node_modules: update (#297)

Co-authored-by: dawidd6 <9713907+dawidd6@users.noreply.github.com>
Dawid Dziurla
2026-06-15 07:32:52 +02:00
committed by GitHub
parent d86d472c50
commit 1369c5b90d
27 changed files with 662 additions and 159 deletions
+1 -1
@@ -2,7 +2,7 @@
// module to handle cookies
const urllib = require('url');
const urllib = require('../shared/url');
const SESSION_TIMEOUT = 1800; // 30 min
+26 -3
@@ -2,7 +2,7 @@
const http = require('http');
const https = require('https');
const urllib = require('url');
const urllib = require('../shared/url');
const zlib = require('zlib');
const { PassThrough } = require('stream');
const Cookies = require('./cookies');
@@ -123,7 +123,10 @@ function nmfetch(url, options) {
path: parsed.path,
port: parsed.port ? parsed.port : parsed.protocol === 'https:' ? 443 : 80,
headers,
rejectUnauthorized: false,
// Validate TLS certificates by default. Callers that genuinely need to
// reach a self-signed/internal host opt out explicitly with
// options.tls = { rejectUnauthorized: false }.
rejectUnauthorized: true,
agent: false
};
@@ -212,7 +215,27 @@ function nmfetch(url, options) {
// redirect does not include POST body
options.method = 'GET';
options.body = false;
return nmfetch(urllib.resolve(url, res.headers.location), options);
const redirectUrl = urllib.resolve(url, res.headers.location);
const redirectParsed = urllib.parse(redirectUrl);
// Do not forward credentials when the redirect leaves the original
// security context: a different host, or a downgrade from https to
// http (which would otherwise put them on the wire in cleartext).
// Strip sensitive request headers so an attacker who controls the
// redirect target cannot harvest them.
const crossHost = redirectParsed.hostname !== parsed.hostname;
const downgrade = parsed.protocol === 'https:' && redirectParsed.protocol === 'http:';
if (options.headers && (crossHost || downgrade)) {
const sensitive = ['authorization', 'cookie', 'proxy-authorization'];
Object.keys(options.headers).forEach(key => {
if (sensitive.includes(key.toLowerCase())) {
delete options.headers[key];
}
});
}
return nmfetch(redirectUrl, options);
}
fetchRes.statusCode = res.statusCode;
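Review bot: The `crossHost` test in the redirect hunk compares only `hostname`, so a redirect to a different port on the same host (a different origin, and possibly a different service) still receives `Authorization`, `Cookie` and `Proxy-Authorization`. Consider treating a port change as leaving the security context too, e.g. `const crossHost = redirectParsed.hostname !== parsed.hostname || redirectParsed.port !== parsed.port;`, assuming `parse` from `../shared/url` reports `port` the way it is read when the request options are built; an explicit default port would then strip the headers unnecessarily, which fails safe. The `delete` also mutates the caller's `options.headers` object in place, so a caller that reuses `options` loses those headers on later requests; a short comment such as `// note: mutates the caller's headers object` would make that visible. `nmfetch` starts and ends outside this hunk, so whether other credential sources (for example the `Cookies` jar required at the top of the file) are scoped on redirect cannot be checked from here.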