeMap, prop) ? mergeMap[prop] : mergeDeepProperties; - const configValue = merge(config1[prop], config2[prop], prop); + const a = utils$1.hasOwnProp(config1, prop) ? config1[prop] : undefined; + const b = utils$1.hasOwnProp(config2, prop) ? config2[prop] : undefined; + const configValue = merge(a, b, prop); utils$1.isUndefined(configValue) && merge !== mergeDirectKeys || (config[prop] = configValue); }); return config; } +const FORM_DATA_CONTENT_HEADERS = ['content-type', 'content-length']; +function setFormDataHeaders(headers, formHeaders, policy) { + if (policy !== 'content-only') { + headers.set(formHeaders); + return; + } + Object.entries(formHeaders).forEach(([key, val]) => { + if (FORM_DATA_CONTENT_HEADERS.includes(key.toLowerCase())) { + headers.set(key, val); + } + }); +} + +/** + * Encode a UTF-8 string to a Latin-1 byte string for use with btoa(). + * This is a modern replacement for the deprecated unescape(encodeURIComponent(str)) pattern. + * + * @param {string} str The string to encode + * + * @returns {string} UTF-8 bytes as a Latin-1 string + */ +const encodeUTF8 = str => encodeURIComponent(str).replace(/%([0-9A-F]{2})/gi, (_, hex) => String.fromCharCode(parseInt(hex, 16))); var resolveConfig = config => { const newConfig = mergeConfig({}, config); - let { - data, - withXSRFToken, - xsrfHeaderName, - xsrfCookieName, - headers, - auth - } = newConfig; + + // Read only own properties to prevent prototype pollution gadgets + // (e.g. Object.prototype.baseURL = 'https://evil.com'). + const own = key => utils$1.hasOwnProp(newConfig, key) ? newConfig[key] : undefined; + const data = own('data'); + let withXSRFToken = own('withXSRFToken'); + const xsrfHeaderName = own('xsrfHeaderName'); + const xsrfCookieName = own('xsrfCookieName'); + let headers = own('headers'); + const auth = own('auth'); + const baseURL = own('baseURL'); + const allowAbsoluteUrls = own('allowAbsoluteUrls'); + const url = own('url'); newConfig.headers = headers = AxiosHeaders.from(headers); - newConfig.url = buildURL(buildFullPath(newConfig.baseURL, newConfig.url, newConfig.allowAbsoluteUrls), config.params, config.paramsSerializer); + newConfig.url = buildURL(buildFullPath(baseURL, url, allowAbsoluteUrls), config.params, config.paramsSerializer); // HTTP basic authentication if (auth) { - headers.set('Authorization', 'Basic ' + btoa((auth.username || '') + ':' + (auth.password ? unescape(encodeURIComponent(auth.password)) : ''))); + headers.set('Authorization', 'Basic ' + btoa((auth.username || '') + ':' + (auth.password ? encodeUTF8(auth.password) : ''))); } if (utils$1.isFormData(data)) { if (platform.hasStandardBrowserEnv || platform.hasStandardBrowserWebWorkerEnv) { headers.setContentType(undefined); // browser handles it } else if (utils$1.isFunction(data.getHeaders)) { // Node.js FormData (like form-data package) - const formHeaders = data.getHeaders(); - // Only set safe headers to avoid overwriting security headers - const allowedHeaders = ['content-type', 'content-length']; - Object.entries(formHeaders).forEach(([key, val]) => { - if (allowedHeaders.includes(key.toLowerCase())) { - headers.set(key, val); - } - }); + setFormDataHeaders(headers, data.getHeaders(), own('formDataHeaderPolicy')); } } @@ -198217,9 +199281,15 @@ var resolveConfig = config => { // Specifically not if we're in a web worker, or react-native. if (platform.hasStandardBrowserEnv) { - withXSRFToken && utils$1.isFunction(withXSRFToken) && (withXSRFToken = withXSRFToken(newConfig)); - if (withXSRFToken || withXSRFToken !== false && isURLSameOrigin(newConfig.url)) { - // Add xsrf header + if (utils$1.isFunction(withXSRFToken)) { + withXSRFToken = withXSRFToken(newConfig); + } + + // Strict boolean check — prevents proto-pollution gadgets (e.g. Object.prototype.withXSRFToken = 1) + // and misconfigurations (e.g. "false") from short-circuiting the same-origin check and leaking + // the XSRF token cross-origin. + const shouldSendXSRF = withXSRFToken === true || withXSRFToken == null && isURLSameOrigin(newConfig.url); + if (shouldSendXSRF) { const xsrfValue = xsrfHeaderName && xsrfCookieName && cookies.read(xsrfCookieName); if (xsrfValue) { headers.set(xsrfHeaderName, xsrfValue); @@ -198295,7 +199365,7 @@ var xhrAdapter = isXHRAdapterSupported && function (config) { // handled by onerror instead // With one exception: request that using file: protocol, most browsers // will return status as 0 even though it's a successful request - if (request.status === 0 && !(request.responseURL && request.responseURL.indexOf('file:') === 0)) { + if (request.status === 0 && !(request.responseURL && request.responseURL.startsWith('file:'))) { return; } // readystate handler is calling before onerror or ontimeout handlers, @@ -198310,6 +199380,7 @@ var xhrAdapter = isXHRAdapterSupported && function (config) { return; } reject(new AxiosError('Request aborted', AxiosError.ECONNABORTED, config, request)); + done(); // Clean up request request = null; @@ -198325,6 +199396,7 @@ var xhrAdapter = isXHRAdapterSupported && function (config) { // attach the underlying event for consumers who want details err.event = event || null; reject(err); + done(); request = null; }; @@ -198336,6 +199408,7 @@ var xhrAdapter = isXHRAdapterSupported && function (config) { timeoutErrorMessage = _config.timeoutErrorMessage; } reject(new AxiosError(timeoutErrorMessage, transitional.clarifyTimeoutError ? AxiosError.ETIMEDOUT : AxiosError.ECONNABORTED, config, request)); + done(); // Clean up request request = null; @@ -198346,7 +199419,7 @@ var xhrAdapter = isXHRAdapterSupported && function (config) { // Add headers to the request if ('setRequestHeader' in request) { - utils$1.forEach(requestHeaders.toJSON(), function setRequestHeader(val, key) { + utils$1.forEach(toByteStringHeaderObject(requestHeaders), function setRequestHeader(val, key) { request.setRequestHeader(key, val); }); } @@ -198382,6 +199455,7 @@ var xhrAdapter = isXHRAdapterSupported && function (config) { } reject(!cancel || cancel.type ? new CanceledError(null, config, request) : cancel); request.abort(); + done(); request = null; }; _config.cancelToken && _config.cancelToken.subscribe(onCanceled); @@ -198390,7 +199464,7 @@ var xhrAdapter = isXHRAdapterSupported && function (config) { } } const protocol = parseProtocol(_config.url); - if (protocol && platform.protocols.indexOf(protocol) === -1) { + if (protocol && !platform.protocols.includes(protocol)) { reject(new AxiosError('Unsupported protocol ' + protocol + ':', AxiosError.ERR_BAD_REQUEST, config)); return; } @@ -198401,41 +199475,41 @@ var xhrAdapter = isXHRAdapterSupported && function (config) { }; const