mirror of
https://github.com/angular/angular
synced 2026-05-24 09:28:37 +00:00
The `parseUrl` function in `ServerPlatformLocation` uses `new URL(urlStr, origin)` to parse incoming request URLs during SSR. Per the WHATWG URL specification, protocol-relative URLs (`//evil.com`) and backslash-prefixed URLs (`/\evil.com`) can override the hostname component of the base URL.
This vulnerability typically manifests in SSR setups (e.g., Express) where `req.url` is passed directly to `renderApplication` or `renderModule`:
```typescript
// Example usage in an Express server handling: http://localhost:4000//evil.com
app.get('*', async (req, res) => {
  const html = await renderApplication(bootstrap, {
    document: template,
    url: req.url, // req.url is "//evil.com"
  });
  res.send(html);
});
```
(cherry picked from commit
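The following is an added example, not code from the commit or from Angular itself. It demonstrates the parser behaviour the commit message describes (a protocol-relative or backslash-prefixed request path resolved against `new URL(urlStr, origin)` ends up with a different host than the origin) and one defensive check an SSR server can apply before handing `req.url` to `renderApplication`: parse, then require that the resolved origin still equals the server's own origin. The origin `http://localhost:4000` and the function names `resolvedHost`, `parseRequestUrl` and `isSafeRequestUrl` are assumptions for this example.

```typescript
// Added example (not Angular's code). Uses only the WHATWG URL class that
// Node.js provides globally, so it runs without imports.

// Constructed sample origin for the SSR server.
const ORIGIN = 'http://localhost:4000';

// Hostname that the WHATWG parser resolves for a request path against the origin.
// For a normal path this is the origin's own host; for "//evil.com" or
// "/\evil.com" (backslash treated as slash for special schemes) it is "evil.com".
function resolvedHost(requestUrl: string, origin: string = ORIGIN): string {
  return new URL(requestUrl, origin).hostname;
}

// Hardened parse: resolve the request URL, then refuse any result whose
// origin (scheme + host + port) no longer matches the server's origin.
// This rejects protocol-relative paths, backslash-prefixed paths and
// absolute URLs pointing elsewhere instead of silently re-targeting the host.
function parseRequestUrl(requestUrl: string, origin: string = ORIGIN): URL {
  const base = new URL(origin);
  const parsed = new URL(requestUrl, base);
  if (parsed.origin !== base.origin) {
    throw new Error(`request URL escapes origin ${base.origin}: ${requestUrl}`);
  }
  return parsed;
}

// Boolean convenience wrapper for use in a request guard / middleware.
function isSafeRequestUrl(requestUrl: string, origin: string = ORIGIN): boolean {
  try {
    parseRequestUrl(requestUrl, origin);
    return true;
  } catch {
    return false;
  }
}

// Stand-alone demonstration.
for (const path of ['/products?id=1', '//evil.com', '/\\evil.com']) {
  console.log(path, '->', resolvedHost(path), 'safe:', isSafeRequestUrl(path));
}
```

Comparing `parsed.origin` rather than only `hostname` also catches scheme or port changes, which a hostname-only check would miss. A server that applies this guard returns an error response for the rejected paths rather than passing them on to SSR rendering.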
| Path |
|---|
| .. |
| init |
| src |
| test |
| testing |
| third_party/domino |
| BUILD.bazel |
| index.ts |
| package.json |
| PACKAGE.md |
| public_api.ts |