@angular/ssr 20.3.15 → 20.3.17

package/fesm2022/validation.mjs

@@ -0,0 +1,213 @@
+/**
+ * The set of headers that should be validated for host header injection attacks.
+ */
+const HOST_HEADERS_TO_VALIDATE = new Set(['host', 'x-forwarded-host']);
+/**
+ * Regular expression to validate that the port is a numeric value.
+ */
+const VALID_PORT_REGEX = /^\d+$/;
+/**
+ * Regular expression to validate that the protocol is either http or https (case-insensitive).
+ */
+const VALID_PROTO_REGEX = /^https?$/i;
+/**
+ * Regular expression to validate that the host is a valid hostname.
+ */
+const VALID_HOST_REGEX = /^[a-z0-9.:-]+$/i;
+/**
+ * Regular expression to validate that the prefix is valid.
+ */
+const INVALID_PREFIX_REGEX = /^[/\\]{2}|(?:^|[/\\])\.\.?(?:[/\\]|$)/;
+/**
+ * Extracts the first value from a multi-value header string.
+ *
+ * @param value - A string or an array of strings representing the header values.
+ *                If it's a string, values are expected to be comma-separated.
+ * @returns The first trimmed value from the multi-value header, or `undefined` if the input is invalid or empty.
+ *
+ * @example
+ * ```typescript
+ * getFirstHeaderValue("value1, value2, value3"); // "value1"
+ * getFirstHeaderValue(["value1", "value2"]); // "value1"
+ * getFirstHeaderValue(undefined); // undefined
+ * ```
+ */
+function getFirstHeaderValue(value) {
+    return value?.toString().split(',', 1)[0]?.trim();
+}
+/**
+ * Validates a request.
+ *
+ * @param request - The incoming `Request` object to validate.
+ * @param allowedHosts - A set of allowed hostnames.
+ * @throws Error if any of the validated headers contain invalid values.
+ */
+function validateRequest(request, allowedHosts) {
+    validateHeaders(request);
+    validateUrl(new URL(request.url), allowedHosts);
+}
+/**
+ * Validates that the hostname of a given URL is allowed.
+ *
+ * @param url - The URL object to validate.
+ * @param allowedHosts - A set of allowed hostnames.
+ * @throws Error if the hostname is not in the allowlist.
+ */
+function validateUrl(url, allowedHosts) {
+    const { hostname } = url;
+    if (!isHostAllowed(hostname, allowedHosts)) {
+        throw new Error(`URL with hostname "${hostname}" is not allowed.`);
+    }
+}
+/**
+ * Clones a request and patches the `get` method of the request headers to validate the host headers.
+ * @param request - The request to validate.
+ * @param allowedHosts - A set of allowed hostnames.
+ * @returns An object containing the cloned request and a promise that resolves to an error
+ * if any of the validated headers contain invalid values.
+ */
+function cloneRequestAndPatchHeaders(request, allowedHosts) {
+    let onError;
+    const onErrorPromise = new Promise((resolve) => {
+        onError = resolve;
+    });
+    const clonedReq = new Request(request.clone(), {
+        signal: request.signal,
+    });
+    const headers = clonedReq.headers;
+    const originalGet = headers.get;
+    // eslint-disable-next-line @typescript-eslint/no-unnecessary-type-assertion
+    headers.get = function (name) {
+        const value = originalGet.call(headers, name);
+        if (!value) {
+            return value;
+        }
+        validateHeader(name, value, allowedHosts, onError);
+        return value;
+    };
+    const originalValues = headers.values;
+    // eslint-disable-next-line @typescript-eslint/no-unnecessary-type-assertion
+    headers.values = function () {
+        for (const name of HOST_HEADERS_TO_VALIDATE) {
+            validateHeader(name, originalGet.call(headers, name), allowedHosts, onError);
+        }
+        return originalValues.call(headers);
+    };
+    const originalEntries = headers.entries;
+    // eslint-disable-next-line @typescript-eslint/no-unnecessary-type-assertion
+    headers.entries = function () {
+        const iterator = originalEntries.call(headers);
+        return {
+            next() {
+                const result = iterator.next();
+                if (!result.done) {
+                    const [key, value] = result.value;
+                    validateHeader(key, value, allowedHosts, onError);
