mirror of
https://github.com/angular/angular
synced 2026-05-24 09:28:37 +00:00
60552a73e8
In server-side rendering (SSR) setups, passing request URLs directly to the lower-level rendering APIs `renderModule` or `renderApplication` can expose applications to Server-Side Request Forgery (SSRF) or Host Header Injection attacks via absolute-form request URLs. To mitigate these vulnerabilities at the framework layer, this commit introduces the `allowedHosts` option to `PlatformConfig` (supporting exact hostnames, wildcards like `*.example.com`, or `*` to allow all). During platform initialization inside `createServerPlatform`, the hostname of the request `url` is validated against the `allowedHosts` list. If the hostname is not authorized, bootstrap immediately throws a host validation error, preventing unauthorized rendering and silent SSRF bypasses. Closes #68436
97 lines
2.9 KiB
TypeScript
97 lines
2.9 KiB
TypeScript
/**
|
|
* @license
|
|
* Copyright Google LLC All Rights Reserved.
|
|
*
|
|
* Use of this source code is governed by an MIT-style license that can be
|
|
* found in the LICENSE file at https://angular.dev/license
|
|
*/
|
|
|
|
import {destroyPlatform} from '@angular/core';
|
|
import {renderApplication, renderModule} from '@angular/platform-server';
|
|
import {isHostAllowed} from '../src/utils';
|
|
|
|
describe('isHostAllowed', () => {
|
|
it('allows matching hostname when in allowedHosts list', () => {
|
|
expect(isHostAllowed('test.com', new Set(['test.com', 'example.com']))).toBeTrue();
|
|
});
|
|
|
|
it('allows matching hostname when wildcard matches', () => {
|
|
expect(isHostAllowed('sub.example.com', new Set(['test.com', '*.example.com']))).toBeTrue();
|
|
});
|
|
|
|
it('rejects hostname when not in allowedHosts list', () => {
|
|
expect(isHostAllowed('evil.com', new Set(['test.com', '*.example.com']))).toBeFalse();
|
|
});
|
|
|
|
it('allows all hostnames when * is in allowedHosts list', () => {
|
|
expect(isHostAllowed('anydomain.com', new Set(['*']))).toBeTrue();
|
|
});
|
|
});
|
|
|
|
describe('allowedHosts validation in renderApplication', () => {
|
|
const bootstrap = (async () => {}) as any;
|
|
|
|
beforeEach(() => {
|
|
destroyPlatform();
|
|
});
|
|
|
|
afterEach(() => {
|
|
destroyPlatform();
|
|
});
|
|
|
|
it('should throw an error on bootstrap if host is not allowed', async () => {
|
|
await expectAsync(
|
|
renderApplication(bootstrap, {
|
|
document: '<app></app>',
|
|
url: 'http://evil.com/deep/path',
|
|
allowedHosts: ['test.com', '*.example.com'],
|
|
}),
|
|
).toBeRejectedWithError(/Host http:\/\/evil.com\/deep\/path is not allowed/);
|
|
});
|
|
|
|
it('should not throw a host validation error on bootstrap if host is allowed', async () => {
|
|
try {
|
|
await renderApplication(bootstrap, {
|
|
document: '<app></app>',
|
|
url: 'http://test.com/deep/path',
|
|
allowedHosts: ['test.com', '*.example.com'],
|
|
});
|
|
} catch (error: any) {
|
|
expect(error.message).not.toContain('is not allowed');
|
|
}
|
|
});
|
|
});
|
|
|
|
describe('allowedHosts validation in renderModule', () => {
|
|
class MockModule {}
|
|
|
|
beforeEach(() => {
|
|
destroyPlatform();
|
|
});
|
|
|
|
afterEach(() => {
|
|
destroyPlatform();
|
|
});
|
|
|
|
it('should throw an error if host is not allowed', async () => {
|
|
await expectAsync(
|
|
renderModule(MockModule, {
|
|
document: '<app></app>',
|
|
url: 'http://evil.com/deep/path',
|
|
allowedHosts: ['test.com', '*.example.com'],
|
|
}),
|
|
).toBeRejectedWithError(/Host http:\/\/evil.com\/deep\/path is not allowed/);
|
|
});
|
|
|
|
it('should not throw a host validation error if host is allowed', async () => {
|
|
try {
|
|
await renderModule(MockModule, {
|
|
document: '<app></app>',
|
|
url: 'http://test.com/deep/path',
|
|
allowedHosts: ['test.com', '*.example.com'],
|
|
});
|
|
} catch (error: any) {
|
|
expect(error.message).not.toContain('is not allowed');
|
|
}
|
|
});
|
|
});
|