From 025cd49fbf44493f97db3f340762de1599d31910 Mon Sep 17 00:00:00 2001
From: Rui Wu
Date: Mon, 2 Sep 2024 14:51:43 +0800
Subject: [PATCH] fix: disregard protocol-relative URL to remediate SSRF, axios#6539

---
 packages/core/src/utils/isAbsoluteUrl.test.ts | 4 ++--
 packages/core/src/utils/isAbsoluteUrl.ts | 5 ++++-
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/packages/core/src/utils/isAbsoluteUrl.test.ts b/packages/core/src/utils/isAbsoluteUrl.test.ts
index 30cab2c..f3f39e6 100644
--- a/packages/core/src/utils/isAbsoluteUrl.test.ts
+++ b/packages/core/src/utils/isAbsoluteUrl.test.ts
@@ -13,8 +13,8 @@ describe('utils::isAbsoluteUrl', () => {
     expect(isAbsoluteUrl('!valid://example.com/')).toBe(false);
   });
 
-  it('should return true if URL is protocol-relative', () => {
-    expect(isAbsoluteUrl('//example.com/')).toBe(true);
+  it('should return false if URL is protocol-relative', () => {
+    expect(isAbsoluteUrl('//example.com/')).toBe(false);
   });
 
   it('should return false if URL is relative', () => {
diff --git a/packages/core/src/utils/isAbsoluteUrl.ts b/packages/core/src/utils/isAbsoluteUrl.ts
index 3f96726..78548d1 100644
--- a/packages/core/src/utils/isAbsoluteUrl.ts
+++ b/packages/core/src/utils/isAbsoluteUrl.ts
@@ -1,4 +1,7 @@
 export const isAbsoluteUrl = (url: string) => {
+  // A URL is considered absolute if it begins with "://".
+  // RFC 3986 defines scheme name as a sequence of characters beginning with a letter and followed
+  // by any combination of letters, digits, plus, period, or hyphen.
   // eslint-disable-next-line regexp/no-unused-capturing-group
-  return /^([a-z][\d+.a-z-]*:)?\/\//i.test(url);
+  return /^([a-z][\d+.a-z-]*:)\/\//i.test(url);
 };
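Review bot: The flipped expectation on the protocol-relative case reads as a plain behavior regression to anyone who does not have the commit message in front of them, so the test should say why it expects false; a one-line comment above the `it(...)` such as `// protocol-relative URLs are deliberately treated as relative so they resolve against baseURL (SSRF remediation, axios#6539)` would keep a later "fix" from reverting it. The enclosing describe block starts and ends outside the hunk.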
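Review bot: The first added comment line states that a URL is absolute "if it begins with `://`", which is not what the regex on the last line checks — it requires a scheme name before the `://`; suggest `// A URL is considered absolute if it begins with a scheme followed by "://".` With the optional `?` removed the capturing group no longer serves a purpose, so the `eslint-disable-next-line` line can be dropped and the test simplified to `return /^[a-z][\d+.a-z-]*:\/\//i.test(url);`. Since this is an exported helper whose result gates whether a caller's base URL is applied, an explicit `: boolean` return type on the arrow function would also make the contract visible at the call sites.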