+                }
+                return result;
+            },
+            [Symbol.iterator]() {
+                return this;
+            },
+        };
+    };
+    // Ensure for...of loops use the new patched entries
+    headers[Symbol.iterator] = headers.entries;
+    return { request: clonedReq, onError: onErrorPromise };
+}
+/**
+ * Validates a specific header value against the allowed hosts.
+ * @param name - The name of the header to validate.
+ * @param value - The value of the header to validate.
+ * @param allowedHosts - A set of allowed hostnames.
+ * @param onError - A callback function to call if the header value is invalid.
+ * @throws Error if the header value is invalid.
+ */
+function validateHeader(name, value, allowedHosts, onError) {
+    if (!value) {
+        return;
+    }
+    if (!HOST_HEADERS_TO_VALIDATE.has(name.toLowerCase())) {
+        return;
+    }
+    try {
+        verifyHostAllowed(name, value, allowedHosts);
+    }
+    catch (error) {
+        onError(error);
+        throw error;
+    }
+}
+/**
+ * Validates a specific host header value against the allowed hosts.
+ *
+ * @param headerName - The name of the header to validate (e.g., 'host', 'x-forwarded-host').
+ * @param headerValue - The value of the header to validate.
+ * @param allowedHosts - A set of allowed hostnames.
+ * @throws Error if the header value is invalid or the hostname is not in the allowlist.
+ */
+function verifyHostAllowed(headerName, headerValue, allowedHosts) {
+    const value = getFirstHeaderValue(headerValue);
+    if (!value) {
+        return;
+    }
+    const url = `http://${value}`;
+    if (!URL.canParse(url)) {
+        throw new Error(`Header "${headerName}" contains an invalid value and cannot be parsed.`);
+    }
+    const { hostname } = new URL(url);
+    if (!isHostAllowed(hostname, allowedHosts)) {
+        throw new Error(`Header "${headerName}" with value "${value}" is not allowed.`);
+    }
+}
+/**
+ * Checks if the hostname is allowed.
+ * @param hostname - The hostname to check.
+ * @param allowedHosts - A set of allowed hostnames.
+ * @returns `true` if the hostname is allowed, `false` otherwise.
+ */
+function isHostAllowed(hostname, allowedHosts) {
+    if (allowedHosts.has(hostname)) {
+        return true;
+    }
+    for (const allowedHost of allowedHosts) {
+        if (!allowedHost.startsWith('*.')) {
+            continue;
+        }
+        const domain = allowedHost.slice(1);
+        if (hostname.endsWith(domain)) {
+            return true;
+        }
+    }
+    return false;
+}
+/**
+ * Validates the headers of an incoming request.
+ *
+ * @param request - The incoming `Request` object containing the headers to validate.
+ * @throws Error if any of the validated headers contain invalid values.
+ */
+function validateHeaders(request) {
+    const headers = request.headers;
+    for (const headerName of HOST_HEADERS_TO_VALIDATE) {
+        const headerValue = getFirstHeaderValue(headers.get(headerName));
+        if (headerValue && !VALID_HOST_REGEX.test(headerValue)) {
+            throw new Error(`Header "${headerName}" contains characters that are not allowed.`);
+        }
+    }
+    const xForwardedPort = getFirstHeaderValue(headers.get('x-forwarded-port'));
+    if (xForwardedPort && !VALID_PORT_REGEX.test(xForwardedPort)) {
+        throw new Error('Header "x-forwarded-port" must be a numeric value.');
+    }
+    const xForwardedProto = getFirstHeaderValue(headers.get('x-forwarded-proto'));
+    if (xForwardedProto && !VALID_PROTO_REGEX.test(xForwardedProto)) {
+        throw new Error('Header "x-forwarded-proto" must be either "http" or "https".');
+    }
+    const xForwardedPrefix = getFirstHeaderValue(headers.get('x-forwarded-prefix'));
+    if (xForwardedPrefix && INVALID_PREFIX_REGEX.test(xForwardedPrefix)) {
+        throw new Error('Header "x-forwarded-prefix" must not start with multiple "/" or "\\" or contain ".", ".." path segments.');
+    }
+}
+
+export { cloneRequestAndPatchHeaders, getFirstHeaderValue, validateRequest, validateUrl };
+//# sourceMappingURL=validation.mjs.map

