mirrors/axios
2
0
Fork 0
mirror of https://github.com/tenrok/axios.git synced 2026-06-20 20:00:40 +03:00
Code Activity

fix(node): enforce maxContentLength for data: URLs (#7011)

Browse Source 
* fix(node): enforce maxContentLength for data: URLs (pre-decode size check)- CVE-2025-58754

* feat(utils): add estimateDataURLDecodedBytes helper and fix duplicate condition in base64 padding check

* feat: add estimateDataURLDecodedBytes helper with tests
This commit is contained in:
Ameer Assadi
2025-09-10 16:08:43 +03:00
committed by GitHub
parent 28e5e3016d
commit 945435fc51
4 changed files with 123 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
lib/adapters/http.js
+18
View File
@@ -25,6 +25,7 @@ import readBlob from "../helpers/readBlob.js";
import ZlibHeaderTransformStream from '../helpers/ZlibHeaderTransformStream.js';
import callbackify from "../helpers/callbackify.js";
import {progressEventReducer, progressEventDecorator, asyncDecorator} from "../helpers/progressEventReducer.js";
import estimateDataURLDecodedBytes from '../helpers/estimateDataURLDecodedBytes.js';
const zlibOptions = {
flush: zlib.constants.Z_SYNC_FLUSH,
@@ -46,6 +47,7 @@ const supportedProtocols = platform.protocols.map(protocol => {
return protocol + ':';
});
const flushOnFinish = (stream, [throttled, flush]) => {
stream
.on('end', flush)
@@ -54,6 +56,7 @@ const flushOnFinish = (stream, [throttled, flush]) => {
return throttled;
}
/**
* If the proxy or config beforeRedirects functions are defined, call them with the options
* object.
@@ -233,6 +236,21 @@ export default isHttpAdapterSupported && function httpAdapter(config) {
const protocol = parsed.protocol || supportedProtocols[0];
if (protocol === 'data:') {
// Apply the same semantics as HTTP: only enforce if a finite, non-negative cap is set.
if (config.maxContentLength > -1) {
// Use the exact string passed to fromDataURI (config.url); fall back to fullPath if needed.
const dataUrl = String(config.url || fullPath || '');
const estimated = estimateDataURLDecodedBytes(dataUrl);
if (estimated > config.maxContentLength) {
return reject(new AxiosError(
'maxContentLength size of ' + config.maxContentLength + ' exceeded',
AxiosError.ERR_BAD_RESPONSE,
config
));
}
}
let convertedData;
if (method !== 'GET') {