hiderfong/prop-data-guard
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1773bda06bb3df3663164b68169029fa33fb5253
prop-data-guard/frontend/node_modules/axios/lib/helpers/resolveConfig.js
T
hiderfong 1773bda06b feat: initial commit - Phase 1 & 2 core features
2026-04-22 17:07:33 +08:00

91 lines
3.0 KiB
JavaScript
Raw Blame History

import platform from '../platform/index.js';
import utils from '../utils.js';
import isURLSameOrigin from './isURLSameOrigin.js';
import cookies from './cookies.js';
import buildFullPath from '../core/buildFullPath.js';
import mergeConfig from '../core/mergeConfig.js';
import AxiosHeaders from '../core/AxiosHeaders.js';
import buildURL from './buildURL.js';
export default (config) => {
const newConfig = mergeConfig({}, config);
// Read only own properties to prevent prototype pollution gadgets
// (e.g. Object.prototype.baseURL = 'https://evil.com'). See GHSA-q8qp-cvcw-x6jj.
const own = (key) => (utils.hasOwnProp(newConfig, key) ? newConfig[key] : undefined);
const data = own('data');
let withXSRFToken = own('withXSRFToken');
const xsrfHeaderName = own('xsrfHeaderName');
const xsrfCookieName = own('xsrfCookieName');
let headers = own('headers');
const auth = own('auth');
const baseURL = own('baseURL');
const allowAbsoluteUrls = own('allowAbsoluteUrls');
const url = own('url');
newConfig.headers = headers = AxiosHeaders.from(headers);
newConfig.url = buildURL(
buildFullPath(baseURL, url, allowAbsoluteUrls),
config.params,
config.paramsSerializer
);
// HTTP basic authentication
if (auth) {
headers.set(
'Authorization',
'Basic ' +
btoa(
(auth.username || '') +
':' +
(auth.password ? unescape(encodeURIComponent(auth.password)) : '')
)
);
}
if (utils.isFormData(data)) {
if (platform.hasStandardBrowserEnv || platform.hasStandardBrowserWebWorkerEnv) {
headers.setContentType(undefined); // browser handles it
} else if (utils.isFunction(data.getHeaders)) {
// Node.js FormData (like form-data package)
const formHeaders = data.getHeaders();
// Only set safe headers to avoid overwriting security headers
const allowedHeaders = ['content-type', 'content-length'];
Object.entries(formHeaders).forEach(([key, val]) => {
if (allowedHeaders.includes(key.toLowerCase())) {
headers.set(key, val);
}
});
}
}
// Add xsrf header
// This is only done if running in a standard browser environment.
// Specifically not if we're in a web worker, or react-native.
if (platform.hasStandardBrowserEnv) {
if (utils.isFunction(withXSRFToken)) {
withXSRFToken = withXSRFToken(newConfig);
}
// Strict boolean check — prevents proto-pollution gadgets (e.g. Object.prototype.withXSRFToken = 1)
// and misconfigurations (e.g. "false") from short-circuiting the same-origin check and leaking
// the XSRF token cross-origin. See GHSA-xx6v-rp6x-q39c.
const shouldSendXSRF =
withXSRFToken === true ||
(withXSRFToken == null && isURLSameOrigin(newConfig.url));
if (shouldSendXSRF) {
const xsrfValue = xsrfHeaderName && xsrfCookieName && cookies.read(xsrfCookieName);
if (xsrfValue) {
headers.set(xsrfHeaderName, xsrfValue);
}
}
}
return newConfig;
};
Reference in New Issue View Git Blame Copy Permalink