fixup! fix(@angular/ssr): validate host headers to prevent header-based SSRF

Author: alan-agius4

packages/angular/ssr/node/src/common-engine/common-engine.ts

@@ -12,7 +12,7 @@ import { renderApplication, renderModule, ɵSERVER_CONTEXT } from '@angular/plat
 import * as fs from 'node:fs';
 import { dirname, join, normalize, resolve } from 'node:path';
 import { URL } from 'node:url';
-import { isHostAllowed } from '../../../src/utils/headers';
+import { isHostAllowed } from '../../../src/utils/validation';
 import { attachNodeGlobalErrorHandlers } from '../errors';
 import { CommonEngineInlineCriticalCssProcessor } from './inline-css-processor';
 import {

packages/angular/ssr/node/src/request.ts

@@ -8,7 +8,7 @@
 
 import type { IncomingHttpHeaders, IncomingMessage } from 'node:http';
 import type { Http2ServerRequest } from 'node:http2';
-import { getFirstHeaderValue } from '../../src/utils/headers';
+import { getFirstHeaderValue } from '../../src/utils/validation';
 
 /**
  * A set containing all the pseudo-headers defined in the HTTP/2 specification.

packages/angular/ssr/src/app-engine.ts

@@ -10,8 +10,8 @@ import type { AngularServerApp, getOrCreateAngularServerApp } from './app';
 import { Hooks } from './hooks';
 import { getPotentialLocaleIdFromUrl, getPreferredLocale } from './i18n';
 import { EntryPointExports, getAngularAppEngineManifest } from './manifest';
-import { validateHeaders } from './utils/headers';
 import { joinUrlParts } from './utils/url';
+import { validateRequest } from './utils/validation';
 
 /**
  * Angular server application engine.
@@ -80,7 +80,7 @@ export class AngularAppEngine {
    */
   async handle(request: Request, requestContext?: unknown): Promise<Response | null> {
     try {
-      validateHeaders(request, this.allowedHosts);
+      validateRequest(request, this.allowedHosts);
     } catch (error) {
       const body = error instanceof Error ? error.message : undefined;
 

packages/angular/ssr/src/utils/headers.ts …ages/angular/ssr/src/utils/validation.tspackages/angular/ssr/src/utils/headers.ts renamed to packages/angular/ssr/src/utils/validation.ts packages/angular/ssr/src/utils/headers.ts renamed to packages/angular/ssr/src/utils/validation.ts

@@ -53,29 +53,35 @@ export function getFirstHeaderValue(
 }
 
 /**
- * Validates the headers of an incoming request.
- *
- * This function checks for the validity of critical headers such as `x-forwarded-host`,
- *  `host`, `x-forwarded-port`, and `x-forwarded-proto`.
- * It ensures that the hostnames match the allowed hosts and that ports and protocols adhere to expected formats.
+ * Validates a request.
  *
- * @param request - The incoming `Request` object containing the headers to validate.
+ * @param request - The incoming `Request` object to validate.
  * @param allowedHosts - A set of allowed hostnames.
  * @throws Error if any of the validated headers contain invalid values.
  */
-export function validateHeaders(request: Request, allowedHosts: ReadonlySet<string>): void {
-  const headers = request.headers;
-  validateHost('x-forwarded-host', headers, allowedHosts);
-  validateHost('host', headers, allowedHosts);
+export function validateRequest(request: Request, allowedHosts: ReadonlySet<string>): void {
+  validateHeaders(request, allowedHosts);
+  validateUrl(new URL(request.url), allowedHosts);
+}
 
-  const xForwardedPort = getFirstHeaderValue(headers.get('x-forwarded-port'));
-  if (xForwardedPort && !VALID_PORT_REGEX.test(xForwardedPort)) {
-    throw new Error('Header "x-forwarded-port" must be a numeric value.');
-  }
+/**
+ * Validates that the hostname of a given URL is allowed.
+ *
+ * @param url - The URL object to validate.
+ * @param allowedHosts - A set of allowed hostnames.
+ * @throws Error if the hostname is not in the allowlist.
+ */
+export function validateUrl(url: URL, allowedHosts: ReadonlySet<string>): void {
+  if (!isHostAllowed(url.hostname, allowedHosts)) {
+    let errorMessage = `URL with hostname "${url.hostname}" is not allowed.`;
+    if (typeof ngDevMode === 'undefined' || ngDevMode) {
+      errorMessage +=
+        '\n\nAction Required: Update your "angular.json" to include this hostname. ' +
+        'Path: "projects.[project-name].architect.build.options.security.allowedHosts".' +
+        '\n\nFor more information, see https://angular.dev/guide/ssr#configuring-allowed-hosts';
+    }
 
