angular/packages/platform-server
Alan Agius ede7c58a2a fix(platform-server): prevent SSRF bypasses via protocol-relative and backslash URLs
The `parseUrl` function in `ServerPlatformLocation` uses `new URL(urlStr, origin)` to parse incoming request URLs during SSR. Per the WHATWG URL specification, protocol-relative URLs (`//evil.com`) and backslash-prefixed URLs (`/\evil.com`) can override the hostname component of the base URL.

This vulnerability typically manifests in SSR setups (e.g., Express) where `req.url` is passed directly to `renderApplication` or `renderModule`:

```typescript
// Example usage in an Express server handling: http://localhost:4000//evil.com
app.get('*', async (req, res) => {
  const html = await renderApplication(bootstrap, {
    document: template,
    url: req.url, // req.url is "//evil.com"
  });
  res.send(html);
});
```
2026-04-15 10:23:52 -04:00
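As an added example (not Angular's code and not part of this commit), the TypeScript below shows how Node's WHATWG URL parser resolves the request paths described above against an assumed SSR origin of `http://localhost:4000`, and a same-origin guard a server can apply before handing `req.url` to `renderApplication`. The guard goes slightly beyond the two shapes named in the commit: it also rejects absolute URLs and unparsable input. The origin, sample paths and function names are assumptions for this example.

```typescript
// Added example, not Angular's code. Assumed SSR origin for the server.
const ORIGIN = 'http://localhost:4000';

// Resolve a raw request URL exactly as `new URL(urlStr, origin)` does.
// For special schemes the WHATWG parser treats `\` like `/`, so both
// `//evil.com` and `/\evil.com` resolve with host `evil.com`.
function resolveRequestUrl(urlStr: string, origin: string = ORIGIN): URL {
  return new URL(urlStr, origin);
}

// Host the parser ends up with for a given request path.
function hostOf(urlStr: string, origin: string = ORIGIN): string {
  return resolveRequestUrl(urlStr, origin).host;
}

// Same-origin guard: return the resolved URL only when it stays on the
// server's own origin; otherwise return null so the caller can answer with
// a 400 instead of rendering (and fetching) on behalf of another host.
function safeRequestUrl(urlStr: string, origin: string = ORIGIN): URL | null {
  let parsed: URL;
  try {
    parsed = new URL(urlStr, origin);
  } catch {
    return null; // unparsable input is rejected rather than rendered
  }
  const base = new URL(origin);
  return parsed.origin === base.origin ? parsed : null;
}

// Constructed sample request paths: one ordinary path plus the two shapes
// the commit addresses.
const SAMPLE_PATHS = ['/products?id=1', '//evil.com', '/\\evil.com'];

// Classify each sample as rendered or rejected by the guard.
function classify(paths: string[] = SAMPLE_PATHS): Record<string, string> {
  const out: Record<string, string> = {};
  for (const p of paths) {
    const safe = safeRequestUrl(p);
    out[p] = safe ? `render ${safe.pathname}` : `reject (resolves to ${hostOf(p)})`;
  }
  return out;
}
```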
| Path | Last commit | Date |
| --- | --- | --- |
| init | build: consolidate domino bundling in platform-server | 2026-03-25 13:31:05 -07:00 |
| src | fix(platform-server): prevent SSRF bypasses via protocol-relative and backslash URLs | 2026-04-15 10:23:52 -04:00 |
| test | fix(platform-server): prevent SSRF bypasses via protocol-relative and backslash URLs | 2026-04-15 10:23:52 -04:00 |
| testing | build: rename defaults2.bzl to defaults.bzl (#63383) | 2025-08-25 15:45:01 -07:00 |
| third_party/domino | build: consolidate domino bundling in platform-server | 2026-03-25 13:31:05 -07:00 |
| BUILD.bazel | build: consolidate domino bundling in platform-server | 2026-03-25 13:31:05 -07:00 |
| index.ts | refactor: update license text to point to angular.dev (#57901) | 2024-09-24 15:33:00 +02:00 |
| package.json | build: update minimum supported Node.js versions | 2026-02-25 07:57:18 -08:00 |
| PACKAGE.md | docs: drop glossary links (#55044) | 2024-03-28 13:02:50 -07:00 |
| public_api.ts | refactor: update license text to point to angular.dev (#57901) | 2024-09-24 15:33:00 +02:00 |