From 0d6c7b3f490bdc15ccdc40b08bb2eb3a139090f2 Mon Sep 17 00:00:00 2001
From: Ievgen Bondarenko
Date: Mon, 18 May 2026 00:27:45 -0700
Subject: [PATCH] fix(internal): restrict isAbsoluteURL scheme regex to http(s)

The SDK typed resource methods use hardcoded relative paths, so the only schemes isAbsoluteURL needs to recognize as absolute are http and https. The previous regex matched any RFC 3986 scheme (file:, gopher:, ftp:, data:, javascript:), which could bypass baseURL when an absolute-URL path is passed to client.get / client.post.
---
 src/internal/utils/values.ts | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/internal/utils/values.ts b/src/internal/utils/values.ts
index 284ff5cdef..04d4723539 100644
--- a/src/internal/utils/values.ts
+++ b/src/internal/utils/values.ts
@@ -3,7 +3,13 @@
 import { OpenAIError } from '../../core/error';
 // https://url.spec.whatwg.org/#url-scheme-string
-const startsWithSchemeRegexp = /^[a-z][a-z0-9+.-]*:/i;
+//
+// Restricted to http(s) to avoid bypassing baseURL through dangerous schemes
+// (file:, gopher:, ftp:, data:, javascript:) when an absolute-URL path is
+// passed to client.get / client.post. The SDK's typed resource methods use
+// hardcoded relative paths, so this narrows the regex to the only schemes
+// the SDK is meant to construct outbound requests against.
+const startsWithSchemeRegexp = /^https?:/i;
 export const isAbsoluteURL = (url: string): boolean => {
   return startsWithSchemeRegexp.test(url);
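Review bot: The diffstat shows only src/internal/utils/values.ts changed, so nothing pins the narrowed contract of `isAbsoluteURL`; a small test beside it should assert that a constructed `file:///example` input now returns false while constructed `HTTPS://example.test/v1` and `http://example.test` inputs still return true, so a later regex edit cannot silently reopen the old behaviour. The retained context comment `// https://url.spec.whatwg.org/#url-scheme-string` now sits above a regex that no longer implements that grammar; a single note such as `// Deliberately narrower than the WHATWG scheme grammar: only http(s) count as absolute` would replace the seven added comment lines without restating the commit message. Whether this change alone closes the baseURL bypass described in the message depends on how the caller joins a non-absolute path onto baseURL (plain string concatenation versus WHATWG-style resolution), which is outside this hunk and worth confirming there.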