[8.17] Disable allowAbsoluteUrls for axios (#215138)#215827
Merged
kibanamachine merged 2 commits intoelastic:8.17from Mar 25, 2025
Merged
[8.17] Disable allowAbsoluteUrls for axios (#215138)#215827kibanamachine merged 2 commits intoelastic:8.17from
allowAbsoluteUrls for axios (#215138)#215827kibanamachine merged 2 commits intoelastic:8.17from
Conversation
## Summary After elastic#214843, `axios` client usages need to set a flag to prevent the vulnerable behavior. To reviewers: if you think it's a mistake, and you created a client to request for absolute URLs, consider unsetting the `baseURL` to communicate intent. (cherry picked from commit e40b17a)
botelastic
bot
added
ci:project-deploy-observability
Contributor
|
Pinging @elastic/obs-ux-infra_services-team (Team:obs-ux-infra_services) |
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
Contributor
🤖 GitHub commentsExpand to view the GitHub comments
Just comment with:
|
Updates [axios to 1.8.3](https://github.com/axios/axios/releases/tag/v1.8.3). Axios 1.8.2 fixed a vulnerability, but forgot to reflect the new flag in their type definitions. This is probably required to allow the changes smoothly.
Contributor
💚 Build Succeeded
Metrics [docs]Async chunks
History
cc @delanni |
delanni
added a commit
that referenced
this pull request
Mar 27, 2025
# Backport This will backport the following commits from `main` to `7.17`: - [Disable `allowAbsoluteUrls` for axios (#215138)](#215138) <!--- Backport version: 9.6.6 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Alex Szabo","email":"alex.szabo@elastic.co"},"sourceCommit":{"committedDate":"2025-03-25T08:52:36Z","message":"Disable `allowAbsoluteUrls` for axios (#215138)\n\n## Summary\nAfter #214843, `axios` client\nusages need to set a flag to prevent the vulnerable behavior.\n\nTo reviewers: if you think it's a mistake, and you created a client to\nrequest for absolute URLs, consider unsetting the `baseURL` to\ncommunicate intent.","sha":"e40b17aa22ec1a2fbc56ae8651e12f658099ec14","branchLabelMapping":{"^v9.1.0$":"main","^v8.19.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["Team:Operations","Team:QA","Team:Security","release_note:skip","v9.0.0","backport:all-open","Team:obs-ux-logs","Team:obs-ux-infra_services","v8.18.0","v9.1.0","v8.19.0","v8.17.5","v8.16.7"],"title":"Disable `allowAbsoluteUrls` for axios","number":215138,"url":"https://github.com/elastic/kibana/pull/215138","mergeCommit":{"message":"Disable `allowAbsoluteUrls` for axios (#215138)\n\n## Summary\nAfter #214843, `axios` client\nusages need to set a flag to prevent the vulnerable behavior.\n\nTo reviewers: if you think it's a mistake, and you created a client to\nrequest for absolute URLs, consider unsetting the `baseURL` to\ncommunicate intent.","sha":"e40b17aa22ec1a2fbc56ae8651e12f658099ec14"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"9.0","label":"v9.0.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"url":"https://github.com/elastic/kibana/pull/215830","number":215830,"state":"MERGED","mergeCommit":{"sha":"d6b244241a1b668c5ecbd0441f81c995bc51f0f0","message":"[9.0] Disable `allowAbsoluteUrls` for axios (#215138) (#215830)\n\n# Backport\n\nThis will backport the following commits from `main` to `9.0`:\n- [Disable `allowAbsoluteUrls` for axios\n(#215138)](https://github.com/elastic/kibana/pull/215138)\n\n\n\n### Questions ?\nPlease refer to the [Backport tool\ndocumentation](https://github.com/sorenlouv/backport)\n\n\n\nCo-authored-by: Alex Szabo <alex.szabo@elastic.co>"}},{"branch":"8.18","label":"v8.18.