Disable allowAbsoluteUrls for axios (#215138)

## Summary
After https://github.com/elastic/kibana/pull/214843, `axios` client
usages need to set a flag to prevent the vulnerable behavior.

To reviewers: if you think this is a mistake because you created a client specifically to request absolute URLs, consider unsetting `baseURL` instead, to make that intent explicit.
This commit is contained in:
Alex Szabo 2025-03-25 09:52:36 +01:00 committed by GitHub
parent bf5af0d011
commit e40b17aa22
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
14 changed files with 15 additions and 0 deletions


@ -54,6 +54,7 @@ export class ApmClient {
auth, auth,
baseURL, baseURL,
timeout, timeout,
allowAbsoluteUrls: false,
}); });
this.logger = logger || console; this.logger = logger || console;
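Review bot: The `allowAbsoluteUrls: false` added here is only honoured by axios releases that implement the option (it arrived in 1.8.0); on an older axios the key is silently ignored and an absolute `url` still overrides `baseURL`. The version pin from #214843 is not visible in this page, so a short comment would stop a future downgrade from quietly reopening the issue: `allowAbsoluteUrls: false, // needs axios >= 1.8; without it an absolute url bypasses baseURL`. The ApmClient constructor starts and ends outside the hunk.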


@ -102,6 +102,7 @@ it('captures a list of failed test issue, loads the bodies for each issue, and o
"calls": Array [ "calls": Array [
Array [ Array [
Object { Object {
"allowAbsoluteUrls": false,
"baseURL": "https://ci-stats.kibana.dev", "baseURL": "https://ci-stats.kibana.dev",
"data": Object { "data": Object {
"failures": Array [ "failures": Array [
@ -117,6 +118,7 @@ it('captures a list of failed test issue, loads the bodies for each issue, and o
], ],
Array [ Array [
Object { Object {
"allowAbsoluteUrls": false,
"baseURL": "https://ci-stats.kibana.dev", "baseURL": "https://ci-stats.kibana.dev",
"data": Object { "data": Object {
"failures": Array [ "failures": Array [


@ -119,6 +119,7 @@ export class ExistingFailedTestIssues {
const resp = await Axios.request<FindFailedTestIssuesResponse>({ const resp = await Axios.request<FindFailedTestIssuesResponse>({
method: 'POST', method: 'POST',
baseURL: BASE_URL, baseURL: BASE_URL,
allowAbsoluteUrls: false,
url: '/v1/find_failed_test_issues', url: '/v1/find_failed_test_issues',
data: { data: {
failures: failures.map((f) => ({ failures: failures.map((f) => ({


@ -29,6 +29,7 @@ export class GithubApi {
constructor(private accessToken?: string) { constructor(private accessToken?: string) {
this.api = axios.create({ this.api = axios.create({
baseURL: 'https://api.github.com/', baseURL: 'https://api.github.com/',
allowAbsoluteUrls: false,
headers: { headers: {
Accept: 'application/vnd.github.v3+json', Accept: 'application/vnd.github.v3+json',
'User-Agent': 'kibana/update_prs_cli', 'User-Agent': 'kibana/update_prs_cli',
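Review bot: With `allowAbsoluteUrls: false` on the new line, axios does not reject an absolute `url`; in the releases that honour the flag it joins the value onto `baseURL`, so `this.api.get('https://api.github.com/repos/...')` would be sent to `https://api.github.com/https://api.github.com/...` and fail with a 404 rather than a clear error. If any method of GithubApi passes absolute URLs returned by the API (pagination links from the `Link` header are the usual case), those need converting to paths relative to `baseURL` — the class body is outside the hunk so I cannot confirm either way. A comment at the flag makes the contract visible: `allowAbsoluteUrls: false, // absolute urls are joined onto baseURL, not honoured — pass paths only`.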


@ -372,6 +372,7 @@ export class CiStatsReporter {
method: 'POST', method: 'POST',
url: path, url: path,
baseURL: BASE_URL, baseURL: BASE_URL,
allowAbsoluteUrls: false,
headers, headers,
data: body, data: body,
params: query, params: query,
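Review bot: `url: path` on the line above the new flag is a caller-supplied value, so this is a request where the option genuinely matters; note that axios joins an absolute `path` onto `BASE_URL` instead of rejecting it, so a bad value surfaces as a 404 from the ci-stats host rather than a thrown error. A cheap explicit guard before the request makes the failure self-describing: `if (/^[a-z][a-z0-9+.-]*:\/\//i.test(path) || path.startsWith('//')) throw new Error(\`CiStatsReporter: path must be relative to BASE_URL, got ${path}\`);`. The enclosing method starts and ends outside the hunk, so where `path` is validated today, if at all, is not visible here.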


@ -405,6 +405,7 @@ describe('request', () => {
defaults: { defaults: {
...axios.defaults, ...axios.defaults,
baseURL: 'https://here-we-go.com', baseURL: 'https://here-we-go.com',
allowAbsoluteUrls: false,
}, },
} as unknown as AxiosInstance, } as unknown as AxiosInstance,
url: '/test', url: '/test',


@ -23,6 +23,7 @@ export async function callKibana<T>({
const { data } = await axios.request({ const { data } = await axios.request({
...options, ...options,
baseURL: baseUrl, baseURL: baseUrl,
allowAbsoluteUrls: false,
auth: { username, password }, auth: { username, password },
headers: { 'kbn-xsrf': 'true', 'x-elastic-internal-origin': 'kibana', ...options.headers }, headers: { 'kbn-xsrf': 'true', 'x-elastic-internal-origin': 'kibana', ...options.headers },
}); });
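Review bot: Placing `allowAbsoluteUrls: false` after `...options` is what makes this effective — a caller passing `options.allowAbsoluteUrls = true` is overridden — but nothing says the ordering is deliberate, and a later tidy-up that moves the spread to the end would silently undo it. Suggest `allowAbsoluteUrls: false, // keep after ...options so callers cannot re-enable absolute urls`. The same ordering does not protect `headers`, where `...options.headers` is spread last; that is pre-existing and presumably intended. The `callKibana` signature sits above the hunk.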


@ -53,6 +53,7 @@ export async function initDiagnosticsBundle({
const kibanaClientOpts = { const kibanaClientOpts = {
baseURL: kbHost ?? parsedCloudId.kibanaHost, baseURL: kbHost ?? parsedCloudId.kibanaHost,
allowAbsoluteUrls: false,
auth, auth,
headers: { headers: {
'kbn-xsrf': 'true', 'kbn-xsrf': 'true',


@ -27,6 +27,7 @@ export async function callKibana<T>({
const { data } = await axios.request({ const { data } = await axios.request({
...options, ...options,
baseURL: baseUrl, baseURL: baseUrl,
allowAbsoluteUrls: false,
auth: { username, password }, auth: { username, password },
headers: { ...DEFAULT_HEADERS, ...options.headers }, headers: { ...DEFAULT_HEADERS, ...options.headers },
}); });
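Review bot: The new flag only wins over a caller-supplied `options.allowAbsoluteUrls` because it comes after `...options`; that dependency on key order deserves a one-line note so it survives refactors: `allowAbsoluteUrls: false, // must follow ...options; callers may not re-enable absolute urls`. Everything else in the object literal is unchanged, and the function's signature is above the hunk.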


@ -23,6 +23,7 @@ export async function callKibana<T>({
const { data } = await axios.request({ const { data } = await axios.request({
...options, ...options,
baseURL: baseUrl, baseURL: baseUrl,
allowAbsoluteUrls: false,
auth: { username, password }, auth: { username, password },
headers: { 'kbn-xsrf': 'true', 'x-elastic-internal-origin': 'kibana', ...options.headers }, headers: { 'kbn-xsrf': 'true', 'x-elastic-internal-origin': 'kibana', ...options.headers },
}); });
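Review bot: As in the sibling `callKibana` helpers, the flag is effective only because it is listed after `...options`; document that with `allowAbsoluteUrls: false, // after ...options on purpose — callers cannot override`, otherwise the next person to "sort the keys" removes the protection without a failing test. The function header is outside the hunk.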


@ -48,6 +48,7 @@ export function SpacesServiceProvider({ getService }: FtrProviderContext) {
'kbn-xsrf': 'x-pack/ftr/services/spaces/space', 'kbn-xsrf': 'x-pack/ftr/services/spaces/space',
}, },
baseURL: url, baseURL: url,
allowAbsoluteUrls: false,
maxRedirects: 0, maxRedirects: 0,
validateStatus: () => true, // we do our own validation below and throw better error messages validateStatus: () => true, // we do our own validation below and throw better error messages
httpsAgent, httpsAgent,
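Review bot: Because this client sets `validateStatus: () => true` two lines below the new flag, an absolute `url` handed to this instance will not raise anywhere in axios: the flag makes axios join it onto `baseURL`, the resulting 404 passes validation, and the failure is only seen by the custom status handling the existing comment refers to, where the message will describe a missing space rather than a malformed URL. A one-line comment beside the flag, `// absolute urls are joined onto baseURL (not rejected); callers must pass paths`, tells the next reader why a 404 from an odd-looking path appears the way it does. The surrounding `axios.create` call and the provider's methods are outside the hunk.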


@ -23,6 +23,7 @@ export async function callKibana<T>({
const { data } = await axios.request({ const { data } = await axios.request({
...options, ...options,
baseURL: baseUrl, baseURL: baseUrl,
allowAbsoluteUrls: false,
auth: { username, password }, auth: { username, password },
headers: { 'kbn-xsrf': 'true', ...options.headers }, headers: { 'kbn-xsrf': 'true', ...options.headers },
}); });
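Review bot: This is the fourth copy of `callKibana` touched by the commit with the same `...options` / `baseURL` / `allowAbsoluteUrls: false` / `auth` / `headers` shape, differing only in the default headers; every copy is another place where the flag can be forgotten the next time a client is added. Not for this PR, but a single shared request helper (or a lint rule requiring `allowAbsoluteUrls` wherever `baseURL` appears) would make the hardening hard to lose. For this file, the same ordering caveat applies: `allowAbsoluteUrls: false, // keep after ...options`. The function's signature is above the hunk.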


@ -19,6 +19,7 @@ export class FeaturesService {
this.axios = axios.create({ this.axios = axios.create({
headers: { 'kbn-xsrf': 'x-pack/ftr/services/features' }, headers: { 'kbn-xsrf': 'x-pack/ftr/services/features' },
baseURL: url, baseURL: url,
allowAbsoluteUrls: false,
maxRedirects: 0, maxRedirects: 0,
validateStatus: () => true, // we'll handle our own statusCodes and throw informative errors validateStatus: () => true, // we'll handle our own statusCodes and throw informative errors
}); });
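Review bot: With `validateStatus: () => true` on this instance, an absolute `url` passed by a FeaturesService method would no longer be rejected by axios but joined onto `baseURL` and answered with a 404 that flows into the custom status handling, so the error a caller sees will not mention the URL. A short comment at the flag, `// absolute urls are joined onto baseURL, not rejected — always pass paths`, records that contract. The service's methods are outside the hunk, so I cannot confirm whether any of them builds an absolute URL.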


@ -39,6 +39,7 @@ export class UICapabilitiesService {
this.axios = axios.create({ this.axios = axios.create({
headers: { 'kbn-xsrf': 'x-pack/ftr/services/ui_capabilities' }, headers: { 'kbn-xsrf': 'x-pack/ftr/services/ui_capabilities' },
baseURL: url, baseURL: url,
allowAbsoluteUrls: false,
maxRedirects: 0, maxRedirects: 0,
validateStatus: () => true, // we'll handle our own statusCodes and throw informative errors validateStatus: () => true, // we'll handle our own statusCodes and throw informative errors
}); });
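Review bot: Same shape as FeaturesService: `validateStatus: () => true` means a mistakenly absolute `url` will now be silently joined onto `baseURL` and come back as a 404 that the class's own status handling has to explain. Worth the same one-line comment next to the flag, `// absolute urls are joined onto baseURL, not rejected — always pass paths`, so the behaviour is discoverable from this file. The `UICapabilitiesService` methods are outside the hunk.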