[8.18] Disable allowAbsoluteUrls for axios (#215138) (#215828)

# Backport

This will backport the following commits from `main` to `8.18`:
- [Disable `allowAbsoluteUrls` for axios
(#215138)](https://github.com/elastic/kibana/pull/215138)

<!--- Backport version: 9.6.6 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sorenlouv/backport)

<!--BACKPORT [{"author":{"name":"Alex
Szabo","email":"alex.szabo@elastic.co"},"sourceCommit":{"committedDate":"2025-03-25T08:52:36Z","message":"Disable
`allowAbsoluteUrls` for axios (#215138)\n\n## Summary\nAfter
https://github.com/elastic/kibana/pull/214843, `axios` client\nusages
need to set a flag to prevent the vulnerable behavior.\n\nTo reviewers:
if you think it's a mistake, and you created a client to\nrequest for
absolute URLs, consider unsetting the `baseURL` to\ncommunicate
intent.","sha":"e40b17aa22ec1a2fbc56ae8651e12f658099ec14","branchLabelMapping":{"^v9.1.0$":"main","^v8.19.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["Team:Operations","Team:QA","Team:Security","release_note:skip","backport:all-open","Team:obs-ux-logs","Team:obs-ux-infra_services","v9.1.0"],"title":"Disable
`allowAbsoluteUrls` for
axios","number":215138,"url":"https://github.com/elastic/kibana/pull/215138","mergeCommit":{"message":"Disable
`allowAbsoluteUrls` for axios (#215138)\n\n## Summary\nAfter
https://github.com/elastic/kibana/pull/214843, `axios` client\nusages
need to set a flag to prevent the vulnerable behavior.\n\nTo reviewers:
if you think it's a mistake, and you created a client to\nrequest for
absolute URLs, consider unsetting the `baseURL` to\ncommunicate
intent.","sha":"e40b17aa22ec1a2fbc56ae8651e12f658099ec14"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.1.0","branchLabelMappingKey":"^v9.1.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/215138","number":215138,"mergeCommit":{"message":"Disable
`allowAbsoluteUrls` for axios (#215138)\n\n## Summary\nAfter
https://github.com/elastic/kibana/pull/214843, `axios` client\nusages
need to set a flag to prevent the vulnerable behavior.\n\nTo reviewers:
if you think it's a mistake, and you created a client to\nrequest for
absolute URLs, consider unsetting the `baseURL` to\ncommunicate
intent.","sha":"e40b17aa22ec1a2fbc56ae8651e12f658099ec14"}}]}]
BACKPORT-->

---------

Co-authored-by: Alex Szabo <alex.szabo@elastic.co>

package.json

@@ -1082,7 +1082,7 @@
     "archiver": "^7.0.1",
     "async": "^3.2.6",
     "aws4": "^1.13.2",
-    "axios": "^1.8.2",
+    "axios": "^1.8.3",
     "base64-js": "^1.3.1",
     "bitmap-sdf": "^1.0.3",
     "blurhash": "^2.0.1",

packages/kbn-ci-stats-performance-metrics/src/apm_client.ts

@@ -54,6 +54,7 @@ export class ApmClient {
       auth,
       baseURL,
       timeout,
+      allowAbsoluteUrls: false,
     });
 
     this.logger = logger || console;

packages/kbn-failed-test-reporter-cli/failed_tests_reporter/existing_failed_test_issues.test.ts

@@ -102,6 +102,7 @@ it('captures a list of failed test issue, loads the bodies for each issue, and o
       "calls": Array [
         Array [
           Object {
+            "allowAbsoluteUrls": false,
             "baseURL": "https://ci-stats.kibana.dev",
             "data": Object {
               "failures": Array [
@@ -117,6 +118,7 @@ it('captures a list of failed test issue, loads the bodies for each issue, and o
         ],
         Array [
           Object {
+            "allowAbsoluteUrls": false,
             "baseURL": "https://ci-stats.kibana.dev",
             "data": Object {
               "failures": Array [

packages/kbn-failed-test-reporter-cli/failed_tests_reporter/existing_failed_test_issues.ts

@@ -119,6 +119,7 @@ export class ExistingFailedTestIssues {
         const resp = await Axios.request<FindFailedTestIssuesResponse>({
           method: 'POST',
           baseURL: BASE_URL,
+          allowAbsoluteUrls: false,
           url: '/v1/find_failed_test_issues',
           data: {
             failures: failures.map((f) => ({

src/dev/prs/github_api.ts

@@ -29,6 +29,7 @@ export class GithubApi {
   constructor(private accessToken?: string) {
     this.api = axios.create({
       baseURL: 'https://api.github.com/',
+      allowAbsoluteUrls: false,
       headers: {
         Accept: 'application/vnd.github.v3+json',
         'User-Agent': 'kibana/update_prs_cli',

src/platform/packages/private/kbn-ci-stats-reporter/src/ci_stats_reporter.ts

@@ -372,6 +372,7 @@ export class CiStatsReporter {
           method: 'POST',
           url: path,
           baseURL: BASE_URL,
+          allowAbsoluteUrls: false,
           headers,
           data: body,
           params: query,

x-pack/platform/plugins/shared/actions/server/lib/axios_utils.test.ts

@@ -404,6 +404,7 @@ describe('request', () => {
           defaults: {
             ...axios.defaults,
             baseURL: 'https://here-we-go.com',
+            allowAbsoluteUrls: false,
           },
         } as unknown as AxiosInstance,
         url: '/test',

x-pack/platform/plugins/shared/dataset_quality/server/test_helpers/create_dataset_quality_users/helpers/call_kibana.ts

