From 6024d24b90b3160d4a8a98c0014c8ba6eb26482f Mon Sep 17 00:00:00 2001
From: Alex Szabo
Date: Tue, 25 Mar 2025 09:52:36 +0100
Subject: [PATCH] Disable `allowAbsoluteUrls` for axios (#215138)

## Summary

After https://github.com/elastic/kibana/pull/214843, `axios` client usages need to set a flag to prevent the vulnerable behavior.

To reviewers: if you think it's a mistake, and you created a client to request for absolute URLs, consider unsetting the `baseURL` to communicate intent.

(cherry picked from commit e40b17aa22ec1a2fbc56ae8651e12f658099ec14)
---
 packages/kbn-ci-stats-performance-metrics/src/apm_client.ts | 1 +
 .../failed_tests_reporter/existing_failed_test_issues.test.ts | 2 ++
 .../failed_tests_reporter/existing_failed_test_issues.ts | 1 +
 src/dev/prs/github_api.ts | 1 +
 .../private/kbn-ci-stats-reporter/src/ci_stats_reporter.ts | 1 +
 .../plugins/shared/actions/server/lib/axios_utils.test.ts | 1 +
 .../create_dataset_quality_users/helpers/call_kibana.ts | 1 +
 .../apm/scripts/diagnostics_bundle/diagnostics_bundle.ts | 1 +
 .../server/test_helpers/create_apm_users/helpers/call_kibana.ts | 1 +
 .../helpers/call_kibana.ts | 1 +
 x-pack/test/common/services/spaces.ts | 1 +
 .../common/create_profiling_users/helpers/call_kibana.ts | 1 +
 x-pack/test/ui_capabilities/common/services/features.ts | 1 +
 x-pack/test/ui_capabilities/common/services/ui_capabilities.ts | 1 +
 14 files changed, 15 insertions(+)

diff --git a/packages/kbn-ci-stats-performance-metrics/src/apm_client.ts b/packages/kbn-ci-stats-performance-metrics/src/apm_client.ts
index 364682608d3f1..8a0cfd6741403 100644
--- a/packages/kbn-ci-stats-performance-metrics/src/apm_client.ts
+++ b/packages/kbn-ci-stats-performance-metrics/src/apm_client.ts
@@ -54,6 +54,7 @@ export class ApmClient {
 auth,
 baseURL,
 timeout,
+ allowAbsoluteUrls: false,
 });
 this.logger = logger || console;
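Review bot: The new `allowAbsoluteUrls: false` line in apm_client.ts carries no explanation of why it must sit next to `baseURL`, and the same bare line is repeated by hand in every other hunk of this patch (github_api.ts, ci_stats_reporter.ts, the call_kibana.ts helpers, diagnostics_bundle.ts, spaces.ts, features.ts, ui_capabilities.ts), so a future `axios.create({ baseURL })` that omits it silently regains the behaviour the commit message calls vulnerable. I would add a why-comment at this line, `allowAbsoluteUrls: false, // keep an absolute url joined to baseURL instead of replacing it`, and consider a shared client factory or a lint rule so the flag is not an opt-in at each call site. The option is also only honoured by an axios version that implements it; the message says #214843 presumably provides that, but nothing in this patch pins or asserts the version. The `ApmClient` constructor this hunk sits in starts and ends outside the hunk.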
diff --git a/packages/kbn-failed-test-reporter-cli/failed_tests_reporter/existing_failed_test_issues.test.ts b/packages/kbn-failed-test-reporter-cli/failed_tests_reporter/existing_failed_test_issues.test.ts
index 8d814bb7f3497..6ce4216ea9f9a 100644
--- a/packages/kbn-failed-test-reporter-cli/failed_tests_reporter/existing_failed_test_issues.test.ts
+++ b/packages/kbn-failed-test-reporter-cli/failed_tests_reporter/existing_failed_test_issues.test.ts
@@ -102,6 +102,7 @@ it('captures a list of failed test issue, loads the bodies for each issue, and o
 "calls": Array [
 Array [
 Object {
+ "allowAbsoluteUrls": false,
 "baseURL": "https://ci-stats.kibana.dev",
 "data": Object {
 "failures": Array [
@@ -117,6 +118,7 @@ it('captures a list of failed test issue, loads the bodies for each issue, and o
 ],
 Array [
 Object {
+ "allowAbsoluteUrls": false,
 "baseURL": "https://ci-stats.kibana.dev",
 "data": Object {
 "failures": Array [
diff --git a/packages/kbn-failed-test-reporter-cli/failed_tests_reporter/existing_failed_test_issues.ts b/packages/kbn-failed-test-reporter-cli/failed_tests_reporter/existing_failed_test_issues.ts
index 37525419b0ab2..c52a87d156630 100644
--- a/packages/kbn-failed-test-reporter-cli/failed_tests_reporter/existing_failed_test_issues.ts
+++ b/packages/kbn-failed-test-reporter-cli/failed_tests_reporter/existing_failed_test_issues.ts
@@ -119,6 +119,7 @@ export class ExistingFailedTestIssues {
 const resp = await Axios.request({
 method: 'POST',
 baseURL: BASE_URL,
+ allowAbsoluteUrls: false,
 url: '/v1/find_failed_test_issues',
 data: {
 failures: failures.map((f) => ({
diff --git a/src/dev/prs/github_api.ts b/src/dev/prs/github_api.ts
index bba7a2674fc37..bbb31c84cf8d7 100644
--- a/src/dev/prs/github_api.ts
+++ b/src/dev/prs/github_api.ts
@@ -29,6 +29,7 @@ export class GithubApi {
 constructor(private accessToken?: string) {
 this.api = axios.create({
 baseURL: 'https://api.github.com/',
+ allowAbsoluteUrls: false,
 headers: {
 Accept: 'application/vnd.github.v3+json',
 'User-Agent': 'kibana/update_prs_cli',
diff --git a/src/platform/packages/private/kbn-ci-stats-reporter/src/ci_stats_reporter.ts b/src/platform/packages/private/kbn-ci-stats-reporter/src/ci_stats_reporter.ts
index 696f5a10f4819..0c51022ba22e8 100644
--- a/src/platform/packages/private/kbn-ci-stats-reporter/src/ci_stats_reporter.ts
+++ b/src/platform/packages/private/kbn-ci-stats-reporter/src/ci_stats_reporter.ts
@@ -372,6 +372,7 @@ export class CiStatsReporter {
 method: 'POST',
 url: path,
 baseURL: BASE_URL,
+ allowAbsoluteUrls: false,
 headers,
 data: body,
 params: query,
diff --git a/x-pack/platform/plugins/shared/actions/server/lib/axios_utils.test.ts b/x-pack/platform/plugins/shared/actions/server/lib/axios_utils.test.ts
index b7bb7548b9052..a0fc33f0a404b 100644
--- a/x-pack/platform/plugins/shared/actions/server/lib/axios_utils.test.ts
+++ b/x-pack/platform/plugins/shared/actions/server/lib/axios_utils.test.ts
@@ -404,6 +404,7 @@ describe('request', () => {
 defaults: {
 ...axios.defaults,
 baseURL: 'https://here-we-go.com',
+ allowAbsoluteUrls: false,
 },
 } as unknown as AxiosInstance,
 url: '/test',
diff --git a/x-pack/platform/plugins/shared/dataset_quality/server/test_helpers/create_dataset_quality_users/helpers/call_kibana.ts b/x-pack/platform/plugins/shared/dataset_quality/server/test_helpers/create_dataset_quality_users/helpers/call_kibana.ts
index 5f36a8a4204f2..8ccd20c787432 100644
--- a/x-pack/platform/plugins/shared/dataset_quality/server/test_helpers/create_dataset_quality_users/helpers/call_kibana.ts
+++ b/x-pack/platform/plugins/shared/dataset_quality/server/test_helpers/create_dataset_quality_users/helpers/call_kibana.ts
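Review bot: In the axios_utils.test.ts hunk the flag is only added to a hand-built `defaults` fixture that is cast `as unknown as AxiosInstance`, so the test now describes the desired instance config without checking that `request()` in axios_utils.ts actually forwards `allowAbsoluteUrls: false` to the call it makes; that production file is not part of this patch, so I cannot tell from here whether it does. A stronger assertion would check that the config object handed to the mocked instance contains `allowAbsoluteUrls: false`, or that a request given an absolute `url` is still resolved under `https://here-we-go.com`. In the ci_stats_reporter.ts hunk `url: path` is caller-supplied, so that file is the one whose behaviour a test like this would most usefully pin. The enclosing `describe('request', ...)` case starts and ends outside the hunk.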
@@ -23,6 +23,7 @@ export async function callKibana({
 const { data } = await axios.request({
 ...options,
 baseURL: baseUrl,
+ allowAbsoluteUrls: false,
 auth: { username, password },
 headers: { 'kbn-xsrf': 'true', 'x-elastic-internal-origin': 'kibana', ...options.headers },
 });
diff --git a/x-pack/solutions/observability/plugins/apm/scripts/diagnostics_bundle/diagnostics_bundle.ts b/x-pack/solutions/observability/plugins/apm/scripts/diagnostics_bundle/diagnostics_bundle.ts
index 10d55aa2000e1..0ca868b1e7b09 100644
--- a/x-pack/solutions/observability/plugins/apm/scripts/diagnostics_bundle/diagnostics_bundle.ts
+++ b/x-pack/solutions/observability/plugins/apm/scripts/diagnostics_bundle/diagnostics_bundle.ts
@@ -51,6 +51,7 @@ export async function initDiagnosticsBundle({
 const kibanaClientOpts = {
 baseURL: kbHost ?? parsedCloudId.kibanaHost,
+ allowAbsoluteUrls: false,
 auth,
 headers: {
 'kbn-xsrf': 'true',
diff --git a/x-pack/solutions/observability/plugins/apm/server/test_helpers/create_apm_users/helpers/call_kibana.ts b/x-pack/solutions/observability/plugins/apm/server/test_helpers/create_apm_users/helpers/call_kibana.ts
index 637177ca89de5..f5ee33addd5b7 100644
--- a/x-pack/solutions/observability/plugins/apm/server/test_helpers/create_apm_users/helpers/call_kibana.ts
+++ b/x-pack/solutions/observability/plugins/apm/server/test_helpers/create_apm_users/helpers/call_kibana.ts
@@ -27,6 +27,7 @@ export async function callKibana({
 const { data } = await axios.request({
 ...options,
 baseURL: baseUrl,
+ allowAbsoluteUrls: false,
 auth: { username, password },
 headers: { ...DEFAULT_HEADERS, ...options.headers },
 });
diff --git a/x-pack/solutions/observability/plugins/observability_onboarding/server/test_helpers/create_observability_onboarding_users/helpers/call_kibana.ts b/x-pack/solutions/observability/plugins/observability_onboarding/server/test_helpers/create_observability_onboarding_users/helpers/call_kibana.ts
index 5f36a8a4204f2..8ccd20c787432 100644
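Review bot: In the dataset_quality callKibana hunk the protection depends on key order: `baseURL` and `allowAbsoluteUrls` are written after `...options`, so a caller cannot pass either through `options` and win, but nothing marks that ordering as deliberate and a later reordering would silently undo it. I would add `// after ...options so callers cannot override baseURL or re-enable absolute urls` above the `baseURL: baseUrl,` line; the same applies to the apm, observability_onboarding and profiling call_kibana.ts hunks. The type of `options` is declared outside the hunk, so I cannot tell whether it even admits those keys; if it is a full axios request config they are accepted at compile time and overridden here without any signal to the caller. The function signature and its close are outside the hunk.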
--- a/x-pack/solutions/observability/plugins/observability_onboarding/server/test_helpers/create_observability_onboarding_users/helpers/call_kibana.ts
+++ b/x-pack/solutions/observability/plugins/observability_onboarding/server/test_helpers/create_observability_onboarding_users/helpers/call_kibana.ts
@@ -23,6 +23,7 @@ export async function callKibana({
 const { data } = await axios.request({
 ...options,
 baseURL: baseUrl,
+ allowAbsoluteUrls: false,
 auth: { username, password },
 headers: { 'kbn-xsrf': 'true', 'x-elastic-internal-origin': 'kibana', ...options.headers },
 });
diff --git a/x-pack/test/common/services/spaces.ts b/x-pack/test/common/services/spaces.ts
index 67da912fb6a54..298f2626048ac 100644
--- a/x-pack/test/common/services/spaces.ts
+++ b/x-pack/test/common/services/spaces.ts
@@ -48,6 +48,7 @@ export function SpacesServiceProvider({ getService }: FtrProviderContext) {
 'kbn-xsrf': 'x-pack/ftr/services/spaces/space',
 },
 baseURL: url,
+ allowAbsoluteUrls: false,
 maxRedirects: 0,
 validateStatus: () => true, // we do our own validation below and throw better error messages
 httpsAgent,
diff --git a/x-pack/test/profiling_api_integration/common/create_profiling_users/helpers/call_kibana.ts b/x-pack/test/profiling_api_integration/common/create_profiling_users/helpers/call_kibana.ts
index 879b02f8a93c5..738ec09d2f858 100644
--- a/x-pack/test/profiling_api_integration/common/create_profiling_users/helpers/call_kibana.ts
+++ b/x-pack/test/profiling_api_integration/common/create_profiling_users/helpers/call_kibana.ts
@@ -23,6 +23,7 @@ export async function callKibana({
 const { data } = await axios.request({
 ...options,
 baseURL: baseUrl,
+ allowAbsoluteUrls: false,
 auth: { username, password },
 headers: { 'kbn-xsrf': 'true', ...options.headers },
 });
diff --git a/x-pack/test/ui_capabilities/common/services/features.ts b/x-pack/test/ui_capabilities/common/services/features.ts
index e1c79059e6ecb..370d140ab4b79 100644
--- a/x-pack/test/ui_capabilities/common/services/features.ts
+++ b/x-pack/test/ui_capabilities/common/services/features.ts
@@ -19,6 +19,7 @@ export class FeaturesService {
 this.axios = axios.create({
 headers: { 'kbn-xsrf': 'x-pack/ftr/services/features' },
 baseURL: url,
+ allowAbsoluteUrls: false,
 maxRedirects: 0,
 validateStatus: () => true, // we'll handle our own statusCodes and throw informative errors
 });
diff --git a/x-pack/test/ui_capabilities/common/services/ui_capabilities.ts b/x-pack/test/ui_capabilities/common/services/ui_capabilities.ts
index 4367b53d1f0f2..ce4b417c337eb 100644
--- a/x-pack/test/ui_capabilities/common/services/ui_capabilities.ts
+++ b/x-pack/test/ui_capabilities/common/services/ui_capabilities.ts
@@ -39,6 +39,7 @@ export class UICapabilitiesService {
 this.axios = axios.create({
 headers: { 'kbn-xsrf': 'x-pack/ftr/services/ui_capabilities' },
 baseURL: url,
+ allowAbsoluteUrls: false,
 maxRedirects: 0,
 validateStatus: () => true, // we'll handle our own statusCodes and throw informative errors
 });