fix(CSRF): fixed CSRF vulnerability CVE-2023-45857 (#6028)

valentin-panov · DigitalBrainJS · web-flow · commit 96ee232bd3ee · 2023-10-26T22:54:06.000+03:00
Co-authored-by: DigitalBrainJS &lt;robotshara@gmail.com&gt;
diff --git a/lib/adapters/xhr.js b/lib/adapters/xhr.js
@@ -188,8 +188,8 @@ export default isXHRAdapterSupported && function (config) {
     // Specifically not if we're in a web worker, or react-native.
     if (platform.isStandardBrowserEnv) {
       // Add xsrf header
-      const xsrfValue = (config.withCredentials || isURLSameOrigin(fullPath))
-        && config.xsrfCookieName && cookies.read(config.xsrfCookieName);
+      // regarding CVE-2023-45857 config.withCredentials condition was removed temporarily
+      const xsrfValue = isURLSameOrigin(fullPath) && config.xsrfCookieName && cookies.read(config.xsrfCookieName);
 
       if (xsrfValue) {
         requestHeaders.set(config.xsrfHeaderName, xsrfValue);
diff --git a/test/specs/xsrf.spec.js b/test/specs/xsrf.spec.js
@@ -67,15 +67,15 @@ describe('xsrf', function () {
     });
   });
 
-  it('should set xsrf header for cross origin when using withCredentials', function (done) {
+  it('should not set xsrf header for cross origin when using withCredentials', function (done) {
     document.cookie = axios.defaults.xsrfCookieName + '=12345';
 
     axios('http://example.com/', {
       withCredentials: true
     });
 
     getAjaxRequest().then(function (request) {
-      expect(request.requestHeaders[axios.defaults.xsrfHeaderName]).toEqual('12345');
+      expect(request.requestHeaders[axios.defaults.xsrfHeaderName]).toEqual(undefined);
       done();
     });
   });
