mirror of
https://github.com/tenrok/axios.git
synced 2026-06-17 19:21:29 +03:00
78e8dcf875
* fix(security): harden prototype pollution protection in formDataToJSON

  Replace falsy check with hasOwnProp in the intermediate-path branch of formDataToJSON's buildPath to prevent write-through into inherited objects.

  Without this patch, if Object.prototype is already polluted (e.g. via a third-party library or earlier vulnerability), user-supplied FormData paths like 'injected.hijack' traverse the inherited object and mutate Object.prototype in place. With hasOwnProp, the inherited slot is shadowed by a new own property, keeping writes local to the result.

  This is defense-in-depth: the existing __proto__ guard blocks direct prototype injection, while this change prevents exploitation of an already-polluted prototype chain.

  Closes #7209

* test(security): use defineProperty + toBe in prototype-pollution regression test

---------

Co-authored-by: tommyhgunz14 <tommyhgunz14@users.noreply.github.com>
Co-authored-by: Jay <jasonsaayman@gmail.com>
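The hardening described in the commit message above, shown as an added regression-style example. This is not axios' own formDataToJSON or buildPath code: the simplified path walker and the names buildPathFalsy, buildPathHardened and runRegression are assumptions for this illustration. The two variants differ only in how they decide whether an intermediate object must be created: the falsy check reuses anything reachable through the prototype chain, while the hasOwnProp check creates an own property that shadows an inherited slot. The check simulates an already-polluted prototype with a configurable property, so it can be removed again afterwards, and reports whether the write leaked to an unrelated object.

```javascript
// Added illustration of the formDataToJSON hardening; a simplified stand-in
// for axios' buildPath, not the library's own code (names are assumed).

const hasOwnProp = (obj, prop) => Object.prototype.hasOwnProperty.call(obj, prop);

// Split a dotted FormData-style key such as "a.b.c" into its segments.
function parsePath(path) {
  return path.split('.').filter(Boolean);
}

// Shared walker: `needsOwnSlot(target, name)` decides whether the intermediate
// object at `name` must be (re)created as an own property of `target`.
function buildPath(result, path, value, needsOwnSlot) {
  const segments = parsePath(path);
  let target = result;
  for (let i = 0; i < segments.length; i++) {
    const name = segments[i];
    // Existing guard against direct prototype injection.
    if (name === '__proto__') return false;
    if (i === segments.length - 1) {
      target[name] = value;
    } else {
      if (needsOwnSlot(target, name)) target[name] = {};
      target = target[name];
    }
  }
  return true;
}

// 'Before': only creates a slot when the lookup is falsy, so an inherited
// (already polluted) object is found, reused and mutated in place.
const buildPathFalsy = (result, path, value) =>
  buildPath(result, path, value, (t, n) => !t[n]);

// 'After': creates an own property whenever `target` does not own the slot,
// shadowing whatever the prototype chain provides and keeping the write local.
const buildPathHardened = (result, path, value) =>
  buildPath(result, path, value, (t, n) => !hasOwnProp(t, n));

// Regression check: simulate a prototype that is already polluted (constructed
// test fixture, removed again in `finally`) and observe where the write lands.
function runRegression(variant) {
  Object.defineProperty(Object.prototype, 'injected', {
    value: {}, configurable: true, writable: true, enumerable: false,
  });
  try {
    const result = {};
    variant(result, 'injected.hijack', 'x');
    const bystander = {}; // unrelated object; must not see the write
    return {
      leaked: bystander.injected.hijack === 'x', // true means the prototype was mutated
      own: hasOwnProp(result, 'injected'),       // true means the slot was shadowed
      value: result.injected.hijack,
    };
  } finally {
    delete Object.prototype.injected;
  }
}

console.log('falsy check   :', runRegression(buildPathFalsy));
console.log('hasOwnProp    :', runRegression(buildPathHardened));
console.log('__proto__ path:', buildPathHardened({}, '__proto__.polluted', 1));
```

Both variants end up with `result.injected.hijack === 'x'`, which is why the defect is easy to miss in a test that only inspects the parsed result; the regression check has to look at an unrelated object (or at `Object.prototype` itself) to see that the falsy variant wrote through. The `__proto__` guard is unchanged by the fix and still rejects direct injection in both variants.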
axios // helpers
The modules found in helpers/ should be generic modules that are not specific to the domain logic of axios. These modules could theoretically be published to npm on their own and consumed by other modules or apps. Some examples of generic modules are things like:
- Browser polyfills
- Managing cookies
- Parsing HTTP headers