Commit graph

2 commits

Author SHA1 Message Date
Alan Agius
e0b5078cf2 fix(platform-server): prevent SSRF bypasses via protocol-relative and backslash URLs
The `parseUrl` function in `ServerPlatformLocation` uses `new URL(urlStr, origin)` to parse incoming request URLs during SSR. Per the WHATWG URL specification, protocol-relative URLs (`//evil.com`) and backslash-prefixed URLs (`/\evil.com`) can override the hostname component of the base URL.

This vulnerability typically manifests in SSR setups (e.g., Express) where `req.url` is passed directly to `renderApplication` or `renderModule`:

```typescript
import express from 'express';
import { renderApplication } from '@angular/platform-server';

// `bootstrap` (the application's bootstrap function) and `template`
// (the index.html string) are defined elsewhere in the server file.
const app = express();

// Example usage in an Express server handling: http://localhost:4000//evil.com
app.get('*', async (req, res) => {
  const html = await renderApplication(bootstrap, {
    document: template,
    url: req.url, // req.url is "//evil.com" and is passed through unvalidated
  });
  res.send(html);
});
```

(cherry picked from commit ede7c58a2a)
2026-04-15 10:23:57 -04:00
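As an added example that is not Angular's own code or fix, the following TypeScript shows how `new URL(urlStr, origin)` resolves the two inputs named in the commit message to a foreign host, next to a hardened parse that compares the resolved origin with the trusted base origin; `parseUrlNaive`, `parseUrlSafe`, `rejectsHostOverride` and the base origin `http://localhost:4000` are assumed names and values.

```typescript
// Constructed example: WHATWG base-URL resolution lets a request path
// supply the authority component, and an origin check that refuses it.

interface ParsedLocation {
  hostname: string;
  port: string;
  pathname: string;
  search: string;
  hash: string;
}

function pick(u: URL): ParsedLocation {
  return { hostname: u.hostname, port: u.port, pathname: u.pathname, search: u.search, hash: u.hash };
}

// Naive parse: the pattern described in the commit message. For http(s) the
// WHATWG parser treats "\" like "/", so both "//evil.com" and "/\evil.com"
// become protocol-relative and replace the base URL's host.
function parseUrlNaive(urlStr: string, origin: string): ParsedLocation {
  return pick(new URL(urlStr, origin));
}

// Hardened parse (assumed mitigation, not the project's patch): resolve
// against the trusted origin, then require that the result still lives on
// that origin. Anything that smuggled in its own host is rejected.
function parseUrlSafe(urlStr: string, origin: string): ParsedLocation {
  const base = new URL(origin);
  const resolved = new URL(urlStr, base);
  if (resolved.origin !== base.origin) {
    throw new Error(`request URL resolved to foreign origin ${resolved.origin}`);
  }
  return pick(resolved);
}

// Helper for checks: true when the hardened parser refuses the input.
function rejectsHostOverride(urlStr: string, origin: string): boolean {
  try {
    parseUrlSafe(urlStr, origin);
    return false;
  } catch {
    return true;
  }
}

// Constructed request paths as an Express `req.url` would carry them.
const BASE = 'http://localhost:4000';
const SAMPLES = ['/products?id=7#top', '//evil.com', '/\\evil.com', '\\\\evil.com/x'];
for (const s of SAMPLES) {
  console.log(s, '->', parseUrlNaive(s, BASE).hostname, rejectsHostOverride(s, BASE) ? 'rejected' : 'ok');
}
```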
Alan Agius
062a696673 refactor(platform-server): use URL constructor for robust parsing (#64494)
The existing implementation of `PlatformLocation` uses a custom URL parsing mechanism that can be brittle and doesn't properly update the `href` property. This change refactors the URL parsing to use the native `URL` constructor, providing more robust and accurate parsing of URLs, which also correctly updates the `href` property.

The tests for `PlatformLocation` have also been moved to a dedicated file to improve organization and clarity.

PR Close #64494
2025-10-17 18:17:15 +00:00