package/fesm2022/validation.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"validation.mjs","sources":["../../../../../../k8-fastbuild-ST-199a4f3c4e20/bin/packages/angular/ssr/src/utils/validation.ts"],"sourcesContent":["/**\n * @license\n * Copyright Google LLC All Rights Reserved.\n *\n * Use of this source code is governed by an MIT-style license that can be\n * found in the LICENSE file at https://angular.dev/license\n */\n\n/**\n * The set of headers that should be validated for host header injection attacks.\n */\nconst HOST_HEADERS_TO_VALIDATE: ReadonlySet<string> = new Set(['host', 'x-forwarded-host']);\n\n/**\n * Regular expression to validate that the port is a numeric value.\n */\nconst VALID_PORT_REGEX = /^\\d+$/;\n\n/**\n * Regular expression to validate that the protocol is either http or https (case-insensitive).\n */\nconst VALID_PROTO_REGEX = /^https?$/i;\n\n/**\n * Regular expression to validate that the host is a valid hostname.\n */\nconst VALID_HOST_REGEX = /^[a-z0-9.:-]+$/i;\n\n/**\n * Regular expression to validate that the prefix is valid.\n */\nconst INVALID_PREFIX_REGEX = /^[/\\\\]{2}|(?:^|[/\\\\])\\.\\.?(?:[/\\\\]|$)/;\n\n/**\n * Extracts the first value from a multi-value header string.\n *\n * @param value - A string or an array of strings representing the header values.\n *                If it's a string, values are expected to be comma-separated.\n * @returns The first trimmed value from the multi-value header, or `undefined` if the input is invalid or empty.\n *\n * @example\n * ```typescript\n * getFirstHeaderValue(\"value1, value2, value3\"); // \"value1\"\n * getFirstHeaderValue([\"value1\", \"value2\"]); // \"value1\"\n * getFirstHeaderValue(undefined); // undefined\n * ```\n */\nexport function getFirstHeaderValue(\n  value: string | string[] | undefined | null,\n): string | undefined {\n  return value?.toString().split(',', 1)[0]?.trim();\n}\n\n/**\n * Validates a request.\n *\n * @param request - The incoming `Request` object to validate.\n * @param allowedHosts - A set of allowed hostnames.\n * @throws Error if any of the validated headers contain invalid values.\n */\nexport function validateRequest(request: Request, allowedHosts: ReadonlySet<string>): void {\n  validateHeaders(request);\n  validateUrl(new URL(request.url), allowedHosts);\n}\n\n/**\n * Validates that the hostname of a given URL is allowed.\n *\n * @param url - The URL object to validate.\n * @param allowedHosts - A set of allowed hostnames.\n * @throws Error if the hostname is not in the allowlist.\n */\nexport function validateUrl(url: URL, allowedHosts: ReadonlySet<string>): void {\n  const { hostname } = url;\n  if (!isHostAllowed(hostname, allowedHosts)) {\n    throw new Error(`URL with hostname \"${hostname}\" is not allowed.`);\n  }\n}\n\n/**\n * Clones a request and patches the `get` method of the request headers to validate the host headers.\n * @param request - The request to validate.\n * @param allowedHosts - A set of allowed hostnames.\n * @returns An object containing the cloned request and a promise that resolves to an error\n * if any of the validated headers contain invalid values.\n */\nexport function cloneRequestAndPatchHeaders(\n  request: Request,\n  allowedHosts: ReadonlySet<string>,\n): { request: Request; onError: Promise<Error> } {\n  let onError: (value: Error) => void;\n  const onErrorPromise = new Promise<Error>((resolve) => {\n    onError = resolve;\n  });\n\n  const clonedReq = new Request(request.clone(), {\n    signal: request.signal,\n  });\n\n  const headers = clonedReq.headers;\n\n  const originalGet = headers.get;\n  // eslint-disable-next-line @typescript-eslint/no-unnecessary-type-assertion\n  (headers.get as typeof originalGet) = function (name) {\n    const value = originalGet.call(headers, name);\n    if (!value) {\n      return value;\n    }\n\n    validateHeader(name, value, allowedHosts, onError);\n\n    return value;\n  };\n\n  const originalValues = headers.values;\n  // eslint-disable-next-line @typescript-eslint/no-unnecessary-type-assertion\n  (headers.values as typeof originalValues) = function () {\n    for (const name of HOST_HEADERS_TO_VALIDATE) {\n      validateHeader(name, originalGet.call(headers, name), allowedHosts, onError);\n    }\n\n    return originalValues.call(headers);\n  };\n\n  const originalEntries = headers.entries;\n  // eslint-disable-next-line @typescript-eslint/no-unnecessary-type-assertion\n  (headers.entries as typeof originalEntries) = function () {\n    const iterator = originalEntries.call(headers);\n\n    return {\n      next() {\n        const result = iterator.next();\n        if (!result.done) {\n          const [key, value] = result.value;\n          validateHeader(key, value, allowedHosts, onError);\n        }\n\n        return result;\n      },\n      [Symbol.iterator]() {\n        return this;\n      },\n    };\n  };\n\n  // Ensure for...of loops use the new patched entries\n  (headers[Symbol.iterator] as typeof originalEntries) = headers.entries;\n\n  return { request: clonedReq, onError: onErrorPromise };\n}\n\n/**\n * Validates a specific header value against the allowed hosts.