composeSignals = (signals, timeout) => { - const { - length - } = signals = signals ? signals.filter(Boolean) : []; - if (timeout || length) { - let controller = new AbortController(); - let aborted; - const onabort = function (reason) { - if (!aborted) { - aborted = true; - unsubscribe(); - const err = reason instanceof Error ? reason : this.reason; - controller.abort(err instanceof AxiosError ? err : new CanceledError(err instanceof Error ? err.message : err)); - } - }; - let timer = timeout && setTimeout(() => { - timer = null; - onabort(new AxiosError(`timeout of ${timeout}ms exceeded`, AxiosError.ETIMEDOUT)); - }, timeout); - const unsubscribe = () => { - if (signals) { - timer && clearTimeout(timer); - timer = null; - signals.forEach(signal => { - signal.unsubscribe ? signal.unsubscribe(onabort) : signal.removeEventListener('abort', onabort); - }); - signals = null; - } - }; - signals.forEach(signal => signal.addEventListener('abort', onabort)); - const { - signal - } = controller; - signal.unsubscribe = () => utils$1.asap(unsubscribe); - return signal; + signals = signals ? signals.filter(Boolean) : []; + if (!timeout && !signals.length) { + return; } + const controller = new AbortController(); + let aborted = false; + const onabort = function (reason) { + if (!aborted) { + aborted = true; + unsubscribe(); + const err = reason instanceof Error ? reason : this.reason; + controller.abort(err instanceof AxiosError ? err : new CanceledError(err instanceof Error ? err.message : err)); + } + }; + let timer = timeout && setTimeout(() => { + timer = null; + onabort(new AxiosError(`timeout of ${timeout}ms exceeded`, AxiosError.ETIMEDOUT)); + }, timeout); + const unsubscribe = () => { + if (!signals) { + return; + } + timer && clearTimeout(timer); + timer = null; + signals.forEach(signal => { + signal.unsubscribe ? signal.unsubscribe(onabort) : signal.removeEventListener('abort', onabort); + }); + signals = null; + }; + signals.forEach(signal => signal.addEventListener('abort', onabort)); + const { + signal + } = controller; + signal.unsubscribe = () => utils$1.asap(unsubscribe); + return signal; }; const streamChunk = function* (chunk, chunkSize) { @@ -198524,17 +199598,6 @@ const DEFAULT_CHUNK_SIZE = 64 * 1024; const { isFunction } = utils$1; -const globalFetchAPI = (({ - Request, - Response -}) => ({ - Request, - Response -}))(utils$1.global); -const { - ReadableStream: ReadableStream$1, - TextEncoder: TextEncoder$1 -} = utils$1.global; const test = (fn, ...args) => { try { return !!fn(...args); @@ -198543,9 +199606,17 @@ const test = (fn, ...args) => { } }; const factory = env => { + const globalObject = utils$1.global !== undefined && utils$1.global !== null ? utils$1.global : globalThis; + const { + ReadableStream, + TextEncoder + } = globalObject; env = utils$1.merge.call({ skipUndefined: true - }, globalFetchAPI, env); + }, { + Request: globalObject.Request, + Response: globalObject.Response + }, env); const { fetch: envFetch, Request, @@ -198557,20 +199628,22 @@ const factory = env => { if (!isFetchSupported) { return false; } - const isReadableStreamSupported = isFetchSupported && isFunction(ReadableStream$1); - const encodeText = isFetchSupported && (typeof TextEncoder$1 === 'function' ? (encoder => str => encoder.encode(str))(new TextEncoder$1()) : async str => new Uint8Array(await new Request(str).arrayBuffer())); + const isReadableStreamSupported = isFetchSupported && isFunction(ReadableStream); + const encodeText = isFetchSupported && (typeof TextEncoder === 'function' ? (encoder => str => encoder.encode(str))(new TextEncoder()) : async str => new Uint8Array(await new Request(str).arrayBuffer())); const supportsRequestStream = isRequestSupported && isReadableStreamSupported && test(() => { let duplexAccessed = false; - const body = new ReadableStream$1(); - const hasContentType = new Request(platform.origin, { - body, + const request = new Request(platform.origin, { + body: new ReadableStream(), method: 'POST', get duplex() { duplexAccessed = true; return 'half'; } - }).headers.has('Content-Type'); - body.cancel(); + }); + const hasContentType = request.headers.has('Content-Type'); + if (request.body != null) { + request.body.cancel(); + } return duplexAccessed && !hasContentType; }); const supportsResponseStream = isResponseSupported && isReadableStreamSupported && test(() => utils$1.isReadableStream(new Response('').body)); @@ -198629,8 +199702,12 @@ const factory = env => { responseType, headers, withCredentials = 'same-origin', - fetchOptions + fetchOptions, + maxContentLength, + maxBodyLength } = resolveConfig(config); + const hasMaxContentLength = utils$1.isNumber(maxContentLength) && maxContentLength > -1; + const hasMaxBodyLength = utils$1.isNumber(maxBodyLength) && maxBodyLength > -1; let _fetch = envFetch || fetch; responseType = responseType ? (responseType + '').toLowerCase() : 'text'; let composedSignal = composeSignals([signal, cancelToken && cancelToken.toAbortSignal()], timeout); @@ -198640,6 +199717,26 @@ const factory = env => { }); let requestContentLength; try { + // Enforce maxContentLength for data: URLs up-front so we never materialize + // an oversized payload. The HTTP adapter applies the same check (see http.js + // "if (protocol === 'data:')" branch). + if (hasMaxContentLength && typeof url === 'string' && url.startsWith('data:')) { + const estimated = estimateDataURLDecodedBytes(url); + if (estimated > maxContentLength) { + throw new AxiosError('maxContentLength size of ' + maxContentLength + ' exceeded', AxiosError.ERR_BAD_RESPONSE, config, request); + } + } + + // Enforce maxBodyLength against the outbound request body before dispatch. + // Mirrors http.js behavior (ERR_BAD_REQUEST / 'Request body larger than + // maxBodyLength limit'). Skip when the body length cannot be determined + // (e.g. a live ReadableStream supplied by the caller). + if (hasMaxBodyLength && method !== 'get' && method !== 'head') { + const outboundLength = await resolveBodyLength(headers, data); + if (typeof outboundLength === 'number' && isFinite(outboundLength) && outboundLength > maxBodyLength) { + throw new AxiosError('Request body larger than maxBodyLength limit', AxiosError.ERR_BAD_REQUEST, config, request); + } + } if (onUploadProgress && supportsRequestStream && method !== 'get' && method !== 'head' && (requestContentLength = await resolveBodyLength(headers, data)) !