
There is a vulnerability introduced by package axios #269

Open
paimon0715 opened this issue Jul 23, 2021 · 5 comments

Comments

@paimon0715

paimon0715 commented Jul 23, 2021

Hi, @skellock @rdewolff, there is a vulnerability introduced in your package apisauce:

Issue Description

A vulnerability CVE-2020-28168 detected in package axios<0.21.1 is directly referenced by [email protected]. We noticed that such a vulnerability has been removed since [email protected].

However, apisauce's popular previous version [email protected] (12,294 downloads per week) is still transitively referenced by a large amount of latest versions of active and popular downstream projects (about 168 downstream projects, e.g., amex-perks-sdk 2.1.3, @graphprotocol/indexer-cli 0.16.0, @kalutheo/uie 0.0.6, ontrac 2.1.8, sunubus-js-utils 1.1.11, [email protected], etc.).
As such, issue CVE-2020-28168 can be propagated into these downstream projects and expose security threats to them.

These projects cannot easily upgrade apisauce from version 1.1.2 to (>=2.0.0). For instance, [email protected] is introduced into the above projects via the following package dependency paths:
(1) [email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected]
......

Projects such as anticaptcha, which introduced [email protected], are not maintained anymore. These unmaintained packages can neither upgrade apisauce nor be easily migrated by the large amount of affected downstream projects.
On behalf of the downstream users, could you help us remove the vulnerability from package [email protected]?

Suggested Solution

Since these inactive projects set a version constraint 1.1.* for apisauce on the above vulnerable dependency paths, if apisauce removes the vulnerability from 1.1.2 and releases a new patched version [email protected], such a vulnerability patch can be automatically propagated into the 168 affected downstream projects.

In [email protected], you can kindly try to perform the following upgrade:
axios ^0.19.0 ➔ ^0.21.1;
Note: [email protected] (>=0.21.1) has fixed the vulnerability (CVE-2020-28168).

Thank you for your contributions.

Best regards,
Paimon

@chakrihacker
Collaborator

I will try to make a release this weekend

@jhpedemonte
Contributor

jhpedemonte commented Sep 28, 2021

Note there is another vulnerability (I can open another issue if necessary): CVE-2021-3749, which is only fixed in axios 0.21.2+ (there were some follow-on fixes, so 0.21.4 seems to be recommended).

Unfortunately, this causes our app to break (I opened axios/axios#4099 to track the new issue). Basically, when making a call to apisauce's post() with data set to undefined, apisauce sets data to null instead. This causes axios 0.21.2+ to JSON.stringify that value and send an XHR payload of "null", which breaks our app.

Workaround would be for apisauce to instead default data to undefined, since calling JSON.stringify() on that still results in undefined and an empty XHR payload.

@jhpedemonte
Contributor

jhpedemonte commented Sep 29, 2021

Update: axios was actually incorrect in versions 0.21.1 and lower -- null is a valid value to stringify. So apisauce is incorrect in defaulting to data = null, since this will now be encoded by axios v0.21.2+ as "null" payload. Instead, apisauce should just keep "no data" as data === undefined.
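The null-versus-undefined behaviour described in the two comments above, as an added illustration (not apisauce's or axios's own code): a simplified stand-in for the axios 0.21.2+ request transform that serialises any object-typed data, placed beside the defaulting behaviour apisauce is reported to have and the proposed fix. The serializer and the two request builders are assumptions modelling the description, not the real implementations.

```javascript
// Added illustration, not apisauce or axios code. Models the reported
// behaviour: apisauce turning "no data" into null makes axios >= 0.21.2
// put the literal string "null" on the wire as the request body.

// Assumption: simplified stand-in for the default transformRequest in
// axios 0.21.2+. Any object-typed data, and null counts since
// typeof null === 'object', is JSON-serialised; undefined means "no body".
// The real transform has more branches (FormData, Buffer, URLSearchParams).
function serializeBody(data) {
  if (data === undefined) return undefined; // nothing sent
  if (typeof data === 'string') return data; // already a body
  if (typeof data === 'object') return JSON.stringify(data); // null -> "null"
  return String(data);
}

// Reported behaviour: apisauce normalises a missing body to null before
// handing the config to axios, so the caller's "no data" becomes data: null.
function buildRequestBuggy(method, url, data) {
  return { method, url, data: data === undefined ? null : data };
}

// Proposed fix from the comments: leave undefined alone so no body is sent,
// while an explicit null still serialises as "null" (a valid JSON value).
function buildRequestFixed(method, url, data) {
  return { method, url, data };
}

// Wire payload that the axios-style transform would produce for a request.
function payloadFor(req) {
  return serializeBody(req.data);
}

// Demo: post() called without a body under each behaviour.
console.log('buggy :', payloadFor(buildRequestBuggy('post', '/users', undefined))); // "null"
console.log('fixed :', payloadFor(buildRequestFixed('post', '/users', undefined))); // undefined
console.log('object:', payloadFor(buildRequestFixed('post', '/users', { id: 1 }))); // {"id":1}
```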

@chakrihacker
Collaborator

Hey, can you raise a new issue? I will look over the weekend.

@jhpedemonte
Contributor

Opened #276

3 participants