angular/packages/platform-server/test
Alan Agius e0b5078cf2 fix(platform-server): prevent SSRF bypasses via protocol-relative and backslash URLs
The `parseUrl` function in `ServerPlatformLocation` uses `new URL(urlStr, origin)` to parse incoming request URLs during SSR. Per the WHATWG URL specification, protocol-relative URLs (`//evil.com`) and backslash-prefixed URLs (`/\evil.com`) can override the hostname component of the base URL.

This vulnerability typically manifests in SSR setups (e.g., Express) where `req.url` is passed directly to `renderApplication` or `renderModule`:

```typescript
// Example usage in an Express server handling: http://localhost:4000//evil.com
app.get('*', async (req, res) => {
  const html = await renderApplication(bootstrap, {
    document: template,
    url: req.url, // req.url is "//evil.com"
  });
  res.send(html);
});
```

(cherry picked from commit ede7c58a2a)
2026-04-15 10:23:57 -04:00
| File | Last commit | Date |
|---|---|---|
| BUILD.bazel | build: consolidate domino bundling in platform-server | 2026-03-25 13:31:10 -07:00 |
| dom_utils.ts | fix(core): Ensure application remains unstable during bootstrap (#62631) | 2025-07-15 07:52:36 -07:00 |
| event_replay_spec.ts | test(platform-server): replace fixed timeout with polling in event replay test | 2026-04-03 13:50:09 -07:00 |
| full_app_hydration_spec.ts | refactor(platform-server): split zone/zoneless tests. | 2026-02-13 09:41:10 -08:00 |
| hydration_utils.ts | feat(core): introduce BootstrapContext for improved server bootstrapping (#63562) | 2025-09-09 10:57:09 -07:00 |
| incremental_hydration_spec.ts | test(platform-server): fix race condition in incremental hydration test | 2026-04-03 23:47:00 +00:00 |
| integration_spec.ts | refactor(platform-server): split zone/zoneless tests. | 2026-02-13 09:41:10 -08:00 |
| platform_location_spec.ts | fix(platform-server): prevent SSRF bypasses via protocol-relative and backslash URLs | 2026-04-15 10:23:57 -04:00 |
| render_spec.ts | refactor: clean up explicit standalone flags from tests (#63963) | 2025-09-22 14:27:34 +00:00 |
| transfer_state_spec.ts | fix(core): escape forward slashes in transfer state to prevent crawler indexing | 2026-04-13 13:55:00 +03:00 |