\n * @param name - The name of the header to validate.\n * @param value - The value of the header to validate.\n * @param allowedHosts - A set of allowed hostnames.\n * @param onError - A callback function to call if the header value is invalid.\n * @throws Error if the header value is invalid.\n */\nfunction validateHeader(\n  name: string,\n  value: string | null,\n  allowedHosts: ReadonlySet<string>,\n  onError: (value: Error) => void,\n): void {\n  if (!value) {\n    return;\n  }\n\n  if (!HOST_HEADERS_TO_VALIDATE.has(name.toLowerCase())) {\n    return;\n  }\n\n  try {\n    verifyHostAllowed(name, value, allowedHosts);\n  } catch (error) {\n    onError(error as Error);\n\n    throw error;\n  }\n}\n\n/**\n * Validates a specific host header value against the allowed hosts.\n *\n * @param headerName - The name of the header to validate (e.g., 'host', 'x-forwarded-host').\n * @param headerValue - The value of the header to validate.\n * @param allowedHosts - A set of allowed hostnames.\n * @throws Error if the header value is invalid or the hostname is not in the allowlist.\n */\nfunction verifyHostAllowed(\n  headerName: string,\n  headerValue: string,\n  allowedHosts: ReadonlySet<string>,\n): void {\n  const value = getFirstHeaderValue(headerValue);\n  if (!value) {\n    return;\n  }\n\n  const url = `http://${value}`;\n  if (!URL.canParse(url)) {\n    throw new Error(`Header \"${headerName}\" contains an invalid value and cannot be parsed.`);\n  }\n\n  const { hostname } = new URL(url);\n  if (!isHostAllowed(hostname, allowedHosts)) {\n    throw new Error(`Header \"${headerName}\" with value \"${value}\" is not allowed.`);\n  }\n}\n\n/**\n * Checks if the hostname is allowed.\n * @param hostname - The hostname to check.\n * @param allowedHosts - A set of allowed hostnames.\n * @returns `true` if the hostname is allowed, `false` otherwise.\n */\nfunction isHostAllowed(hostname: string, allowedHosts: ReadonlySet<string>): boolean {\n  if (allowedHosts.has(hostname)) {\n    return true;\n  }\n\n  for (const allowedHost of allowedHosts) {\n    if (!allowedHost.startsWith('*.')) {\n      continue;\n    }\n\n    const domain = allowedHost.slice(1);\n    if (hostname.endsWith(domain)) {\n      return true;\n    }\n  }\n\n  return false;\n}\n\n/**\n * Validates the headers of an incoming request.\n *\n * @param request - The incoming `Request` object containing the headers to validate.\n * @throws Error if any of the validated headers contain invalid values.\n */\nfunction validateHeaders(request: Request): void {\n  const headers = request.headers;\n  for (const headerName of HOST_HEADERS_TO_VALIDATE) {\n    const headerValue = getFirstHeaderValue(headers.get(headerName));\n    if (headerValue && !VALID_HOST_REGEX.test(headerValue)) {\n      throw new Error(`Header \"${headerName}\" contains characters that are not allowed.`);\n    }\n  }\n\n  const xForwardedPort = getFirstHeaderValue(headers.get('x-forwarded-port'));\n  if (xForwardedPort && !VALID_PORT_REGEX.test(xForwardedPort)) {\n    throw new Error('Header \"x-forwarded-port\" must be a numeric value.');\n  }\n\n  const xForwardedProto = getFirstHeaderValue(headers.get('x-forwarded-proto'));\n  if (xForwardedProto && !VALID_PROTO_REGEX.test(xForwardedProto)) {\n    throw new Error('Header \"x-forwarded-proto\" must be either \"http\" or \"https\".');\n  }\n\n  const xForwardedPrefix = getFirstHeaderValue(headers.get('x-forwarded-prefix'));\n  if (xForwardedPrefix && INVALID_PREFIX_REGEX.test(xForwardedPrefix)) {\n    throw new Error(\n      'Header \"x-forwarded-prefix\" must not start with multiple \"/\" or \"\\\\\" or contain \".\", \"..