fix: update as per cubic

jasonsaayman · jasonsaayman · commit 58816eabc989 · 2026-05-02T12:33:55.000+02:00
diff --git a/lib/core/AxiosError.js b/lib/core/AxiosError.js
@@ -56,7 +56,7 @@ function redactConfig(config, redactKeys) {
         return source;
       }
 
-      result = {};
+      result = Object.create(null);
       for (const [key, value] of Object.entries(source)) {
         const reducedValue = lowerKeys.has(key.toLowerCase()) ? REDACTED : visit(value);
         if (!utils.isUndefined(reducedValue)) {
diff --git a/lib/helpers/shouldBypassProxy.js b/lib/helpers/shouldBypassProxy.js
@@ -93,8 +93,8 @@ const parseNoProxyEntry = (entry) => {
 // (Node's URL parser normalises that to `[::ffff:c0a8:105]`), and vice-versa,
 // allowing the proxy-bypass policy to be circumvented by using the alternate
 // representation. Returns the input unchanged when not IPv4-mapped.
-const IPV4_MAPPED_DOTTED_RE = /^(?:::|(?:0{1,4}:){5})ffff:(\d+\.\d+\.\d+\.\d+)$/i;
-const IPV4_MAPPED_HEX_RE = /^(?:::|(?:0{1,4}:){5})ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/i;
+const IPV4_MAPPED_DOTTED_RE = /^(?:::|(?:0{1,4}:){1,4}:|(?:0{1,4}:){5})ffff:(\d+\.\d+\.\d+\.\d+)$/i;
+const IPV4_MAPPED_HEX_RE = /^(?:::|(?:0{1,4}:){1,4}:|(?:0{1,4}:){5})ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/i;
 
 const unmapIPv4MappedIPv6 = (host) => {
   if (typeof host !== 'string' || host.indexOf(':') === -1) return host;
diff --git a/tests/unit/core/AxiosError.test.js b/tests/unit/core/AxiosError.test.js
@@ -316,6 +316,22 @@ describe('core::AxiosError', () => {
       }
     });
 
+    it('copies __proto__ as data without changing the redaction output prototype', () => {
+      const config = { redact: ['password'] };
+      Object.defineProperty(config, '__proto__', {
+        value: { password: 'secret' },
+        enumerable: true,
+        configurable: true,
+      });
+
+      const error = new AxiosError('Boom', 'ECODE', config);
+      const json = error.toJSON();
+
+      expect(Object.getPrototypeOf(json.config)).toBe(null);
+      expect(Object.prototype.hasOwnProperty.call(json.config, '__proto__')).toBe(true);
+      expect(json.config.__proto__.password).toBe('[REDACTED ****]');
+    });
+
     it('does not mutate the original config or AxiosHeaders', () => {
       const headers = new AxiosHeaders();
       headers.set('Authorization', 'Bearer abc');
diff --git a/tests/unit/helpers/shouldBypassProxy.test.js b/tests/unit/helpers/shouldBypassProxy.test.js
@@ -211,6 +211,39 @@ describe('helpers::shouldBypassProxy', () => {
       expect(shouldBypassProxy('http://[::ffff:10.0.0.1]/')).toBe(true);
     });
 
+    it('should treat compressed zero-prefix IPv4-mapped IPv6 dotted forms as equivalent', () => {
+      for (const entry of [
+        '0::ffff:192.168.1.5',
+        '0:0::ffff:192.168.1.5',
+        '0:0:0::ffff:192.168.1.5',
+        '0:0:0:0::ffff:192.168.1.5',
+      ]) {
+        setNoProxy(entry);
+
+        expect(shouldBypassProxy('http://192.168.1.5/')).toBe(true);
+      }
+    });
+
+    it('should treat compressed zero-prefix IPv4-mapped IPv6 hex forms as equivalent', () => {
+      for (const entry of [
+        '0::ffff:c0a8:105',
+        '0:0::ffff:c0a8:105',
+        '0:0:0::ffff:c0a8:105',
+        '0:0:0:0::ffff:c0a8:105',
+      ]) {
+        setNoProxy(entry);
+
+        expect(shouldBypassProxy('http://192.168.1.5/')).toBe(true);
+      }
+    });
+
+    it('should support compressed bracketed IPv4-mapped IPv6 entries with explicit ports', () => {
+      setNoProxy('[0:0::ffff:192.168.1.5]:8080');
+
+      expect(shouldBypassProxy('http://192.168.1.5:8080/')).toBe(true);
+      expect(shouldBypassProxy('http://192.168.1.5:9090/')).toBe(false);
+    });
+
     it('should NOT cross-match unrelated addresses', () => {
       setNoProxy('192.168.1.5');
 

Original file line number	Diff line number	Diff line change
`@@ -56,7 +56,7 @@ function redactConfig(config, redactKeys) {`
`56`	`56`	`return source;`
`57`	`57`	`}`
`58`	`58`
`59`		`- result = {};`
	`59`	`+ result = Object.create(null);`
`60`	`60`	`for (const [key, value] of Object.entries(source)) {`
`61`	`61`	`const reducedValue = lowerKeys.has(key.toLowerCase()) ? REDACTED : visit(value);`
`62`	`62`	`if (!utils.isUndefined(reducedValue)) {`