fix: backport allowAbsoluteUrls vuln fix to v0.x (#6829)

thatguyinabeanie · jasonsaayman · web-flow · commit 02c3c69ced0f · 2025-03-19T12:24:25.000+02:00
* allowAbsoluteUrls

* fix logic - copied from v1.x

* update string

* undo changes to dist/axios.js

* chore: use strict equal in lib/core/buildFullPath.js

---------

Co-authored-by: Jay &lt;jasonsaayman@gmail.com&gt;
diff --git a/lib/adapters/http.js b/lib/adapters/http.js
@@ -109,7 +109,7 @@ module.exports = function httpAdapter(config) {
     var method = config.method.toUpperCase();
 
     // Parse url
-    var fullPath = buildFullPath(config.baseURL, config.url);
+    var fullPath = buildFullPath(config.baseURL, config.url, config.allowAbsoluteUrls);
     var parsed = url.parse(fullPath);
     var protocol = parsed.protocol || supportedProtocols[0];
 
diff --git a/lib/adapters/xhr.js b/lib/adapters/xhr.js
@@ -43,7 +43,7 @@ module.exports = function xhrAdapter(config) {
       requestHeaders.Authorization = 'Basic ' + btoa(username + ':' + password);
     }
 
-    var fullPath = buildFullPath(config.baseURL, config.url);
+    var fullPath = buildFullPath(config.baseURL, config.url, config.allowAbsoluteUrls);
 
     request.open(config.method.toUpperCase(), buildURL(fullPath, config.params, config.paramsSerializer), true);
 
diff --git a/lib/core/Axios.js b/lib/core/Axios.js
@@ -136,7 +136,7 @@ Axios.prototype.request = function request(configOrUrl, config) {
 
 Axios.prototype.getUri = function getUri(config) {
   config = mergeConfig(this.defaults, config);
-  var fullPath = buildFullPath(config.baseURL, config.url);
+  var fullPath = buildFullPath(config.baseURL, config.url, config.allowAbsoluteUrls);
   return buildURL(fullPath, config.params, config.paramsSerializer);
 };
 
diff --git a/lib/core/buildFullPath.js b/lib/core/buildFullPath.js
@@ -10,10 +10,13 @@ var combineURLs = require('../helpers/combineURLs');
  *
  * @param {string} baseURL The base URL
  * @param {string} requestedURL Absolute or relative URL to combine
+ * @param {boolean} allowAbsoluteUrls Set to true to allow absolute URLs
+ *
  * @returns {string} The combined full path
  */
-module.exports = function buildFullPath(baseURL, requestedURL) {
-  if (baseURL && !isAbsoluteURL(requestedURL)) {
+module.exports = function buildFullPath(baseURL, requestedURL, allowAbsoluteUrls) {
+  var isRelativeURL = !isAbsoluteURL(requestedURL);
+  if (baseURL && (isRelativeURL || allowAbsoluteUrls === false)) {
     return combineURLs(baseURL, requestedURL);
   }
   return requestedURL;
diff --git a/test/specs/core/buildFullPath.spec.js b/test/specs/core/buildFullPath.spec.js
@@ -16,5 +16,7 @@ describe('helpers::buildFullPath', function () {
   it('should combine URLs when the baseURL and requestedURL are relative', function () {
     expect(buildFullPath('/api', '/users')).toBe('/api/users');
   });
-
+  it('should not combine the URLs when the requestedURL is absolute, allowAbsoluteUrls is false, and the baseURL is not configured', function () {
+    expect(buildFullPath(undefined, 'https://api.example.com/users', false)).toBe('https://api.example.com/users');
+  });
 });

Original file line number	Diff line number	Diff line change
`@@ -43,7 +43,7 @@ module.exports = function xhrAdapter(config) {`
`43`	`43`	`requestHeaders.Authorization = 'Basic ' + btoa(username + ':' + password);`
`44`	`44`	`}`
`45`	`45`
`46`		`- var fullPath = buildFullPath(config.baseURL, config.url);`
	`46`	`+ var fullPath = buildFullPath(config.baseURL, config.url, config.allowAbsoluteUrls);`
`47`	`47`
`48`	`48`	`request.open(config.method.toUpperCase(), buildURL(fullPath, config.params, config.paramsSerializer), true);`
`49`	`49`