kevva / caw Goto Github PK

Hello,

Will be great to support NO_PROXY variables like request module
ex: https://github.com/request/request/blob/master/lib/getProxyFromURI.js#L40

This is an standard in *nix systems:
https://www.gnu.org/software/emacs/manual/html_node/url/Proxies.html

Vulnerability described in more detail here: https://snyk.io/vuln/npm:tunnel-agent:20170305

I'm not sure if caw is using tunnel-agent in a way that this vulnerability is exploitable, but it looks like tunnel agent should be safe to update (the only change to it since 2015 was to address this vulnerability) and doing so will save the whole ecosystem from getting Snyk warnings about this.

I'm happy to submit a PR, but I think it's just a package.json change.

env var override:

caw({
    proxyUrl: 'http://proxy/'
})

proxy headers:

caw({
    proxyHeaders: {
        'user-agent': 'my app'
    }
})

It doesn't support NO_PROXY and does not take an input URL (or protocol) to discern which env var to use, as there can be multiple. Meanwhile, proxy-from-env does all of this and more.

tunnel-agent, not tunnel

You may already be aware of this issue, but I figured I'd post it here anyway, just in case I'm wrong. (I don't see it already posted.)

When running an npm audit on my Laravel project, I get several Moderate security vulnerabilities related to the tunnel-agent dependency. It seems there is a patch available, but it requires that you update caw so that it will use tunnel-agent version >=0.6.0:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Memory Exposure                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tunnel-agent                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.6.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ laravel-mix [dev]                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ laravel-mix > img-loader > imagemin-gifsicle > gifsicle >    │
│               │ bin-build > download > caw > tunnel-agent                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/598                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

The 2.0.0 version also contains a vulnerability introduced through the [email protected] package, which you updated to the 0.6.0 version in [email protected], but didn't published.

It would be nice if the GitHub package was the same as the one in the npm registry.

Should we care about them?

Don't use url.parse() as it will most likely be deprecated within a few years.

I'm having trouble getting caw to work with got, and I'm trying to figure out whether the issue is because of the proxy itself or because of how I'm configuring caw. If my proxy IP is something like 1.2.3.4 and port is 555 and it's an HTTPS proxy, should the string argument be exactly https://1.2.3.4:555, or does it expect it in a different format?

Couldn't get the tests to work so I'm not 100% this works. @floatdrop, you'd probably know how to fix this I guess :).

Hi,

Not sure this is the correct module as the error seems to stem from bin-wrapper, but surface in caw.

https://gist.github.com/AlexMeah/7e68c4d1df08d1d28879

It looks as though in bin-wrapper you new an instance of download without proxy, then in download pass this.opts.proxy which is undefined through to caw which then assigns undefined to opts.

Cheers.

as they needn't be single-use.

How can I pass caw a username/password required by the proxy I want to use?

Environmental variables can't do this, but something like os-proxy might.