Elgato_dark/angular
1
0
Fork 0
mirror of https://github.com/angular/angular synced 2026-05-24 09:28:37 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
angular/integration/platform-server/projects/ngmodule/server.ts
Alan Agius 60552a73e8 fix(platform-server): add allowedHosts option to renderModule and renderApplication 
In server-side rendering (SSR) setups, passing request URLs directly to the lower-level rendering APIs `renderModule` or `renderApplication` can expose applications to Server-Side Request Forgery (SSRF) or Host Header Injection attacks via absolute-form request URLs.
To mitigate these vulnerabilities at the framework layer, this commit introduces the `allowedHosts` option to `PlatformConfig` (supporting exact hostnames, wildcards like `*.example.com`, or `*` to allow all).

During platform initialization inside `createServerPlatform`, the hostname of the request `url` is validated against the `allowedHosts` list. If the hostname is not authorized, bootstrap immediately throws a host validation error, preventing unauthorized rendering and silent SSRF bypasses.

Closes #68436
2026-05-07 16:30:03 -06:00

55 lines
1.5 KiB
TypeScript
Raw Blame History

/**
* @license
* Copyright Google LLC All Rights Reserved.
*
* Use of this source code is governed by an MIT-style license that can be
* found in the LICENSE file at https://angular.dev/license
*/
/* tslint:disable:no-console */
import {APP_BASE_HREF} from '@angular/common';
import {renderModule} from '@angular/platform-server';
import express from 'express';
import AppServerModule from './src/main.server';
import {fileURLToPath} from 'node:url';
import {dirname, join, resolve} from 'node:path';
import {readFileSync} from 'node:fs';
import './prerender';
const app = express();
const serverDistFolder = dirname(fileURLToPath(import.meta.url));
const browserDistFolder = resolve(serverDistFolder, '../browser');
const indexHtml = readFileSync(join(browserDistFolder, 'index.csr.html'), 'utf-8');
// Serve static files from /browser
app.use(
express.static(browserDistFolder, {
maxAge: '1y',
}),
);
// Mock API
app.get('/api', (req, res) => {
res.json({data: 'API 1 response'});
});
app.get('/api-2', (req, res) => {
res.json({data: 'API 2 response'});
});
// All regular routes use the Universal engine
app.use((req, res) => {
const {protocol, originalUrl, baseUrl, headers} = req;
renderModule(AppServerModule, {
document: indexHtml,
allowedHosts: ['localhost'],
url: `${protocol}://${headers.host}${originalUrl}`,
extraProviders: [{provide: APP_BASE_HREF, useValue: baseUrl}],
}).then((response: string) => {
res.send(response);
});
});
app.listen(4206, () => {
console.log('Server listening on port 4206!');
});
Reference in a new issue View git blame Copy permalink