In server-side rendering (SSR) setups, passing request URLs directly to the lower-level rendering APIs `renderModule` or `renderApplication` can expose applications to Server-Side Request Forgery (SSRF) or Host Header Injection attacks via absolute-form request URLs. To mitigate these vulnerabilities at the framework layer, this commit introduces the `allowedHosts` option to `PlatformConfig` (supporting exact hostnames, wildcards like `*.example.com`, or `*` to allow all hosts, which effectively turns the check off). During platform initialization inside `createServerPlatform`, the hostname of the request `url` is validated against the `allowedHosts` list. If the hostname is not authorized, bootstrap immediately throws a host validation error, preventing unauthorized rendering and silent SSRF bypasses.

Closes #68436
/**
* @license
* Copyright Google LLC All Rights Reserved.
*
* Use of this source code is governed by an MIT-style license that can be
* found in the LICENSE file at https://angular.dev/license
*/
export {
INTERNAL_SERVER_PLATFORM_PROVIDERS as ɵINTERNAL_SERVER_PLATFORM_PROVIDERS,
SERVER_RENDER_PROVIDERS as ɵSERVER_RENDER_PROVIDERS,
} from './server';
export {SERVER_CONTEXT as ɵSERVER_CONTEXT, renderInternal as ɵrenderInternal} from './utils';
export {ENABLE_DOM_EMULATION as ɵENABLE_DOM_EMULATION} from './tokens';
export {DominoAdapter as ɵDominoAdapter} from './domino_adapter';
// Used by @angular/ssr; the ɵ prefix marks this as a private export, not public API.
export {isHostAllowed as ɵisHostAllowed} from './utils';