Version in base suite: 1.2.1+dfsg-1 Base version: node-axios_1.2.1+dfsg-1 Target version: node-axios_1.2.1+dfsg-1+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/n/node-axios/node-axios_1.2.1+dfsg-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/n/node-axios/node-axios_1.2.1+dfsg-1+deb12u1.dsc changelog | 9 ++++ patches/CVE-2023-45857.patch | 43 ++++++++++++++++++++ patches/CVE-2024-57965.patch | 91 +++++++++++++++++++++++++++++++++++++++++++ patches/series | 2 salsa-ci.yml | 2 5 files changed, 147 insertions(+)
diff -Nru node-axios-1.2.1+dfsg/debian/changelog node-axios-1.2.1+dfsg/debian/changelog
--- node-axios-1.2.1+dfsg/debian/changelog 2022-12-07 16:05:52.000000000 +0000
+++ node-axios-1.2.1+dfsg/debian/changelog 2025-02-02 10:35:52.000000000 +0000
@@ -1,3 +1,12 @@
+node-axios (1.2.1+dfsg-1+deb12u1) bookworm; urgency=medium
+
+ * Team upload
+ * Fix CSRF vulnerability (Closes: #1056099, CVE-2023-45857)
+ * Fix potential vulnerability in URL when determining an origin
+ (Closes: #1094731, CVE-2024-57965)
+
+ -- Yadd Sun, 02 Feb 2025 11:35:52 +0100
+
 node-axios (1.2.1+dfsg-1) unstable; urgency=medium
 
 * Team upload
diff -Nru node-axios-1.2.1+dfsg/debian/patches/CVE-2023-45857.patch node-axios-1.2.1+dfsg/debian/patches/CVE-2023-45857.patch
--- node-axios-1.2.1+dfsg/debian/patches/CVE-2023-45857.patch 1970-01-01 00:00:00.000000000 +0000
+++ node-axios-1.2.1+dfsg/debian/patches/CVE-2023-45857.patch 2025-02-02 10:32:08.000000000 +0000
@@ -0,0 +1,43 @@
+Description: fixed CSRF vulnerability CVE-2023-45857 (#6028)
+Author: Valentin Panov
+Origin: upstream, https://github.com/axios/axios/commit/96ee232b
+Bug: https://github.com/axios/axios/issues/6006
+Bug-Debian: https://bugs.debian.org/1056099
+Forwarded: not-needed
+Applied-Upstream: 1.6.0, commit:96ee232b
+Reviewed-By: Yadd
+Last-Update: 2023-11-21
+
+--- a/lib/adapters/xhr.js
++++ b/lib/adapters/xhr.js
+@@ -179,8 +179,8 @@
+ // Specifically not if we're in a web worker, or react-native.
+ if (platform.isStandardBrowserEnv) {
+ // Add xsrf header
+- const xsrfValue = (config.withCredentials || isURLSameOrigin(fullPath))
+- && config.xsrfCookieName && cookies.read(config.xsrfCookieName);
++ // regarding CVE-2023-45857 config.withCredentials condition was removed temporarily
++ const xsrfValue = isURLSameOrigin(fullPath) && config.xsrfCookieName && cookies.read(config.xsrfCookieName);
+
+ if (xsrfValue) {
+ requestHeaders.set(config.xsrfHeaderName, xsrfValue);
+--- a/test/specs/xsrf.spec.js
++++ b/test/specs/xsrf.spec.js
+@@ -67,7 +67,7 @@
+ });
+ });
+
+- it('should set xsrf header for cross origin when using withCredentials', function (done) {
++ it('should not set xsrf header for cross origin when using withCredentials', function (done) {
+ document.cookie = axios.defaults.xsrfCookieName + '=12345';
+
+ axios('http://example.com/', {
+@@ -75,7 +75,7 @@
+ });
+
+ getAjaxRequest().then(function (request) {
+- expect(request.requestHeaders[axios.defaults.xsrfHeaderName]).toEqual('12345');
++ expect(request.requestHeaders[axios.defaults.xsrfHeaderName]).toEqual(undefined);
+ done();
+ });
+ });
diff -Nru node-axios-1.2.1+dfsg/debian/patches/CVE-2024-57965.patch node-axios-1.2.1+dfsg/debian/patches/CVE-2024-57965.patch
--- node-axios-1.2.1+dfsg/debian/patches/CVE-2024-57965.patch 1970-01-01 00:00:00.000000000 +0000
+++ node-axios-1.2.1+dfsg/debian/patches/CVE-2024-57965.patch 2025-02-02 10:32:08.000000000 +0000
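Review bot: The new comment `// regarding CVE-2023-45857 config.withCredentials condition was removed temporarily` describes history rather than the rule the code now enforces, and the header in the xhr.js hunk is what a maintainer will read when the behaviour change is reported; something like `// CVE-2023-45857: the XSRF cookie value is attached only to same-origin requests; withCredentials alone no longer sends it to other origins` states the contract directly. This is a deliberate behaviour change for deployments that relied on cross-origin XSRF headers with withCredentials, and upstream later restored that as the opt-in `withXSRFToken` option, which this backport does not carry; the patch header or debian/NEWS should say so. The xsrf.spec.js change covers the cross-origin negative case, but whether a same-origin positive case still exists above line 67 is not visible in this hunk and is worth confirming. The enclosing function in xhr.js starts and ends outside the hunk.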
@@ -0,0 +1,91 @@
+Description: use URL API instead of DOM to fix a potential vulnerability warning
+Author: Dmitriy Mozgovoy
+Origin: upstream, https://github.com/axios/axios/commit/0a8d6e19
+Bug: https://github.com/axios/axios/issues/6714
+Bug-Debian: https://bugs.debian.org/1094731
+Forwarded: not-needed
+Applied-Upstream: 1.7.8, commit:0a8d6e19
+Reviewed-By: Yadd
+Last-Update: 2025-01-30
+
+--- a/lib/helpers/isURLSameOrigin.js
++++ b/lib/helpers/isURLSameOrigin.js
+@@ -1,67 +1,16 @@
+ 'use strict';
+
+-import utils from './../utils.js';
+ import platform from '../platform/index.js';
+
+-export default platform.isStandardBrowserEnv ?
++export default platform.hasStandardBrowserEnv ? ((origin, isMSIE) => (url) => {
++ url = new URL(url, platform.origin);
+
+-// Standard browser envs have full support of the APIs needed to test
+-// whether the request URL is of the same origin as current location.
+- (function standardBrowserEnv() {
+- const msie = /(msie|trident)/i.test(navigator.userAgent);
+- const urlParsingNode = document.createElement('a');
+- let originURL;
+-
+- /**
+- * Parse a URL to discover it's components
+- *
+- * @param {String} url The URL to be parsed
+- * @returns {Object}
+- */
+- function resolveURL(url) {
+- let href = url;
+-
+- if (msie) {
+- // IE needs attribute set twice to normalize properties
+- urlParsingNode.setAttribute('href', href);
+- href = urlParsingNode.href;
+- }
+-
+- urlParsingNode.setAttribute('href', href);
+-
+- // urlParsingNode provides the UrlUtils interface - http://url.spec.whatwg.org/#urlutils
+- return {
+- href: urlParsingNode.href,
+- protocol: urlParsingNode.protocol ? urlParsingNode.protocol.replace(/:$/, '') : '',
+- host: urlParsingNode.host,
+- search: urlParsingNode.search ? urlParsingNode.search.replace(/^\?/, '') : '',
+- hash: urlParsingNode.hash ? urlParsingNode.hash.replace(/^#/, '') : '',
+- hostname: urlParsingNode.hostname,
+- port: urlParsingNode.port,
+- pathname: (urlParsingNode.pathname.charAt(0) === '/') ?
+- urlParsingNode.pathname :
+- '/' + urlParsingNode.pathname
+- };
+- }
+-
+- originURL = resolveURL(window.location.href);
+-
+- /**
+- * Determine if a URL shares the same origin as the current location
+- *
+- * @param {String} requestURL The URL to test
+- * @returns {boolean} True if URL shares the same origin, otherwise false
+- */
+- return function isURLSameOrigin(requestURL) {
+- const parsed = (utils.isString(requestURL)) ? resolveURL(requestURL) : requestURL;
+- return (parsed.protocol === originURL.protocol &&
+- parsed.host === originURL.host);
+- };
+- })() :
+-
+- // Non standard browser envs (web workers, react-native) lack needed support.
+- (function nonStandardBrowserEnv() {
+- return function isURLSameOrigin() {
+- return true;
+- };
+- })();
++ return (
++ origin.protocol === url.protocol &&
++ origin.host === url.host &&
++ (isMSIE || origin.port === url.port)
++ );
++})(
++ new URL(platform.origin),
++ platform.navigator && /(msie|trident)/i.test(platform.navigator.userAgent)
++) : () => true;
diff -Nru node-axios-1.2.1+dfsg/debian/patches/series node-axios-1.2.1+dfsg/debian/patches/series
--- node-axios-1.2.1+dfsg/debian/patches/series 2022-11-29 15:56:11.000000000 +0000
+++ node-axios-1.2.1+dfsg/debian/patches/series 2025-02-02 10:32:08.000000000 +0000
@@ -2,3 +2,5 @@
 update-test-for-formidable-3.patch
 update-rollup-plugins.patch
 reproducible.patch
+CVE-2023-45857.patch
+CVE-2024-57965.patch
diff -Nru node-axios-1.2.1+dfsg/debian/salsa-ci.yml node-axios-1.2.1+dfsg/debian/salsa-ci.yml
--- node-axios-1.2.1+dfsg/debian/salsa-ci.yml 2022-06-04 09:39:08.000000000 +0000
+++ node-axios-1.2.1+dfsg/debian/salsa-ci.yml 2025-02-02 10:32:08.000000000 +0000
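Review bot: The rewritten isURLSameOrigin.js gates on `platform.hasStandardBrowserEnv` and reads `platform.origin` and `platform.navigator`, while the CVE-2023-45857 patch in this same upload still gates xhr.js on `platform.isStandardBrowserEnv`, and no hunk here adds those three properties to the 1.2.1 platform module (the upstream commit 0a8d6e19 also touched platform code that this backport omits). If `hasStandardBrowserEnv` is undefined on the 1.2.1 platform object, the ternary resolves to `() => true` in every environment, so `isURLSameOrigin(fullPath)` in xhr.js is true for any URL and the XSRF cookie value would again be attached to cross-origin requests, silently undoing the first patch. Please confirm that lib/platform/index.js exports these names in this version, or carry the corresponding platform hunk, and add a browser-env assertion such as `expect(isURLSameOrigin('http://example.com/')).toBe(false)` so the fallback cannot regress unnoticed. A shorter point of style: `url = new URL(url, platform.origin);` reassigns the parameter, and a fresh `const target` would make the comparison lines easier to read.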
@@ -1,4 +1,6 @@
 ---
+variables:
+ RELEASE: 'bookworm'
 include:
 - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
 - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml