fixup! fix(@angular/ssr): validate host headers to prevent header-based SSRF

Author: alan-agius4

packages/angular/build/src/builders/application/schema.json

@@ -53,7 +53,7 @@
       "additionalProperties": false,
       "properties": {
         "allowedHosts": {
-          "description": "A list of hosts that are allowed to access the server-side application.",
+          "description": "A list of hostnames that are allowed to access the server-side application. For more information, see https://angular.dev/guide/ssr#configuring-allowed-hosts.",
           "type": "array",
           "uniqueItems": true,
           "items": {

packages/angular/build/src/utils/server-rendering/manifest.ts

@@ -86,11 +86,7 @@ export function generateAngularServerAppEngineManifest(
   const manifestContent = `
 export default {
   basePath: '${basePath}',
-  allowedHosts: ${JSON.stringify(
-    allowedHosts.map((host) => host.replace(/^www\./i, '')),
-    undefined,
-    2,
-  )},
+  allowedHosts: ${JSON.stringify(allowedHosts, undefined, 2)},
   supportedLocales: ${JSON.stringify(supportedLocales, undefined, 2)},
   entryPoints: {
     ${Object.entries(entryPoints)

packages/angular/ssr/node/src/common-engine/common-engine.ts

@@ -12,6 +12,7 @@ import { renderApplication, renderModule, ɵSERVER_CONTEXT } from '@angular/plat
 import * as fs from 'node:fs';
 import { dirname, join, normalize, resolve } from 'node:path';
 import { URL } from 'node:url';
+import { isHostAllowed } from '../../../src/utils/validation';
 import { attachNodeGlobalErrorHandlers } from '../errors';
 import { CommonEngineInlineCriticalCssProcessor } from './inline-css-processor';
 import {
@@ -20,11 +21,6 @@ import {
   runMethodAndMeasurePerf,
 } from './peformance-profiler';
 
-/**
- * Regular expression to match and remove the `www.` prefix from hostnames.
- */
-const WWW_HOST_REGEX = /^www\./i;
-
 const SSG_MARKER_REGEXP = /ng-server-context=["']\w*\|?ssg\|?\w*["']/;
 
 export interface CommonEngineOptions {
@@ -75,13 +71,7 @@ export class CommonEngine {
   private readonly allowedHosts: ReadonlySet<string>;
 
   constructor(private options: CommonEngineOptions) {
-    this.allowedHosts = new Set([
-      ...options.allowedHosts.map((host) => host.replace(WWW_HOST_REGEX, '')),
-      'localhost',
-      '127.0.0.1',
-      '::1',
-      '[::1]',
-    ]);
+    this.allowedHosts = new Set(options.allowedHosts);
 
     attachNodeGlobalErrorHandlers();
   }
@@ -128,27 +118,12 @@ export class CommonEngine {
       throw new Error(`URL "${url}" is invalid.`);
     }
 
-    const hostname = new URL(url).hostname.replace(WWW_HOST_REGEX, '');
-
-    if (this.allowedHosts.has(hostname)) {
-      return;
-    }
-
-    // Support wildcard hostnames.
-    for (const allowedHost of this.allowedHosts) {
-      if (!allowedHost.startsWith('*.')) {
-        continue;
-      }
-
-      const domain = allowedHost.slice(1);
-      if (hostname.endsWith(domain)) {
-        return;
-      }
+    const hostname = new URL(url).hostname;
+    if (!isHostAllowed(hostname, this.allowedHosts)) {
+      throw new Error(
+        `Host ${hostname} is not allowed. Please provide a list of allowed hosts in the "allowedHosts" option.`,
+      );
     }
-
-    throw new Error(
-      `Host ${hostname} is not allowed. Please provide a list of allowed hosts in the "allowedHosts" option.`,
-    );
   }
 
   private inlineCriticalCss(html: string, opts: CommonEngineRenderOptions): Promise<string> {

packages/angular/ssr/node/src/request.ts

@@ -8,7 +8,7 @@
 
 import type { IncomingHttpHeaders, IncomingMessage } from 'node:http';
 import type { Http2ServerRequest } from 'node:http2';
-import { getFirstHeaderValue } from '../../src/utils/headers';
+import { getFirstHeaderValue } from '../../src/utils/validation';
 