-  const xForwardedProto = getFirstHeaderValue(headers.get('x-forwarded-proto'));
-  if (xForwardedProto && !VALID_PROTO_REGEX.test(xForwardedProto)) {
-    throw new Error('Header "x-forwarded-proto" must be either "http" or "https".');
+    throw new Error(errorMessage);
   }
 }
 
@@ -87,7 +93,7 @@ export function validateHeaders(request: Request, allowedHosts: ReadonlySet<stri
  * @param allowedHosts - A set of allowed hostnames.
  * @throws Error if the header value is invalid or the hostname is not in the allowlist.
  */
-function validateHost(
+function validateHostHeaders(
   headerName: string,
   headers: Headers,
   allowedHosts: ReadonlySet<string>,
@@ -113,7 +119,8 @@ function validateHost(
     if (typeof ngDevMode === 'undefined' || ngDevMode) {
       errorMessage +=
         '\n\nAction Required: Update your "angular.json" to include this hostname. ' +
-        'Path: "projects.[project-name].architect.build.options.security.allowedHosts".';
+        'Path: "projects.[project-name].architect.build.options.security.allowedHosts".' +
+        '\n\nFor more information, see https://angular.dev/guide/ssr#configuring-allowed-hosts';
     }
 
     throw new Error(errorMessage);
@@ -157,3 +164,30 @@ function checkWildcardHostnames(hostname: string, allowedHosts: ReadonlySet<stri
 
   return false;
 }
+
+/**
+ * Validates the headers of an incoming request.
+ *
+ * This function checks for the validity of critical headers such as `x-forwarded-host`,
+ *  `host`, `x-forwarded-port`, and `x-forwarded-proto`.
+ * It ensures that the hostnames match the allowed hosts and that ports and protocols adhere to expected formats.
+ *
+ * @param request - The incoming `Request` object containing the headers to validate.
+ * @param allowedHosts - A set of allowed hostnames.
+ * @throws Error if any of the validated headers contain invalid values.
+ */
+function validateHeaders(request: Request, allowedHosts: ReadonlySet<string>): void {
+  const headers = request.headers;
+  validateHostHeaders('x-forwarded-host', headers, allowedHosts);
+  validateHostHeaders('host', headers, allowedHosts);
+
+  const xForwardedPort = getFirstHeaderValue(headers.get('x-forwarded-port'));
+  if (xForwardedPort && !VALID_PORT_REGEX.test(xForwardedPort)) {
+    throw new Error('Header "x-forwarded-port" must be a numeric value.');
+  }
+
+  const xForwardedProto = getFirstHeaderValue(headers.get('x-forwarded-proto'));
+  if (xForwardedProto && !VALID_PROTO_REGEX.test(xForwardedProto)) {
+    throw new Error('Header "x-forwarded-proto" must be either "http" or "https".');
+  }
+}

…s/angular/ssr/test/utils/headers_spec.ts …ngular/ssr/test/utils/validation_spec.tspackages/angular/ssr/test/utils/headers_spec.ts renamed to packages/angular/ssr/test/utils/validation_spec.ts packages/angular/ssr/test/utils/headers_spec.ts renamed to packages/angular/ssr/test/utils/validation_spec.ts

@@ -6,9 +6,9 @@
  * found in the LICENSE file at https://angular.dev/license
  */
 
-import { validateHeaders } from '../../src/utils/headers';
+import { validateRequest, validateUrl } from '../../src/utils/validation';
 
-describe('validateHeaders', () => {
+describe('validateRequest', () => {
   const allowedHosts = new Set(['example.com', 'sub.example.com']);
 
   it('should pass valid headers with allowed host', () => {
@@ -21,7 +21,7 @@ describe('validateHeaders', () => {
       },
     });
 
-    expect(() => validateHeaders(request, allowedHosts)).not.toThrow();
+    expect(() => validateRequest(request, allowedHosts)).not.toThrow();
   });
 
   it('should pass valid headers with localhost (default allowed)', () => {
@@ -31,7 +31,7 @@ describe('validateHeaders', () => {
       },
     });
 
-    expect(() => validateHeaders(request, allowedHosts)).not.toThrow();
+    expect(() => validateRequest(request, allowedHosts)).not.toThrow();
   });
 
   it('should throw error for disallowed host', () => {
@@ -41,11 +41,13 @@ describe('validateHeaders', () => {
       },
     });
 
