google-maps-services-js icon indicating copy to clipboard operation
google-maps-services-js copied to clipboard

Cross-site Request Forgery (CSRF) issue with Axios, replace with fetch?

Open alexbjorlig opened this issue 2 years ago • 7 comments

There is a new CSRF issue with Axios, check more here: https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

Maybe it's time to switch Axios with fetch? Would also make it more easy to support different runtimes than Node.js - like Cloudflare workers.

alexbjorlig avatar Oct 25 '23 20:10 alexbjorlig

If you would like to upvote the priority of this issue, please comment below or react on the original post above with :+1: so we can see what is popular when we triage.

@alexbjorlig Thank you for opening this issue. 🙏 Please check out these other resources that might help you get to a resolution in the meantime:

This is an automated message, feel free to ignore.

wangela avatar Oct 25 '23 20:10 wangela

@alexbjorlig did you resort to using fetch?

flashblaze avatar Nov 12 '23 18:11 flashblaze

@flashblaze I reported this, because this repo is using Axios - not me 😎

alexbjorlig avatar Nov 12 '23 18:11 alexbjorlig

That issue doesn't affect our library at all and only applies for usage of axios in the browser. However, we will still update to newer versions of axios as they become available.

usefulthink avatar Dec 06 '23 13:12 usefulthink

100% - would be amazing if npm security audits were more intelligent, but well 😅

alexbjorlig avatar Dec 06 '23 13:12 alexbjorlig

That issue doesn't affect our library at all and only applies for usage of axios in the browser. @usefulthink

There still is an issue with other then Node and browser environments - Cloudlfare, Deno etc. where Axios does not work (and they are not interested in supporting it).

iBobik avatar Feb 05 '24 18:02 iBobik

Possible workaround is to use this library only for types, but send requests by anything our environment likes:

import { defaultUrl, PlaceAutocompleteRequest, PlaceAutocompleteResponseData } from '@googlemaps/google-maps-services-js/dist/places/autocomplete'

const { googleMapsApiKey } = useRuntimeConfig()

export default defineEventHandler<{ query: {
  input: string
  language: string
  sessionToken: string
} }>(async (event) => {
  const { input, language, sessionToken } = getQuery(event)

  try {
    const data = await $fetch<PlaceAutocompleteResponseData>(defaultUrl, {
      query: {
        input,
        language,
        key: googleMapsApiKey,
        sessiontoken: sessionToken,
      } as PlaceAutocompleteRequest['params']
    })
    if (data.status !== 'OK' && data.status !== 'ZERO_RESULTS')
      throw createError({ statusCode: 400, statusMessage: 'Bad Request' })

    return data
  }
  catch (err) {
    console.log(err)
    throw createError({ statusCode: 500, statusMessage: 'Internal Server Error' })
  }
})

iBobik avatar Feb 07 '24 02:02 iBobik