fix(security): ignore inherited parseReviver and related config reads

2026-06-17 19:21:29 +03:00 · 2026-04-18 15:14:42 +02:00
parent 17b90d0be6
commit 70302b6c90
1 changed files with 13 additions and 8 deletions
@@ -8,6 +8,8 @@ import toURLEncodedForm from '../helpers/toURLEncodedForm.js';
 import platform from '../platform/index.js';
 import formDataToJSON from '../helpers/formDataToJSON.js';

+const own = (obj, key) => (obj != null && utils.hasOwnProp(obj, key) ? obj[key] : undefined);
+
 /**
 * It takes a string, tries to parse it, and if it fails, it returns the stringified version
 * of the input
@@ -75,20 +77,22 @@ const defaults = {
      let isFileList;

      if (isObjectPayload) {
+        const formSerializer = own(this, 'formSerializer');
        if (contentType.indexOf('application/x-www-form-urlencoded') > -1) {
-          return toURLEncodedForm(data, this.formSerializer).toString();
+          return toURLEncodedForm(data, formSerializer).toString();
        }

        if (
          (isFileList = utils.isFileList(data)) ||
          contentType.indexOf('multipart/form-data') > -1
        ) {
-          const _FormData = this.env && this.env.FormData;
+          const env = own(this, 'env');
+          const _FormData = env && env.FormData;

          return toFormData(
            isFileList ? { 'files[]': data } : data,
            _FormData && new _FormData(),
-            this.formSerializer
+            formSerializer
          );
        }
      }
@@ -104,9 +108,10 @@ const defaults = {

  transformResponse: [
    function transformResponse(data) {
-      const transitional = this.transitional || defaults.transitional;
+      const transitional = own(this, 'transitional') || defaults.transitional;
      const forcedJSONParsing = transitional && transitional.forcedJSONParsing;
-      const JSONRequested = this.responseType === 'json';
+      const responseType = own(this, 'responseType');
+      const JSONRequested = responseType === 'json';

      if (utils.isResponse(data) || utils.isReadableStream(data)) {
        return data;
@@ -115,17 +120,17 @@ const defaults = {
      if (
        data &&
        utils.isString(data) &&
-        ((forcedJSONParsing && !this.responseType) || JSONRequested)
+        ((forcedJSONParsing && !responseType) || JSONRequested)
      ) {
        const silentJSONParsing = transitional && transitional.silentJSONParsing;
        const strictJSONParsing = !silentJSONParsing && JSONRequested;

        try {
-          return JSON.parse(data, this.parseReviver);
+          return JSON.parse(data, own(this, 'parseReviver'));
        } catch (e) {
          if (strictJSONParsing) {
            if (e.name === 'SyntaxError') {
-              throw AxiosError.from(e, AxiosError.ERR_BAD_RESPONSE, this, null, this.response);
+              throw AxiosError.from(e, AxiosError.ERR_BAD_RESPONSE, this, null, own(this, 'response'));
            }
            throw e;
          }