\" path segments.',\n    );\n  }\n}\n"],"names":[],"mappings":"AAQA;;AAEG;AACH,MAAM,wBAAwB,GAAwB,IAAI,GAAG,CAAC,CAAC,MAAM,EAAE,kBAAkB,CAAC,CAAC;AAE3F;;AAEG;AACH,MAAM,gBAAgB,GAAG,OAAO;AAEhC;;AAEG;AACH,MAAM,iBAAiB,GAAG,WAAW;AAErC;;AAEG;AACH,MAAM,gBAAgB,GAAG,iBAAiB;AAE1C;;AAEG;AACH,MAAM,oBAAoB,GAAG,uCAAuC;AAEpE;;;;;;;;;;;;;AAaG;AACG,SAAU,mBAAmB,CACjC,KAA2C,EAAA;AAE3C,IAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE;AACnD;AAEA;;;;;;AAMG;AACa,SAAA,eAAe,CAAC,OAAgB,EAAE,YAAiC,EAAA;IACjF,eAAe,CAAC,OAAO,CAAC;IACxB,WAAW,CAAC,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,YAAY,CAAC;AACjD;AAEA;;;;;;AAMG;AACa,SAAA,WAAW,CAAC,GAAQ,EAAE,YAAiC,EAAA;AACrE,IAAA,MAAM,EAAE,QAAQ,EAAE,GAAG,GAAG;IACxB,IAAI,CAAC,aAAa,CAAC,QAAQ,EAAE,YAAY,CAAC,EAAE;AAC1C,QAAA,MAAM,IAAI,KAAK,CAAC,sBAAsB,QAAQ,CAAA,iBAAA,CAAmB,CAAC;;AAEtE;AAEA;;;;;;AAMG;AACa,SAAA,2BAA2B,CACzC,OAAgB,EAChB,YAAiC,EAAA;AAEjC,IAAA,IAAI,OAA+B;IACnC,MAAM,cAAc,GAAG,IAAI,OAAO,CAAQ,CAAC,OAAO,KAAI;QACpD,OAAO,GAAG,OAAO;AACnB,KAAC,CAAC;IAEF,MAAM,SAAS,GAAG,IAAI,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE;QAC7C,MAAM,EAAE,OAAO,CAAC,MAAM;AACvB,KAAA,CAAC;AAEF,IAAA,MAAM,OAAO,GAAG,SAAS,CAAC,OAAO;AAEjC,IAAA,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG;;AAE9B,IAAA,OAAO,CAAC,GAA0B,GAAG,UAAU,IAAI,EAAA;QAClD,MAAM,KAAK,GAAG,WAAW,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC;QAC7C,IAAI,CAAC,KAAK,EAAE;AACV,YAAA,OAAO,KAAK;;QAGd,cAAc,CAAC,IAAI,EAAE,KAAK,EAAE,YAAY,EAAE,OAAO,CAAC;AAElD,QAAA,OAAO,KAAK;AACd,KAAC;AAED,IAAA,MAAM,cAAc,GAAG,OAAO,CAAC,MAAM;;IAEpC,OAAO,CAAC,MAAgC,GAAG,YAAA;AAC1C,QAAA,KAAK,MAAM,IAAI,IAAI,wBAAwB,EAAE;AAC3C,YAAA,cAAc,CAAC,IAAI,EAAE,WAAW,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,EAAE,YAAY,EAAE,OAAO,CAAC;;AAG9E,QAAA,OAAO,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC;AACrC,KAAC;AAED,IAAA,MAAM,eAAe,GAAG,OAAO,CAAC,OAAO;;IAEtC,OAAO,CAAC,OAAkC,GAAG,YAAA;QAC5C,MAAM,QAAQ,GAAG,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC;QAE9C,OAAO;YACL,IAAI,GAAA;AACF,gBAAA,MAAM,MAAM,GAAG,QAAQ,CAAC,IAAI,EAAE;AAC9B,gBAAA,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE;oBAChB,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,GAAG,MAAM,CAAC,KAAK;oBACjC,cAAc,CAAC,GAAG,EAAE,KAAK,EAAE,YAAY,EAAE,OAAO,CAAC;;AAGnD,gBAAA,OAAO,MAAM;aACd;YACD,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAA;AACf,gBAAA,OAAO,IAAI;aACZ;SACF;AACH,KAAC;;IAGA,OAAO,CAAC,MAAM,CAAC,QAAQ,CAA4B,GAAG,OAAO,CAAC,OAAO;IAEtE,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,cAAc,EAAE;AACxD;AAEA;;;;;;;AAOG;AACH,SAAS,cAAc,CACrB,IAAY,EACZ,KAAoB,EACpB,YAAiC,EACjC,OAA+B,EAAA;IAE/B,IAAI,CAAC,KAAK,EAAE;QACV;;IAGF,IAAI,CAAC,wBAAwB,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,EAAE;QACrD;;AAGF,IAAA,IAAI;AACF,QAAA,iBAAiB,CAAC,IAAI,EAAE,KAAK,EAAE,YAAY,CAAC;;IAC5C,OAAO,KAAK,EAAE;QACd,OAAO,CAAC,KAAc,CAAC;AAEvB,QAAA,MAAM,KAAK;;AAEf;AAEA;;;;;;;AAOG;AACH,SAAS,iBAAiB,CACxB,UAAkB,EAClB,WAAmB,EACnB,YAAiC,EAAA;AAEjC,IAAA,MAAM,KAAK,GAAG,mBAAmB,CAAC,WAAW,CAAC;IAC9C,IAAI,CAAC,KAAK,EAAE;QACV;;AAGF,IAAA,MAAM,GAAG,GAAG,CAAU,OAAA,EAAA,KAAK,EAAE;IAC7B,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE;AACtB,QAAA,MAAM,IAAI,KAAK,CAAC,WAAW,UAAU,CAAA,iDAAA,CAAmD,CAAC;;IAG3F,MAAM,EAAE,QAAQ,EAAE,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC;IACjC,IAAI,CAAC,aAAa,CAAC,QAAQ,EAAE,YAAY,CAAC,EAAE;QAC1C,MAAM,IAAI,KAAK,CAAC,CAAA,QAAA,EAAW,UAAU,CAAiB,cAAA,EAAA,KAAK,CAAmB,iBAAA,CAAA,CAAC;;AAEnF;AAEA;;;;;AAKG;AACH,SAAS,aAAa,CAAC,QAAgB,EAAE,YAAiC,EAAA;AACxE,IAAA,IAAI,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE;AAC9B,QAAA,OAAO,IAAI;;AAGb,IAAA,KAAK,MAAM,WAAW,IAAI,YAAY,EAAE;QACtC,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE;YACjC;;QAGF,MAAM,MAAM,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC;AACnC,QAAA,IAAI,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE;AAC7B,YAAA,OAAO,IAAI;;;AAIf,IAAA,OAAO,KAAK;AACd;AAEA;;;;;AAKG;AACH,SAAS,eAAe,CAAC,OAAgB,EAAA;AACvC,IAAA,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO;AAC/B,IAAA,KAAK,MAAM,UAAU,IAAI,wBAAwB,EAAE;QACjD,MAAM,WAAW,GAAG,mBAAmB,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QAChE,IAAI,WAAW,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE;AACtD,YAAA,MAAM,IAAI,KAAK,CAAC,WAAW,UAAU,CAAA,2CAAA,CAA6C,CAAC;;;IAIvF,MAAM,cAAc,GAAG,mBAAmB,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;IAC3E,IAAI,cAAc,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,cAAc,CAAC,EAAE;AAC5D,QAAA,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC;;IAGvE,MAAM,eAAe,GAAG,mBAAmB,CAAC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC;IAC7E,IAAI,eAAe,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,eAAe,CAAC,EAAE;AAC/D,QAAA,MAAM,IAAI,KAAK,CAAC,8DAA8D,CAAC;;IAGjF,MAAM,gBAAgB,GAAG,mBAAmB,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;IAC/E,IAAI,gBAAgB,IAAI,oBAAoB,CAAC,IAAI,CAAC,gBAAgB,CAAC,EAAE;AACnE,QAAA,MAAM,IAAI,KAAK,CACb,0GAA0G,CAC3G;;AAEL;;;;"}

