Elgato_dark/angular
1
0
Fork 0
mirror of https://github.com/angular/angular synced 2026-05-24 09:28:37 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
angular/integration/platform-server/projects/ngmodule
History
Alan Agius 629905d537 fix(platform-server): add allowedHosts option to renderModule and renderApplication 
In server-side rendering (SSR) setups, passing request URLs directly to the lower-level rendering APIs `renderModule` or `renderApplication` can expose applications to Server-Side Request Forgery (SSRF) or Host Header Injection attacks via absolute-form request URLs.
To mitigate these vulnerabilities at the framework layer, this commit introduces the `allowedHosts` option to `PlatformConfig` (supporting exact hostnames, wildcards like `*.example.com`, or `*` to allow all).

During platform initialization inside `createServerPlatform`, the hostname of the request `url` is validated against the `allowedHosts` list. If the hostname is not authorized, bootstrap immediately throws a host validation error, preventing unauthorized rendering and silent SSRF bypasses.

Closes #68436

(cherry picked from commit 60552a73e8)
2026-05-07 15:30:07 -07:00
..
src ci: reformat files 2025-12-16 14:44:19 -08:00
prerender.ts refactor: update license text to point to angular.dev (#57901) 2024-09-24 15:33:00 +02:00
server.ts fix(platform-server): add allowedHosts option to renderModule and renderApplication 2026-05-07 15:30:07 -07:00
tsconfig.app.json build: remove yarn from integration tests, switch to pnpm (#63902) 2025-09-18 14:39:51 +00:00
tsconfig.spec.json docs: update link to the TS config. (#50933) 2023-07-05 13:58:35 +02:00