File Explorer

/proc/self/root/var/runtime/node_modules/@aws-sdk/node_modules/axios/lib/helpers
This explorer reads the filesystem of the server it runs on, so /workspace/user isn't present here. Browsing and the terminal still work against this server's own disk from /.
0 dirs
33 files
resolveConfig.js3.0 KB · 91 lines
1import platform from '../platform/index.js';2import utils from '../utils.js';3import isURLSameOrigin from './isURLSameOrigin.js';4import cookies from './cookies.js';5import buildFullPath from '../core/buildFullPath.js';6import mergeConfig from '../core/mergeConfig.js';7import AxiosHeaders from '../core/AxiosHeaders.js';8import buildURL from './buildURL.js';9 10export default (config) => {11  const newConfig = mergeConfig({}, config);12 13  // Read only own properties to prevent prototype pollution gadgets14  // (e.g. Object.prototype.baseURL = 'https://evil.com'). See GHSA-q8qp-cvcw-x6jj.15  const own = (key) => (utils.hasOwnProp(newConfig, key) ? newConfig[key] : undefined);16 17  const data = own('data');18  let withXSRFToken = own('withXSRFToken');19  const xsrfHeaderName = own('xsrfHeaderName');20  const xsrfCookieName = own('xsrfCookieName');21  let headers = own('headers');22  const auth = own('auth');23  const baseURL = own('baseURL');24  const allowAbsoluteUrls = own('allowAbsoluteUrls');25  const url = own('url');26 27  newConfig.headers = headers = AxiosHeaders.from(headers);28 29  newConfig.url = buildURL(30    buildFullPath(baseURL, url, allowAbsoluteUrls),31    config.params,32    config.paramsSerializer33  );34 35  // HTTP basic authentication36  if (auth) {37    headers.set(38      'Authorization',39      'Basic ' +40        btoa(41          (auth.username || '') +42            ':' +43            (auth.password ? unescape(encodeURIComponent(auth.password)) : '')44        )45    );46  }47 48  if (utils.isFormData(data)) {49    if (platform.hasStandardBrowserEnv || platform.hasStandardBrowserWebWorkerEnv) {50      headers.setContentType(undefined); // browser handles it51    } else if (utils.isFunction(data.getHeaders)) {52      // Node.js FormData (like form-data package)53      const formHeaders = data.getHeaders();54      // Only set safe headers to avoid overwriting security headers55      const allowedHeaders = ['content-type', 'content-length'];56      Object.entries(formHeaders).forEach(([key, val]) => {57        if (allowedHeaders.includes(key.toLowerCase())) {58          headers.set(key, val);59        }60      });61    }62  }63 64  // Add xsrf header65  // This is only done if running in a standard browser environment.66  // Specifically not if we're in a web worker, or react-native.67 68  if (platform.hasStandardBrowserEnv) {69    if (utils.isFunction(withXSRFToken)) {70      withXSRFToken = withXSRFToken(newConfig);71    }72 73    // Strict boolean check — prevents proto-pollution gadgets (e.g. Object.prototype.withXSRFToken = 1)74    // and misconfigurations (e.g. "false") from short-circuiting the same-origin check and leaking75    // the XSRF token cross-origin. See GHSA-xx6v-rp6x-q39c.76    const shouldSendXSRF =77      withXSRFToken === true ||78      (withXSRFToken == null && isURLSameOrigin(newConfig.url));79 80    if (shouldSendXSRF) {81      const xsrfValue = xsrfHeaderName && xsrfCookieName && cookies.read(xsrfCookieName);82 83      if (xsrfValue) {84        headers.set(xsrfHeaderName, xsrfValue);85      }86    }87  }88 89  return newConfig;90};91