feat: add protocol validation to withBase to prevent SSRF by stark-afk · Pull Request #565 · unjs/ofetch · GitHub
feat: add protocol validation to withBase to prevent SSRF #565

Open
stark-afk wants to merge 1 commit into unjs:main from stark-afk:fix/ssrf-baseurl-validation

Conversation

@stark-afk

@stark-afk stark-afk commented Apr 5, 2026


Description

This PR adds a security guardrail to the withBase utility. It ensures that if a baseURL is provided, it must use an explicit http:// or https:// protocol.

This prevents potential Server-Side Request Forgery (SSRF) or protocol injection attacks in cases where the baseURL might be derived from untrusted configuration or user input.

Key Changes

  • Validates that baseURL starts with http:// or https://.
  • Throws a descriptive error if an invalid protocol (like file://) or no protocol is used.

Related Issues

Resolves #564

Checklist

  • I have read the contribution guidelines.
  • I have added tests to cover these changes.
  • All tests passed locally.

Summary by CodeRabbit

  • Bug Fixes
    • Fixed URL handling to properly validate base prefix boundaries. The system now correctly checks that matched base prefixes are followed by path boundaries (/, ?, #) or string end, preventing incorrect interpretation of partial-prefix matches.
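The two behaviours described in this thread, as an added, self-contained illustration that is not ofetch's own withBase and not the diff from this PR (which is not shown on this page). It assumes nothing about ofetch's internals: the names withBase, assertSafeBase and isBoundary, the error message and the sample URLs are this example's own. It shows (1) why requiring an explicit http:// or https:// scheme on the base rejects file://, protocol-relative and scheme-less values before any request is built, and (2) why a prefix match against the base must end at a path boundary (/, ?, # or end of string) so that ".../v10/users" is not mistaken for an already-prefixed ".../v1" request:

```javascript
// Added example, not ofetch's code and not this PR's diff.
// 1. A baseURL, when given, must use an explicit http:// or https:// scheme.
// 2. `input` counts as already carrying the base only when the prefix match
//    ends at a path boundary (/, ?, #) or at the end of the string.

// Require a scheme AND at least one host character, so "https://" alone,
// "file:///etc/passwd", "//evil.example" and "api.example.com" are all rejected.
const SAFE_BASE = /^https?:\/\/[^/?#]+/i;

function assertSafeBase(base) {
  if (typeof base !== "string" || !SAFE_BASE.test(base)) {
    throw new TypeError(
      `baseURL must start with http:// or https://, got ${JSON.stringify(base)}`
    );
  }
}

// A prefix match is only real if the next character closes the path segment.
function isBoundary(ch) {
  return ch === undefined || ch === "/" || ch === "?" || ch === "#";
}

function withBase(input, base) {
  // No base configured: pass the request through unchanged.
  if (base === undefined || base === null || base === "") return input;
  assertSafeBase(base);

  const trimmedBase = base.replace(/\/+$/, ""); // drop trailing slashes
  // Already-prefixed input, e.g. base ".../v1" and input ".../v1/users?x=1".
  // ".../v10/users" is NOT a match: the char after "v1" is "0", not a boundary.
  if (input.startsWith(trimmedBase) && isBoundary(input[trimmedBase.length])) {
    return input;
  }
  // Otherwise join with exactly one slash. An absolute input naming another
  // origin is deliberately not special-cased here (a design choice of this
  // example), so a caller-supplied path cannot escape the configured base.
  return trimmedBase + (input.startsWith("/") ? input : "/" + input);
}
```

Validating the base once, at the point where it enters configuration, is cheaper and easier to audit than inspecting every resolved URL later; the boundary check matters because a naive `startsWith` would let a request for `/v10/...` bypass prefixing under a base ending in `/v1`.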

coderabbitai Bot commented Apr 5, 2026

Development

Successfully merging this pull request may close these issues.

SSRF via Unconstrained baseURL + Open Redirect

1 participant