fix: disregard protocol-relative URL to remediate SSRF, axios#6539

Author: ModyQyW

packages/core/src/utils/isAbsoluteUrl.test.ts

@@ -13,8 +13,8 @@ describe('utils::isAbsoluteUrl', () => {
     expect(isAbsoluteUrl('!valid://example.com/')).toBe(false);
   });
 
-  it('should return true if URL is protocol-relative', () => {
-    expect(isAbsoluteUrl('//example.com/')).toBe(true);
+  it('should return false if URL is protocol-relative', () => {
+    expect(isAbsoluteUrl('//example.com/')).toBe(false);
   });
 
   it('should return false if URL is relative', () => {

packages/core/src/utils/isAbsoluteUrl.ts

@@ -1,4 +1,7 @@
 export const isAbsoluteUrl = (url: string) => {
+  // A URL is considered absolute if it begins with "<scheme>://".
+  // RFC 3986 defines scheme name as a sequence of characters beginning with a letter and followed
+  // by any combination of letters, digits, plus, period, or hyphen.
   // eslint-disable-next-line regexp/no-unused-capturing-group
-  return /^([a-z][\d+.a-z-]*:)?\/\//i.test(url);
+  return /^([a-z][\d+.a-z-]*:)\/\//i.test(url);
 };