== 0) { let _request = new Request(url, { method: 'POST', @@ -198662,32 +199759,82 @@ const factory = env => { // Cloudflare Workers throws when credentials are defined // see https://github.com/cloudflare/workerd/issues/902 const isCredentialsSupported = isRequestSupported && 'credentials' in Request.prototype; + + // If data is FormData and Content-Type is multipart/form-data without boundary, + // delete it so fetch can set it correctly with the boundary + if (utils$1.isFormData(data)) { + const contentType = headers.getContentType(); + if (contentType && /^multipart\/form-data/i.test(contentType) && !/boundary=/i.test(contentType)) { + headers.delete('content-type'); + } + } + + // Set User-Agent header if not already set (fetch defaults to 'node' in Node.js) + headers.set('User-Agent', 'axios/' + VERSION, false); const resolvedOptions = { ...fetchOptions, signal: composedSignal, method: method.toUpperCase(), - headers: headers.normalize().toJSON(), + headers: toByteStringHeaderObject(headers.normalize()), body: data, duplex: 'half', credentials: isCredentialsSupported ? withCredentials : undefined }; request = isRequestSupported && new Request(url, resolvedOptions); let response = await (isRequestSupported ? _fetch(request, fetchOptions) : _fetch(url, resolvedOptions)); + + // Cheap pre-check: if the server honestly declares a content-length that + // already exceeds the cap, reject before we start streaming. + if (hasMaxContentLength) { + const declaredLength = utils$1.toFiniteNumber(response.headers.get('content-length')); + if (declaredLength != null && declaredLength > maxContentLength) { + throw new AxiosError('maxContentLength size of ' + maxContentLength + ' exceeded', AxiosError.ERR_BAD_RESPONSE, config, request); + } + } const isStreamResponse = supportsResponseStream && (responseType === 'stream' || responseType === 'response'); - if (supportsResponseStream && (onDownloadProgress || isStreamResponse && unsubscribe)) { + if (supportsResponseStream && response.body && (onDownloadProgress || hasMaxContentLength || isStreamResponse && unsubscribe)) { const options = {}; ['status', 'statusText', 'headers'].forEach(prop => { options[prop] = response[prop]; }); const responseContentLength = utils$1.toFiniteNumber(response.headers.get('content-length')); const [onProgress, flush] = onDownloadProgress && progressEventDecorator(responseContentLength, progressEventReducer(asyncDecorator(onDownloadProgress), true)) || []; - response = new Response(trackStream(response.body, DEFAULT_CHUNK_SIZE, onProgress, () => { + let bytesRead = 0; + const onChunkProgress = loadedBytes => { + if (hasMaxContentLength) { + bytesRead = loadedBytes; + if (bytesRead > maxContentLength) { + throw new AxiosError('maxContentLength size of ' + maxContentLength + ' exceeded', AxiosError.ERR_BAD_RESPONSE, config, request); + } + } + onProgress && onProgress(loadedBytes); + }; + response = new Response(trackStream(response.body, DEFAULT_CHUNK_SIZE, onChunkProgress, () => { flush && flush(); unsubscribe && unsubscribe(); }), options); } responseType = responseType || 'text'; let responseData = await resolvers[utils$1.findKey(resolvers, responseType) || 'text'](response, config); + + // Fallback enforcement for environments without ReadableStream support + // (legacy runtimes). Detect materialized size from typed output; skip + // streams/Response passthrough since the user will read those themselves. + if (hasMaxContentLength && !supportsResponseStream && !isStreamResponse) { + let materializedSize; + if (responseData != null) { + if (typeof responseData.byteLength === 'number') { + materializedSize = responseData.byteLength; + } else if (typeof responseData.size === 'number') { + materializedSize = responseData.size; + } else if (typeof responseData === 'string') { + materializedSize = typeof TextEncoder === 'function' ? new TextEncoder().encode(responseData).byteLength : responseData.length; + } + } + if (typeof materializedSize === 'number' && materializedSize > maxContentLength) { + throw new AxiosError('maxContentLength size of ' + maxContentLength + ' exceeded', AxiosError.ERR_BAD_RESPONSE, config, request); + } + } !isStreamResponse && unsubscribe && unsubscribe(); return await new Promise((resolve, reject) => { settle(resolve, reject, { @@ -198701,6 +199848,17 @@ const factory = env => { }); } catch (err) { unsubscribe && unsubscribe(); + + // Safari can surface fetch aborts as a DOMException-like object whose + // branded getters throw. Prefer our composed signal reason before reading + // the caught error, preserving timeout vs cancellation semantics. + if (composedSignal && composedSignal.aborted && composedSignal.reason instanceof AxiosError) { + const canceledError = composedSignal.reason; + canceledError.config = config; + request && (canceledError.request = request); + err !== canceledError && (canceledError.cause = err); + throw canceledError; + } if (err && err.name === 'TypeError' && /Load failed|fetch/i.test(err.message)) { throw Object.assign(new AxiosError('Network Error', AxiosError.ERR_NETWORK, config, request, err && err.response), { cause: err.cause || err @@ -198755,13 +199913,17 @@ const knownAdapters = { utils$1.forEach(knownAdapters, (fn, value) => { if (fn) { try { + // Null-proto descriptors so a polluted Object.prototype.get cannot turn + // these data descriptors into accessor descriptors on the way in. Object.defineProperty(fn, 'name', { + __proto__: null, value }); } catch (e) { // eslint-disable-next-line no-empty } Object.defineProperty(fn, 'adapterName', { + __proto__: null, value }); } @@ -198876,8 +200038,15 @@ function dispatchRequest(config) { return adapter(config).then(function onAdapterResolution(response) { throwIfCancellationRequested(config); - // Transform response data - response.data = transformData.call(config, config.transformResponse, response); + // Expose the current response on config so that transformResponse can + // attach it to any AxiosError it throws (e.g. on JSON parse failure). + // We clean it up afterwards to avoid polluting the config object. + config.response = response; + try { + response.data = transformData.call(config, config.transformResponse, response); + } finally { + delete config.response; + } response.headers = AxiosHeaders.from(response.headers); return response; }, function onAdapterRejection(reason) { @@ -198886,7 +200055,12 @@ function dispatchRequest(config) { // Transform response data if (reason && reason.response) { - reason.response.data = transformData.call(config, config.transformResponse, reason.response); + config.response = reason.response; + try { + reason.response.data = transformData.call(config, config.transformResponse, reason.response); + } finally { + delete config.response; + } reason.response.headers = AxiosHeaders.from(reason.response.headers); } } @@ -198957,7 +200131,9 @@ function