fixup! fix(@angular/ssr): validate host headers to prevent header-based SSRF

alan-agius4 · alan-agius4 · commit 0a4fcefaa51f · 2026-02-17T08:48:37.000Z
diff --git a/packages/angular/ssr/node/src/common-engine/common-engine.ts b/packages/angular/ssr/node/src/common-engine/common-engine.ts
@@ -124,6 +124,10 @@ export class CommonEngine {
   }
 
   private validateHost(url: string): void {
+    if (!URL.canParse(url)) {
+      throw new Error(`URL "${url}" is invalid.`);
+    }
+
     const hostname = new URL(url).hostname.replace(WWW_HOST_REGEX, '');
 
     if (this.allowedHosts.has(hostname)) {
diff --git a/packages/angular_devkit/build_angular/src/builders/ssr-dev-server/specs/proxy_spec.ts b/packages/angular_devkit/build_angular/src/builders/ssr-dev-server/specs/proxy_spec.ts
@@ -56,7 +56,7 @@ describe('Serve SSR Builder', () => {
               .render({
                 bootstrap: AppServerModule,
                 documentFilePath: indexHtml,
-                url: req.originalUrl,
+                url: \`${protocol}://${headers.host}${originalUrl}\`,
                 publicPath: distFolder,
               })
               .then((html) => res.send(html))
diff --git a/packages/angular_devkit/build_angular/src/builders/ssr-dev-server/specs/ssl_spec.ts b/packages/angular_devkit/build_angular/src/builders/ssr-dev-server/specs/ssl_spec.ts
@@ -52,11 +52,12 @@ describe('Serve SSR Builder', () => {
           }));
 
           server.use((req, res, next) => {
+            const { protocol, originalUrl, baseUrl, headers } = req;
             commonEngine
               .render({
                 bootstrap: AppServerModule,
                 documentFilePath: indexHtml,
-                url: req.originalUrl,
+                url: \`${protocol}://${headers.host}${originalUrl}\`,
                 publicPath: distFolder,
               })
               .then((html) => res.send(html))
diff --git a/packages/angular_devkit/build_angular/src/builders/ssr-dev-server/specs/works_spec.ts b/packages/angular_devkit/build_angular/src/builders/ssr-dev-server/specs/works_spec.ts
@@ -55,7 +55,7 @@ describe('Serve SSR Builder', () => {
             .render({
               bootstrap: AppServerModule,
               documentFilePath: indexHtml,
-              url: req.originalUrl,
+              url: \`${protocol}://${headers.host}${originalUrl}\`,
               publicPath: distFolder,
             })
             .then((html) => res.send(html))

Original file line number	Diff line number	Diff line change
`@@ -124,6 +124,10 @@ export class CommonEngine {`
`124`	`124`	`}`
`125`	`125`
`126`	`126`	`private validateHost(url: string): void {`
	`127`	`+ if (!URL.canParse(url)) {`
	`128`	+ throw new Error(`URL "${url}" is invalid.`);
	`129`	`+ }`
	`130`	`+`
`127`	`131`	`const hostname = new URL(url).hostname.replace(WWW_HOST_REGEX, '');`
`128`	`132`
`129`	`133`	`if (this.allowedHosts.has(hostname)) {`