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"url":"https://github.com/elastic/kibana/pull/215828","number":215828,"state":"MERGED","mergeCommit":{"sha":"691dde541a49fe9e936180c6152fc6501fd11412","message":"[8.18] Disable `allowAbsoluteUrls` for axios (#215138) (#215828)\n\n# Backport\n\nThis will backport the following commits from `main` to `8.18`:\n- [Disable `allowAbsoluteUrls` for axios\n(#215138)](https://github.com/elastic/kibana/pull/215138)\n\n\n\n### Questions ?\nPlease refer to the [Backport tool\ndocumentation](https://github.com/sorenlouv/backport)\n\n\n\n---------\n\nCo-authored-by: Alex Szabo <alex.szabo@elastic.co>"}},{"branch":"main","label":"v9.1.0","branchLabelMappingKey":"^v9.1.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/215138","number":215138,"mergeCommit":{"message":"Disable `allowAbsoluteUrls` for axios (#215138)\n\n## Summary\nAfter #214843, `axios` client\nusages need to set a flag to prevent the vulnerable behavior.\n\nTo reviewers: if you think it's a mistake, and you created a client to\nrequest for absolute URLs, consider unsetting the `baseURL` to\ncommunicate intent.","sha":"e40b17aa22ec1a2fbc56ae8651e12f658099ec14"}},{"branch":"8.x","label":"v8.19.0","branchLabelMappingKey":"^v8.19.0$","isSourceBranch":false,"url":"https://github.com/elastic/kibana/pull/215829","number":215829,"state":"MERGED","mergeCommit":{"sha":"5a40684e0ae3f52b2d2c578f21a033bcf684486a","message":"[8.x] Disable `allowAbsoluteUrls` for axios (#215138) (#215829)\n\n# Backport\n\nThis will backport the following commits from `main` to `8.x`:\n- [Disable `allowAbsoluteUrls` for axios\n(#215138)](https://github.com/elastic/kibana/pull/215138)\n\n\n\n### Questions ?\nPlease refer to the [Backport tool\ndocumentation](https://github.com/sorenlouv/backport)\n\n\n\n---------\n\nCo-authored-by: Alex Szabo <alex.szabo@elastic.co>"}},{"branch":"8.17","label":"v8.17.5","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"url":"https://github.com/elastic/kibana/pull/215827","number":215827,"state":"MERGED","mergeCommit":{"sha":"2e9347ab43dec483fd44689c3bf8cd8fe32ece2b","message":"[8.17] Disable `allowAbsoluteUrls` for axios (#215138) (#215827)\n\n# Backport\n\nThis will backport the following commits from `main` to `8.17`:\n- [Disable `allowAbsoluteUrls` for axios\n(#215138)](https://github.com/elastic/kibana/pull/215138)\n\n\n\n### Questions ?\nPlease refer to the [Backport tool\ndocumentation](https://github.com/sorenlouv/backport)\n\n\n\n---------\n\nCo-authored-by: Alex Szabo <alex.szabo@elastic.co>"}},{"branch":"8.16","label":"v8.16.7","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"url":"https://github.com/elastic/kibana/pull/215826","number":215826,"state":"MERGED","mergeCommit":{"sha":"a8b89ce376d4e68dd1a2268bb04d09db3b4b53a0","message":"[8.16] Disable `allowAbsoluteUrls` for axios (#215138) (#215826)\n\n# Backport\n\nThis will backport the following commits from `main` to `8.16`:\n- [Disable `allowAbsoluteUrls` for axios\n(#215138)](https://github.com/elastic/kibana/pull/215138)\n\n\n\n### Questions ?\nPlease refer to the [Backport tool\ndocumentation](https://github.com/sorenlouv/backport)\n\n\n\n---------\n\nCo-authored-by: Alex Szabo <alex.szabo@elastic.co>"}}]}] BACKPORT-->
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Backport
This will backport the following commits from
mainto8.17:allowAbsoluteUrlsfor axios (#215138)Questions ?
Please refer to the Backport tool documentation