-    expect(() => validateHeaders(request, allowedHosts)).toThrowError(
+    expect(() => validateRequest(request, allowedHosts)).toThrowError(
       /Header "host" with value "evil\.com" is not allowed/,
     );
   });
 
+  // ...
+
   it('should throw error for disallowed x-forwarded-host', () => {
     const request = new Request('https://example.com', {
       headers: {
@@ -54,7 +56,7 @@ describe('validateHeaders', () => {
       },
     });
 
-    expect(() => validateHeaders(request, allowedHosts)).toThrowError(
+    expect(() => validateRequest(request, allowedHosts)).toThrowError(
       /Header "x-forwarded-host" with value "evil\.com" is not allowed/,
     );
   });
@@ -67,7 +69,7 @@ describe('validateHeaders', () => {
       },
     });
 
-    expect(() => validateHeaders(request, allowedHosts)).toThrowError(
+    expect(() => validateRequest(request, allowedHosts)).toThrowError(
       'Header "x-forwarded-host" contains path separators which is not allowed.',
     );
   });
@@ -80,7 +82,7 @@ describe('validateHeaders', () => {
       },
     });
 
-    expect(() => validateHeaders(request, allowedHosts)).toThrowError(
+    expect(() => validateRequest(request, allowedHosts)).toThrowError(
       'Header "x-forwarded-port" must be a numeric value.',
     );
   });
@@ -93,7 +95,7 @@ describe('validateHeaders', () => {
       },
     });
 
-    expect(() => validateHeaders(request, allowedHosts)).toThrowError(
+    expect(() => validateRequest(request, allowedHosts)).toThrowError(
       'Header "x-forwarded-proto" must be either "http" or "https".',
     );
   });
@@ -106,7 +108,7 @@ describe('validateHeaders', () => {
       },
     });
 
-    expect(() => validateHeaders(request, allowedHosts)).not.toThrow();
+    expect(() => validateRequest(request, allowedHosts)).not.toThrow();
   });
 
   it('should ignore port in host validation', () => {
@@ -116,7 +118,7 @@ describe('validateHeaders', () => {
       },
     });
 
-    expect(() => validateHeaders(request, allowedHosts)).not.toThrow();
+    expect(() => validateRequest(request, allowedHosts)).not.toThrow();
   });
 
   it('should throw if host header is completely malformed url', () => {
@@ -126,7 +128,7 @@ describe('validateHeaders', () => {
       },
     });
 
-    expect(() => validateHeaders(request, allowedHosts)).toThrowError(
+    expect(() => validateRequest(request, allowedHosts)).toThrowError(
       'Header "host" contains an invalid value.',
     );
   });
@@ -141,7 +143,7 @@ describe('validateHeaders', () => {
         },
       });
 
-      expect(() => validateHeaders(request, wildcardHosts)).not.toThrow();
+      expect(() => validateRequest(request, wildcardHosts)).not.toThrow();
     });
 
     it('should match nested subdomain', () => {
@@ -151,7 +153,7 @@ describe('validateHeaders', () => {
         },
       });
 
-      expect(() => validateHeaders(request, wildcardHosts)).not.toThrow();
+      expect(() => validateRequest(request, wildcardHosts)).not.toThrow();
     });
 
     it('should not match base domain', () => {
@@ -161,7 +163,7 @@ describe('validateHeaders', () => {
         },
       });
 
-      expect(() => validateHeaders(request, wildcardHosts)).toThrowError(
+      expect(() => validateRequest(request, wildcardHosts)).toThrowError(
         /Header "host" with value "example\.com" is not allowed/,
       );
     });
@@ -173,9 +175,26 @@ describe('validateHeaders', () => {
         },
       });
 
-      expect(() => validateHeaders(request, wildcardHosts)).toThrowError(
+      expect(() => validateRequest(request, wildcardHosts)).toThrowError(
         /Header "host" with value "evil\.com" is not allowed/,
       );
     });
   });
+
+  it('should pass valid URL with allowed host', () => {
+    const request = new Request('https://example.com/path');
+    expect(() => validateRequest(request, allowedHosts)).not.toThrow();
+  });
+
+  it('should pass valid URL with allowed sub-domain', () => {
+    const request = new Request('https://sub.example.com/path');
+    expect(() => validateRequest(request, allowedHosts)).not.toThrow();
+  });
+
+  it('should throw error for disallowed host', () => {
+    const request = new Request('https://evil.com/path');
+    expect(() => validateRequest(request, allowedHosts)).toThrowError(
+      /URL with hostname "evil\.com" is not allowed/,
+    );
+  });
 });