package/index.d.ts

@@ -1,6 +1,8 @@
 import { Type, EnvironmentProviders, Provider, ApplicationRef } from '@angular/core';
 import { DefaultExport } from '@angular/router';
 import { BootstrapContext } from '@angular/platform-browser';
+import { Hooks } from './app-engine.js';
+export { AngularAppEngine, AngularAppEngineOptions } from './app-engine.js';
 import Beasties from './third_party/beasties';
 
 /**
@@ -498,6 +500,10 @@ interface AngularAppEngineManifest {
      * - `value`: The url segment associated with that locale.
      */
     readonly supportedLocales: Readonly<Record<string, string>>;
+    /**
+     * A readonly array of allowed hostnames.
+     */
+    readonly allowedHosts: Readonly<string[]>;
 }
 /**
  * Manifest for a specific Angular server application, defining assets and bootstrap logic.
@@ -653,67 +659,6 @@ declare function extractRoutesAndCreateRouteTree(options: {
     errors: string[];
 }>;
 
-/**
- * Defines a handler function type for transforming HTML content.
- * This function receives an object with the HTML to be processed.
- *
- * @param ctx - An object containing the URL and HTML content to be transformed.
- * @returns The transformed HTML as a string or a promise that resolves to the transformed HTML.
- */
-type HtmlTransformHandler = (ctx: {
-    url: URL;
-    html: string;
-}) => string | Promise<string>;
-/**
- * Defines the names of available hooks for registering and triggering custom logic within the application.
- */
-type HookName = keyof HooksMapping;
-/**
- * Mapping of hook names to their corresponding handler types.
- */
-interface HooksMapping {
-    'html:transform:pre': HtmlTransformHandler;
-}
-/**
- * Manages a collection of hooks and provides methods to register and execute them.
- * Hooks are functions that can be invoked with specific arguments to allow modifications or enhancements.
- */
-declare class Hooks {
-    /**
-     * A map of hook names to arrays of hook functions.
-     * Each hook name can have multiple associated functions, which are executed in sequence.
-     */
-    private readonly store;
-    /**
-     * Registers a new hook function under the specified hook name.
-     * This function should be a function that takes an argument of type `T` and returns a `string` or `Promise<string>`.
-     *
-     * @template Hook - The type of the hook name. It should be one of the keys of `HooksMapping`.
-     * @param name - The name of the hook under which the function will be registered.
-     * @param handler - A function to be executed when the hook is triggered. The handler will be called with an argument
-     *                  that may be modified by the hook functions.
-     *
-     * @remarks
-     * - If there are existing handlers registered under the given hook name, the new handler will be added to the list.
-     * - If no handlers are registered under the given hook name, a new list will be created with the handler as its first element.
-     *
-     * @example
-     * ```typescript
-     * hooks.on('html:transform:pre', async (ctx) => {
-     *   return ctx.html.replace(/foo/g, 'bar');
-     * });
-     * ```
-     */
-    on<Hook extends HookName>(name: Hook, handler: HooksMapping[Hook]): void;
-    /**
-     * Checks if there are any hooks registered under the specified name.
-     *
-     * @param name - The name of the hook to check.
-     * @returns `true` if there are hooks registered under the specified name, otherwise `false`.
-     */
-    has(name: HookName): boolean;
-}
-
 /**
  * Options for configuring an `AngularServerApp`.
  */
@@ -931,98 +876,6 @@ declare class InlineCriticalCssProcessor extends BeastiesBase {
     private conditionallyInsertCspLoadingScript;
 }
 
-/**
- * Angular server application engine.
- * Manages Angular server applications (including localized ones), handles rendering requests,
- * and optionally transforms index HTML before rendering.
- *
- * @remarks This class should be instantiated once and used as a singleton across the server-side
- * application to ensure consistent handling of rendering requests and resource management.
- */
-declare class AngularAppEngine {
-    /**
-     * A flag to enable or disable the rendering of prerendered routes.
-     *
-     * Typically used during development to avoid prerendering all routes ahead of time,
-     * allowing them to be rendered on the fly as requested.
-     *
-     * @private
-     */
-    static ɵallowStaticRouteRender: boolean;
-    /**
-     * Hooks for extending or modifying the behavior of the server application.
-     * These hooks are used by the Angular CLI when running the development server and
-     * provide extensibility points for the application lifecycle.
-     *
-     * @private
-     */
-    static ɵhooks: Hooks;
-    /**
-     * The manifest for the server application.
-     */
-    private readonly manifest;
-    /**
-     * A map of supported locales from the server application's manifest.
-     */
-    private readonly supportedLocales;
-    /**
-     * A cache that holds entry points, keyed by their potential locale string.
-     */
-    private readonly entryPointsCache;
-    /**
-     * Handles an incoming HTTP request by serving prerendered content, performing server-side rendering,
-     * or delivering a static file for client-side rendered routes based on the `RenderMode` setting.
-     *
-     * @param request - The HTTP request to handle.
-     * @param requestContext - Optional context for rendering, such as metadata associated with the request.
-     * @returns A promise that resolves to the resulting HTTP response object, or `null` if no matching Angular route is found.
-     *
-     * @remarks A request to `https://www.example.com/page/index.html` will serve or render the Angular route
-     * corresponding to `https://www.example.com/page`.
-     */
-    handle(request: Request, requestContext?: unknown): Promise<Response | null>;
-    /**
-     * Handles requests for the base path when i18n is enabled.
-     * Redirects the user to a locale-specific path based on the `Accept-Language` header.
-     *
-     * @param request The incoming request.
-     * @returns A `Response` object with a 302 redirect, or `null` if i18n is not enabled
-     *          or the request is not for the base path.
-     */
-    private redirectBasedOnAcceptLanguage;
-    /**
-     * Retrieves the Angular server application instance for a given request.
-     *
-     * This method checks if the request URL corresponds to an Angular application entry point.
-     * If so, it initializes or retrieves an instance of the Angular server application for that entry point.
-     * Requests that resemble file requests (except for `/index.html`) are skipped.
-     *
-     * @param request - The incoming HTTP request object.
-     * @returns A promise that resolves to an `AngularServerApp` instance if a valid entry point is found,
-     * or `null` if no entry point matches the request URL.
-     */
-    private getAngularServerAppForRequest;
-    /**
-     * Retrieves the exports for a specific entry point, caching the result.
-     *
-     * @param potentialLocale - The locale string used to find the corresponding entry point.
-     * @returns A promise that resolves to the entry point exports or `undefined` if not found.
-     */
-    private getEntryPointExports;
-    /**
-     * Retrieves the entry point for a given URL by determining the locale and mapping it to
-     * the appropriate application bundle.
-     *
-     * This method determines the appropriate entry point and locale for rendering the application by examining the URL.
-     * If there is only one entry point available, it is returned regardless of the URL.
-     * Otherwise, the method extracts a potential locale identifier from the URL and looks up the corresponding entry point.
-     *
-     * @param url - The URL of the request.
-     * @returns A promise that resolves to the entry point exports or `undefined` if not found.
-     */
-    private getEntryPointExportsForUrl;
-}
-
 /**
  * Function for handling HTTP requests in a web environment.
  *
@@ -1055,5 +908,5 @@ type RequestHandlerFunction = (request: Request) => Promise<Response | null> | n
  */
 declare function createRequestHandler(handler: RequestHandlerFunction): RequestHandlerFunction;
 
-export { AngularAppEngine, PrerenderFallback, RenderMode, createRequestHandler, provideServerRendering, withAppShell, withRoutes, InlineCriticalCssProcessor as ɵInlineCriticalCssProcessor, destroyAngularServerApp as ɵdestroyAngularServerApp, extractRoutesAndCreateRouteTree as ɵextractRoutesAndCreateRouteTree, getOrCreateAngularServerApp as ɵgetOrCreateAngularServerApp, getRoutesFromAngularRouterConfig as ɵgetRoutesFromAngularRouterConfig, setAngularAppEngineManifest as ɵsetAngularAppEngineManifest, setAngularAppManifest as ɵsetAngularAppManifest };
+export { PrerenderFallback, RenderMode, createRequestHandler, provideServerRendering, withAppShell, withRoutes, InlineCriticalCssProcessor as ɵInlineCriticalCssProcessor, destroyAngularServerApp as ɵdestroyAngularServerApp, extractRoutesAndCreateRouteTree as ɵextractRoutesAndCreateRouteTree, getOrCreateAngularServerApp as ɵgetOrCreateAngularServerApp, getRoutesFromAngularRouterConfig as ɵgetRoutesFromAngularRouterConfig, setAngularAppEngineManifest as ɵsetAngularAppEngineManifest, setAngularAppManifest as ɵsetAngularAppManifest };
 export type { RequestHandlerFunction, ServerRoute, ServerRouteClient, ServerRouteCommon, ServerRoutePrerender, ServerRoutePrerenderWithParams, ServerRouteServer };

