fix(@angular/ssr): prevent open redirect via X-Forwarded-Prefix header

alan-agius4 · alan-agius4 · commit bdc4f23195da · 2026-02-20T11:01:25.000Z
This change addresses a security vulnerability where `joinUrlParts()` in `packages/angular/ssr/src/utils/url.ts` only stripped one leading slash from URL parts. When the `X-Forwarded-Prefix` header contains multiple leading slashes (e.g., `///evil.com`), the function previously produced a protocol-relative URL (e.g., `//evil.com/home`). If the application issues a redirect (e.g., via a generic redirect route), the browser interprets this 'Location' header as an external redirect to `https://evil.com/home`. This vulnerability poses a risk as open redirects can be used in phishing attacks. Additionally, since the redirect response may lack `Cache-Control` headers, intermediate CDNs could cache the poisoned redirect, serving it to other users. This commit fixes the issue by: 1. Updating `joinUrlParts` to internally strip *all* leading and trailing slashes from URL segments, preventing the formation of protocol-relative URLs from malicious input. 2. Adding strict validation for the `X-Forwarded-Prefix` header to immediately reject requests with values starting with multiple slashes (`//`). Closes #32501
diff --git a/packages/angular/ssr/src/utils/url.ts b/packages/angular/ssr/src/utils/url.ts
@@ -95,26 +95,32 @@ export function addTrailingSlash(url: string): string {
  * ```
  */
 export function joinUrlParts(...parts: string[]): string {
-  const normalizeParts: string[] = [];
+  const normalizedParts: string[] = [];
+
   for (const part of parts) {
     if (part === '') {
       // Skip any empty parts
       continue;
     }
 
-    let normalizedPart = part;
-    if (part[0] === '/') {
-      normalizedPart = normalizedPart.slice(1);
+    let start = 0;
+    let end = part.length;
+
+    // Use "Pointers" to avoid intermediate slices
+    while (start < end && part[start] === '/') {
+      start++;
     }
-    if (part.at(-1) === '/') {
-      normalizedPart = normalizedPart.slice(0, -1);
+
+    while (end > start && part[end - 1] === '/') {
+      end--;
     }
-    if (normalizedPart !== '') {
-      normalizeParts.push(normalizedPart);
+
+    if (start < end) {
+      normalizedParts.push(part.slice(start, end));
     }
   }
 
-  return addLeadingSlash(normalizeParts.join('/'));
+  return addLeadingSlash(normalizedParts.join('/'));
 }
 
 /**
diff --git a/packages/angular/ssr/src/utils/validation.ts b/packages/angular/ssr/src/utils/validation.ts
@@ -205,4 +205,9 @@ function validateHeaders(request: Request, allowedHosts: ReadonlySet<string>): v
   if (xForwardedProto && !VALID_PROTO_REGEX.test(xForwardedProto)) {
     throw new Error('Header "x-forwarded-proto" must be either "http" or "https".');
   }
+
+  const xForwardedPrefix = getFirstHeaderValue(headers.get('x-forwarded-prefix'));
+  if (xForwardedPrefix?.startsWith('//')) {
+    throw new Error('Header "x-forwarded-prefix" must not start with multiple "/".');
+  }
 }
diff --git a/packages/angular/ssr/test/utils/url_spec.ts b/packages/angular/ssr/test/utils/url_spec.ts
@@ -100,6 +100,18 @@ describe('URL Utils', () => {
     it('should handle an all-empty URL parts', () => {
       expect(joinUrlParts('', '')).toBe('/');
     });
+
+    it('should normalize parts with multiple leading and trailing slashes', () => {
+      expect(joinUrlParts('//path//', '///to///', '//resource//')).toBe('/path/to/resource');
+    });
+
+    it('should handle a single part', () => {
+      expect(joinUrlParts('path')).toBe('/path');
+    });
+
+    it('should handle parts containing only slashes', () => {
+      expect(joinUrlParts('//', '///')).toBe('/');
+    });
   });
 
   describe('stripIndexHtmlFromURL', () => {
diff --git a/packages/angular/ssr/test/utils/validation_spec.ts b/packages/angular/ssr/test/utils/validation_spec.ts
@@ -124,6 +124,19 @@ describe('Validation Utils', () => {
         'Header "x-forwarded-host" contains path separators which is not allowed.',
       );
     });
+
+    it('should throw error if x-forwarded-prefix starts with multiple slashes', () => {
+      const request = new Request('https://example.com', {
+        headers: {
+          'host': 'example.com',
+          'x-forwarded-prefix': '//evil',
+        },
+      });
+
+      expect(() => validateRequest(request, allowedHosts)).toThrowError(
+        'Header "x-forwarded-prefix" must not start with multiple "/".',
+      );
+    });
   });
 
   describe('cloneRequestWithPatchedHeaders', () => {

Original file line number	Diff line number	Diff line change
`@@ -205,4 +205,9 @@ function validateHeaders(request: Request, allowedHosts: ReadonlySet<string>): v`
`205`	`205`	`if (xForwardedProto && !VALID_PROTO_REGEX.test(xForwardedProto)) {`
`206`	`206`	`throw new Error('Header "x-forwarded-proto" must be either "http" or "https".');`
`207`	`207`	`}`
	`208`	`+`
	`209`	`+ const xForwardedPrefix = getFirstHeaderValue(headers.get('x-forwarded-prefix'));`
	`210`	`+ if (xForwardedPrefix?.startsWith('//')) {`
	`211`	`+ throw new Error('Header "x-forwarded-prefix" must not start with multiple "/".');`
	`212`	`+ }`
`208`	`213`	`}`