@angular/ssr 20.3.16 → 20.3.17

package/fesm2022/ssr.mjs

@@ -1,3 +1,4 @@
+import { validateRequest, cloneRequestAndPatchHeaders } from './validation.mjs';
 import { ɵConsole as _Console, ApplicationRef, REQUEST, InjectionToken, provideEnvironmentInitializer, inject, makeEnvironmentProviders, ɵENABLE_ROOT_COMPONENT_BOOTSTRAP as _ENABLE_ROOT_COMPONENT_BOOTSTRAP, Compiler, createEnvironmentInjector, EnvironmentInjector, runInInjectionContext, ɵresetCompiledComponents as _resetCompiledComponents, REQUEST_CONTEXT, RESPONSE_INIT, LOCALE_ID } from '@angular/core';
 import { platformServer, INITIAL_CONFIG, ɵSERVER_CONTEXT as _SERVER_CONTEXT, ɵrenderInternal as _renderInternal, provideServerRendering as provideServerRendering$1 } from '@angular/platform-server';
 import { ActivatedRoute, Router, ROUTES, ɵloadChildren as _loadChildren } from '@angular/router';
@@ -216,24 +217,26 @@ function addTrailingSlash(url) {
  * ```
  */
 function joinUrlParts(...parts) {
-    const normalizeParts = [];
+    const normalizedParts = [];
     for (const part of parts) {
         if (part === '') {
             // Skip any empty parts
             continue;
         }
-        let normalizedPart = part;
-        if (part[0] === '/') {
-            normalizedPart = normalizedPart.slice(1);
+        let start = 0;
+        let end = part.length;
+        // Use "Pointers" to avoid intermediate slices
+        while (start < end && part[start] === '/') {
+            start++;
         }
-        if (part[part.length - 1] === '/') {
-            normalizedPart = normalizedPart.slice(0, -1);
+        while (end > start && part[end - 1] === '/') {
+            end--;
         }
-        if (normalizedPart !== '') {
-            normalizeParts.push(normalizedPart);
+        if (start < end) {
+            normalizedParts.push(part.slice(start, end));
         }
     }
-    return addLeadingSlash(normalizeParts.join('/'));
+    return addLeadingSlash(normalizedParts.join('/'));
 }
 /**
  * Strips `/index.html` from the end of a URL's path, if present.
@@ -2242,6 +2245,21 @@ class AngularServerApp {
         }
         return html;
     }
+    /**
+     * Serves the client-side version of the application.
+     * TODO(alanagius): Remove this method in version 22.
+     * @internal
+     */
+    async serveClientSidePage() {
+        const { manifest: { locale }, assets, } = this;
+        const html = await assets.getServerAsset('index.csr.html').text();
+        return new Response(html, {
+            headers: new Headers({
+                'Content-Type': 'text/html;charset=UTF-8',
+                ...(locale !== undefined ? { 'Content-Language': locale } : {}),
+            }),
+        });
+    }
 }
 let angularServerApp;
 /**
@@ -2517,6 +2535,10 @@ class AngularAppEngine {
      * The manifest for the server application.
      */
     manifest = getAngularAppEngineManifest();
+    /**
+     * A set of allowed hostnames for the server application.
+     */
+    allowedHosts;
     /**
      * A map of supported locales from the server application's manifest.
      */
@@ -2525,6 +2547,13 @@ class AngularAppEngine {
      * A cache that holds entry points, keyed by their potential locale string.
      */
     entryPointsCache = new Map();
+    /**
+     * Creates a new instance of the Angular server application engine.
+     * @param options Options for the Angular server application engine.
+     */
+    constructor(options) {
+        this.allowedHosts = new Set([...(options?.allowedHosts ?? []), ...this.manifest.allowedHosts]);
+    }
     /**
      * Handles an incoming HTTP request by serving prerendered content, performing server-side rendering,
      * or delivering a static file for client-side rendered routes based on the `RenderMode` setting.
@@ -2535,11 +2564,35 @@ class AngularAppEngine {
      *
      * @remarks A request to `https://www.example.com/page/index.html` will serve or render the Angular route
      * corresponding to `https://www.example.com/page`.
+     *
+     * @remarks
+     * To prevent potential Server-Side Request Forgery (SSRF), this function verifies the hostname
+     * of the `request.url` against a list of authorized hosts.
+     * If the hostname is not recognized and `allowedHosts` is not empty, a Client-Side Rendered (CSR) version of the
+     * page is returned otherwise a 400 Bad Request is returned.
+     * Resolution:
+     * Authorize your hostname by configuring `allowedHosts` in `angular.json` in:
+     * `projects.[project-name].architect.build.options.security.allowedHosts`.
+     * Alternatively, you pass it directly through the configuration options of `AngularAppEngine`.
+     *
+     * For more information see: https://angular.dev/best-practices/security#preventing-server-side-request-forgery-ssrf
      */
     async handle(request, requestContext) {
-        const serverApp = await this.getAngularServerAppForRequest(request);
+        const allowedHost = this.allowedHosts;
+        try {
+            validateRequest(request, allowedHost);
+        }
+        catch (error) {
+            return this.handleValidationError(error, request);
+        }
+        // Clone request with patched headers to prevent unallowed host header access.
+        const { request: securedRequest, onError: onHeaderValidationError } = cloneRequestAndPatchHeaders(request, allowedHost);
+        const serverApp = await this.getAngularServerAppForRequest(securedRequest);
         if (serverApp) {
-            return serverApp.handle(request, requestContext);
+            return Promise.race([
+                onHeaderValidationError.then((error) => this.handleValidationError(error, securedRequest)),
+                serverApp.handle(securedRequest, requestContext),
+            ]);
         }
         if (this.supportedLocales.length > 1) {
             // Redirect to the preferred language if i18n is enabled.
@@ -2645,6 +2698,37 @@ class AngularAppEngine {
         const potentialLocale = getPotentialLocaleIdFromUrl(url, basePath);
         return this.getEntryPointExports(potentialLocale) ?? this.getEntryPointExports('');
     }
+    /**
+     * Handles validation errors by logging the error and returning an appropriate response.
+     *
+     * @param error - The validation error to handle.
+     * @param request - The HTTP request that caused the validation error.
+     * @returns A promise that resolves to a `Response` object with a 400 status code if allowed hosts are configured,
+     * or `null` if allowed hosts are not configured (in which case the request is served client-side).
+     */
+    async handleValidationError(error, request) {
+        const isAllowedHostConfigured = this.allowedHosts.size > 0;
+        const errorMessage = error.message;
+        // eslint-disable-next-line no-console
+        console.error(`ERROR: Bad Request ("${request.url}").\n` +
+            errorMessage +
+            (isAllowedHostConfigured
+                ? ''
+                : '\nFalling back to client side rendering. This will become a 400 Bad Request in a future major version.') +
+            '\n\nFor more information, see https://angular.dev/best-practices/security#preventing-server-side-request-forgery-ssrf');
+        if (isAllowedHostConfigured) {
+            // Allowed hosts has been configured incorrectly, thus we can return a 400 bad request.
+            return new Response(errorMessage, {
+                status: 400,
+                statusText: 'Bad Request',
+                headers: { 'Content-Type': 'text/plain' },
+            });
+        }
+        // Fallback to CSR to avoid a breaking change.
+        // TODO(alanagius): Return a 400 and remove this fallback in the next major version (v22).
+        const serverApp = await this.getAngularServerAppForRequest(request);
+        return serverApp?.serveClientSidePage() ?? null;
+    }
 }
 
 /**