Merge pull request #411 from contentstack/fix/dev

snyk issue fix

Author: cs-raj

lib/core/Util.js

@@ -140,7 +140,10 @@ const isValidURL = (url) => {
   } catch (error) {
     // If URL parsing fails, it might be a relative URL without protocol
     // Allow it if it doesn't contain protocol indicators or suspicious patterns
-    return !url.includes('://') && !url.includes('\\') && !url.includes('@')
+    if (error instanceof TypeError) {
+      return !url.includes('://') && !url.includes('\\') && !url.includes('@')
+    }
+    return false
   }
 }
 
@@ -149,6 +152,7 @@ const isAllowedHost = (hostname) => {
   const allowedDomains = [
     'api.contentstack.io',
     'eu-api.contentstack.com',
+    'au-api.contentstack.com',
     'azure-na-api.contentstack.com',
     'azure-eu-api.contentstack.com',
     'gcp-na-api.contentstack.com',
@@ -177,14 +181,53 @@ const isAllowedHost = (hostname) => {
   })
 }
 
+// Helper function to validate individual URL properties
+const validateURLProperty = (config, prop) => {
+  if (config[prop] && !isValidURL(config[prop])) {
+    throw new Error(`SSRF Prevention: ${prop} "${config[prop]}" is not allowed`)
+  }
+}
+
+// Helper function to validate combined URL (baseURL + url)
+const validateCombinedURL = (baseURL, url) => {
+  try {
+    let fullURL
+    // Handle relative URLs with baseURL
+    if (url.startsWith('/') || url.startsWith('./') || url.startsWith('../')) {
+      fullURL = new URL(url, baseURL).href
+    } else {
+      // If url is absolute, it overrides baseURL
+      fullURL = url
+    }
+
+    if (!isValidURL(fullURL)) {
+      throw new Error(`SSRF Prevention: Combined URL "${fullURL}" is not allowed`)
+    }
+  } catch (error) {
+    if (error.message.startsWith('SSRF Prevention:')) {
+      throw error
+    }
+    throw new Error(`SSRF Prevention: Invalid URL combination of baseURL "${baseURL}" and url "${url}"`)
+  }
+}
+
 export const validateAndSanitizeConfig = (config) => {
-  if (!config || !config.url) {
-    throw new Error('Invalid request configuration: missing URL')
+  if (!config) {
+    throw new Error('Invalid request configuration: missing config')
+  }
+
+  // Validate all possible URL properties in axios config to prevent SSRF attacks
+  const urlProperties = ['url', 'baseURL']
+  urlProperties.forEach(prop => validateURLProperty(config, prop))
+
+  // If we have both baseURL and url, validate the combined URL
+  if (config.baseURL && config.url) {
+    validateCombinedURL(config.baseURL, config.url)
   }
 
-  // Validate the URL to prevent SSRF attacks
-  if (!isValidURL(config.url)) {
-    throw new Error(`SSRF Prevention: URL "${config.url}" is not allowed`)
+  // Ensure we have at least one URL property
+  if (!config.url && !config.baseURL) {
+    throw new Error('Invalid request configuration: missing URL or baseURL')
   }
 
   return config