Merge pull request #413 from contentstack/revert/change

harshithad0703 · web-flow · commit 1248ec8f805e · 2025-08-01T19:51:59.000+05:30
Change revert
diff --git a/lib/core/Util.js b/lib/core/Util.js
@@ -140,10 +140,7 @@ const isValidURL = (url) => {
   } catch (error) {
     // If URL parsing fails, it might be a relative URL without protocol
     // Allow it if it doesn't contain protocol indicators or suspicious patterns
-    if (error instanceof TypeError) {
-      return !url.includes('://') && !url.includes('\\') && !url.includes('@')
-    }
-    return false
+    return !url.includes('://') && !url.includes('\\') && !url.includes('@')
   }
 }
 
@@ -152,7 +149,6 @@ const isAllowedHost = (hostname) => {
   const allowedDomains = [
     'api.contentstack.io',
     'eu-api.contentstack.com',
-    'au-api.contentstack.com',
     'azure-na-api.contentstack.com',
     'azure-eu-api.contentstack.com',
     'gcp-na-api.contentstack.com',
@@ -181,53 +177,14 @@ const isAllowedHost = (hostname) => {
   })
 }
 
-// Helper function to validate individual URL properties
-const validateURLProperty = (config, prop) => {
-  if (config[prop] && !isValidURL(config[prop])) {
-    throw new Error(`SSRF Prevention: ${prop} "${config[prop]}" is not allowed`)
-  }
-}
-
-// Helper function to validate combined URL (baseURL + url)
-const validateCombinedURL = (baseURL, url) => {
-  try {
-    let fullURL
-    // Handle relative URLs with baseURL
-    if (url.startsWith('/') || url.startsWith('./') || url.startsWith('../')) {
-      fullURL = new URL(url, baseURL).href
-    } else {
-      // If url is absolute, it overrides baseURL
-      fullURL = url
-    }
-
-    if (!isValidURL(fullURL)) {
-      throw new Error(`SSRF Prevention: Combined URL "${fullURL}" is not allowed`)
-    }
-  } catch (error) {
-    if (error.message.startsWith('SSRF Prevention:')) {
-      throw error
-    }
-    throw new Error(`SSRF Prevention: Invalid URL combination of baseURL "${baseURL}" and url "${url}"`)
-  }
-}
-
 export const validateAndSanitizeConfig = (config) => {
-  if (!config) {
-    throw new Error('Invalid request configuration: missing config')
-  }
-
-  // Validate all possible URL properties in axios config to prevent SSRF attacks
-  const urlProperties = ['url', 'baseURL']
-  urlProperties.forEach(prop => validateURLProperty(config, prop))
-
-  // If we have both baseURL and url, validate the combined URL
-  if (config.baseURL && config.url) {
-    validateCombinedURL(config.baseURL, config.url)
+  if (!config || !config.url) {
+    throw new Error('Invalid request configuration: missing URL')
   }
 
-  // Ensure we have at least one URL property
-  if (!config.url && !config.baseURL) {
-    throw new Error('Invalid request configuration: missing URL or baseURL')
+  // Validate the URL to prevent SSRF attacks
+  if (!isValidURL(config.url)) {
+    throw new Error(`SSRF Prevention: URL "${config.url}" is not allowed`)
   }
 
   return config