assertOptions(options, schema, allowUnknown) { let i = keys.length; while (i-- > 0) { const opt = keys[i]; - const validator = schema[opt]; + // Use hasOwnProperty so a polluted Object.prototype. cannot supply + // a non-function validator and cause a TypeError. + const validator = Object.prototype.hasOwnProperty.call(schema, opt) ? schema[opt] : undefined; if (validator) { const value = options[opt]; const result = value === undefined || validator(value, opt, options); @@ -199089,7 +200265,7 @@ class Axios { // Flatten headers let contextHeaders = headers && utils$1.merge(headers.common, headers[config.method]); - headers && utils$1.forEach(['delete', 'get', 'head', 'post', 'put', 'patch', 'common'], method => { + headers && utils$1.forEach(['delete', 'get', 'head', 'post', 'put', 'patch', 'query', 'common'], method => { delete headers[method]; }); config.headers = AxiosHeaders.concat(contextHeaders, headers); @@ -199170,7 +200346,7 @@ utils$1.forEach(['delete', 'get', 'head', 'options'], function forEachMethodNoDa })); }; }); -utils$1.forEach(['post', 'put', 'patch'], function forEachMethodWithData(method) { +utils$1.forEach(['post', 'put', 'patch', 'query'], function forEachMethodWithData(method) { function generateHTTPMethod(isForm) { return function httpMethod(url, data, config) { return this.request(mergeConfig(config || {}, { @@ -199184,7 +200360,12 @@ utils$1.forEach(['post', 'put', 'patch'], function forEachMethodWithData(method) }; } Axios.prototype[method] = generateHTTPMethod(); - Axios.prototype[method + 'Form'] = generateHTTPMethod(true); + + // QUERY is a safe/idempotent read method; multipart form bodies don't fit + // its semantics, so no queryForm shorthand is generated. + if (method !== 'query') { + Axios.prototype[method + 'Form'] = generateHTTPMethod(true); + } }); /** @@ -215061,20 +216242,349 @@ class Matcher { return this._view; } } +;// CONCATENATED MODULE: ./node_modules/fast-xml-builder/src/util.js + + +function safeComment(val) { + return String(val) + .replace(/--/g, '- -') // -- is illegal anywhere in comment content + .replace(/--/g, '- -') // handle the scenario when 2 consiucative dashes appears + .replace(/-$/, '- '); // trailing - would form -- with the closing --> +} + +function safeCdata(val) { + return String(val).replace(/\]\]>/g, ']]]]>') +} + +function escapeAttribute(val) { + return String(val).replace(/"/g, '"').replace(/'/g, ''') +} +;// CONCATENATED MODULE: ./node_modules/xml-naming/src/index.js +/** + * xml-naming + * Validates XML Name productions as defined in the XML 1.0 and 1.1 specifications. + * Covers: Name, NCName, QName, NMToken, NMTokens + * + * XML 1.0 spec: https://www.w3.org/TR/xml/#NT-Name + * XML 1.1 spec: https://www.w3.org/TR/xml11/#NT-NameStartChar + * XML NS spec: https://www.w3.org/TR/xml-names/#NT-NCName + */ + +// --------------------------------------------------------------------------- +// Character class strings — XML 1.0 +// +// NameStartChar ::= ":" | [A-Z] | "_" | [a-z] +// | [#xC0-#xD6] | [#xD8-#xF6] | [#xF8-#x2FF] +// | [#x370-#x37D] | [#x37F-#x1FFF] <- split to exclude #x0487 +// | [#x200C-#x200D] +// | [#x2070-#x218F] | [#x2C00-#x2FEF] +// | [#x3001-#xD7FF] | [#xF900-#xFDCF] | [#xFDF0-#xFFFD] +// +// NameChar ::= NameStartChar | "-" | "." | [0-9] +// | #xB7 | [#x0300-#x036F] | [#x203F-#x2040] +// +// Note: \u0487 (Combining Cyrillic Millions Sign) was added in Unicode 4.0, +// after XML 1.0 was defined against Unicode 2.0. It falls inside the range +// \u037F-\u1FFF but must be excluded. We split that range into +// \u037F-\u0486 and \u0488-\u1FFF to exclude it explicitly. +// --------------------------------------------------------------------------- + +const nameStartChar10 = + ':A-Za-z_' + + '\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF' + + '\u0370-\u037D' + + '\u037F-\u0486\u0488-\u1FFF' + // split to exclude \u0487 + '\u200C-\u200D' + + '\u2070-\u218F' + + '\u2C00-\u2FEF' + + '\u3001-\uD7FF' + + '\uF900-\uFDCF' + + '\uFDF0-\uFFFD'; + +const nameChar10 = + nameStartChar10 + + '\\-\\.\\d' + + '\u00B7' + + '\u0300-\u036F' + + '\u203F-\u2040'; + +// --------------------------------------------------------------------------- +// Character class strings — XML 1.1 +// +// Differences from XML 1.0: +// +// NameStartChar: +// 1.0 has split ranges: \u00C0-\u00D6, \u00D8-\u00F6, \u00F8-\u02FF +// 1.1 merges them into: \u00C0-\u02FF +// (\u00D7 x and \u00F7 / are division symbols, excluded in both versions) +// +// 1.0 tops out at \uFFFD (BMP only) +// 1.1 adds \u{10000}-\u{EFFFF} (supplementary planes) +// These require the /u flag on the RegExp — see buildRegexes below. +// +// NameChar: +// 1.1 adds \u0487 (Combining Cyrillic Millions Sign, added in Unicode 4.0) +// --------------------------------------------------------------------------- + +const nameStartChar11 = + ':A-Za-z_' + + '\u00C0-\u02FF' + // merged — 1.0 had three split ranges here + '\u0370-\u037D' + + '\u037F-\u0486\u0488-\u1FFF' + // split to exclude \u0487 (combining mark, never a NameStartChar) + '\u200C-\u200D' + + '\u2070-\u218F' + + '\u2C00-\u2FEF' + + '\u3001-\uD7FF' + + '\uF900-\uFDCF' + + '\uFDF0-\uFFFD' + + '\u{10000}-\u{EFFFF}'; // supplementary planes — REQUIRES /u flag on RegExp + +const nameChar11 = + nameStartChar11 + + '\\-\\.\\d' + + '\u00B7' + + '\u0300-\u036F' + + '\u0487' + // Combining Cyrillic Millions Sign — valid in 1.1, not 1.0 + '\u203F-\u2040'; + +// --------------------------------------------------------------------------- +// Regex builders +// +// XML 1.0 regexes: no flags — BMP only, standard JS regex behaviour. +// XML 1.1 regexes: /u flag — required for \u{10000}-\u{EFFFF} to match actual +// supplementary code points rather than lone surrogates (which are illegal XML). +// --------------------------------------------------------------------------- + +const buildRegexes = (startChar, char, flags = '') => { + const ncStart = startChar.replace(':', ''); + const ncChar = char.replace(':', ''); + const ncNamePat = `[${ncStart}][${ncChar}]*`; + + return { + name: new RegExp(`^[${startChar}][${char}]*$`, flags), + ncName: new RegExp(`^${ncNamePat}$`, flags), + qName: new RegExp(`^${ncNamePat}(?::${ncNamePat})?