fix: disregard protocol-relative URL to remediate SSRF, axios#6539
ModyQyW committed Sep 2, 2024
1 parent 050182e commit 025cd49
Showing 2 changed files with 6 additions and 3 deletions.
4 changes: 2 additions & 2 deletions packages/core/src/utils/isAbsoluteUrl.test.ts
Expand Up @@ -13,8 +13,8 @@ describe('utils::isAbsoluteUrl', () => {
expect(isAbsoluteUrl('!valid://example.com/')).toBe(false);
});

it('should return true if URL is protocol-relative', () => {
expect(isAbsoluteUrl('//example.com/')).toBe(true);
it('should return false if URL is protocol-relative', () => {
expect(isAbsoluteUrl('//example.com/')).toBe(false);
});

it('should return false if URL is relative', () => {
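Review bot: The updated case pins only the helper's return value for `'//example.com/'`; the property the commit title is after is decided where `isAbsoluteUrl` is consumed, and that code is not part of this commit. Presumably a `false` result makes the caller join the input onto the configured base URL, so a regression test at that call site, asserting the final request URL still begins with the base URL for a protocol-relative input, would keep the SSRF fix from being undone by a later change to the joining logic. The enclosing `describe` block starts and ends outside the hunk.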
5 changes: 4 additions & 1 deletion packages/core/src/utils/isAbsoluteUrl.ts
@@ -1,4 +1,7 @@
export const isAbsoluteUrl = (url: string) => {
// A URL is considered absolute if it begins with "<scheme>://".
// RFC 3986 defines scheme name as a sequence of characters beginning with a letter and followed
// by any combination of letters, digits, plus, period, or hyphen.
// eslint-disable-next-line regexp/no-unused-capturing-group
return /^([a-z][\d+.a-z-]*:)?\/\//i.test(url);
return /^([a-z][\d+.a-z-]*:)\/\//i.test(url);
};
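Review bot: The added comment explains the scheme grammar but not the security decision: nothing near the new `return` says that `//host/path` is rejected on purpose, so the `?` could be reintroduced later as a "fix". I would add `// Protocol-relative URLs ("//host/path") are intentionally NOT treated as absolute (SSRF hardening, see axios#6539).` directly above the return. Since the group is now mandatory and still unused, the parentheses and the `eslint-disable-next-line` can both go: `return /^[a-z][\d+.a-z-]*:\/\//i.test(url);`. Inputs with an explicit scheme still return true, so this helper on its own does not confine a request to the base URL's host; if any caller relies on that, it needs a separate check on the parsed host.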
