/puter/packages/backend/src/om/entitystorage/ValidationES.js
89:25 error Do not assign to the exception parameter no-ex-assign
/puter/packages/backend/src/om/proptypes/__all__.js
166:17 warning Unexpected 'debugger' statement no-debugger
/puter/packages/backend/src/routers/_default.js
405:31 error 'err' is not defined no-undef
/puter/packages/backend/src/helpers.js
682:9 error 'sharing_users' is not defined no-undef
689:12 error 'sharing_users' is not defined no-undef
690:28 error 'sharing_users' is not defined no-undef
695:28 error 'sharing_users' is not defined no-undef
720:9 error 'shared_fsentries' is not defined no-undef
733:12 error 'shared_fsentries' is not defined no-undef
734:28 error 'shared_fsentries' is not defined no-undef
735:17 error 'shared_fsentries' is not defined no-undef
735:58 error 'shared_fsentries' is not defined no-undef
736:31 error 'shared_fsentries' is not defined no-undef
900:57 error 'e' is not defined no-undef
1849:18 error Empty block statement no-empty
These currently work in a way that's different from what eslint expects,
so disable it. At some point it would be good if it could check them
(and if the tests could run on CI) but right now they just make a lot of
noise.
Removes or disables the following eslint errors/warnings:
/puter/packages/backend/src/api/filesystem/FlagParam.js
33:19 error 'APIError' is not defined no-undef
47:19 error 'APIError' is not defined no-undef
58:15 error 'APIError' is not defined no-undef
/puter/packages/backend/src/api/filesystem/StringParam.js
32:19 error 'APIError' is not defined no-undef
39:13 error 'APIError' is not defined no-undef
46:19 error 'APIError' is not defined no-undef
/puter/packages/backend/src/filesystem/FilesystemService.js
141:17 warning Unexpected 'debugger' statement no-debugger
366:21 error 'services' is not defined no-undef
/puter/packages/backend/src/filesystem/batch/BatchExecutor.js
121:21 error Do not assign to the exception parameter no-ex-assign
/puter/packages/backend/src/filesystem/hl_operations/hl_data_read.js
44:19 error 'APIError' is not defined no-undef
47:22 error 'chkperm' is not defined no-undef
48:19 error 'APIError' is not defined no-undef
51:29 error 'LLRead' is not defined no-undef
54:13 error 'version_id' is not defined no-undef
88:35 error 'PassThrough' is not defined no-undef
/puter/packages/backend/src/filesystem/hl_operations/hl_mkdir.js
68:49 error 'fs' is not defined no-undef
/puter/packages/backend/src/filesystem/hl_operations/hl_move.js
102:33 error 'get_user' is not defined no-undef
104:35 error 'get_user' is not defined no-undef
110:33 error 'df' is not defined no-undef
/puter/packages/backend/src/filesystem/hl_operations/hl_read.js
54:13 error 'stream' is constant no-const-assign
/puter/packages/backend/src/filesystem/hl_operations/hl_stat.js
40:37 error 'APIError' is not defined no-undef
/puter/packages/backend/src/filesystem/lib/PuterPath.js
67:5 error Expected to return a value in getter 'hasRelativePortion' getter-return
/puter/packages/backend/src/filesystem/ll_operations/ll_copy_idea.js
53:21 error 'UploadProgressTracker' is not defined no-undef
73:17 error 'PuterS3StorageStrategy' is not defined no-undef
137:22 error 'LLFilesystemOperation' is not defined no-undef
/puter/packages/backend/src/filesystem/ll_operations/ll_read.js
102:65 error 'offset' is not defined no-undef
102:73 error 'offset' is not defined no-undef
102:80 error 'length' is not defined no-undef
/puter/packages/backend/src/filesystem/ll_operations/ll_rmnode.js
43:23 error 'APIError' is not defined no-undef
/puter/packages/backend/src/filesystem/storage/SystemFSEntryService.js
101:26 error '_path' is not defined no-undef
/puter/packages/backend/src/filesystem/validation.js
27:29 error Unexpected control character(s) in regular expression: \x00, \x1f no-control-regex
28:29 error Unexpected control character(s) in regular expression: \x00, \x1f no-control-regex
28:31 error Unnecessary escape character: \/ no-useless-escape
When using axios, its dependency follow-redirects only clears the Authorization (and Cookie) headers during a cross-domain redirect, but still forwards the Proxy-Authorization header, which also carries credentials.
## Steps To Reproduce & PoC
```js
const axios = require('axios');

// Header names are deliberately mixed-case: the stripping logic in
// follow-redirects matches them case-insensitively, so the casing must not
// matter for the result.
axios.get('http://127.0.0.1:10081/', {
  // the reporter's local test server, which answers with a cross-domain redirect
  headers: {
    'AuThorization': 'Rear Test',
    'ProXy-AuthoriZation': 'Rear Test',
    'coOkie': 't=1'
  }
})
  .then((response) => {
    // inspect what reached the redirect target
    console.log(response);
  })
  .catch((err) => {
    console.error(err);
  });
```
When the request hits the cross-domain redirect, the sensitive Authorization and Cookie headers are cleared, but the Proxy-Authorization header is kept.
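To make the gap concrete, here is an added example (not follow-redirects' own code) that models the credential-stripping step on a cross-domain redirect with the vulnerable and the fixed header pattern side by side, run over the PoC's mixed-case headers; the redirect target host and the cross-domain check (hostname comparison) are assumptions of the example.

```javascript
// Added example: models how a redirect-following client strips credential
// headers when the redirect leaves the original host. The two patterns are
// the before/after of the fix; everything else here is our own modelling.
const VULNERABLE_PATTERN = /^(?:authorization|cookie)$/i;
const FIXED_PATTERN = /^(?:authorization|proxy-authorization|cookie)$/i;

// Delete every header whose name matches the pattern. Mirrors the intent of
// removeMatchingHeaders in the fix; this body is the example's own.
function removeMatchingHeaders(pattern, headers) {
  for (const name of Object.keys(headers)) {
    if (pattern.test(name)) delete headers[name];
  }
  return headers;
}

// Assumption: "cross-domain" means the redirect points at a different host.
// Compare parsed hostnames so casing and port variants do not matter.
function isCrossDomain(fromUrl, toUrl) {
  return new URL(fromUrl).hostname.toLowerCase() !==
         new URL(toUrl).hostname.toLowerCase();
}

// Returns the header set that would be forwarded to the redirect target.
// Works on a copy so the caller's headers are not mutated.
function headersForRedirect(fromUrl, location, headers, pattern) {
  const forwarded = { ...headers };
  if (isCrossDomain(fromUrl, location)) removeMatchingHeaders(pattern, forwarded);
  return forwarded;
}

// Constructed sample: the PoC's headers, redirected from the local test
// server to a placeholder host on another domain.
const POC_HEADERS = {
  'AuThorization': 'Rear Test',
  'ProXy-AuthoriZation': 'Rear Test',
  'coOkie': 't=1'
};
const ORIGIN = 'http://127.0.0.1:10081/';
const TARGET = 'http://other.example/';  // placeholder redirect target

// Names of the credential headers that still reach the cross-domain target.
function forwardedHeaderNames(pattern) {
  return Object.keys(headersForRedirect(ORIGIN, TARGET, POC_HEADERS, pattern));
}

console.log('vulnerable forwards:', forwardedHeaderNames(VULNERABLE_PATTERN)); // ['ProXy-AuthoriZation']
console.log('fixed forwards:', forwardedHeaderNames(FIXED_PATTERN));           // []
```

A same-host redirect (for example to another path on 127.0.0.1) keeps all three headers under either pattern, which is the behaviour the fix does not change.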
```diff
- removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
+ removeMatchingHeaders(/^(?:authorization|proxy-authorization|cookie)$/i, this._options.headers);
```
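Review bot: the widened pattern closes the gap the PoC shows, and the existing /i flag means the mixed-case 'ProXy-AuthoriZation' from the PoC is matched too; add a regression test that sends a Proxy-Authorization header through a cross-domain redirect and asserts it is absent at the target, so the header list cannot silently regress, and list the stripped headers (authorization, proxy-authorization, cookie) in the changelog so downstream users such as axios know the behaviour changed.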
CWE-200
`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N`
CVE-2024-28849