angular/packages/platform-server/src
Alan Agius e0b5078cf2 fix(platform-server): prevent SSRF bypasses via protocol-relative and backslash URLs
The `parseUrl` function in `ServerPlatformLocation` uses `new URL(urlStr, origin)` to parse incoming request URLs during SSR. Per the WHATWG URL specification, protocol-relative URLs (`//evil.com`) and backslash-prefixed URLs (`/\evil.com`) can override the hostname component of the base URL.

This vulnerability typically manifests in SSR setups (e.g., Express) where `req.url` is passed directly to `renderApplication` or `renderModule`:

```typescript
// Example usage in an Express server handling: http://localhost:4000//evil.com
import express from 'express';
import {renderApplication} from '@angular/platform-server';

// `bootstrap` (the app's bootstrap function) and `template` (the contents of
// index.html) are assumed to be defined elsewhere in the server entry file.
const app = express();

app.get('*', async (req, res) => {
  const html = await renderApplication(bootstrap, {
    document: template,
    url: req.url, // req.url is "//evil.com"; resolved against the origin, it replaces the host
  });
  res.send(html);
});
```

(cherry picked from commit ede7c58a2a)
2026-04-15 10:23:57 -04:00
| File | Last commit | Date |
|---|---|---|
| domino_adapter.ts | build: consolidate domino bundling in platform-server | 2026-03-25 13:31:10 -07:00 |
| http.ts | refactor: update license text to point to angular.dev (#57901) | 2024-09-24 15:33:00 +02:00 |
| location.ts | fix(platform-server): prevent SSRF bypasses via protocol-relative and backslash URLs | 2026-04-15 10:23:57 -04:00 |
| platform-server.ts | refactor: update license text to point to angular.dev (#57901) | 2024-09-24 15:33:00 +02:00 |
| platform_state.ts | refactor(platform-server): Add an ssr benchmark setup. (#57647) | 2024-10-04 10:45:22 -07:00 |
| private_export.ts | build: move private testing helpers outside platform-browser/testing (#61472) | 2025-05-20 10:00:43 +00:00 |
| provide_server.ts | fix(platform-server): decouple server from animations module (#59762) | 2025-01-29 10:52:18 -08:00 |
| server.ts | refactor(core): remove unnecessary deps arrays (#63823) | 2025-09-16 16:51:52 +00:00 |
| server_events.ts | feat(core): add event listener options to renderer (#59092) | 2024-12-10 13:39:47 -08:00 |
| tokens.ts | refactor(platform-server): Add an ssr benchmark setup. (#57647) | 2024-10-04 10:45:22 -07:00 |
| transfer_state.ts | refactor(platform-server): remove redundant providedIn: 'root' from injection tokens | 2025-11-04 00:31:52 +00:00 |
| types.d.ts | refactor: update license text to point to angular.dev (#57901) | 2024-09-24 15:33:00 +02:00 |
| utils.ts | feat(core): introduce BootstrapContext for improved server bootstrapping (#63562) | 2025-09-09 10:57:09 -07:00 |
| version.ts | refactor(core): mark VERSION as @__PURE__ for better tree-shaking | 2025-11-10 12:04:04 -08:00 |