CSRF Vulnerability in axios via mssql@6.4.1 and Loopback-Connector-MSSQL

[Koyyataman]

Steps to reproduce

1. Use the platform@0.0.1 package with loopback-connector-mssql@3.8.0, which in turn uses mssql@6.4.1.
2. This package relies on axios@0.21.4, which is affected by a CSRF vulnerability.
3. Enable withCredentials setting, and if the X-XSRF-TOKEN header is inserted using the secret XSRF-TOKEN cookie value, CSRF vulnerability is triggered.

Current Behavior

The vulnerability is introduced through the dependency chain:
platform@0.0.1 > loopback-connector-mssql@3.8.0 > mssql@6.4.1 > tedious@6.7.1 > @azure/ms-rest-nodeauth@3.1.1 > adal-node@0.2.4 > axios@0.21.4.

When the XSRF-TOKEN cookie is available and withCredentials is enabled, the X-XSRF-TOKEN header is automatically sent in requests to the server. This can potentially bypass CSRF protections if an attacker manages to obtain this token.

Expected Behavior

• The package mssql should be updated to 11.0.1 or a version that resolves the CSRF vulnerability.
• There should be an update to axios to address the CSRF issue by improving the handling of X-XSRF-TOKEN and XSRF-TOKEN cookies.

Link to reproduction sandbox

N/A

Additional information

• node -e 'console.log(process.platform, process.arch, process.versions.node)'
  Output: <platform info>
• npm ls --prod --depth 0 | grep loopback
  Output: <dependency tree info>

Related Issues

No related issues found.

---

Note: The issue is related to the CSRF vulnerability in axios@0.21.4. The fix would require an update to the mssql dependency to resolve the security issue introduced by axios.

[dhmlau]

@Koyyataman, would you like to submit a PR for the fix?
We probably need to fix the CI first. @achrinza has a PR #242 to enable CI, but there hasn't been recent activities.