$`, flags), + nmToken: new RegExp(`^[${char}]+$`, flags), + nmTokens: new RegExp(`^[${char}]+(?:\\s+[${char}]+)*$`, flags), + }; +}; + +const regexes10 = buildRegexes(nameStartChar10, nameChar10); // no /u — BMP only +const regexes11 = buildRegexes(nameStartChar11, nameChar11, 'u'); // /u — enables \u{10000}-\u{EFFFF} + +const getRegexes = (xmlVersion = '1.0') => + xmlVersion === '1.1' ? regexes11 : regexes10; + +// --------------------------------------------------------------------------- +// Boolean validators +// --------------------------------------------------------------------------- + +/** + * Returns true if the string is a valid XML Name. + * Colons are allowed anywhere (Name production). + * Used for: DOCTYPE entity names, notation names, DTD element declarations. + */ +const src_name = (str, { xmlVersion = '1.0' } = {}) => + getRegexes(xmlVersion).name.test(str); + +/** + * Returns true if the string is a valid NCName (Non-Colonized Name). + * Colons are not permitted. + * Used for: namespace prefixes, local names, SVG id attributes. + */ +const ncName = (str, { xmlVersion = '1.0' } = {}) => + getRegexes(xmlVersion).ncName.test(str); + +/** + * Returns true if the string is a valid QName (Qualified Name). + * Allows exactly one colon as a prefix separator: prefix:localName. + * Used for: element and attribute names in namespace-aware XML/SVG. + */ +const qName = (str, { xmlVersion = '1.0' } = {}) => + getRegexes(xmlVersion).qName.test(str); + +/** + * Returns true if the string is a valid NMToken. + * Like Name but no restriction on the first character. + * Used for: DTD NMTOKEN attribute values. + */ +const nmToken = (str, { xmlVersion = '1.0' } = {}) => + getRegexes(xmlVersion).nmToken.test(str); + +/** + * Returns true if the string is a valid NMTokens value. + * A whitespace-separated list of NMToken values. + * Used for: DTD NMTOKENS attribute values. + */ +const nmTokens = (str, { xmlVersion = '1.0' } = {}) => + getRegexes(xmlVersion).nmTokens.test(str); + +// --------------------------------------------------------------------------- +// Diagnostic validator +// --------------------------------------------------------------------------- + +const PRODUCTIONS = (/* unused pure expression or super */ null && (['name', 'ncName', 'qName', 'nmToken', 'nmTokens'])); + +/** + * Validates a string against a named production and returns a detailed result. + * + * @param {string} str + * @param {'name'|'ncName'|'qName'|'nmToken'|'nmTokens'} production + * @param {{ xmlVersion?: '1.0'|'1.1' }} [opts] + * @returns {{ valid: boolean, production: string, input: string, reason?: string, position?: number }} + */ +const validate = (str, production, { xmlVersion = '1.0' } = {}) => { + if (!PRODUCTIONS.includes(production)) { + throw new TypeError( + `Unknown production "${production}". Must be one of: ${PRODUCTIONS.join(', ')}` + ); + } + + const validators = { name: src_name, ncName, qName, nmToken, nmTokens }; + const isValid = validators[production](str, { xmlVersion }); + + if (isValid) return { valid: true, production, input: str }; + + let reason = 'Does not match the production rules'; + let position; + + if (str.length === 0) { + reason = 'Input is empty'; + } else if (production === 'ncName' && str.includes(':')) { + position = str.indexOf(':'); + reason = 'Colon is not allowed in NCName'; + } else if (production === 'qName' && str.startsWith(':')) { + reason = 'QName cannot start with a colon'; + position = 0; + } else if (production === 'qName' && str.endsWith(':')) { + reason = 'QName cannot end with a colon'; + position = str.length - 1; + } else if (production === 'qName' && (str.match(/:/g) || []).length > 1) { + reason = 'QName can have at most one colon'; + position = str.lastIndexOf(':'); + } else if ( + ['name', 'ncName', 'qName'].includes(production) && + !/^[:A-Za-z_\u00C0-\uFFFD]/.test(str[0]) + ) { + reason = `First character "${str[0]}" is not a valid NameStartChar`; + position = 0; + } else { + for (let i = 0; i < str.length; i++) { + if (!/[\w\-\\.:\u00B7\u00C0-\uFFFD]/.test(str[i])) { + reason = `Character "${str[i]}" at position ${i} is not a valid NameChar`; + position = i; + break; + } + } + } + + return { valid: false, production, input: str, reason, position }; +}; + +// --------------------------------------------------------------------------- +// Batch validator +// --------------------------------------------------------------------------- + +/** + * Validates an array of strings against a named production. + * + * @param {string[]} strings + * @param {'name'|'ncName'|'qName'|'nmToken'|'nmTokens'} production + * @param {{ xmlVersion?: '1.0'|'1.1' }} [opts] + * @returns {Array<{ valid: boolean, production: string, input: string, reason?: string, position?: number }>} + */ +const validateAll = (strings, production, opts = {}) => + strings.map(str => validate(str, production, opts)); + +// --------------------------------------------------------------------------- +// Sanitizer +// --------------------------------------------------------------------------- + +/** + * Transforms an invalid string into the nearest valid XML name for the given production. + * + * @param {string} str + * @param {'name'|'ncName'|'qName'|'nmToken'|'nmTokens'} production + * @param {{ replacement?: string }} [opts] + * @returns {string} + */ +const sanitize = (str, production = 'name', { replacement = '_' } = {}) => { + if (!str) return replacement; + + let result = str; + + // Strip colons for NCName + if (production === 'ncName') { + result = result.replace(/:/g, ''); + } + + // Replace illegal characters + result = result.replace(/[^\w\-\.:\u00B7\u00C0-\uFFFD]/g, replacement); + + // Fix invalid start character for Name / NCName / QName + if (production !== 'nmToken' && production !== 'nmTokens') { + if (/^[\-\.\d]/.test(result)) { + result = replacement + result; + } + } + + return result || replacement; +}; ;// CONCATENATED MODULE: ./node_modules/fast-xml-builder/src/orderedJs2Xml.js + + const EOL = "\n"; /** - * - * @param {array} jArray - * @param {any} options - * @returns + * Detect XML version from the first element of the ordered array input. + * The first element must be a ?xml processing instruction with a version attribute. + * Returns '1.0' if not found. + * + * @param {array} jArray + * @param {object} options + */ +function detectXmlVersionFromArray(jArray, options) { + if (!Array.isArray(jArray) || jArray.length === 0) return '1.0'; + const first = jArray[0]; + const firstKey = propName(first); + if (firstKey === '?xml') { + const attrs = first[':@']; + if (attrs) { + const versionKey = options.attributeNamePrefix + 'version'; + if (attrs[versionKey]) return attrs[versionKey]; + } + } + return '1.0'; +} + +/** + * Resolve a tag or attribute name through sanitizeName if configured. + * Validation via xml-naming's qName is performed first; the sanitizeName + * callback is invoked only when the name is invalid. If sanitizeName is + * false (default), no validation occurs and the name is used as-is. + * + * @param {string} name - raw name from the JS object + * @param {boolean} isAttribute - true when resolving an attribute name + * @param {object} options + * @param {Matcher} matcher - current matcher state (readonly from callback perspective) + * @param {string} xmlVersion - '1.0' or '1.1', forwarded to xml-naming + */ +function resolveTagName(name, isAttribute, options, matcher, xmlVersion) { + if (!options.sanitizeName) return name; + if (qName(name, { xmlVersion })) return name; + return options.sanitizeName(name, { isAttribute, matcher: matcher.readOnly() }); +} + +/** + * @param {array} jArray + * @param {any} options + * @returns */ function toXml(jArray, options) { let indentation = ""; - if (options.format && options.indentBy.length > 0) { + if (options.format) { indentation = EOL; } @@ -215091,13 +216601,16 @@ function toXml(jArray, options) { } } + // Detect XML version for use in name validation + const xmlVersion = detectXmlVersionFromArray(jArray, options); + // Initialize matcher for path tracking const matcher = new Matcher(); - return arrToStr(jArray, options, indentation, matcher, stopNodeExpressions); + return arrToStr(jArray, options, indentation, matcher, stopNodeExpressions, xmlVersion); } -function arrToStr(arr, options, indentation, matcher, stopNodeExpressions) { +function arrToStr(arr, options, indentation, matcher, stopNodeExpressions, xmlVersion) { let xmlStr = ""; let isPreviousElementTag = false; @@ -215117,20 +216630,32 @@ function arrToStr(arr, options, indentation, matcher, stopNodeExpressions) { for (let i = 0; i < arr.length; i++) { const tagObj = arr[i]; - const tagName = propName(tagObj); - if (tagName === undefined) continue; + const rawTagName = propName(tagObj); + if (rawTagName === undefined) continue; + + // Special names are exempt from sanitizeName: internal conventions and PI tags + // are not user-supplied XML element names. + const isSpecialName = rawTagName === options.textNodeName + || rawTagName === options.cdataPropName + || rawTagName === options.commentPropName + || rawTagName[0] === '?'; + + // Resolve tag name (may transform it; may throw for invalid names) + const tagName = isSpecialName + ? rawTagName + : resolveTagName(rawTagName, false, options, matcher, xmlVersion); // Extract attributes from ":@" property const attrValues = extractAttributeValues(tagObj[":@"], options); - // Push tag to matcher WITH attributes + // Push resolved tag to matcher WITH attributes matcher.push(tagName, attrValues); // Check if this is a stop node using Expression matching const isStopNode = checkStopNode(matcher, stopNodeExpressions); if (tagName === options.textNodeName) { - let tagText = tagObj[tagName]; + let tagText = tagObj[rawTagName]; if (!isStopNode) { tagText = options.tagValueProcessor(tagName, tagText); tagText = replaceEntitiesValue(tagText, options); @@ -215146,27 +216671,25 @@ function arrToStr(arr, options, indentation, matcher, stopNodeExpressions) { if (isPreviousElementTag) { xmlStr += indentation; } - const val = tagObj[tagName][0][options.textNodeName]; - const safeVal = String(val).replace(/\]\]>/g, ']]]]>'); + const val = tagObj[rawTagName][0][options.textNodeName]; + const safeVal = safeCdata(val); xmlStr += ``; isPreviousElementTag = false; matcher.pop(); continue; } else if (tagName === options.commentPropName) { - const val = tagObj[tagName][0][options.textNodeName] - const safeVal = String(val) - .replace(/--/g, '- -') // -- is illegal anywhere in comment content - .replace(/-$/, '- '); // trailing - would form -- with the closing --> + const val = tagObj[rawTagName][0][options.textNodeName]; + const safeVal = safeComment(val); xmlStr += indentation + ``; isPreviousElementTag = true; matcher.pop(); continue; } else if (tagName[0] === "?") { - const attStr = attr_to_str(tagObj[":@"], options, isStopNode); + const attStr = attr_to_str(tagObj[":@"], options, isStopNode, matcher, xmlVersion); const tempInd = tagName === "?xml" ? "" : indentation; - let piTextNodeName = tagObj[tagName][0][options.textNodeName]; - piTextNodeName = piTextNodeName.length !== 0 ? " " + piTextNodeName : ""; //remove extra spacing - xmlStr += tempInd + `<${tagName}${piTextNodeName}${attStr}?>`; + // Text node content on PI/XML declaration tags is intentionally ignored. + // Only attributes are valid on these tags per the XML spec. + xmlStr += tempInd + `<${tagName}${attStr}?>`; isPreviousElementTag = true; matcher.pop(); continue; @@ -215178,16 +216701,15 @@ function arrToStr(arr, options, indentation, matcher, stopNodeExpressions) { } // Pass isStopNode to attr_to_str so attributes are also not processed for stopNodes - const attStr = attr_to_str(tagObj[":@"], options, isStopNode); + const attStr = attr_to_str(tagObj[":@"], options, isStopNode, matcher, xmlVersion); const tagStart = indentation + `<${tagName}${attStr}`; // If this is a stopNode, get raw content without processing let tagValue; if (isStopNode) { - tagValue = orderedJs2Xml_getRawContent(tagObj[tagName], options); + tagValue = orderedJs2Xml_getRawContent(tagObj[rawTagName], options); } else { - - tagValue = arrToStr(tagObj[tagName], options, newIdentation, matcher, stopNodeExpressions); + tagValue = arrToStr(tagObj[rawTagName], options, newIdentation, matcher, stopNodeExpressions, xmlVersion); } if (options.unpairedTags.indexOf(tagName) !== -1) { @@ -215231,7 +216753,7 @@ function extractAttributeValues(attrMap, options) { const cleanAttrName = attr.startsWith(options.attributeNamePrefix) ? attr.substr(options.attributeNamePrefix.length) : attr; - attrValues[cleanAttrName] = attrMap[attr]; + attrValues[cleanAttrName] = escapeAttribute(attrMap[attr]); hasAttrs = true; } @@ -215269,9 +216791,7 @@ function orderedJs2Xml_getRawContent(arr, options) { // Processing instruction - skip for stopNodes continue; } else if (tagName) { - // Nested tags within stopNode - // Recursively get raw content and reconstruct the tag - // For stopNodes, we don't process attributes either + // Nested tags within stopNode — no sanitizeName, content is raw const attStr = attr_to_str_raw(item[":@"], options); const nestedContent = orderedJs2Xml_getRawContent(item[tagName], options); @@ -215298,7 +216818,7 @@ function attr_to_str_raw(attrMap, options) { if (attrVal === true && options.suppressBooleanAttributes) { attrStr += ` ${attr.substr(options.attributeNamePrefix.length)}`; } else { - attrStr += ` ${attr.substr(options.attributeNamePrefix.length)}="${attrVal}"`; + attrStr += ` ${attr.substr(options.attributeNamePrefix.length)}="${escapeAttribute(attrVal)}"`; } } } @@ -215314,13 +216834,23 @@ function propName(obj) { } } -function attr_to_str(attrMap, options, isStopNode) { +/** + * Build attribute string, resolving