 /**
  * A set containing all the pseudo-headers defined in the HTTP/2 specification.

packages/angular/ssr/src/app-engine.ts

@@ -10,8 +10,8 @@ import type { AngularServerApp, getOrCreateAngularServerApp } from './app';
 import { Hooks } from './hooks';
 import { getPotentialLocaleIdFromUrl, getPreferredLocale } from './i18n';
 import { EntryPointExports, getAngularAppEngineManifest } from './manifest';
-import { validateHeaders } from './utils/headers';
 import { joinUrlParts } from './utils/url';
+import { validateRequest } from './utils/validation';
 
 /**
  * Angular server application engine.
@@ -80,7 +80,7 @@ export class AngularAppEngine {
    */
   async handle(request: Request, requestContext?: unknown): Promise<Response | null> {
     try {
-      validateHeaders(request, this.allowedHosts);
+      validateRequest(request, this.allowedHosts);
     } catch (error) {
       const body = error instanceof Error ? error.message : undefined;
 

packages/angular/ssr/src/utils/headers.ts …ages/angular/ssr/src/utils/validation.tspackages/angular/ssr/src/utils/headers.ts renamed to packages/angular/ssr/src/utils/validation.ts packages/angular/ssr/src/utils/headers.ts renamed to packages/angular/ssr/src/utils/validation.ts

@@ -16,11 +16,6 @@ const VALID_PORT_REGEX = /^\d+$/;
  */
 const VALID_PROTO_REGEX = /^https?$/i;
 
-/**
- * Regular expression to match and remove the `www.` prefix from hostnames.
- */
-const WWW_HOST_REGEX = /^www\./i;
-
 /**
  * Regular expression to match path separators.
  */
@@ -58,29 +53,36 @@ export function getFirstHeaderValue(
 }
 
 /**
- * Validates the headers of an incoming request.
- *
- * This function checks for the validity of critical headers such as `x-forwarded-host`,
- *  `host`, `x-forwarded-port`, and `x-forwarded-proto`.
- * It ensures that the hostnames match the allowed hosts and that ports and protocols adhere to expected formats.
+ * Validates a request.
  *
- * @param request - The incoming `Request` object containing the headers to validate.
+ * @param request - The incoming `Request` object to validate.
  * @param allowedHosts - A set of allowed hostnames.
  * @throws Error if any of the validated headers contain invalid values.
  */
-export function validateHeaders(request: Request, allowedHosts: ReadonlySet<string>): void {
-  const headers = request.headers;
-  validateHost('x-forwarded-host', headers, allowedHosts);
-  validateHost('host', headers, allowedHosts);
+export function validateRequest(request: Request, allowedHosts: ReadonlySet<string>): void {
+  validateHeaders(request, allowedHosts);
+  validateUrl(new URL(request.url), allowedHosts);
+}
 
-  const xForwardedPort = getFirstHeaderValue(headers.get('x-forwarded-port'));
-  if (xForwardedPort && !VALID_PORT_REGEX.test(xForwardedPort)) {
-    throw new Error('Header "x-forwarded-port" must be a numeric value.');
-  }
+/**
+ * Validates that the hostname of a given URL is allowed.
+ *
+ * @param url - The URL object to validate.
+ * @param allowedHosts - A set of allowed hostnames.
+ * @throws Error if the hostname is not in the allowlist.
+ */
+export function validateUrl(url: URL, allowedHosts: ReadonlySet<string>): void {
+  const { hostname } = url;
+  if (!isHostAllowed(hostname, allowedHosts)) {
+    let errorMessage = `URL with hostname "${hostname}" is not allowed.`;
+    if (typeof ngDevMode === 'undefined' || ngDevMode) {
+      errorMessage +=
+        '\n\nAction Required: Update your "angular.json" to include this hostname. ' +
+        'Path: "projects.[project-name].architect.build.options.security.allowedHosts".' +
+        '\n\nFor more information, see https://angular.dev/guide/ssr#configuring-allowed-hosts';
+    }
 
-  const xForwardedProto = getFirstHeaderValue(headers.get('x-forwarded-proto'));
-  if (xForwardedProto && !VALID_PROTO_REGEX.test(xForwardedProto)) {
-    throw new Error('Header "x-forwarded-proto" must be either "http" or "https".');
+    throw new Error(errorMessage);
   }
 }
 
