mirror of
https://github.com/angular/angular
synced 2026-05-24 09:28:37 +00:00
The `parseUrl` function in `ServerPlatformLocation` uses `new URL(urlStr, origin)` to parse incoming request URLs during SSR. Per the WHATWG URL specification, protocol-relative URLs (`//evil.com`) and backslash-prefixed URLs (`/\evil.com`) can override the hostname component of the base URL.
This vulnerability typically manifests in SSR setups (e.g., Express) where `req.url` is passed directly to `renderApplication` or `renderModule`:
```typescript
// Example usage in an Express server handling: http://localhost:4000//evil.com
app.get('*', async (req, res) => {
  const html = await renderApplication(bootstrap, {
    document: template,
    url: req.url, // req.url is "//evil.com"
  });
  res.send(html);
});
```
(cherry picked from commit
| File |
|---|
| .. |
| domino_adapter.ts |
| http.ts |
| location.ts |
| platform-server.ts |
| platform_state.ts |
| private_export.ts |
| provide_server.ts |
| server.ts |
| server_events.ts |
| tokens.ts |
| transfer_state.ts |
| types.d.ts |
| utils.ts |
| version.ts |