BaseURL config vs absolute URL #5902
Hello team, IMHO this could be a security issue. There is no mention in the documentation, as far as I could see, that a full URL will always be parsed as such after setting the BaseURL attribute. I know that it could be a breaking change, but by default, if BaseURL is set, it should never try to identify whether the path parameter is a full URL and should always attempt to create the final URL using baseURL+path.

Hi

Just pushed a PR allowing you to change

Minimal example: Will make a request to

Minimal example 2: Will make a request to
Is your feature request related to a problem? Please describe.
I think that less experienced developers are unaware of how Axios behaves in terms of prioritizing absolute URLs over the BaseURL attribute configuration.
This situation could generate SSRF-type vulnerabilities in use cases such as:
A malicious user could enter path values like 'http://evil.com/' (an absolute URL) and direct the request to a different site.
Describe the solution you'd like
While it is possible to validate that user input does not contain absolute URLs, I find it safer to have a configuration attribute that allows or denies absolute URLs. Example:
allowAbsoluteURL = false/true
The value true would reflect normal Axios behavior.
The value false generates an exception in requests when each of the following conditions is met:
Describe alternatives you've considered
No response
Additional context/Screenshots
No response
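The resolution rule the issue describes, and the guard it proposes, as an added example that is not axios's own code and not part of the original issue: `isAbsoluteURL` mirrors the "begins with `<scheme>://` or `//`" test axios uses (an assumption about axios internals), `combineURLs` joins base and path with a single slash, and `buildRequestURL` takes the issue's proposed `allowAbsoluteURL` option (name taken from the issue, behaviour assumed) so that an attacker-controlled path such as `http://evil.com/` is refused instead of replacing the configured base. The base hostname is constructed for the demonstration.

```javascript
// Added example (not axios's code): reproduce baseURL/path resolution and
// let the caller refuse absolute (and protocol-relative) paths.

// Absolute here means "<scheme>://..." or "//..." (protocol-relative).
// Assumption: this is the same test axios applies before ignoring baseURL.
function isAbsoluteURL(url) {
  return /^([a-z][a-z\d+\-.]*:)?\/\//i.test(url);
}

// Join a base URL and a relative path with exactly one slash between them.
function combineURLs(baseURL, relativeURL) {
  return relativeURL
    ? baseURL.replace(/\/?\/$/, '') + '/' + relativeURL.replace(/^\/+/, '')
    : baseURL;
}

// Resolve the final request URL.
//   allowAbsoluteURL === true  -> an absolute path wins over baseURL
//                                 (the behaviour the issue describes as default)
//   allowAbsoluteURL === false -> an absolute path is rejected, so user input
//                                 cannot steer the request to another host
function buildRequestURL(baseURL, path, { allowAbsoluteURL = true } = {}) {
  if (isAbsoluteURL(path)) {
    if (!allowAbsoluteURL) {
      throw new Error(`absolute URL not allowed when baseURL is set: ${path}`);
    }
    return path;
  }
  return baseURL ? combineURLs(baseURL, path) : path;
}

// Constructed base URL for the demonstration.
const BASE = 'https://api.internal.example/v1';

// Runs the three cases that matter: a relative path, an absolute path with the
// permissive default, and an absolute path with the guard enabled.
function demo() {
  const results = {};
  results.relative = buildRequestURL(BASE, '/users/42', { allowAbsoluteURL: false });
  results.absoluteAllowed = buildRequestURL(BASE, 'http://evil.com/');
  try {
    buildRequestURL(BASE, '//evil.com/', { allowAbsoluteURL: false });
    results.absoluteDenied = 'no error';
  } catch (e) {
    results.absoluteDenied = e.message;
  }
  return results;
}

console.log(demo());
```

The protocol-relative form (`//evil.com/`) is included deliberately: a check that only looks for `http://` or `https://` would miss it, while the scheme-optional regex above catches it.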