Codebase list node-eventsource / 4ed20f5
Update upstream source from tag 'upstream/2.0.2+_1.1.8' Update to upstream version '2.0.2+~1.1.8' with Debian dir 037f110529f6f0d0075a270828b8924151a4cb13 Yadd 1 year, 11 months ago
6 changed file(s) with 266 addition(s) and 156 deletion(s).
0 # [2.0.2](https://github.com/EventSource/eventsource/compare/v2.0.1...v2.0.2)
1
2 * Do not include authorization and cookie headers on redirect to different origin ([#273](https://github.com/EventSource/eventsource/pull/273) Espen Hovlandsdal)
3
04 # [2.0.1](https://github.com/EventSource/eventsource/compare/v2.0.0...v2.0.1)
15
26 * Fix `URL is not a constructor` error for browser ([#268](https://github.com/EventSource/eventsource/pull/268) Ajinkya Rajput)
610 * BREAKING: Node >= 12 now required ([#152](https://github.com/EventSource/eventsource/pull/152) @HonkingGoose)
711 * Preallocate buffer size when reading data for increased performance with large messages ([#239](https://github.com/EventSource/eventsource/pull/239) Pau Freixes)
812 * Removed dependency on url-parser. Fixes [CVE-2022-0512](https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-0512) & [CVE-2022-0691](https://nvd.nist.gov/vuln/detail/CVE-2022-0691) ([#249](https://github.com/EventSource/eventsource/pull/249) Alex Hladin)
13
14 # [1.1.1](https://github.com/EventSource/eventsource/compare/v1.1.0...v1.1.1)
15
16 * Do not include authorization and cookie headers on redirect to different origin ([#273](https://github.com/EventSource/eventsource/pull/273) Espen Hovlandsdal)
917
1018 # [1.1.0](https://github.com/EventSource/eventsource/compare/v1.0.7...v1.1.0)
1119
21402140
21412141 /*<replacement>*/
21422142
2143 var pna = __webpack_require__(7);
2143 var pna = __webpack_require__(6);
21442144 /*</replacement>*/
21452145
21462146 /*<replacement>*/
23582358
23592359 /***/ }),
23602360 /* 6 */
2361 /***/ (function(module, exports, __webpack_require__) {
2362
2363 "use strict";
2364 /* WEBPACK VAR INJECTION */(function(process) {
2365
2366 if (typeof process === 'undefined' ||
2367 !process.version ||
2368 process.version.indexOf('v0.') === 0 ||
2369 process.version.indexOf('v1.') === 0 && process.version.indexOf('v1.8.') !== 0) {
2370 module.exports = { nextTick: nextTick };
2371 } else {
2372 module.exports = process
2373 }
2374
2375 function nextTick(fn, arg1, arg2, arg3) {
2376 if (typeof fn !== 'function') {
2377 throw new TypeError('"callback" argument must be a function');
2378 }
2379 var len = arguments.length;
2380 var args, i;
2381 switch (len) {
2382 case 0:
2383 case 1:
2384 return process.nextTick(fn);
2385 case 2:
2386 return process.nextTick(function afterTickOne() {
2387 fn.call(null, arg1);
2388 });
2389 case 3:
2390 return process.nextTick(function afterTickTwo() {
2391 fn.call(null, arg1, arg2);
2392 });
2393 case 4:
2394 return process.nextTick(function afterTickThree() {
2395 fn.call(null, arg1, arg2, arg3);
2396 });
2397 default:
2398 args = new Array(len - 1);
2399 i = 0;
2400 while (i < args.length) {
2401 args[i++] = arguments[i];
2402 }
2403 return process.nextTick(function afterTick() {
2404 fn.apply(null, args);
2405 });
2406 }
2407 }
2408
2409
2410 /* WEBPACK VAR INJECTION */}.call(exports, __webpack_require__(1)))
2411
2412 /***/ }),
2413 /* 7 */
2414 /***/ (function(module, exports, __webpack_require__) {
2415
2416 /* eslint-disable node/no-deprecated-api */
2417 var buffer = __webpack_require__(3)
2418 var Buffer = buffer.Buffer
2419
2420 // alternative to using Object.keys for old browsers
2421 function copyProps (src, dst) {
2422 for (var key in src) {
2423 dst[key] = src[key]
2424 }
2425 }
2426 if (Buffer.from && Buffer.alloc && Buffer.allocUnsafe && Buffer.allocUnsafeSlow) {
2427 module.exports = buffer
2428 } else {
2429 // Copy properties from require('buffer')
2430 copyProps(buffer, exports)
2431 exports.Buffer = SafeBuffer
2432 }
2433
2434 function SafeBuffer (arg, encodingOrOffset, length) {
2435 return Buffer(arg, encodingOrOffset, length)
2436 }
2437
2438 // Copy static methods from Buffer
2439 copyProps(Buffer, SafeBuffer)
2440
2441 SafeBuffer.from = function (arg, encodingOrOffset, length) {
2442 if (typeof arg === 'number') {
2443 throw new TypeError('Argument must not be a number')
2444 }
2445 return Buffer(arg, encodingOrOffset, length)
2446 }
2447
2448 SafeBuffer.alloc = function (size, fill, encoding) {
2449 if (typeof size !== 'number') {
2450 throw new TypeError('Argument must be a number')
2451 }
2452 var buf = Buffer(size)
2453 if (fill !== undefined) {
2454 if (typeof encoding === 'string') {
2455 buf.fill(fill, encoding)
2456 } else {
2457 buf.fill(fill)
2458 }
2459 } else {
2460 buf.fill(0)
2461 }
2462 return buf
2463 }
2464
2465 SafeBuffer.allocUnsafe = function (size) {
2466 if (typeof size !== 'number') {
2467 throw new TypeError('Argument must be a number')
2468 }
2469 return Buffer(size)
2470 }
2471
2472 SafeBuffer.allocUnsafeSlow = function (size) {
2473 if (typeof size !== 'number') {
2474 throw new TypeError('Argument must be a number')
2475 }
2476 return buffer.SlowBuffer(size)
2477 }
2478
2479
2480 /***/ }),
2481 /* 8 */
23612482 /***/ (function(module, exports, __webpack_require__) {
23622483
23632484 "use strict";
30963217
30973218
30983219 /***/ }),
3099 /* 7 */
3100 /***/ (function(module, exports, __webpack_require__) {
3101
3102 "use strict";
3103 /* WEBPACK VAR INJECTION */(function(process) {
3104
3105 if (typeof process === 'undefined' ||
3106 !process.version ||
3107 process.version.indexOf('v0.') === 0 ||
3108 process.version.indexOf('v1.') === 0 && process.version.indexOf('v1.8.') !== 0) {
3109 module.exports = { nextTick: nextTick };
3110 } else {
3111 module.exports = process
3112 }
3113
3114 function nextTick(fn, arg1, arg2, arg3) {
3115 if (typeof fn !== 'function') {
3116 throw new TypeError('"callback" argument must be a function');
3117 }
3118 var len = arguments.length;
3119 var args, i;
3120 switch (len) {
3121 case 0:
3122 case 1:
3123 return process.nextTick(fn);
3124 case 2:
3125 return process.nextTick(function afterTickOne() {
3126 fn.call(null, arg1);
3127 });
3128 case 3:
3129 return process.nextTick(function afterTickTwo() {
3130 fn.call(null, arg1, arg2);
3131 });
3132 case 4:
3133 return process.nextTick(function afterTickThree() {
3134 fn.call(null, arg1, arg2, arg3);
3135 });
3136 default:
3137 args = new Array(len - 1);
3138 i = 0;
3139 while (i < args.length) {
3140 args[i++] = arguments[i];
3141 }
3142 return process.nextTick(function afterTick() {
3143 fn.apply(null, args);
3144 });
3145 }
3146 }
3147
3148
3149 /* WEBPACK VAR INJECTION */}.call(exports, __webpack_require__(1)))
3150
3151 /***/ }),
3152 /* 8 */
3153 /***/ (function(module, exports, __webpack_require__) {
3154
3155 /* eslint-disable node/no-deprecated-api */
3156 var buffer = __webpack_require__(3)
3157 var Buffer = buffer.Buffer
3158
3159 // alternative to using Object.keys for old browsers
3160 function copyProps (src, dst) {
3161 for (var key in src) {
3162 dst[key] = src[key]
3163 }
3164 }
3165 if (Buffer.from && Buffer.alloc && Buffer.allocUnsafe && Buffer.allocUnsafeSlow) {
3166 module.exports = buffer
3167 } else {
3168 // Copy properties from require('buffer')
3169 copyProps(buffer, exports)
3170 exports.Buffer = SafeBuffer
3171 }
3172
3173 function SafeBuffer (arg, encodingOrOffset, length) {
3174 return Buffer(arg, encodingOrOffset, length)
3175 }
3176
3177 // Copy static methods from Buffer
3178 copyProps(Buffer, SafeBuffer)
3179
3180 SafeBuffer.from = function (arg, encodingOrOffset, length) {
3181 if (typeof arg === 'number') {
3182 throw new TypeError('Argument must not be a number')
3183 }
3184 return Buffer(arg, encodingOrOffset, length)
3185 }
3186
3187 SafeBuffer.alloc = function (size, fill, encoding) {
3188 if (typeof size !== 'number') {
3189 throw new TypeError('Argument must be a number')
3190 }
3191 var buf = Buffer(size)
3192 if (fill !== undefined) {
3193 if (typeof encoding === 'string') {
3194 buf.fill(fill, encoding)
3195 } else {
3196 buf.fill(fill)
3197 }
3198 } else {
3199 buf.fill(0)
3200 }
3201 return buf
3202 }
3203
3204 SafeBuffer.allocUnsafe = function (size) {
3205 if (typeof size !== 'number') {
3206 throw new TypeError('Argument must be a number')
3207 }
3208 return Buffer(size)
3209 }
3210
3211 SafeBuffer.allocUnsafeSlow = function (size) {
3212 if (typeof size !== 'number') {
3213 throw new TypeError('Argument must be a number')
3214 }
3215 return buffer.SlowBuffer(size)
3216 }
3217
3218
3219 /***/ }),
32203220 /* 9 */
32213221 /***/ (function(module, exports, __webpack_require__) {
32223222
37393739 var response = __webpack_require__(13)
37403740 var extend = __webpack_require__(41)
37413741 var statusCodes = __webpack_require__(42)
3742 var url = __webpack_require__(6)
3742 var url = __webpack_require__(8)
37433743
37443744 var http = exports
37453745
41764176
41774177 /*<replacement>*/
41784178
4179 var pna = __webpack_require__(7);
4179 var pna = __webpack_require__(6);
41804180 /*</replacement>*/
41814181
41824182 module.exports = Readable;
42054205
42064206 /*<replacement>*/
42074207
4208 var Buffer = __webpack_require__(8).Buffer;
4208 var Buffer = __webpack_require__(7).Buffer;
42094209 var OurUint8Array = global.Uint8Array || function () {};
42104210 function _uint8ArrayToBuffer(chunk) {
42114211 return Buffer.from(chunk);
51885188
51895189 /*<replacement>*/
51905190
5191 var pna = __webpack_require__(7);
5191 var pna = __webpack_require__(6);
51925192 /*</replacement>*/
51935193
51945194 // undocumented cb() API, needed for core, not for public API
52935293
52945294 /*<replacement>*/
52955295
5296 var pna = __webpack_require__(7);
5296 var pna = __webpack_require__(6);
52975297 /*</replacement>*/
52985298
52995299 module.exports = Writable;
53465346
53475347 /*<replacement>*/
53485348
5349 var Buffer = __webpack_require__(8).Buffer;
5349 var Buffer = __webpack_require__(7).Buffer;
53505350 var OurUint8Array = global.Uint8Array || function () {};
53515351 function _uint8ArrayToBuffer(chunk) {
53525352 return Buffer.from(chunk);
59835983
59845984 /*<replacement>*/
59855985
5986 var Buffer = __webpack_require__(8).Buffer;
5986 var Buffer = __webpack_require__(7).Buffer;
59875987 /*</replacement>*/
59885988
59895989 var isEncoding = Buffer.isEncoding || function (encoding) {
64946494 /* 22 */
64956495 /***/ (function(module, exports, __webpack_require__) {
64966496
6497 /* WEBPACK VAR INJECTION */(function(process, Buffer) {var parse = __webpack_require__(6).parse
6498 var URL = __webpack_require__(6).URL
6497 /* WEBPACK VAR INJECTION */(function(process, Buffer) {var parse = __webpack_require__(8).parse
64996498 var events = __webpack_require__(9)
65006499 var https = __webpack_require__(31)
65016500 var http = __webpack_require__(11)
65136512 var carriageReturn = 13
65146513 // Beyond 256KB we could not observe any gain in performance
65156514 var maxBufferAheadAllocation = 1024 * 256
6515 // Headers matching the pattern should be removed when redirecting to different origin
6516 var reUnsafeHeader = /^(cookie|authorization)$/i
65166517
65176518 function hasBom (buf) {
65186519 return bom.every(function (charCode, index) {
65296530 **/
65306531 function EventSource (url, eventSourceInitDict) {
65316532 var readyState = EventSource.CONNECTING
6533 var headers = eventSourceInitDict && eventSourceInitDict.headers
6534 var hasNewOrigin = false
65326535 Object.defineProperty(this, 'readyState', {
65336536 get: function () {
65346537 return readyState
65506553 readyState = EventSource.CONNECTING
65516554 _emit('error', new Event('error', {message: message}))
65526555
6553 // The url may have been changed by a temporary
6554 // redirect. If that's the case, revert it now.
6556 // The url may have been changed by a temporary redirect. If that's the case,
6557 // revert it now, and flag that we are no longer pointing to a new origin
65556558 if (reconnectUrl) {
65566559 url = reconnectUrl
65576560 reconnectUrl = null
6561 hasNewOrigin = false
65586562 }
65596563 setTimeout(function () {
65606564 if (readyState !== EventSource.CONNECTING || self.connectionInProgress) {
65676571
65686572 var req
65696573 var lastEventId = ''
6570 if (eventSourceInitDict && eventSourceInitDict.headers && eventSourceInitDict.headers['Last-Event-ID']) {
6571 lastEventId = eventSourceInitDict.headers['Last-Event-ID']
6572 delete eventSourceInitDict.headers['Last-Event-ID']
6574 if (headers && headers['Last-Event-ID']) {
6575 lastEventId = headers['Last-Event-ID']
6576 delete headers['Last-Event-ID']
65736577 }
65746578
65756579 var discardTrailingNewline = false
65836587 var isSecure = options.protocol === 'https:'
65846588 options.headers = { 'Cache-Control': 'no-cache', 'Accept': 'text/event-stream' }
65856589 if (lastEventId) options.headers['Last-Event-ID'] = lastEventId
6586 if (eventSourceInitDict && eventSourceInitDict.headers) {
6587 for (var i in eventSourceInitDict.headers) {
6588 var header = eventSourceInitDict.headers[i]
6590 if (headers) {
6591 var reqHeaders = hasNewOrigin ? removeUnsafeHeaders(headers) : headers
6592 for (var i in reqHeaders) {
6593 var header = reqHeaders[i]
65896594 if (header) {
65906595 options.headers[i] = header
65916596 }
66456650
66466651 // Handle HTTP redirects
66476652 if (res.statusCode === 301 || res.statusCode === 302 || res.statusCode === 307) {
6648 if (!res.headers.location) {
6653 var location = res.headers.location
6654 if (!location) {
66496655 // Server sent redirect response without Location header.
66506656 _emit('error', new Event('error', {status: res.statusCode, message: res.statusMessage}))
66516657 return
66526658 }
6659 var prevOrigin = new URL(url).origin
6660 var nextOrigin = new URL(location).origin
6661 hasNewOrigin = prevOrigin !== nextOrigin
66536662 if (res.statusCode === 307) reconnectUrl = url
6654 url = res.headers.location
6663 url = location
66556664 process.nextTick(connect)
66566665 return
66576666 }
69596968 Object.defineProperty(this, f, { writable: false, value: eventInitDict[f], enumerable: true })
69606969 }
69616970 }
6971 }
6972
6973 /**
6974 * Returns a new object of headers that does not include any authorization and cookie headers
6975 *
6976 * @param {Object} headers An object of headers ({[headerName]: headerValue})
6977 * @return {Object} a new object of headers
6978 * @api private
6979 */
6980 function removeUnsafeHeaders (headers) {
6981 var safe = {}
6982 for (var key in headers) {
6983 if (reUnsafeHeader.test(key)) {
6984 continue
6985 }
6986
6987 safe[key] = headers[key]
6988 }
6989
6990 return safe
69626991 }
69636992
69646993 /* WEBPACK VAR INJECTION */}.call(exports, __webpack_require__(1), __webpack_require__(3).Buffer))
80008029 /***/ (function(module, exports, __webpack_require__) {
80018030
80028031 var http = __webpack_require__(11)
8003 var url = __webpack_require__(6)
8032 var url = __webpack_require__(8)
80048033
80058034 var https = module.exports
80068035
83818410
83828411 function _classCallCheck(instance, Constructor) { if (!(instance instanceof Constructor)) { throw new TypeError("Cannot call a class as a function"); } }
83838412
8384 var Buffer = __webpack_require__(8).Buffer;
8413 var Buffer = __webpack_require__(7).Buffer;
83858414 var util = __webpack_require__(35);
83868415
83878416 function copyBuffer(src, target, offset) {
1515 var carriageReturn = 13
1616 // Beyond 256KB we could not observe any gain in performance
1717 var maxBufferAheadAllocation = 1024 * 256
18 // Headers matching the pattern should be removed when redirecting to different origin
19 var reUnsafeHeader = /^(cookie|authorization)$/i
1820
1921 function hasBom (buf) {
2022 return bom.every(function (charCode, index) {
3133 **/
3234 function EventSource (url, eventSourceInitDict) {
3335 var readyState = EventSource.CONNECTING
36 var headers = eventSourceInitDict && eventSourceInitDict.headers
37 var hasNewOrigin = false
3438 Object.defineProperty(this, 'readyState', {
3539 get: function () {
3640 return readyState
5256 readyState = EventSource.CONNECTING
5357 _emit('error', new Event('error', {message: message}))
5458
55 // The url may have been changed by a temporary
56 // redirect. If that's the case, revert it now.
59 // The url may have been changed by a temporary redirect. If that's the case,
60 // revert it now, and flag that we are no longer pointing to a new origin
5761 if (reconnectUrl) {
5862 url = reconnectUrl
5963 reconnectUrl = null
64 hasNewOrigin = false
6065 }
6166 setTimeout(function () {
6267 if (readyState !== EventSource.CONNECTING || self.connectionInProgress) {
6974
7075 var req
7176 var lastEventId = ''
72 if (eventSourceInitDict && eventSourceInitDict.headers && eventSourceInitDict.headers['Last-Event-ID']) {
73 lastEventId = eventSourceInitDict.headers['Last-Event-ID']
74 delete eventSourceInitDict.headers['Last-Event-ID']
77 if (headers && headers['Last-Event-ID']) {
78 lastEventId = headers['Last-Event-ID']
79 delete headers['Last-Event-ID']
7580 }
7681
7782 var discardTrailingNewline = false
8590 var isSecure = options.protocol === 'https:'
8691 options.headers = { 'Cache-Control': 'no-cache', 'Accept': 'text/event-stream' }
8792 if (lastEventId) options.headers['Last-Event-ID'] = lastEventId
88 if (eventSourceInitDict && eventSourceInitDict.headers) {
89 for (var i in eventSourceInitDict.headers) {
90 var header = eventSourceInitDict.headers[i]
93 if (headers) {
94 var reqHeaders = hasNewOrigin ? removeUnsafeHeaders(headers) : headers
95 for (var i in reqHeaders) {
96 var header = reqHeaders[i]
9197 if (header) {
9298 options.headers[i] = header
9399 }
147153
148154 // Handle HTTP redirects
149155 if (res.statusCode === 301 || res.statusCode === 302 || res.statusCode === 307) {
150 if (!res.headers.location) {
156 var location = res.headers.location
157 if (!location) {
151158 // Server sent redirect response without Location header.
152159 _emit('error', new Event('error', {status: res.statusCode, message: res.statusMessage}))
153160 return
154161 }
162 var prevOrigin = new URL(url).origin
163 var nextOrigin = new URL(location).origin
164 hasNewOrigin = prevOrigin !== nextOrigin
155165 if (res.statusCode === 307) reconnectUrl = url
156 url = res.headers.location
166 url = location
157167 process.nextTick(connect)
158168 return
159169 }
462472 }
463473 }
464474 }
475
476 /**
477 * Returns a new object of headers that does not include any authorization and cookie headers
478 *
479 * @param {Object} headers An object of headers ({[headerName]: headerValue})
480 * @return {Object} a new object of headers
481 * @api private
482 */
483 function removeUnsafeHeaders (headers) {
484 var safe = {}
485 for (var key in headers) {
486 if (reUnsafeHeader.test(key)) {
487 continue
488 }
489
490 safe[key] = headers[key]
491 }
492
493 return safe
494 }
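Review bot: In the redirect branch, `hasNewOrigin = prevOrigin !== nextOrigin` compares the target only with the previous hop, because `url` is overwritten with `location` on every redirect; after a cross-origin redirect followed by one that stays on the new origin, the flag returns to false and the caller's `authorization` and `cookie` headers are sent again. The reconnect path has the same weakness: it sets `hasNewOrigin = false` whenever `reconnectUrl` is restored, although in a chain of 307 responses `reconnectUrl` holds the last hop rather than the original URL. Comparing against the origin the headers were supplied for avoids both: `var initialOrigin = new URL(url).origin` at the top of `EventSource` and `hasNewOrigin = new URL(location, url).origin !== initialOrigin` in the redirect branch, with the reconnect path recomputing the flag from `reconnectUrl` instead of clearing it. Passing `url` as the base also keeps a relative `Location` value from throwing in what appears to be the response handler. `EventSource` and the connect logic start and end outside these hunks, and the webpack bundle earlier on this page carries the same lines.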
00 {
11 "name": "eventsource",
2 "version": "2.0.1",
2 "version": "2.0.2",
33 "lockfileVersion": 2,
44 "requires": true,
55 "packages": {
66 "": {
77 "name": "eventsource",
8 "version": "2.0.1",
8 "version": "2.0.2",
99 "license": "MIT",
1010 "devDependencies": {
1111 "buffer-from": "^1.1.1",
00 {
11 "name": "eventsource",
2 "version": "2.0.1",
2 "version": "2.0.2",
33 "description": "W3C compliant EventSource client for Node.js and browser (polyfill)",
44 "keywords": [
55 "eventsource",
575575 es.onopen = function () {
576576 assert.ok(clientRequestedRedirectUrl)
577577 assert.equal(server.url + redirectSuffix, es.url)
578 server.close(done)
579 }
580 })
581 })
582
583 it('follows http ' + status + ' redirects, drops sensitive headers on origin change', function (done) {
584 var redirectSuffix = '/foobar'
585 var clientRequestedRedirectUrl = false
586 var receivedHeaders = {}
587 createServer(function (err, server) {
588 if (err) return done(err)
589
590 var newServerUrl = server.url.replace('http://localhost', 'http://127.0.0.1')
591
592 server.on('request', function (req, res) {
593 if (req.url === '/') {
594 res.writeHead(status, {
595 'Connection': 'Close',
596 'Location': newServerUrl + redirectSuffix
597 })
598 res.end()
599 } else if (req.url === redirectSuffix) {
600 clientRequestedRedirectUrl = true
601 receivedHeaders = req.headers
602 res.writeHead(200, {'Content-Type': 'text/event-stream'})
603 res.end()
604 }
605 })
606
607 var es = new EventSource(server.url, {
608 headers: {
609 keep: 'me',
610 authorization: 'Bearer someToken',
611 cookie: 'some-cookie=yep'
612 }
613 })
614
615 es.onopen = function () {
616 assert.ok(clientRequestedRedirectUrl)
617 assert.equal(newServerUrl + redirectSuffix, es.url)
618 assert.equal(receivedHeaders.keep, 'me', 'safe header no longer present')
619 assert.equal(typeof receivedHeaders.authorization, 'undefined', 'authorization header still present')
620 assert.equal(typeof receivedHeaders.cookie, 'undefined', 'cookie header still present')
578621 server.close(done)
579622 }
580623 })
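Review bot: The added case exercises a single cross-origin hop and passes `authorization` and `cookie` in lower case only, so it does not pin the two situations where the filter is most likely to regress: a second redirect that stays on the new origin, and header names given as `Authorization` / `Cookie`. I would add a sibling case in which the redirected server answers with one more redirect on `newServerUrl` and the final request is asserted to carry neither header, using mixed-case keys in the `headers` object. A case asserting that both headers are still sent on a same-origin redirect would also guard against over-stripping. The surrounding loop that supplies `status` is outside the hunk.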