package/node/index.d.ts

@@ -2,6 +2,7 @@ import { Type, ApplicationRef, StaticProvider } from '@angular/core';
 import { BootstrapContext } from '@angular/platform-browser';
 import { IncomingMessage, ServerResponse } from 'node:http';
 import { Http2ServerRequest, Http2ServerResponse } from 'node:http2';
+import { AngularAppEngineOptions } from '../app-engine.js';
 
 interface CommonEngineOptions {
     /** A method that when invoked returns a promise that returns an `ApplicationRef` instance once resolved or an NgModule. */
@@ -10,6 +11,8 @@ interface CommonEngineOptions {
     providers?: StaticProvider[];
     /** Enable request performance profiling data collection and printing the results in the server console. */
     enablePerformanceProfiler?: boolean;
+    /** A set of hostnames that are allowed to access the server. */
+    allowedHosts?: readonly string[];
 }
 interface CommonEngineRenderOptions {
     /** A method that when invoked returns a promise that returns an `ApplicationRef` instance once resolved or an NgModule. */
@@ -38,6 +41,7 @@ declare class CommonEngine {
     private readonly templateCache;
     private readonly inlineCriticalCssProcessor;
     private readonly pageIsSSG;
+    private readonly allowedHosts;
     constructor(options?: CommonEngineOptions | undefined);
     /**
      * Render an HTML document for a specific URL with specified
@@ -51,6 +55,11 @@ declare class CommonEngine {
     private getDocument;
 }
 
+/**
+ * Options for the Angular Node.js server application engine.
+ */
+interface AngularNodeAppEngineOptions extends AngularAppEngineOptions {
+}
 /**
  * Angular server application engine.
  * Manages Angular server applications (including localized ones), handles rendering requests,
@@ -61,22 +70,40 @@ declare class CommonEngine {
  */
 declare class AngularNodeAppEngine {
     private readonly angularAppEngine;
-    constructor();
+    /**
+     * Creates a new instance of the Angular Node.js server application engine.
+     * @param options Options for the Angular Node.js server application engine.
+     */
+    constructor(options?: AngularNodeAppEngineOptions);
     /**
      * Handles an incoming HTTP request by serving prerendered content, performing server-side rendering,
      * or delivering a static file for client-side rendered routes based on the `RenderMode` setting.
      *
-     * This method adapts Node.js's `IncomingMessage` or `Http2ServerRequest`
+     * This method adapts Node.js's `IncomingMessage`, `Http2ServerRequest` or `Request`
      * to a format compatible with the `AngularAppEngine` and delegates the handling logic to it.
      *
-     * @param request - The incoming HTTP request (`IncomingMessage` or `Http2ServerRequest`).
+     * @param request - The incoming HTTP request (`IncomingMessage`, `Http2ServerRequest` or `Request`).
      * @param requestContext - Optional context for rendering, such as metadata associated with the request.
      * @returns A promise that resolves to the resulting HTTP response object, or `null` if no matching Angular route is found.
      *
      * @remarks A request to `https://www.example.com/page/index.html` will serve or render the Angular route
      * corresponding to `https://www.example.com/page`.
+     *
+     * @remarks
+     * To prevent potential Server-Side Request Forgery (SSRF), this function verifies the hostname
+     * of the `request.url` against a list of authorized hosts.
+     * If the hostname is not recognized and `allowedHosts` is not empty, a Client-Side Rendered (CSR) version of the
+     * page is returned otherwise a 400 Bad Request is returned.
+     *
+     * Resolution:
+     * Authorize your hostname by configuring `allowedHosts` in `angular.json` in:
+     * `projects.[project-name].architect.build.options.security.allowedHosts`.
+     * Alternatively, you can define the allowed hostname via the environment variable `process.env['NG_ALLOWED_HOSTS']`
+     * or pass it directly through the configuration options of `AngularNodeAppEngine`.
+     *
+     * For more information see: https://angular.dev/best-practices/security#preventing-server-side-request-forgery-ssrf
      */
-    handle(request: IncomingMessage | Http2ServerRequest, requestContext?: unknown): Promise<Response | null>;
+    handle(request: IncomingMessage | Http2ServerRequest | Request, requestContext?: unknown): Promise<Response | null>;
 }
 
 /**
@@ -176,4 +203,4 @@ declare function createWebRequestFromNodeRequest(nodeRequest: IncomingMessage |
 declare function isMainModule(url: string): boolean;
 
 export { AngularNodeAppEngine, CommonEngine, createNodeRequestHandler, createWebRequestFromNodeRequest, isMainModule, writeResponseToNodeResponse };
-export type { CommonEngineOptions, CommonEngineRenderOptions, NodeRequestHandlerFunction };
+export type { AngularNodeAppEngineOptions, CommonEngineOptions, CommonEngineRenderOptions, NodeRequestHandlerFunction };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@angular/ssr",
-  "version": "20.3.15",
+  "version": "20.3.17",
   "description": "Angular server side rendering utilities",
   "type": "module",
   "license": "MIT",