attribute names through sanitizeName when configured. + * Accepts matcher so the callback has path context. + */ +function attr_to_str(attrMap, options, isStopNode, matcher, xmlVersion) { let attrStr = ""; if (attrMap && !options.ignoreAttributes) { for (let attr in attrMap) { if (!Object.prototype.hasOwnProperty.call(attrMap, attr)) continue; - let attrVal; + // Strip prefix to get the clean XML attribute name, then optionally sanitize it + const cleanAttrName = attr.substr(options.attributeNamePrefix.length); + const resolvedAttrName = isStopNode + ? cleanAttrName // stopNodes are raw — skip sanitizeName for attr names too + : resolveTagName(cleanAttrName, true, options, matcher, xmlVersion); + + let attrVal; if (isStopNode) { // For stopNodes, use raw value without any processing attrVal = attrMap[attr]; @@ -215331,9 +216861,9 @@ function attr_to_str(attrMap, options, isStopNode) { } if (attrVal === true && options.suppressBooleanAttributes) { - attrStr += ` ${attr.substr(options.attributeNamePrefix.length)}`; + attrStr += ` ${resolvedAttrName}`; } else { - attrStr += ` ${attr.substr(options.attributeNamePrefix.length)}="${attrVal}"`; + attrStr += ` ${resolvedAttrName}="${escapeAttribute(attrVal)}"`; } } } @@ -215360,14 +216890,6 @@ function replaceEntitiesValue(textValue, options) { } return textValue; } - -function cdataVal(val) { - -} - -function commentVal(val) { - -} ;// CONCATENATED MODULE: ./node_modules/fast-xml-builder/src/ignoreAttributes.js function getIgnoreAttributesFn(ignoreAttributes) { if (typeof ignoreAttributes === 'function') { @@ -215394,6 +216916,8 @@ function getIgnoreAttributesFn(ignoreAttributes) { + + const defaultOptions = { attributeNamePrefix: '@_', attributesGroupName: false, @@ -215427,7 +216951,11 @@ const defaultOptions = { // transformAttributeName: false, oneListGroup: false, maxNestedTags: 100, - jPath: true // When true, callbacks receive string jPath; when false, receive Matcher instance + jPath: true, // When true, callbacks receive string jPath; when false, receive Matcher instance + sanitizeName: false // false = allow all names as-is (default, backward-compatible). + // Set to a function (name, { isAttribute, matcher }) => string to + // validate/sanitize tag and attribute names. Throw inside the function + // to reject an invalid name. }; function Builder(options) { @@ -215484,6 +217012,44 @@ function Builder(options) { } } +/** + * Detect XML version from the ?xml declaration at the root of a plain-object input. + * Checks both attributesGroupName and flat attribute forms. + * Returns '1.0' if no declaration is found. + */ +function detectXmlVersionFromObj(jObj, options) { + const decl = jObj['?xml']; + if (decl && typeof decl === 'object') { + // attributesGroupName path e.g. { '$$': { '@_version': '1.1' } } + if (options.attributesGroupName && decl[options.attributesGroupName]) { + const v = decl[options.attributesGroupName][options.attributeNamePrefix + 'version']; + if (v) return v; + } + // flat attribute path e.g. { '@_version': '1.1' } + const v = decl[options.attributeNamePrefix + 'version']; + if (v) return v; + } + return '1.0'; +} + +/** + * Resolve a tag or attribute name through sanitizeName if configured. + * Validation via xml-naming's qName is performed first; the sanitizeName + * callback is invoked only when the name is invalid. If sanitizeName is + * false (default), no validation occurs and the name is used as-is. + * + * @param {string} name - raw name from the JS object + * @param {boolean} isAttribute - true when resolving an attribute name + * @param {object} options + * @param {Matcher} matcher - current matcher state (readonly from callback perspective) + * @param {string} xmlVersion - '1.0' or '1.1', forwarded to xml-naming + */ +function fxb_resolveTagName(name, isAttribute, options, matcher, xmlVersion) { + if (!options.sanitizeName) return name; + if (qName(name, { xmlVersion })) return name; + return options.sanitizeName(name, { isAttribute, matcher: matcher.readOnly() }); +} + Builder.prototype.build = function (jObj) { if (this.options.preserveOrder) { return toXml(jObj, this.options); @@ -215495,11 +217061,12 @@ Builder.prototype.build = function (jObj) { } // Initialize matcher for path tracking const matcher = new Matcher(); - return this.j2x(jObj, 0, matcher).val; + const xmlVersion = detectXmlVersionFromObj(jObj, this.options); + return this.j2x(jObj, 0, matcher, xmlVersion).val; } }; -Builder.prototype.j2x = function (jObj, level, matcher) { +Builder.prototype.j2x = function (jObj, level, matcher, xmlVersion) { let attrStr = ''; let val = ''; if (this.options.maxNestedTags && matcher.getDepth() >= this.options.maxNestedTags) { @@ -215513,6 +217080,22 @@ Builder.prototype.j2x = function (jObj, level, matcher) { for (let key in jObj) { if (!Object.prototype.hasOwnProperty.call(jObj, key)) continue; + + // Resolve the key through sanitizeName before any use. + // Special keys (textNodeName, cdataPropName, commentPropName, attributeNamePrefix, + // attributesGroupName, "?" PI tags) are exempt — they are builder-internal conventions, + // not user-supplied XML names. + const isSpecialKey = key === this.options.textNodeName + || key === this.options.cdataPropName + || key === this.options.commentPropName + || (this.options.attributesGroupName && key === this.options.attributesGroupName) + || this.isAttribute(key) + || key[0] === '?'; + + const resolvedKey = isSpecialKey + ? key + : fxb_resolveTagName(key, false, this.options, matcher, xmlVersion); + if (typeof jObj[key] === 'undefined') { // supress undefined node only if it is not an attribute if (this.isAttribute(key)) { @@ -215522,21 +217105,22 @@ Builder.prototype.j2x = function (jObj, level, matcher) { // null attribute should be ignored by the attribute list, but should not cause the tag closing if (this.isAttribute(key)) { val += ''; - } else if (key === this.options.cdataPropName) { + } else if (resolvedKey === this.options.cdataPropName || resolvedKey === this.options.commentPropName) { val += ''; - } else if (key[0] === '?') { - val += this.indentate(level) + '<' + key + '?' + this.tagEndChar; + } else if (resolvedKey[0] === '?') { + val += this.indentate(level) + '<' + resolvedKey + '?' + this.tagEndChar; } else { - val += this.indentate(level) + '<' + key + '/' + this.tagEndChar; + val += this.indentate(level) + '<' + resolvedKey + '/' + this.tagEndChar; } - // val += this.indentate(level) + '<' + key + '/' + this.tagEndChar; } else if (jObj[key] instanceof Date) { - val += this.buildTextValNode(jObj[key], key, '', level, matcher); + val += this.buildTextValNode(jObj[key], resolvedKey, '', level, matcher); } else if (typeof jObj[key] !