mirror of
https://github.com/angular/angular
synced 2026-05-24 09:28:37 +00:00
8569db8875
Some checks failed
DevInfra / assistant_to_the_branch_manager (push) Has been cancelled
CI (push) / lint (push) Has been cancelled
CI (push) / devtools (push) Has been cancelled
CI (push) / test (push) Has been cancelled
CI (push) / integration-tests (push) Has been cancelled
CI (push) / adev (push) Has been cancelled
CI (push) / publish-snapshots (push) Has been cancelled
CI (push) / zone-js (push) Has been cancelled
Update ADEV Angular CDK APIs and CLI Help / Update Angular CDK APIs and CLI Help (if necessary) (push) Has been cancelled
CI (push) / adev-deploy (push) Has been cancelled
In server-side rendering (SSR) setups, passing request URLs directly to the lower-level rendering APIs `renderModule` or `renderApplication` can expose applications to Server-Side Request Forgery (SSRF) or Host Header Injection attacks via absolute-form request URLs. To mitigate these vulnerabilities at the framework layer, this commit introduces the `allowedHosts` option to `PlatformConfig` (supporting exact hostnames, wildcards like `*.example.com`, or `*` to allow all). During platform initialization inside `createServerPlatform`, the hostname of the request `url` is validated against the `allowedHosts` list. If the hostname is not authorized, bootstrap immediately throws a host validation error, preventing unauthorized rendering and silent SSRF bypasses. Closes #68436 |
||
|---|---|---|
| .. | ||
| ngmodule | ||
| standalone | ||