@@ -23,6 +23,7 @@ export async function callKibana<T>({
   const { data } = await axios.request({
     ...options,
     baseURL: baseUrl,
+    allowAbsoluteUrls: false,
     auth: { username, password },
     headers: { 'kbn-xsrf': 'true', 'x-elastic-internal-origin': 'kibana', ...options.headers },
   });

x-pack/solutions/observability/plugins/apm/scripts/diagnostics_bundle/diagnostics_bundle.ts

@@ -51,6 +51,7 @@ export async function initDiagnosticsBundle({
 
   const kibanaClientOpts = {
     baseURL: kbHost ?? parsedCloudId.kibanaHost,
+    allowAbsoluteUrls: false,
     auth,
     headers: {
       'kbn-xsrf': 'true',

x-pack/solutions/observability/plugins/apm/server/test_helpers/create_apm_users/helpers/call_kibana.ts

@@ -27,6 +27,7 @@ export async function callKibana<T>({
   const { data } = await axios.request({
     ...options,
     baseURL: baseUrl,
+    allowAbsoluteUrls: false,
     auth: { username, password },
     headers: { ...DEFAULT_HEADERS, ...options.headers },
   });

x-pack/solutions/observability/plugins/observability_onboarding/server/test_helpers/create_observability_onboarding_users/helpers/call_kibana.ts

@@ -23,6 +23,7 @@ export async function callKibana<T>({
   const { data } = await axios.request({
     ...options,
     baseURL: baseUrl,
+    allowAbsoluteUrls: false,
     auth: { username, password },
     headers: { 'kbn-xsrf': 'true', 'x-elastic-internal-origin': 'kibana', ...options.headers },
   });

x-pack/test/common/services/spaces.ts

@@ -48,6 +48,7 @@ export function SpacesServiceProvider({ getService }: FtrProviderContext) {
       'kbn-xsrf': 'x-pack/ftr/services/spaces/space',
     },
     baseURL: url,
+    allowAbsoluteUrls: false,
     maxRedirects: 0,
     validateStatus: () => true, // we do our own validation below and throw better error messages
     httpsAgent,

x-pack/test/profiling_api_integration/common/create_profiling_users/helpers/call_kibana.ts

@@ -23,6 +23,7 @@ export async function callKibana<T>({
   const { data } = await axios.request({
     ...options,
     baseURL: baseUrl,
+    allowAbsoluteUrls: false,
     auth: { username, password },
     headers: { 'kbn-xsrf': 'true', ...options.headers },
   });

x-pack/test/ui_capabilities/common/services/features.ts

@@ -19,6 +19,7 @@ export class FeaturesService {
     this.axios = axios.create({
       headers: { 'kbn-xsrf': 'x-pack/ftr/services/features' },
       baseURL: url,
+      allowAbsoluteUrls: false,
       maxRedirects: 0,
       validateStatus: () => true, // we'll handle our own statusCodes and throw informative errors
     });

x-pack/test/ui_capabilities/common/services/ui_capabilities.ts

@@ -39,6 +39,7 @@ export class UICapabilitiesService {
     this.axios = axios.create({
       headers: { 'kbn-xsrf': 'x-pack/ftr/services/ui_capabilities' },
       baseURL: url,
+      allowAbsoluteUrls: false,
       maxRedirects: 0,
       validateStatus: () => true, // we'll handle our own statusCodes and throw informative errors
     });

yarn.lock

@@ -14183,10 +14183,10 @@ axe-core@^4.2.0, axe-core@^4.6.2:
   resolved "https://registry.yarnpkg.com/axe-core/-/axe-core-4.7.2.tgz#040a7342b20765cb18bb50b628394c21bccc17a0"
   integrity sha512-zIURGIS1E1Q4pcrMjp+nnEh+16G56eG/MUllJH8yEvw7asDo7Ac9uhC9KIH5jzpITueEZolfYglnCGIuSBz39g==
 
-axios@^1.0.0, axios@^1.6.0, axios@^1.6.2, axios@^1.7.4, axios@^1.8.2:
-  version "1.8.2"
-  resolved "https://registry.yarnpkg.com/axios/-/axios-1.8.2.tgz#fabe06e241dfe83071d4edfbcaa7b1c3a40f7979"
-  integrity sha512-ls4GYBm5aig9vWx8AWDSGLpnpDQRtWAfrjU+EuytuODrFBkqesN2RkOQCBzrA1RQNHw1SmRMSDDDSwzNAYQ6Rg==
+axios@^1.0.0, axios@^1.6.0, axios@^1.6.2, axios@^1.7.4, axios@^1.8.3:
+  version "1.8.3"
+  resolved "https://registry.yarnpkg.com/axios/-/axios-1.8.3.tgz#9ebccd71c98651d547162a018a1a95a4b4ed4de8"
+  integrity sha512-iP4DebzoNlP/YN2dpwCgb8zoCmhtkajzS48JvwmkSkXvPI3DHc7m+XYL5tGnSlJtR6nImXZmdCuN5aP8dh1d8A==
   dependencies:
     follow-redirects "^1.15.6"
     form-data "^4.0.0"