angular/packages
Alan Agius ede7c58a2a fix(platform-server): prevent SSRF bypasses via protocol-relative and backslash URLs
The `parseUrl` function in `ServerPlatformLocation` uses `new URL(urlStr, origin)` to parse incoming request URLs during SSR. Per the WHATWG URL specification, protocol-relative URLs (`//evil.com`) and backslash-prefixed URLs (`/\evil.com`) can override the hostname component of the base URL.

This vulnerability typically manifests in SSR setups (e.g., Express) where `req.url` is passed directly to `renderApplication` or `renderModule`:

```typescript
// Example usage in an Express server handling: http://localhost:4000//evil.com
import express from 'express';
import {renderApplication} from '@angular/platform-server';

// `bootstrap` (the application bootstrap function) and `template` (the
// contents of index.html) are assumed to be defined elsewhere in the server.
const app = express();

app.get('*', async (req, res) => {
  const html = await renderApplication(bootstrap, {
    document: template,
    url: req.url, // req.url is "//evil.com"
  });
  res.send(html);
});
```
2026-04-15 10:23:52 -04:00
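The following TypeScript is an added example, not Angular's code and not the fix from this commit. It reproduces the WHATWG URL behaviour the commit message describes (a request path that starts with `//`, `/\`, `///` or `\\` replaces the host of the base URL) and shows one hardening approach: parse the same way, then reject any result whose origin differs from the server's. The server origin `http://localhost:4000`, the function names and the sample request paths are assumptions.

```typescript
// Added example, not Angular's code: WHATWG URL resolution lets a request path
// replace the base host, and an origin check that rejects such inputs.
// The origin, function names and sample paths below are assumptions.

const SERVER_ORIGIN = 'http://localhost:4000'; // assumed SSR origin

// Unsafe pattern from the commit message: resolve req.url against the origin
// and trust whatever host comes out.
function parseUrlUnsafe(urlStr: string, origin: string = SERVER_ORIGIN): URL {
  return new URL(urlStr, origin);
}

// Hardened variant (an assumption, not the project's fix): parse the same way,
// then refuse any result whose origin differs from the server's. Checking the
// parser's output rather than the raw string also covers '///evil.com' and
// '\\evil.com', which the same special-scheme rules resolve to a foreign host.
function parseUrlSafe(urlStr: string, origin: string = SERVER_ORIGIN): URL {
  const base = new URL(origin);
  const parsed = new URL(urlStr, base);
  if (parsed.origin !== base.origin) {
    throw new Error(`request URL ${JSON.stringify(urlStr)} resolves to ${parsed.origin}`);
  }
  return parsed;
}

// Hostname the unsafe parser would hand to the application.
function resolvedHostname(urlStr: string): string {
  return parseUrlUnsafe(urlStr).hostname;
}

// true when the hardened parser refuses the request URL.
function isRejected(urlStr: string): boolean {
  try {
    parseUrlSafe(urlStr);
    return false;
  } catch {
    return true;
  }
}

// Constructed request paths: one benign, the two from the commit message,
// two further spellings of the same trick, and a percent-encoded backslash
// (which stays a path character and is therefore harmless).
const SAMPLE_REQUEST_URLS = [
  '/products/1',
  '//evil.com/x',
  '/\\evil.com/x',
  '///evil.com/x',
  '\\\\evil.com/x',
  '/%5Cevil.com/x',
];

for (const u of SAMPLE_REQUEST_URLS) {
  console.log(`${u.padEnd(16)} unsafe host=${resolvedHostname(u).padEnd(12)} rejected=${isRejected(u)}`);
}
```

Comparing `parsed.origin` with the base origin is deliberately done on the parser's output: any spelling the URL parser treats as an authority (extra slashes, backslashes, an absolute URL with another scheme or port) ends up with a different origin, while inputs that remain path characters, such as `%5C`, pass through unchanged.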
| Name | Last commit | Date |
|---|---|---|
| animations | test: remove duplicate tests (#67518) | 2026-03-11 13:37:33 -07:00 |
| benchpress | build: update cross-repo angular dependencies | 2026-03-05 11:43:25 -08:00 |
| common | fix(http): add CSP nonce support to JsonpClientBackend | 2026-04-13 16:01:11 +03:00 |
| compiler | fix(compiler): don't escape dollar sign in literal expression | 2026-04-10 09:23:50 +03:00 |
| compiler-cli | refactor(compiler-cli): decouple SymbolReference from AST nodes in template checker | 2026-04-14 12:32:48 +03:00 |
| core | feat(core): implement Angular DI graph in-page AI tool | 2026-04-14 18:35:51 +03:00 |
| docs/di | build: format md files | 2025-11-06 10:03:05 -08:00 |
| elements | refactor(core): remove ComponentFactoryResolver usages | 2026-04-13 16:00:03 +03:00 |
| examples | feat(core): bootstrap via ApplicationRef with config | 2026-04-07 12:48:53 -07:00 |
| forms | feat(forms): shim legacy NG_VALIDATORS into parseErrors for CVA mode (#67943) | 2026-04-14 18:32:24 +03:00 |
| language-service | refactor: remove all deep imports in language service | 2026-04-13 11:16:26 +03:00 |
| localize | fix(localize): validate locale in getOutputPathFn to prevent path traversal | 2026-03-30 12:15:26 +02:00 |
| misc/angular-in-memory-web-api | fix(http): Don't on Passthru outside of reactive context | 2026-04-15 10:20:48 -04:00 |
| platform-browser | refactor(core): deprecate withIncrementalHydration | 2026-04-13 18:53:21 +03:00 |
| platform-browser-dynamic | build: update minimum supported Node.js versions | 2026-02-25 07:57:18 -08:00 |
| platform-server | fix(platform-server): prevent SSRF bypasses via protocol-relative and backslash URLs | 2026-04-15 10:23:52 -04:00 |
| private/testing | build: consolidate domino bundling in platform-server | 2026-03-25 13:31:05 -07:00 |
| router | fix(router): normalize multiple leading slashes in URL parser | 2026-04-14 12:34:03 +03:00 |
| service-worker | fix(service-worker): resolve TS 6.0 compatibility for messageerror listener | 2026-04-09 21:46:28 +03:00 |
| ssr/docs | build: add node type for api extraction | 2026-02-11 13:57:58 -08:00 |
| upgrade | refactor(core): remove ComponentFactoryResolver usages | 2026-04-13 16:00:03 +03:00 |
| zone.js | build: update cross-repo angular dependencies | 2026-03-25 13:32:59 -07:00 |
| BUILD.bazel | refactor(platform-browser): remove Hammer integration | 2026-03-19 16:13:20 -07:00 |
| circular-deps-test.conf.cjs | build: use Node.js built-in TypeScript support for dev-infra scripts | 2026-01-02 08:15:40 +01:00 |
| empty.ts | | |
| goog.d.ts | | |
| license-banner.txt | docs: update copyright year | 2026-01-07 12:28:34 -05:00 |
| package.json | build: prepare for compiler-cli to be using ts_project (#61181) | 2025-05-09 15:59:46 +00:00 |
| README.md | build: format md files | 2025-11-06 10:03:05 -08:00 |
| system.d.ts | refactor: update packages/core:{core,src} to ts_project (#61275) | 2025-05-14 12:01:51 +00:00 |
| tsconfig-build.json | Revert "refactor(compiler-cli): remove deep imports from compiler-cli (#64732)" | 2025-11-06 13:09:01 -08:00 |
| tsconfig-legacy-saucelabs.json | | |
| tsconfig-test.json | | |
| tsconfig.json | feat(compiler-cli): enable type checking of host bindings by default (#63654) | 2025-09-09 14:34:29 -07:00 |
| tsec-exemption.json | | |
| types.d.ts | refactor(platform-browser): remove Hammer integration | 2026-03-19 16:13:20 -07:00 |

Angular

The sources for this package are in the main Angular repo. Please file issues and pull requests against that repo.

Usage information and reference details can be found in Angular documentation.

License: MIT