From 086be6fc74d8cc69faf76f65bf96d8f76b224dd1 Mon Sep 17 00:00:00 2001 From: Steve Moser Date: Fri, 9 Aug 2019 05:17:25 -0400 Subject: [PATCH 01/19] Remove --save option as it isn't required anymore (#581) --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index cb1990120..ecb5e487f 100644 --- a/README.md +++ b/README.md @@ -72,7 +72,7 @@ See Matt Andrews' [isomorphic-fetch](https://github.com/matthew-andrews/isomorph Current stable release (`2.x`) ```sh -$ npm install node-fetch --save +$ npm install node-fetch ``` ## Loading and configuring the module From eb3a57255b4eaa446d52e4cf3e77a1e560d61527 Mon Sep 17 00:00:00 2001 From: Richie Bendall Date: Sun, 8 Sep 2019 09:44:40 +1200 Subject: [PATCH 02/19] feat: Data URI support (#659) Adds support for Data URIs using native methods in Node 5.10.0+ --- src/index.js | 11 +++++++++++ test/test.js | 25 +++++++++++++++++++++++++ 2 files changed, 36 insertions(+) diff --git a/src/index.js b/src/index.js index 907f47275..56044fe41 100644 --- a/src/index.js +++ b/src/index.js @@ -38,6 +38,17 @@ export default function fetch(url, opts) { throw new Error('native promise missing, set fetch.Promise to your favorite alternative'); } + if (/^data:/.test(url)) { + const request = new Request(url, opts); + try { + const data = Buffer.from(url.split(',')[1], 'base64') + const res = new Response(data.body, { headers: { 'Content-Type': data.mimeType || url.match(/^data:(.+);base64,.*$/)[1] } }); + return fetch.Promise.resolve(res); + } catch (err) { + return fetch.Promise.reject(new FetchError(`[${request.method}] ${request.url} invalid URL, ${err.message}`, 'system', err)); + } + } + Body.Promise = fetch.Promise; // wrap http.request into fetch diff --git a/test/test.js b/test/test.js index 38d3ce050..b8c62dc6d 100644 --- a/test/test.js +++ b/test/test.js 
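Review bot: In the added `data:` branch of `fetch()`, `data` is the `Buffer` returned by `Buffer.from(...)`, so `data.body` and `data.mimeType` are both `undefined` and the `Response` is constructed without the decoded bytes. Passing the buffer itself, `new Response(data, { headers: { 'Content-Type': mimeType } })` with `mimeType` taken from the regex match, would return the payload. A data URI without `;base64,` makes `url.match(...)[1]` throw inside the `try`, so a well-formed non-base64 data URI is rejected as "invalid URL". No `size` is passed to the `Response`, so the caller's size limit is not applied to the decoded payload, and `new Request(url, opts)` sits before the `try`, so an error there throws synchronously instead of rejecting. The rest of `fetch` is outside the hunk.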
@@ -2834,4 +2834,29 @@ describe('external encoding', () => { }); }); }); + + describe('data uri', function() { + const dataUrl = ''; + + const invalidDataUrl = 'data:@@@@'; + + it('should accept data uri', function() { + return fetch(dataUrl).then(r => { + console.assert(r.status == 200); + console.assert(r.headers.get('Content-Type') == 'image/gif'); + + return r.buffer().then(b => { + console.assert(b instanceof Buffer); + }); + }); + }); + + it('should reject invalid data uri', function() { + return fetch(invalidDataUrl) + .catch(e => { + console.assert(e); + console.assert(e.message.includes('invalid URL')); + }); + }); + }); }); From 1d5778ad0d910dbd1584fb407a186f5a0bc1ea22 Mon Sep 17 00:00:00 2001 From: Richie Bendall Date: Sun, 8 Sep 2019 10:00:54 +1200 Subject: [PATCH 03/19] docs: Add Discord badge --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index ecb5e487f..eee288e0e 100644 --- a/README.md +++ b/README.md @@ -5,6 +5,7 @@ node-fetch [![build status][travis-image]][travis-url] [![coverage status][codecov-image]][codecov-url] [![install size][install-size-image]][install-size-url] +[![Discord][discord-image]][discord-url] A light-weight module that brings `window.fetch` to Node.js @@ -574,6 +575,8 @@ MIT [codecov-url]: https://codecov.io/gh/bitinn/node-fetch [install-size-image]: https://flat.badgen.net/packagephobia/install/node-fetch [install-size-url]: https://packagephobia.now.sh/result?p=node-fetch +[discord-image]: https://img.shields.io/discord/619915844268326952?color=%237289DA&label=Discord&style=flat-square +[discord-url]: https://discord.gg/Zxbndcm [whatwg-fetch]: https://fetch.spec.whatwg.org/ [response-init]: https://fetch.spec.whatwg.org/#responseinit [node-readable]: https://nodejs.org/api/stream.html#stream_readable_streams From 5535c2ed478d418969ecfd60c16453462de2a53f Mon Sep 17 00:00:00 2001 
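Review bot: The new `data uri` tests assert with `console.assert`, which since Node 10 only prints a message on a false condition and does not throw, so on current runtimes these cases pass whatever `fetch` returns. Other tests in this file use chai's `expect`; `expect(r.status).to.equal(200);` and `expect(r.headers.get('Content-Type')).to.equal('image/gif');` would make the checks effective. The rejection case also has no failing path when `fetch(invalidDataUrl)` resolves; chaining `.then(() => { throw new Error('expected rejection'); }, e => { expect(e.message).to.include('invalid URL'); })` closes that gap. As shown here `dataUrl` is an empty string; if that is not an extraction artefact, the first test never reaches the data branch.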
From: Boris Bosiljcic Date: Mon, 16 Sep 2019 13:52:22 +0200 Subject: [PATCH 04/19] fix: Check for global.fetch before binding it (#674) --- browser.js | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/browser.js b/browser.js index 0ad5de004..83c54c584 100644 --- a/browser.js +++ b/browser.js @@ -16,7 +16,9 @@ var global = getGlobal(); module.exports = exports = global.fetch; // Needed for TypeScript and Webpack. -exports.default = global.fetch.bind(global); +if (global.fetch) { + exports.default = global.fetch.bind(global); +} exports.Headers = global.Headers; exports.Request = global.Request; From 7b136627c537cb24430b0310638c9177a85acee1 Mon Sep 17 00:00:00 2001 From: Richie Bendall Date: Wed, 2 Oct 2019 21:50:00 +1300 Subject: [PATCH 05/19] chore: Add funding link --- .github/FUNDING.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 .github/FUNDING.yml diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml new file mode 100644 index 000000000..78f6bbf83 --- /dev/null +++ b/.github/FUNDING.yml @@ -0,0 +1,12 @@ +# These are supported funding model platforms + +github: # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2] +patreon: # Replace with a single Patreon username +open_collective: node-fetch # Replace with a single Open Collective username +ko_fi: # Replace with a single Ko-fi username +tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel +community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry +liberapay: # Replace with a single Liberapay username +issuehunt: # Replace with a single IssueHunt username +otechie: # Replace with a single Otechie username +custom: # Replace with a single custom sponsorship URL From 47a24a03eb49a49d81b768892aee10074ed54a91 Mon Sep 17 00:00:00 2001 
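Review bot: The new `if (global.fetch)` guard covers only the `exports.default` assignment, while the unchanged line right after it, `exports.Headers = global.Headers;`, still runs unconditionally. When `global.fetch` is missing, `module.exports = exports = global.fetch` has already set `exports` to `undefined`, so that next assignment throws a TypeError and the module still fails to load. Either move the `Headers`/`Request` assignments (and whatever follows outside the hunk) inside the same guard, or export a plain object in the no-fetch case. A short comment such as `// global.fetch may be absent (e.g. bundled for a non-browser target); export nothing rather than throw` would record why the guard exists.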
From: Richie Bendall Date: Wed, 2 Oct 2019 22:00:55 +1300 Subject: [PATCH 06/19] chore: Add opencollective badge --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index eee288e0e..7f48e026a 100644 --- a/README.md +++ b/README.md @@ -6,6 +6,7 @@ node-fetch [![coverage status][codecov-image]][codecov-url] [![install size][install-size-image]][install-size-url] [![Discord][discord-image]][discord-url] +[![Opencollective][opencollective-image]][opencollective-url] A light-weight module that brings `window.fetch` to Node.js @@ -577,6 +578,8 @@ MIT [install-size-url]: https://packagephobia.now.sh/result?p=node-fetch [discord-image]: https://img.shields.io/discord/619915844268326952?color=%237289DA&label=Discord&style=flat-square [discord-url]: https://discord.gg/Zxbndcm +[opencollective-image]: https://img.shields.io/opencollective/all/node-fetch?label=Sponsors&style=flat-square +[opencollective-url]: https://opencollective.com/node-fetch [whatwg-fetch]: https://fetch.spec.whatwg.org/ [response-init]: https://fetch.spec.whatwg.org/#responseinit [node-readable]: https://nodejs.org/api/stream.html#stream_readable_streams From 6a5d192034a0f438551dffb6d2d8df2c00921d16 Mon Sep 17 00:00:00 2001 From: dsuket Date: Mon, 7 Oct 2019 15:58:27 +0900 Subject: [PATCH 07/19] fix: Properly parse meta tag when parameters are reversed (#682) --- src/body.js | 6 ++++++ test/server.js | 6 ++++++ test/test.js | 10 ++++++++++ 3 files changed, 22 insertions(+) diff --git a/src/body.js b/src/body.js index 1b6eab1f8..a9d2e7973 100644 --- a/src/body.js +++ b/src/body.js @@ -306,6 +306,12 @@ function convertBody(buffer, headers) { // html4 if (!res && str) { res = /
中文
', 'gb2312')); } + if (p === '/encoding/gb2312-reverse') { + res.statusCode = 200; + res.setHeader('Content-Type', 'text/html'); + res.end(convert('
中文
', 'gb2312')); + } + if (p === '/encoding/shift-jis') { res.statusCode = 200; res.setHeader('Content-Type', 'text/html; charset=Shift-JIS'); diff --git a/test/test.js b/test/test.js index b8c62dc6d..c5d61c72a 100644 --- a/test/test.js +++ b/test/test.js @@ -2767,6 +2767,16 @@ describe('external encoding', () => { }); }); + it('should support encoding decode, html4 detect reverse http-equiv', function() { + const url = `${base}encoding/gb2312-reverse`; + return fetch(url).then(res => { + expect(res.status).to.equal(200); + return res.textConverted().then(result => { + expect(result).to.equal('
中文
'); + }); + }); + }); + it('should default to utf8 encoding', function() { const url = `${base}encoding/utf8`; return fetch(url).then(res => { From 244e6f63d42025465796e3ca4ce813bf2c31fc5b Mon Sep 17 00:00:00 2001 From: Richie Bendall Date: Mon, 7 Oct 2019 20:23:11 +1300 Subject: [PATCH 08/19] docs: Show backers in README --- README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 7f48e026a..95c6cb6f7 100644 --- a/README.md +++ b/README.md @@ -6,12 +6,13 @@ node-fetch [![coverage status][codecov-image]][codecov-url] [![install size][install-size-image]][install-size-url] [![Discord][discord-image]][discord-url] -[![Opencollective][opencollective-image]][opencollective-url] A light-weight module that brings `window.fetch` to Node.js (We are looking for [v2 maintainers and collaborators](https://github.com/bitinn/node-fetch/issues/567)) +[![Backers][opencollective-image]][opencollective-url] + - [Motivation](#motivation) @@ -578,7 +579,7 @@ MIT [install-size-url]: https://packagephobia.now.sh/result?p=node-fetch [discord-image]: https://img.shields.io/discord/619915844268326952?color=%237289DA&label=Discord&style=flat-square [discord-url]: https://discord.gg/Zxbndcm -[opencollective-image]: https://img.shields.io/opencollective/all/node-fetch?label=Sponsors&style=flat-square +[opencollective-image]: https://opencollective.com/node-fetch/backers.svg [opencollective-url]: https://opencollective.com/node-fetch [whatwg-fetch]: https://fetch.spec.whatwg.org/ [response-init]: https://fetch.spec.whatwg.org/#responseinit From 1e99050f944ac435fce26a9549eadcc2419a968a Mon Sep 17 00:00:00 2001 
From: Ramit Mittal Date: Fri, 11 Oct 2019 01:56:58 +0530 Subject: [PATCH 09/19] fix: Change error message thrown with redirect mode set to error (#653) The original error message does not provide enough information about what went wrong. It simply states a configuration setting. --- src/index.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/index.js b/src/index.js index 56044fe41..8bf9248fd 100644 --- a/src/index.js +++ b/src/index.js @@ -125,7 +125,7 @@ export default function fetch(url, opts) { // HTTP fetch step 5.5 switch (request.redirect) { case 'error': - reject(new FetchError(`redirect mode is set to error: ${request.url}`, 'no-redirect')); + reject(new FetchError(`uri requested responds with a redirect, redirect mode is set to error: ${request.url}`, 'no-redirect')); finalize(); return; case 'manual': From 8c197f8982a238b3c345c64b17bfa92e16b4f7c4 Mon Sep 17 00:00:00 2001 From: Sesamestrong Date: Sun, 20 Oct 2019 22:32:52 -0400 Subject: [PATCH 10/19] docs: Fix typos and grammatical errors in README.md (#686) --- README.md | 44 ++++++++++++++++++++++---------------------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/README.md b/README.md index 95c6cb6f7..2dde74289 100644 --- a/README.md +++ b/README.md 
@@ -51,7 +51,7 @@ A light-weight module that brings `window.fetch` to Node.js ## Motivation -Instead of implementing `XMLHttpRequest` in Node.js to run browser-specific [Fetch polyfill](https://github.com/github/fetch), why not go from native `http` to `fetch` API directly? Hence `node-fetch`, minimal code for a `window.fetch` compatible API on Node.js runtime. +Instead of implementing `XMLHttpRequest` in Node.js to run browser-specific [Fetch polyfill](https://github.com/github/fetch), why not go from native `http` to `fetch` API directly? Hence, `node-fetch`, minimal code for a `window.fetch` compatible API on Node.js runtime. See Matt Andrews' [isomorphic-fetch](https://github.com/matthew-andrews/isomorphic-fetch) or Leonardo Quixada's [cross-fetch](https://github.com/lquixada/cross-fetch) for isomorphic usage (exports `node-fetch` for server-side, `whatwg-fetch` for client-side). @@ -59,9 +59,9 @@ See Matt Andrews' [isomorphic-fetch](https://github.com/matthew-andrews/isomorph - Stay consistent with `window.fetch` API. - Make conscious trade-off when following [WHATWG fetch spec][whatwg-fetch] and [stream spec](https://streams.spec.whatwg.org/) implementation details, document known differences. -- Use native promise, but allow substituting it with [insert your favorite promise library]. -- Use native Node streams for body, on both request and response. -- Decode content encoding (gzip/deflate) properly, and convert string output (such as `res.text()` and `res.json()`) to UTF-8 automatically. +- Use native promise but allow substituting it with [insert your favorite promise library]. +- Use native Node streams for body on both request and response. +- Decode content encoding (gzip/deflate) properly and convert string output (such as `res.text()` and `res.json()`) to UTF-8 automatically. - Useful extensions such as timeout, redirect limit, response size limit, [explicit errors](ERROR-HANDLING.md) for troubleshooting. ## Difference from client-side fetch 
@@ -79,12 +79,12 @@ $ npm install node-fetch ``` ## Loading and configuring the module -We suggest you load the module via `require`, pending the stabalizing of es modules in node: +We suggest you load the module via `require` until the stabilization of ES modules in node: ```js const fetch = require('node-fetch'); ``` -If you are using a Promise library other than native, set it through fetch.Promise: +If you are using a Promise library other than native, set it through `fetch.Promise`: ```js const Bluebird = require('bluebird'); @@ -93,7 +93,7 @@ fetch.Promise = Bluebird; ## Common Usage -NOTE: The documentation below is up-to-date with `2.x` releases, [see `1.x` readme](https://github.com/bitinn/node-fetch/blob/1.x/README.md), [changelog](https://github.com/bitinn/node-fetch/blob/1.x/CHANGELOG.md) and [2.x upgrade guide](UPGRADE-GUIDE.md) for the differences. +NOTE: The documentation below is up-to-date with `2.x` releases; see the [`1.x` readme](https://github.com/bitinn/node-fetch/blob/1.x/README.md), [changelog](https://github.com/bitinn/node-fetch/blob/1.x/CHANGELOG.md) and [2.x upgrade guide](UPGRADE-GUIDE.md) for the differences. #### Plain text or HTML ```js 
@@ -149,9 +149,9 @@ fetch('https://httpbin.org/post', { method: 'POST', body: params }) ``` #### Handling exceptions -NOTE: 3xx-5xx responses are *NOT* exceptions, and should be handled in `then()`, see the next section. +NOTE: 3xx-5xx responses are *NOT* exceptions and should be handled in `then()`; see the next section for more information. -Adding a catch to the fetch promise chain will catch *all* exceptions, such as errors originating from node core libraries, like network errors, and operational errors which are instances of FetchError. See the [error handling document](ERROR-HANDLING.md) for more details. +Adding a catch to the fetch promise chain will catch *all* exceptions, such as errors originating from node core libraries, network errors and operational errors, which are instances of FetchError. See the [error handling document](ERROR-HANDLING.md) for more details. ```js fetch('https://domain.invalid/') @@ -189,7 +189,7 @@ fetch('https://assets-cdn.github.com/images/modules/logos_page/Octocat.png') ``` #### Buffer -If you prefer to cache binary data in full, use buffer(). (NOTE: buffer() is a `node-fetch` only API) +If you prefer to cache binary data in full, use buffer(). (NOTE: `buffer()` is a `node-fetch`-only API) ```js const fileType = require('file-type'); @@ -214,7 +214,7 @@ fetch('https://github.com/') #### Extract Set-Cookie Header -Unlike browsers, you can access raw `Set-Cookie` headers manually using `Headers.raw()`, this is a `node-fetch` only API. +Unlike browsers, you can access raw `Set-Cookie` headers manually using `Headers.raw()`. This is a `node-fetch` only API. ```js fetch(url).then(res => { 
@@ -266,11 +266,11 @@ fetch('https://httpbin.org/post', options) #### Request cancellation with AbortSignal -> NOTE: You may only cancel streamed requests on Node >= v8.0.0 +> NOTE: You may cancel streamed requests only on Node >= v8.0.0 You may cancel requests with `AbortController`. A suggested implementation is [`abort-controller`](https://www.npmjs.com/package/abort-controller). -An example of timing out a request after 150ms could be achieved as follows: +An example of timing out a request after 150ms could be achieved as the following: ```js import AbortController from 'abort-controller'; @@ -311,7 +311,7 @@ See [test cases](https://github.com/bitinn/node-fetch/blob/master/test/test.js) Perform an HTTP(S) fetch. -`url` should be an absolute url, such as `https://example.com/`. A path-relative URL (`/file/under/root`) or protocol-relative URL (`//can-be-http-or-https.com/`) will result in a rejected promise. +`url` should be an absolute url, such as `https://example.com/`. A path-relative URL (`/file/under/root`) or protocol-relative URL (`//can-be-http-or-https.com/`) will result in a rejected `Promise`. ### Options @@ -353,7 +353,7 @@ Note: when `body` is a `Stream`, `Content-Length` is not set automatically. ##### Custom Agent -The `agent` option allows you to specify networking related options that's out of the scope of Fetch. Including and not limit to: +The `agent` option allows you to specify networking related options which are out of the scope of Fetch, including and not limited to the following: - Support self-signed certificate - Use only IPv4 or IPv6 
@@ -361,7 +361,7 @@ The `agent` option allows you to specify networking related options that's out o See [`http.Agent`](https://nodejs.org/api/http.html#http_new_agent_options) for more information. -In addition, `agent` option accepts a function that returns http(s).Agent instance given current [URL](https://nodejs.org/api/url.html), this is useful during a redirection chain across HTTP and HTTPS protocol. +In addition, the `agent` option accepts a function that returns `http`(s)`.Agent` instance given current [URL](https://nodejs.org/api/url.html), this is useful during a redirection chain across HTTP and HTTPS protocol. ```js const httpAgent = new http.Agent({ @@ -435,7 +435,7 @@ The following properties are not implemented in node-fetch at this moment: *(spec-compliant)* -- `body` A string or [Readable stream][node-readable] +- `body` A `String` or [`Readable` stream][node-readable] - `options` A [`ResponseInit`][response-init] options dictionary Constructs a new `Response` object. The constructor is identical to that in the [browser](https://developer.mozilla.org/en-US/docs/Web/API/Response/Response). @@ -465,7 +465,7 @@ This class allows manipulating and iterating over a set of HTTP headers. All met - `init` Optional argument to pre-fill the `Headers` object -Construct a new `Headers` object. `init` can be either `null`, a `Headers` object, an key-value map object, or any iterable object. +Construct a new `Headers` object. `init` can be either `null`, a `Headers` object, an key-value map object or any iterable object. ```js // Example adapted from https://fetch.spec.whatwg.org/#example-headers-class 
@@ -506,7 +506,7 @@ The following methods are not yet implemented in node-fetch at this moment: * Node.js [`Readable` stream][node-readable] -The data encapsulated in the `Body` object. Note that while the [Fetch Standard][whatwg-fetch] requires the property to always be a WHATWG `ReadableStream`, in node-fetch it is a Node.js [`Readable` stream][node-readable]. +Data are encapsulated in the `Body` object. Note that while the [Fetch Standard][whatwg-fetch] requires the property to always be a WHATWG `ReadableStream`, in node-fetch it is a Node.js [`Readable` stream][node-readable]. #### body.bodyUsed @@ -514,7 +514,7 @@ The data encapsulated in the `Body` object. Note that while the [Fetch Standard] * `Boolean` -A boolean property for if this body has been consumed. Per spec, a consumed body cannot be used again. +A boolean property for if this body has been consumed. Per the specs, a consumed body cannot be used again. #### body.arrayBuffer() #### body.blob() 
@@ -541,9 +541,9 @@ Consume the body and return a promise that will resolve to a Buffer. * Returns: Promise<String> -Identical to `body.text()`, except instead of always converting to UTF-8, encoding sniffing will be performed and text converted to UTF-8, if possible. +Identical to `body.text()`, except instead of always converting to UTF-8, encoding sniffing will be performed and text converted to UTF-8 if possible. -(This API requires an optional dependency on npm package [encoding](https://www.npmjs.com/package/encoding), which you need to install manually. `webpack` users may see [a warning message](https://github.com/bitinn/node-fetch/issues/412#issuecomment-379007792) due to this optional dependency.) +(This API requires an optional dependency of the npm package [encoding](https://www.npmjs.com/package/encoding), which you need to install manually. `webpack` users may see [a warning message](https://github.com/bitinn/node-fetch/issues/412#issuecomment-379007792) due to this optional dependency.) ### Class: FetchError From 2358a6c2563d1730a0cdaccc197c611949f6a334 Mon Sep 17 00:00:00 2001 From: Antoni Kepinski Date: Sat, 5 Sep 2020 14:55:39 +0200 Subject: [PATCH 11/19] Honor the `size` option after following a redirect and revert data uri support Co-authored-by: Richie Bendall --- CHANGELOG.md | 6 ++++++ src/index.js | 14 ++------------ test/test.js | 25 ------------------------- 3 files changed, 8 insertions(+), 37 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 188fcd399..543d3d947 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,12 @@ Changelog # 2.x release +## v2.6.1 + +**This is an important security release. It is strongly recommended to update as soon as possible.** + +- Fix: honor the `size` option after following a redirect. + ## v2.6.0 - Enhance: `options.agent`, it now accepts a function that returns custom http(s).Agent instance based on current URL, see readme for more information. 
diff --git a/src/index.js b/src/index.js index 8bf9248fd..03b56f733 100644 --- a/src/index.js +++ b/src/index.js @@ -38,17 +38,6 @@ export default function fetch(url, opts) { throw new Error('native promise missing, set fetch.Promise to your favorite alternative'); } - if (/^data:/.test(url)) { - const request = new Request(url, opts); - try { - const data = Buffer.from(url.split(',')[1], 'base64') - const res = new Response(data.body, { headers: { 'Content-Type': data.mimeType || url.match(/^data:(.+);base64,.*$/)[1] } }); - return fetch.Promise.resolve(res); - } catch (err) { - return fetch.Promise.reject(new FetchError(`[${request.method}] ${request.url} invalid URL, ${err.message}`, 'system', err)); - } - } - Body.Promise = fetch.Promise; // wrap http.request into fetch @@ -164,7 +153,8 @@ export default function fetch(url, opts) { method: request.method, body: request.body, signal: request.signal, - timeout: request.timeout + timeout: request.timeout, + size: request.size }; // HTTP-redirect fetch step 9 diff --git a/test/test.js b/test/test.js index c5d61c72a..d3cf2fc97 100644 --- a/test/test.js +++ b/test/test.js @@ -2844,29 +2844,4 @@ describe('external encoding', () => { }); }); }); - - describe('data uri', function() { - const dataUrl = ''; - - const invalidDataUrl = 'data:@@@@'; - - it('should accept data uri', function() { - return fetch(dataUrl).then(r => { - console.assert(r.status == 200); - console.assert(r.headers.get('Content-Type') == 'image/gif'); - - return r.buffer().then(b => { - console.assert(b instanceof Buffer); - }); - }); - }); - - it('should reject invalid data uri', function() { - return fetch(invalidDataUrl) - .catch(e => { - console.assert(e); - console.assert(e.message.includes('invalid URL')); - }); - }); - }); }); From b5e2e41b2b50bf2997720d6125accaf0dd68c0ab Mon Sep 17 00:00:00 2001 
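Review bot: The `size: request.size` addition to the redirect `requestOpts` literal ships without a regression test; the only change to test/test.js in this commit is the removal of the data URI cases. A test that sets `size`, follows a redirect to a larger body and expects the body read to reject with the size error would keep the limit from silently regressing. The underlying pattern is that per-request options are copied field by field into this literal, so any option left out is dropped on the redirected request; the upper part of the literal is outside the hunk and is worth checking for the same gap. A comment above the literal, `// every per-request limit must be forwarded here, or it is lost after a redirect`, would help future edits.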
From: Antoni Kepinski Date: Sat, 5 Sep 2020 14:58:33 +0200 Subject: [PATCH 12/19] update version number --- package.json | 128 +++++++++++++++++++++++++-------------------------- 1 file changed, 64 insertions(+), 64 deletions(-) diff --git a/package.json b/package.json index 8e5c883b2..216046916 100644 --- a/package.json +++ b/package.json 
@@ -1,66 +1,66 @@ { - "name": "node-fetch", - "version": "2.6.0", - "description": "A light-weight module that brings window.fetch to node.js", - "main": "lib/index", - "browser": "./browser.js", - "module": "lib/index.mjs", - "files": [ - "lib/index.js", - "lib/index.mjs", - "lib/index.es.js", - "browser.js" - ], - "engines": { - "node": "4.x || >=6.0.0" - }, - "scripts": { - "build": "cross-env BABEL_ENV=rollup rollup -c", - "prepare": "npm run build", - "test": "cross-env BABEL_ENV=test mocha --require babel-register --throw-deprecation test/test.js", - "report": "cross-env BABEL_ENV=coverage nyc --reporter lcov --reporter text mocha -R spec test/test.js", - "coverage": "cross-env BABEL_ENV=coverage nyc --reporter json --reporter text mocha -R spec test/test.js && codecov -f coverage/coverage-final.json" - }, - "repository": { - "type": "git", - "url": "https://github.com/bitinn/node-fetch.git" - }, - "keywords": [ - "fetch", - "http", - "promise" - ], - "author": "David Frank", - "license": "MIT", - "bugs": { - "url": "https://github.com/bitinn/node-fetch/issues" - }, - "homepage": "https://github.com/bitinn/node-fetch", - "devDependencies": { - "@ungap/url-search-params": "^0.1.2", - "abort-controller": "^1.1.0", - "abortcontroller-polyfill": "^1.3.0", - "babel-core": "^6.26.3", - "babel-plugin-istanbul": "^4.1.6", - "babel-preset-env": "^1.6.1", - "babel-register": "^6.16.3", - "chai": "^3.5.0", - "chai-as-promised": "^7.1.1", - "chai-iterator": "^1.1.1", - "chai-string": "~1.3.0", - "codecov": "^3.3.0", - "cross-env": "^5.2.0", - "form-data": "^2.3.3", - "is-builtin-module": "^1.0.0", - "mocha": "^5.0.0", - "nyc": "11.9.0", - "parted": "^0.1.1", - "promise": "^8.0.3", - "resumer": "0.0.0", - "rollup": "^0.63.4", - "rollup-plugin-babel": "^3.0.7", - "string-to-arraybuffer": "^1.0.2", - "whatwg-url": "^5.0.0" - }, - "dependencies": {} + "name": "node-fetch", + "version": "2.6.1", + "description": "A light-weight module that brings window.fetch to node.js", + 
"main": "lib/index", + "browser": "./browser.js", + "module": "lib/index.mjs", + "files": [ + "lib/index.js", + "lib/index.mjs", + "lib/index.es.js", + "browser.js" + ], + "engines": { + "node": "4.x || >=6.0.0" + }, + "scripts": { + "build": "cross-env BABEL_ENV=rollup rollup -c", + "prepare": "npm run build", + "test": "cross-env BABEL_ENV=test mocha --require babel-register --throw-deprecation test/test.js", + "report": "cross-env BABEL_ENV=coverage nyc --reporter lcov --reporter text mocha -R spec test/test.js", + "coverage": "cross-env BABEL_ENV=coverage nyc --reporter json --reporter text mocha -R spec test/test.js && codecov -f coverage/coverage-final.json" + }, + "repository": { + "type": "git", + "url": "https://github.com/bitinn/node-fetch.git" + }, + "keywords": [ + "fetch", + "http", + "promise" + ], + "author": "David Frank", + "license": "MIT", + "bugs": { + "url": "https://github.com/bitinn/node-fetch/issues" + }, + "homepage": "https://github.com/bitinn/node-fetch", + "devDependencies": { + "@ungap/url-search-params": "^0.1.2", + "abort-controller": "^1.1.0", + "abortcontroller-polyfill": "^1.3.0", + "babel-core": "^6.26.3", + "babel-plugin-istanbul": "^4.1.6", + "babel-preset-env": "^1.6.1", + "babel-register": "^6.16.3", + "chai": "^3.5.0", + "chai-as-promised": "^7.1.1", + "chai-iterator": "^1.1.1", + "chai-string": "~1.3.0", + "codecov": "^3.3.0", + "cross-env": "^5.2.0", + "form-data": "^2.3.3", + "is-builtin-module": "^1.0.0", + "mocha": "^5.0.0", + "nyc": "11.9.0", + "parted": "^0.1.1", + "promise": "^8.0.3", + "resumer": "0.0.0", + "rollup": "^0.63.4", + "rollup-plugin-babel": "^3.0.7", + "string-to-arraybuffer": "^1.0.2", + "whatwg-url": "^5.0.0" + }, + "dependencies": {} } From 152214ca2f6e2a5a17d71e4638114625d3be30c6 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jimmy=20W=C3=A4rting?= Date: Mon, 6 Sep 2021 14:58:28 +0200 Subject: [PATCH 13/19] Fix(package.json): Corrected main file path in package.json (#1274) * fix main configuration in package.json * pinned a breaking change in codecov & teeny-request --- CHANGELOG.md | 5 +++++ package.json | 10 +++++----- rollup.config.js | 6 +----- 3 files changed, 11 insertions(+), 10 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 543d3d947..812a96309 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,11 @@ Changelog # 2.x release +## v2.6.2 + +- Fix: used full filename for main in package.json +- Other: pinned codecov & teeny-request (had one breaking change with spread operators) + ## v2.6.1 **This is an important security release. It is strongly recommended to update as soon as possible.** diff --git a/package.json b/package.json index 216046916..4bb7d9640 100644 --- a/package.json +++ b/package.json @@ -1,8 +1,8 @@ { "name": "node-fetch", - "version": "2.6.1", + "version": "2.6.2", "description": "A light-weight module that brings window.fetch to node.js", - "main": "lib/index", + "main": "lib/index.js", "browser": "./browser.js", "module": "lib/index.mjs", "files": [ @@ -48,7 +48,7 @@ "chai-as-promised": "^7.1.1", "chai-iterator": "^1.1.1", "chai-string": "~1.3.0", - "codecov": "^3.3.0", + "codecov": "3.3.0", "cross-env": "^5.2.0", "form-data": "^2.3.3", "is-builtin-module": "^1.0.0", @@ -60,7 +60,7 @@ "rollup": "^0.63.4", "rollup-plugin-babel": "^3.0.7", "string-to-arraybuffer": "^1.0.2", + "teeny-request": "3.7.0", "whatwg-url": "^5.0.0" - }, - "dependencies": {} + } } diff --git a/rollup.config.js b/rollup.config.js index a201ee455..1bc88f8db 100644 --- a/rollup.config.js +++ b/rollup.config.js 
@@ -18,10 +18,6 @@ export default { tweakDefault() ], external: function (id) { - if (isBuiltin(id)) { - return true; - } - id = id.split('/').slice(0, id[0] === '@' ? 2 : 1).join('/'); - return !!require('./package.json').dependencies[id]; + return isBuiltin(id); } }; From ace7536c955556be742d9910566738630cc3c2a6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Linus=20Unneb=C3=A4ck?= Date: Mon, 20 Sep 2021 16:09:10 +0200 Subject: [PATCH 14/19] fix: properly encode url with unicode characters (#1291) * fix: properly encode url with unicode characters * release: 2.6.3 --- CHANGELOG.md | 4 ++++ package.json | 8 +++++--- rollup.config.js | 5 ++++- src/request.js | 40 +++++++++++++++++++++++++++++++++++++--- test/server.js | 8 +++++++- test/test.js | 22 ++++++++++++++++++++++ 6 files changed, 79 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 812a96309..671da7654 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,10 @@ Changelog # 2.x release +## v2.6.3 + +- Fix: properly encode url with unicode characters + ## v2.6.2 - Fix: used full filename for main in package.json diff --git a/package.json b/package.json index 4bb7d9640..c5edc7991 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "node-fetch", - "version": "2.6.2", + "version": "2.6.3", "description": "A light-weight module that brings window.fetch to node.js", "main": "lib/index.js", "browser": "./browser.js", @@ -36,6 +36,9 @@ "url": "https://github.com/bitinn/node-fetch/issues" }, "homepage": "https://github.com/bitinn/node-fetch", + "dependencies": { + "whatwg-url": "^5.0.0" + }, "devDependencies": { "@ungap/url-search-params": "^0.1.2", "abort-controller": "^1.1.0", @@ -60,7 +63,6 @@ "rollup": "^0.63.4", "rollup-plugin-babel": "^3.0.7", "string-to-arraybuffer": "^1.0.2", - "teeny-request": "3.7.0", - "whatwg-url": "^5.0.0" + "teeny-request": "3.7.0" } } diff --git a/rollup.config.js b/rollup.config.js index 1bc88f8db..d5951bd2e 100644 --- a/rollup.config.js 
+++ b/rollup.config.js @@ -1,9 +1,12 @@ import isBuiltin from 'is-builtin-module'; import babel from 'rollup-plugin-babel'; +import packageJson from './package.json'; import tweakDefault from './build/rollup-plugin'; process.env.BABEL_ENV = 'rollup'; +const dependencies = Object.keys(packageJson.dependencies); + export default { input: 'src/index.js', output: [ @@ -18,6 +21,6 @@ export default { tweakDefault() ], external: function (id) { - return isBuiltin(id); + return dependencies.includes(id) || isBuiltin(id); } }; diff --git a/src/request.js b/src/request.js index 45a7eb7e4..6fa8e77b6 100644 --- a/src/request.js +++ b/src/request.js @@ -9,6 +9,7 @@ import Url from 'url'; import Stream from 'stream'; +import {URL} from 'whatwg-url'; import Headers, { exportNodeCompatibleHeaders } from './headers.js'; import Body, { clone, extractContentType, getTotalBytes } from './body'; @@ -18,6 +19,39 @@ const INTERNALS = Symbol('Request internals'); const parse_url = Url.parse; const format_url = Url.format; +/** + * Wrapper around `new URL` to handle arbitrary URLs + * + * @param {string} urlStr + * @return {void} + */ +function parseURL(urlStr) { + /* + Check whether the URL is absolute or not + + Scheme: https://tools.ietf.org/html/rfc3986#section-3.1 + Absolute URL: https://tools.ietf.org/html/rfc3986#section-4.3 + */ + if (/^[a-zA-Z][a-zA-Z\d+\-.]*:/.exec(urlStr)) { + const url = new URL(urlStr); + + return { + path: url.pathname, + pathname: url.pathname, + hostname: url.hostname, + protocol: url.protocol, + port: url.port, + hash: url.hash, + search: url.search, + query: url.query, + href: url.href, + } + } + + // Fallback to old implementation for arbitrary URLs + return parse_url(urlStr); +} + const streamDestructionSupported = 'destroy' in Stream.Readable.prototype; /** 
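Review bot: In the `external` callback, `dependencies.includes(id)` matches only an import id that is exactly a package name, so a subpath import of a dependency would be bundled into the build output instead of staying external, and a bundled copy would not receive fixes from later updates of that package. Matching the package prefix as well, `return isBuiltin(id) || dependencies.some(dep => id === dep || id.startsWith(dep + '/'));`, covers both forms. `Object.keys(packageJson.dependencies)` also throws if the `dependencies` key is removed from package.json again; `Object.keys(packageJson.dependencies || {})` avoids that.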
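Review bot: The JSDoc on the new `parseURL` declares `@return {void}`, but both branches return a parsed-URL object; `@return {Object} fields in the shape of url.parse()` would describe it. The object built in the absolute-URL branch is not equivalent to what `parse_url` returns: `path` is set to `url.pathname` without `url.search`, `query` reads a property that WHATWG `URL` instances do not define, and `auth` and `host` are absent, so a consumer that builds the outgoing request from `path` would drop the query string. `new URL(urlStr)` also throws for input that matches the scheme pattern but does not parse, where `parse_url` returned a result; whether the callers expect that is outside the hunk.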
@@ -59,14 +93,14 @@ export default class Request { // in order to support Node.js' Url objects; though WHATWG's URL objects // will fall into this branch also (since their `toString()` will return // `href` property anyway) - parsedURL = parse_url(input.href); + parsedURL = parseURL(input.href); } else { // coerce input to a string before attempting to parse - parsedURL = parse_url(`${input}`); + parsedURL = parseURL(`${input}`); } input = {}; } else { - parsedURL = parse_url(input.url); + parsedURL = parseURL(input.url); } let method = init.method || input.method || 'GET'; diff --git a/test/server.js b/test/server.js index 06c715d65..ebd311d9c 100644 --- a/test/server.js +++ b/test/server.js @@ -32,7 +32,7 @@ export default class TestServer { } router(req, res) { - let p = parse(req.url).pathname; + let p = decodeURIComponent(parse(req.url).pathname); if (p === '/hello') { res.statusCode = 200; @@ -384,6 +384,12 @@ export default class TestServer { }); req.pipe(parser); } + + if (p === '/issues/1290/ひらがな') { + res.statusCode = 200; + res.setHeader('Content-Type', 'text/plain'); + res.end('Success'); + } } } diff --git a/test/test.js b/test/test.js index d3cf2fc97..9220cbd4a 100644 --- a/test/test.js +++ b/test/test.js @@ -2845,3 +2845,25 @@ describe('external encoding', () => { }); }); }); + +describe('issue #1290', function() { + it('should handle escaped unicode in URLs', () => { + const url = `${base}issues/1290/%E3%81%B2%E3%82%89%E3%81%8C%E3%81%AA`; + return fetch(url).then((res) => { + expect(res.status).to.equal(200); + return res.text().then(result => { + expect(result).to.equal('Success'); + }); + }); + }); + + it('should handle unicode in URLs', () => { + const url = `${base}issues/1290/ひらがな`; + return fetch(url).then((res) => { + expect(res.status).to.equal(200); + return res.text().then(result => { + expect(result).to.equal('Success'); + }); + }); + }); +}); From 18193c5922c64046b922e18faf41821290535f06 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jimmy=20W=C3=A4rting?= Date: Tue, 21 Sep 2021 16:42:50 +0200 Subject: [PATCH 15/19] fix v2.6.3 that did not sending query params (#1301) --- CHANGELOG.md | 4 ++++ package.json | 2 +- src/request.js | 14 +------------- test/test.js | 9 +++++++++ 4 files changed, 15 insertions(+), 14 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 671da7654..46eef0ff0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,10 @@ Changelog # 2.x release +## v2.6.4 + +- Hotfix: fix v2.6.3 that did not sending query params + ## v2.6.3 - Fix: properly encode url with unicode characters diff --git a/package.json b/package.json index c5edc7991..98cf5f4c5 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "node-fetch", - "version": "2.6.3", + "version": "2.6.4", "description": "A light-weight module that brings window.fetch to node.js", "main": "lib/index.js", "browser": "./browser.js", diff --git a/src/request.js b/src/request.js index 6fa8e77b6..3c27c81cf 100644 --- a/src/request.js +++ b/src/request.js @@ -33,19 +33,7 @@ function parseURL(urlStr) { Absolute URL: https://tools.ietf.org/html/rfc3986#section-4.3 */ if (/^[a-zA-Z][a-zA-Z\d+\-.]*:/.exec(urlStr)) { - const url = new URL(urlStr); - - return { - path: url.pathname, - pathname: url.pathname, - hostname: url.hostname, - protocol: url.protocol, - port: url.port, - hash: url.hash, - search: url.search, - query: url.query, - href: url.href, - } + urlStr = new URL(urlStr).toString() } // Fallback to old implementation for arbitrary URLs diff --git a/test/test.js b/test/test.js index 9220cbd4a..9568489e3 100644 --- a/test/test.js +++ b/test/test.js 
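Review bot: The comment `// Fallback to old implementation for arbitrary URLs` in the src/request.js hunk no longer describes the code, because after this change every input reaches `parse_url`, and absolute URLs are first re-serialised by `new URL(urlStr).toString()`. A comment such as `// Absolute URLs are normalised by the WHATWG parser first; the legacy parser then yields the object shape the rest of the module expects` would state why two parsers run in sequence, which matters to anyone checking that both agree on the host. It is also worth documenting that `new URL()` throws a `TypeError` on an absolute URL it cannot parse, since that error now surfaces from `parseURL`. The new line lacks the trailing semicolon used elsewhere in the file, and the function's opening lines are outside this hunk.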
@@ -2847,6 +2847,15 @@ describe('external encoding', () => { }); describe('issue #1290', function() { + + it('should keep query params', function() { + return fetch(`${base}inspect?month=2021-09`) + .then(res => res.json()) + .then(json => { + expect(json.url).to.equal('/inspect?month=2021-09') + }) + }) + it('should handle escaped unicode in URLs', () => { const url = `${base}issues/1290/%E3%81%B2%E3%82%89%E3%81%8C%E3%81%AA`; return fetch(url).then((res) => { From b5417aea6a3275932283a200214522e6ab53f1ea Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Linus=20Unneb=C3=A4ck?= Date: Wed, 22 Sep 2021 11:16:53 +0200 Subject: [PATCH 16/19] fix: import whatwg-url in a way compatible with ESM Node (#1303) * fix: import whatwg-url in a way compatible with ESM Node * release: 2.6.5 --- CHANGELOG.md | 4 ++++ package.json | 2 +- src/request.js | 3 ++- 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 46eef0ff0..29d168cf7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,10 @@ Changelog # 2.x release +## v2.6.5 + +- Fix: import `whatwg-url` in a way compatible with ESM + ## v2.6.4 - Hotfix: fix v2.6.3 that did not sending query params diff --git a/package.json b/package.json index 98cf5f4c5..4178c1a32 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "node-fetch", - "version": "2.6.4", + "version": "2.6.5", "description": "A light-weight module that brings window.fetch to node.js", "main": "lib/index.js", "browser": "./browser.js", diff --git a/src/request.js b/src/request.js index 3c27c81cf..59850fd95 100644 --- a/src/request.js +++ b/src/request.js 
@@ -9,11 +9,12 @@ import Url from 'url'; import Stream from 'stream'; -import {URL} from 'whatwg-url'; +import whatwgUrl from 'whatwg-url'; import Headers, { exportNodeCompatibleHeaders } from './headers.js'; import Body, { clone, extractContentType, getTotalBytes } from './body'; const INTERNALS = Symbol('Request internals'); +const URL = whatwgUrl.URL; // fix an issue where "format", "parse" aren't a named export for node <10 const parse_url = Url.parse; From f56b0c66d3dd2ef185436de1f2fd40f66bfea8f4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jimmy=20W=C3=A4rting?= Date: Sun, 31 Oct 2021 16:40:17 +0100 Subject: [PATCH 17/19] fix(URL): prefer built in URL version when available and fallback to whatwg (#1352) * fix(URL): prefer built in URL version when available and fallback to whatwg * bump minor --- package.json | 2 +- src/request.js | 2 +- test/test.js | 7 +++++++ 3 files changed, 9 insertions(+), 2 deletions(-) diff --git a/package.json b/package.json index 4178c1a32..ec0510513 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "node-fetch", - "version": "2.6.5", + "version": "2.6.6", "description": "A light-weight module that brings window.fetch to node.js", "main": "lib/index.js", "browser": "./browser.js", diff --git a/src/request.js b/src/request.js index 59850fd95..739ba9071 100644 --- a/src/request.js +++ b/src/request.js @@ -14,7 +14,7 @@ import Headers, { exportNodeCompatibleHeaders } from './headers.js'; import Body, { clone, extractContentType, getTotalBytes } from './body'; const INTERNALS = Symbol('Request internals'); -const URL = whatwgUrl.URL; +const URL = Url.URL || whatwgUrl.URL; // fix an issue where "format", "parse" aren't a named export for node <10 const parse_url = Url.parse; diff --git a/test/test.js b/test/test.js index 9568489e3..6427ae21e 100644 --- a/test/test.js +++ b/test/test.js 
@@ -2875,4 +2875,11 @@ describe('issue #1290', function() { }); }); }); + + // #1342 + it('should not throw with a valid URL', () => { + const url = 'https://r2---sn-n4v7sney.example.com'; + new Request(url); + }); + }); From 8fe5c4ea66b9b8187600e6d5ec9b1b6781f44009 Mon Sep 17 00:00:00 2001 From: Ciffelia Date: Fri, 5 Nov 2021 22:42:53 +0900 Subject: [PATCH 18/19] 2.x: Specify encoding as an optional peer dependency in package.json (#1310) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Specify `encoding` as an optional peer dependency * Update package.json Co-authored-by: Linus Unnebäck Co-authored-by: Linus Unnebäck --- package.json | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/package.json b/package.json index ec0510513..6f0ac4302 100644 --- a/package.json +++ b/package.json @@ -39,6 +39,14 @@ "dependencies": { "whatwg-url": "^5.0.0" }, + "peerDependencies": { + "encoding": "^0.1.0" + }, + "peerDependenciesMeta": { + "encoding": { + "optional": true + } + }, "devDependencies": { "@ungap/url-search-params": "^0.1.2", "abort-controller": "^1.1.0", From 1ef4b560a17e644a02a3bfdea7631ffeee578b35 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jimmy=20W=C3=A4rting?= Date: Sun, 16 Jan 2022 12:45:33 +0100 Subject: [PATCH 19/19] backport of #1449 (#1453) * backport of #1449 * bump patch version --- package.json | 2 +- src/index.js | 49 ++++++++++++++++++++++++++++++++++++++++--------- test/server.js | 7 ++++++- test/test.js | 47 +++++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 94 insertions(+), 11 deletions(-) diff --git a/package.json b/package.json index 6f0ac4302..3c1bd8da7 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "node-fetch", - "version": "2.6.6", + "version": "2.6.7", "description": "A light-weight module that brings window.fetch to node.js", "main": "lib/index.js", "browser": "./browser.js", diff --git a/src/index.js b/src/index.js index 03b56f733..b210d28e4 100644 
--- a/src/index.js +++ b/src/index.js @@ -13,16 +13,29 @@ import https from 'https'; import zlib from 'zlib'; import Stream from 'stream'; -import Body, { writeToStream, getTotalBytes } from './body'; -import Response from './response'; -import Headers, { createHeadersLenient } from './headers'; -import Request, { getNodeRequestOptions } from './request'; -import FetchError from './fetch-error'; -import AbortError from './abort-error'; +import Body, { writeToStream, getTotalBytes } from './body.js'; +import Response from './response.js'; +import Headers, { createHeadersLenient } from './headers.js'; +import Request, { getNodeRequestOptions } from './request.js'; +import FetchError from './fetch-error.js'; +import AbortError from './abort-error.js'; + +import whatwgUrl from 'whatwg-url'; + +const URL = Url.URL || whatwgUrl.URL; // fix an issue where "PassThrough", "resolve" aren't a named export for node <10 const PassThrough = Stream.PassThrough; -const resolve_url = Url.resolve; + +const isDomainOrSubdomain = (destination, original) => { + const orig = new URL(original).hostname; + const dest = new URL(destination).hostname; + + return orig === dest || ( + orig[orig.length - dest.length - 1] === '.' && orig.endsWith(dest) + ); +}; + /** * Fetch function 
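Review bot: `isDomainOrSubdomain` is added to src/index.js without any comment, and its parameter names read the opposite way from how the later hunk calls it: `isDomainOrSubdomain(request.url, locationURL)` binds the originating request URL to `destination` and the redirect target to `original`. The function gates whether credentials follow a redirect, so the direction of the check should be unambiguous. I would rename the parameters (for example `requestUrl`, `redirectUrl`) and add `// True when the redirect target's host equals the requesting host or is a subdomain of it; only hostnames are compared, not scheme or port`. `new URL()` throws on an unparsable or null argument, which is worth stating in the same comment because callers have to guarantee both values are valid absolute URLs.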
@@ -109,7 +122,19 @@ export default function fetch(url, opts) { const location = headers.get('Location'); // HTTP fetch step 5.3 - const locationURL = location === null ? null : resolve_url(request.url, location); + let locationURL = null; + try { + locationURL = location === null ? null : new URL(location, request.url).toString(); + } catch (err) { + // error here can only be invalid URL in Location: header + // do not throw when options.redirect == manual + // let the user extract the errorneous redirect URL + if (request.redirect !== 'manual') { + reject(new FetchError(`uri requested responds with an invalid redirect URL: ${location}`, 'invalid-redirect')); + finalize(); + return; + } + } // HTTP fetch step 5.5 switch (request.redirect) { @@ -154,9 +179,15 @@ export default function fetch(url, opts) { body: request.body, signal: request.signal, timeout: request.timeout, - size: request.size + size: request.size }; + if (!isDomainOrSubdomain(request.url, locationURL)) { + for (const name of ['authorization', 'www-authenticate', 'cookie', 'cookie2']) { + requestOpts.headers.delete(name); + } + } + // HTTP-redirect fetch step 9 if (res.statusCode !== 303 && request.body && getTotalBytes(request) === null) { reject(new FetchError('Cannot follow redirect with body being a readable stream', 'unsupported-redirect')); diff --git a/test/server.js b/test/server.js index ebd311d9c..2f0baf8cd 100644 --- a/test/server.js +++ b/test/server.js @@ -1,7 +1,6 @@ import * as http from 'http'; import { parse } from 'url'; import * as zlib from 'zlib'; -import * as stream from 'stream'; import { multipart as Multipart } from 'parted'; let convert; @@ -66,6 +65,12 @@ export default class TestServer { })); } + if (p.startsWith('/redirect-to/3')) { + res.statusCode = p.slice(13, 16); + res.setHeader('Location', p.slice(17)); + res.end(); + } + if (p === '/gzip') { res.statusCode = 200; res.setHeader('Content-Type', 'text/plain'); 
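Review bot: The guard added before "HTTP-redirect fetch step 9" decides whether to drop `authorization`, `www-authenticate`, `cookie` and `cookie2` by hostname alone, so a redirect from `https:` to `http:` on the same host still carries the credentials in clear text. Comparing the scheme as well closes that gap: `if (!isDomainOrSubdomain(request.url, locationURL) || new URL(request.url).protocol !== new URL(locationURL).protocol) {`. The helper also accepts any subdomain of the requesting host, which is broader than same-origin and deserves a comment for deployments where subdomains belong to different parties. The enclosing redirect handler starts and ends outside this hunk, so I cannot confirm from here that `locationURL` is never `null` when this line runs; if it can be, `new URL(null)` inside the helper would throw.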
diff --git a/test/test.js b/test/test.js index 6427ae21e..cdeb51f00 100644 --- a/test/test.js +++ b/test/test.js 
@@ -1569,6 +1569,53 @@ describe('node-fetch', () => { }); }); + it('should not forward secure headers to 3th party', () => { + return fetch(`${base}redirect-to/302/https://httpbin.org/get`, { + headers: new Headers({ + cookie: 'gets=removed', + cookie2: 'gets=removed', + authorization: 'gets=removed', + 'www-authenticate': 'gets=removed', + 'other-safe-headers': 'stays', + 'x-foo': 'bar' + }) + }).then(res => res.json()).then(json => { + const headers = new Headers(json.headers); + // Safe headers are not removed + expect(headers.get('other-safe-headers')).to.equal('stays'); + expect(headers.get('x-foo')).to.equal('bar'); + // Unsafe headers should not have been sent to httpbin + expect(headers.get('cookie')).to.equal(null); + expect(headers.get('cookie2')).to.equal(null); + expect(headers.get('www-authenticate')).to.equal(null); + expect(headers.get('authorization')).to.equal(null); + }); + }); + + it('should forward secure headers to same host', () => { + return fetch(`${base}redirect-to/302/${base}inspect`, { + headers: new Headers({ + cookie: 'is=cookie', + cookie2: 'is=cookie2', + authorization: 'is=authorization', + 'other-safe-headers': 'stays', + 'www-authenticate': 'is=www-authenticate', + 'x-foo': 'bar' + }) + }).then(res => res.json().then(json => { + const headers = new Headers(json.headers); + // Safe headers are not removed + expect(res.url).to.equal(`${base}inspect`); + expect(headers.get('other-safe-headers')).to.equal('stays'); + expect(headers.get('x-foo')).to.equal('bar'); + // Unsafe headers should not have been sent to httpbin + expect(headers.get('cookie')).to.equal('is=cookie'); + expect(headers.get('cookie2')).to.equal('is=cookie2'); + expect(headers.get('www-authenticate')).to.equal('is=www-authenticate'); + expect(headers.get('authorization')).to.equal('is=authorization'); + })); + }); + it('should allow PATCH request', function() { const url = `${base}inspect`; const opts = {
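Review bot: The test `should not forward secure headers to 3th party` calls the live `https://httpbin.org/get`, so the regression test for the credential-stripping fix fails whenever that host is unreachable and cannot run in an offline or sandboxed CI. A second local listener reached under a different hostname would cover the same cross-host path without leaving the machine. In `should forward secure headers to same host`, the comment `// Unsafe headers should not have been sent to httpbin` is copied from the previous test and contradicts the assertions below it; `// Credential headers are kept on a same-host redirect` would match. Neither test covers a redirect to a subdomain or to a different scheme on the same host, which are the cases where the hostname-only check matters most.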