Removes or disables the following eslint errors/warnings:
/puter/packages/backend/src/api/filesystem/FlagParam.js
33:19 error 'APIError' is not defined no-undef
47:19 error 'APIError' is not defined no-undef
58:15 error 'APIError' is not defined no-undef
/puter/packages/backend/src/api/filesystem/StringParam.js
32:19 error 'APIError' is not defined no-undef
39:13 error 'APIError' is not defined no-undef
46:19 error 'APIError' is not defined no-undef
/puter/packages/backend/src/filesystem/FilesystemService.js
141:17 warning Unexpected 'debugger' statement no-debugger
366:21 error 'services' is not defined no-undef
/puter/packages/backend/src/filesystem/batch/BatchExecutor.js
121:21 error Do not assign to the exception parameter no-ex-assign
/puter/packages/backend/src/filesystem/hl_operations/hl_data_read.js
44:19 error 'APIError' is not defined no-undef
47:22 error 'chkperm' is not defined no-undef
48:19 error 'APIError' is not defined no-undef
51:29 error 'LLRead' is not defined no-undef
54:13 error 'version_id' is not defined no-undef
88:35 error 'PassThrough' is not defined no-undef
/puter/packages/backend/src/filesystem/hl_operations/hl_mkdir.js
68:49 error 'fs' is not defined no-undef
/puter/packages/backend/src/filesystem/hl_operations/hl_move.js
102:33 error 'get_user' is not defined no-undef
104:35 error 'get_user' is not defined no-undef
110:33 error 'df' is not defined no-undef
/puter/packages/backend/src/filesystem/hl_operations/hl_read.js
54:13 error 'stream' is constant no-const-assign
/puter/packages/backend/src/filesystem/hl_operations/hl_stat.js
40:37 error 'APIError' is not defined no-undef
/puter/packages/backend/src/filesystem/lib/PuterPath.js
67:5 error Expected to return a value in getter 'hasRelativePortion' getter-return
/puter/packages/backend/src/filesystem/ll_operations/ll_copy_idea.js
53:21 error 'UploadProgressTracker' is not defined no-undef
73:17 error 'PuterS3StorageStrategy' is not defined no-undef
137:22 error 'LLFilesystemOperation' is not defined no-undef
/puter/packages/backend/src/filesystem/ll_operations/ll_read.js
102:65 error 'offset' is not defined no-undef
102:73 error 'offset' is not defined no-undef
102:80 error 'length' is not defined no-undef
/puter/packages/backend/src/filesystem/ll_operations/ll_rmnode.js
43:23 error 'APIError' is not defined no-undef
/puter/packages/backend/src/filesystem/storage/SystemFSEntryService.js
101:26 error '_path' is not defined no-undef
/puter/packages/backend/src/filesystem/validation.js
27:29 error Unexpected control character(s) in regular expression: \x00, \x1f no-control-regex
28:29 error Unexpected control character(s) in regular expression: \x00, \x1f no-control-regex
28:31 error Unnecessary escape character: \/ no-useless-escape
When using axios, its dependency follow-redirects only clears authorization header during cross-domain redirect, but allows the proxy-authentication header which contains credentials too.
## Steps To Reproduce & PoC
```js
const axios = require('axios');
axios.get('http://127.0.0.1:10081/', {
headers: {
'AuThorization': 'Rear Test',
'ProXy-AuthoriZation': 'Rear Test',
'coOkie': 't=1'
}
})
.then((response) => {
console.log(response);
})
```
When I meet the cross-domain redirect, the sensitive headers like authorization and cookie are cleared, but proxy-authentication header is kept.
```diff
- removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
+ removeMatchingHeaders(/^(?:authorization|proxy-authorization|cookie)$/i, this._options.headers);
```
CWE-200
`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N`
CVE-2024-28849
Sam Atkins