== 'object') { //premitive type const attr = this.isAttribute(key); if (attr && !this.ignoreAttributesFn(attr, jPath)) { - attrStr += this.buildAttrPairStr(attr, '' + jObj[key], isCurrentStopNode); + // Resolve the attribute name through sanitizeName + const resolvedAttr = fxb_resolveTagName(attr, true, this.options, matcher, xmlVersion); + attrStr += this.buildAttrPairStr(resolvedAttr, '' + jObj[key], isCurrentStopNode); } else if (!attr) { //tag value if (key === this.options.textNodeName) { @@ -215544,7 +217128,7 @@ Builder.prototype.j2x = function (jObj, level, matcher) { val += this.replaceEntitiesValue(newval); } else { // Check if this is a stopNode before building - matcher.push(key); + matcher.push(resolvedKey); const isStopNode = this.checkStopNode(matcher); matcher.pop(); @@ -215552,12 +217136,12 @@ Builder.prototype.j2x = function (jObj, level, matcher) { // Build as raw content without encoding const textValue = '' + jObj[key]; if (textValue === '') { - val += this.indentate(level) + '<' + key + this.closeTag(key) + this.tagEndChar; + val += this.indentate(level) + '<' + resolvedKey + this.closeTag(resolvedKey) + this.tagEndChar; } else { - val += this.indentate(level) + '<' + key + '>' + textValue + '' + textValue + '' + textValue + '' + textValue + '/g, ']]]]>'); + const safeVal = safeCdata(val); return this.indentate(level) + `` + this.newLine; } else if (this.options.commentPropName !== false && key === this.options.commentPropName) { - const safeVal = String(val) - .replace(/--/g, '- -') // -- is illegal anywhere in comment content - .replace(/-$/, '- '); // trailing - would form -- with the closing --> + const safeVal = safeComment(val); return this.indentate(level) + `` + this.newLine; } else if (key[0] === "?") {//PI tag return this.indentate(level) + '<' + key + attrStr + '?' + this.tagEndChar; @@ -216001,7 +217589,7 @@ const validator_defaultOptions = { }; //const tagsPattern = new RegExp("<\\/?([\\w:\\-_\.]+)\\s*\/?>","g"); -function validate(xmlData, options) { +function validator_validate(xmlData, options) { options = Object.assign({}, validator_defaultOptions, options); //xmlData = xmlData.replace(/(\r\n|\n|\r)/gm,"");//make it single line @@ -216425,7 +218013,7 @@ function getPositionFromMatch(match) { const XMLValidator = { - validate: validate + validate: validator_validate } ;// CONCATENATED MODULE: ./node_modules/fast-xml-parser/src/xmlparser/OptionsBuilder.js @@ -220200,7 +221788,7 @@ class XMLParser { if (validationOption) { if (validationOption === true) validationOption = {}; //validate with default options - const result = validate(xmlData, validationOption); + const result = validator_validate(xmlData, validationOption); if (result !== true) { throw Error(`${result.err.msg}:${result.err.line}:${result.err.col}`) } diff --git a/package-lock.json b/package-lock.json index ed83cbc..4d61754 100644 --- a/package-lock.json +++ b/package-lock.json @@ -849,9 +849,9 @@ } }, "node_modules/@tootallnate/once": { - "version": "2.0.0", - "resolved": "https://registry.npmjs.org/@tootallnate/once/-/once-2.0.0.tgz", - "integrity": "sha512-XCuKFP5PS55gnMVu3dty8KPatLqUoy/ZYzDzAGCQ8JNFCkLXzmI7vNHCR+XpbZaMWQK/vQubr7PkYq8g470J/A==", + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/@tootallnate/once/-/once-2.0.1.tgz", + "integrity": "sha512-HqmEUIGRJ5fSXchkVgR5F7qn48bDBzv0kWj/Kfu5e6uci4UlEeng4331LnBkWffb++Ei3FOVLxo8JJWMFBDMeQ==", "license": "MIT", "engines": { "node": ">= 10" @@ -957,16 +957,29 @@ "integrity": "sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==" }, "node_modules/axios": { - "version": "1.15.0", - "resolved": "https://registry.npmjs.org/axios/-/axios-1.15.0.tgz", - "integrity": "sha512-wWyJDlAatxk30ZJer+GeCWS209sA42X+N5jU2jy6oHTp7ufw8uzUTVFBX9+wTfAlhiJXGS0Bq7X6efruWjuK9Q==", + "version": "1.16.1", + "resolved": "https://registry.npmjs.org/axios/-/axios-1.16.1.tgz", + "integrity": "sha512-caYkukvroVPO8KrzuJEb50Hm07KwfBZPEC3VeFHTsqWHvKTsy54hjJz9BS/cdaypROE2rH6xvm9mHX4fgWkr3A==", "license": "MIT", "dependencies": { - "follow-redirects": "^1.15.11", + "follow-redirects": "^1.16.0", "form-data": "^4.0.5", + "https-proxy-agent": "^5.0.1", "proxy-from-env": "^2.1.0" } }, + "node_modules/axios/node_modules/agent-base": { + "version": "6.0.2", + "resolved": "https://registry.npmjs.org/agent-base/-/agent-base-6.0.2.tgz", + "integrity": "sha512-RZNwNclF7+MS/8bDg70amg32dyeZGZxiDuQmZxKLAlQjr3jGyLx+4Kkk58UO7D2QdgFIQCovuSuZESne6RG6XQ==", + "license": "MIT", + "dependencies": { + "debug": "4" + }, + "engines": { + "node": ">= 6.0.0" + } + }, "node_modules/axios/node_modules/form-data": { "version": "4.0.5", "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.5.tgz", @@ -983,6 +996,19 @@ "node": ">= 6" } }, + "node_modules/axios/node_modules/https-proxy-agent": { + "version": "5.0.1", + "resolved": "https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-5.0.1.tgz", + "integrity": "sha512-dFcAjpTQFgoLMzC2VwU+C/CbS7uRL0lWmxDITmqm7C+7F0Odmj6s9l6alZc6AELXhrnggM2CeWSXHGOdX2YtwA==", + "license": "MIT", + "dependencies": { + "agent-base": "6", + "debug": "4" + }, + "engines": { + "node": ">= 6" + } + }, "node_modules/balanced-match": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz", @@ -1211,9 +1237,9 @@ "license": "MIT" }, "node_modules/fast-xml-builder": { - "version": "1.1.5", - "resolved": "https://registry.npmjs.org/fast-xml-builder/-/fast-xml-builder-1.1.5.tgz", - "integrity": "sha512-4TJn/8FKLeslLAH3dnohXqE3QSoxkhvaMzepOIZytwJXZO69Bfz0HBdDHzOTOon6G59Zrk6VQ2bEiv1t61rfkA==", + "version": "1.2.0", + "resolved": "https://registry.npmjs.org/fast-xml-builder/-/fast-xml-builder-1.2.0.tgz", + "integrity": "sha512-00aAWieqff+ZJhsXA4g1g7M8k+7AYoMUUHF+/zFb5U6Uv/P0Vl4QZo84/IcufzYalLuEj9928bXN9PbbFzMF0Q==", "funding": [ { "type": "github", @@ -1222,7 +1248,8 @@ ], "license": "MIT", "dependencies": { - "path-expression-matcher": "^1.1.3" + "path-expression-matcher": "^1.5.0", + "xml-naming": "^0.1.0" } }, "node_modules/fast-xml-parser": { @@ -1969,6 +1996,21 @@ "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==", "license": "ISC" }, + "node_modules/xml-naming": { + "version": "0.1.0", + "resolved": "https://registry.npmjs.org/xml-naming/-/xml-naming-0.1.0.tgz", + "integrity": "sha512-k8KO9hrMyNk6tUWqUfkTEZbezRRpONVOzUTnc97VnCvyj6Tf9lyUR9EDAIeiVLv56jsMcoXEwjW8Kv5yPY52lw==", + "funding": [ + { + "type": "github", + "url": "https://github.com/sponsors/NaturalIntelligence" + } + ], + "license": "MIT", + "engines": { + "node": ">=16.0.0" + } + }, "node_modules/xml2js": { "version": "0.5.0", "resolved": "https://registry.npmjs.org/xml2js/-/xml2js-0.5.0.tgz",