@@ -92,12 +94,12 @@ export function validateHeaders(request: Request, allowedHosts: ReadonlySet<stri
  * @param allowedHosts - A set of allowed hostnames.
  * @throws Error if the header value is invalid or the hostname is not in the allowlist.
  */
-function validateHost(
+function validateHostHeaders(
   headerName: string,
   headers: Headers,
   allowedHosts: ReadonlySet<string>,
 ): void {
-  const value = getFirstHeaderValue(headers.get(headerName))?.replace(WWW_HOST_REGEX, '');
+  const value = getFirstHeaderValue(headers.get(headerName));
   if (!value) {
     return;
   }
@@ -113,25 +115,34 @@ function validateHost(
   }
 
   const { hostname } = new URL(url);
-  if (
+  if (!isHostAllowed(hostname, allowedHosts)) {
+    let errorMessage = `Header "${headerName}" with value "${value}" is not allowed.`;
+    if (typeof ngDevMode === 'undefined' || ngDevMode) {
+      errorMessage +=
+        '\n\nAction Required: Update your "angular.json" to include this hostname. ' +
+        'Path: "projects.[project-name].architect.build.options.security.allowedHosts".' +
+        '\n\nFor more information, see https://angular.dev/guide/ssr#configuring-allowed-hosts';
+    }
+
+    throw new Error(errorMessage);
+  }
+}
+
+/**
+ * Checks if the hostname is allowed.
+ * @param hostname - The hostname to check.
+ * @param allowedHosts - A set of allowed hostnames.
+ * @returns `true` if the hostname is allowed, `false` otherwise.
+ */
+export function isHostAllowed(hostname: string, allowedHosts: ReadonlySet<string>): boolean {
+  return (
     // Check the provided allowed hosts first.
     allowedHosts.has(hostname) ||
     checkWildcardHostnames(hostname, allowedHosts) ||
     // Check the default allowed hosts last this is the fallback and should be rarely if ever used in production.
     DEFAULT_ALLOWED_HOSTS.has(hostname) ||
     checkWildcardHostnames(hostname, DEFAULT_ALLOWED_HOSTS)
-  ) {
-    return;
-  }
-
-  let errorMessage = `Header "${headerName}" with value "${value}" is not allowed.`;
-  if (typeof ngDevMode === 'undefined' || ngDevMode) {
-    errorMessage +=
-      '\n\nAction Required: Update your "angular.json" to include this hostname. ' +
-      'Path: "projects.[project-name].architect.build.options.security.allowedHosts".';
-  }
-
-  throw new Error(errorMessage);
+  );
 }
 
 /**
@@ -154,3 +165,30 @@ function checkWildcardHostnames(hostname: string, allowedHosts: ReadonlySet<stri
 
   return false;
 }
+
+/**
+ * Validates the headers of an incoming request.
+ *
+ * This function checks for the validity of critical headers such as `x-forwarded-host`,
+ *  `host`, `x-forwarded-port`, and `x-forwarded-proto`.
+ * It ensures that the hostnames match the allowed hosts and that ports and protocols adhere to expected formats.
+ *
+ * @param request - The incoming `Request` object containing the headers to validate.
+ * @param allowedHosts - A set of allowed hostnames.
+ * @throws Error if any of the validated headers contain invalid values.
+ */
+function validateHeaders(request: Request, allowedHosts: ReadonlySet<string>): void {
+  const headers = request.headers;
+  validateHostHeaders('x-forwarded-host', headers, allowedHosts);
+  validateHostHeaders('host', headers, allowedHosts);
+
+  const xForwardedPort = getFirstHeaderValue(headers.get('x-forwarded-port'));
+  if (xForwardedPort && !VALID_PORT_REGEX.test(xForwardedPort)) {
+    throw new Error('Header "x-forwarded-port" must be a numeric value.');
+  }
+
+  const xForwardedProto = getFirstHeaderValue(headers.get('x-forwarded-proto'));
+  if (xForwardedProto && !VALID_PROTO_REGEX.test(xForwardedProto)) {
+    throw new Error('Header "x-forwarded-proto" must be either "http" or "https".');
+  }
+}