fix(@angular/ssr): validate host headers to prevent header-based SSRF

This change introduces strict validation for `Host`, `X-Forwarded-Host`, `X-Forwarded-Proto`, and `X-Forwarded-Port` headers in the Angular SSR request handling pipeline, including `CommonEngine` and `AngularAppEngine`.

Author: alan-agius4

goldens/public-api/angular/ssr/index.api.md

@@ -11,11 +11,17 @@ import { Type } from '@angular/core';
 
 // @public
 export class AngularAppEngine {
+    constructor(options?: AngularAppEngineOptions);
     handle(request: Request, requestContext?: unknown): Promise<Response | null>;
     static ɵallowStaticRouteRender: boolean;
     static ɵhooks: Hooks;
 }
 
+// @public
+export interface AngularAppEngineOptions {
+    allowedHosts?: readonly string[];
+}
+
 // @public
 export function createRequestHandler(handler: RequestHandlerFunction): RequestHandlerFunction;
 

goldens/public-api/angular/ssr/node/index.api.md

@@ -15,8 +15,12 @@ import { Type } from '@angular/core';
 
 // @public
 export class AngularNodeAppEngine {
-    constructor();
-    handle(request: IncomingMessage | Http2ServerRequest, requestContext?: unknown): Promise<Response | null>;
+    constructor(options?: AngularNodeAppEngineOptions);
+    handle(request: IncomingMessage | Http2ServerRequest | Request, requestContext?: unknown): Promise<Response | null>;
+}
+
+// @public
+export interface AngularNodeAppEngineOptions extends AngularAppEngineOptions {
 }
 
 // @public
@@ -27,6 +31,7 @@ export class CommonEngine {
 
 // @public (undocumented)
 export interface CommonEngineOptions {
+    allowedHosts?: readonly string[];
     bootstrap?: Type<{}> | ((context: BootstrapContext) => Promise<ApplicationRef>);
     enablePerformanceProfiler?: boolean;
     providers?: StaticProvider[];

packages/angular/build/src/builders/application/execute-build.ts

@@ -56,6 +56,7 @@ export async function executeBuild(
     verbose,
     colors,
     jsonLogs,
+    security,
   } = options;
 
   // TODO: Consider integrating into watch mode. Would require full rebuild on target changes.
@@ -263,7 +264,7 @@ export async function executeBuild(
   if (serverEntryPoint) {
     executionResult.addOutputFile(
       SERVER_APP_ENGINE_MANIFEST_FILENAME,
-      generateAngularServerAppEngineManifest(i18nOptions, baseHref),
+      generateAngularServerAppEngineManifest(i18nOptions, security.allowedHosts, baseHref),
       BuildOutputFileType.ServerRoot,
     );
   }

packages/angular/build/src/builders/application/options.ts

@@ -400,8 +400,9 @@ export async function normalizeOptions(
     }
   }
 
-  const autoCsp = options.security?.autoCsp;
+  const { autoCsp, allowedHosts = [] } = options.security ?? {};
   const security = {
+    allowedHosts,
     autoCsp: autoCsp
       ? {
           unsafeEval: autoCsp === true ? false : !!autoCsp.unsafeEval,

packages/angular/build/src/builders/application/schema.json

@@ -52,6 +52,14 @@
       "type": "object",
       "additionalProperties": false,
       "properties": {
+        "allowedHosts": {
+          "description": "A list of hostnames that are allowed to access the server-side application. For more information, see https://angular.dev/best-practices/security#preventing-server-side-request-forgery-ssrf.",
+          "type": "array",
+          "uniqueItems": true,
+          "items": {
+            "type": "string"
+          }
+        },
         "autoCsp": {
           "description": "Enables automatic generation of a hash-based Strict Content Security Policy (https://web.dev/articles/strict-csp#choose-hash) based on scripts in index.html. Will default to true once we are out of experimental/preview phases.",
           "default": false,

packages/angular/build/src/builders/dev-server/vite-server.ts

@@ -113,7 +113,16 @@ export async function* serveWithVite(
   }
 
   // Disable auto CSP.
+  const allowedHosts = Array.isArray(serverOptions.allowedHosts)
+    ? [...serverOptions.allowedHosts]
+    : [];
+
+  // Always allow the dev server host
+  allowedHosts.push(serverOptions.host);
+
   browserOptions.security = {
+    allowedHosts,
+    // Disable auto CSP.
     autoCsp: false,
   };
 

packages/angular/build/src/utils/server-rendering/manifest.ts

@@ -53,11 +53,13 @@ function escapeUnsafeChars(str: string): string {
  *
  * @param i18nOptions - The internationalization options for the application build. This
  * includes settings for inlining locales and determining the output structure.
+ * @param allowedHosts - A list of hosts that are allowed to access the server-side application.
  * @param baseHref - The base HREF for the application. This is used to set the base URL
  * for all relative URLs in the application.
  */
 export function generateAngularServerAppEngineManifest(
   i18nOptions: NormalizedApplicationBuildOptions['i18nOptions'],
+  allowedHosts: string[],
   baseHref: string | undefined,
 ): string {
   const entryPoints: Record<string, string> = {};
@@ -84,6 +86,7 @@ export function generateAngularServerAppEngineManifest(
   const manifestContent = `
 export default {
   basePath: '${basePath}',
+  allowedHosts: ${JSON.stringify(allowedHosts, undefined, 2)},
   supportedLocales: ${JSON.stringify(supportedLocales, undefined, 2)},
   entryPoints: {
     ${Object.entries(entryPoints)

packages/angular/build/src/utils/server-rendering/prerender.ts

@@ -225,6 +225,9 @@ async function renderPages(
       hasSsrEntry: !!outputFilesForWorker['server.mjs'],
     } as RenderWorkerData,
     execArgv: workerExecArgv,
+    env: {
+      'NG_ALLOWED_HOSTS': 'localhost',
+    },
   });
 
   try {
@@ -337,6 +340,9 @@ async function getAllRoutes(
       hasSsrEntry: !!outputFilesForWorker['server.mjs'],
     } as RoutesExtractorWorkerData,
     execArgv: workerExecArgv,
+    env: {
+      'NG_ALLOWED_HOSTS': 'localhost',
+    },
   });
 
   try {

packages/angular/ssr/BUILD.bazel

@@ -20,7 +20,7 @@ ts_project(
     ),
     args = [
         "--lib",
-        "dom,es2020",
+        "dom.iterable,dom,es2022",
     ],
     data = [
         "//packages/angular/ssr/third_party/beasties:beasties_bundled",

packages/angular/ssr/node/public_api.ts

@@ -12,7 +12,7 @@ export {
   type CommonEngineOptions,
 } from './src/common-engine/common-engine';
 
-export { AngularNodeAppEngine } from './src/app-engine';
+export { AngularNodeAppEngine, type AngularNodeAppEngineOptions } from './src/app-engine';
 
 export { createNodeRequestHandler, type NodeRequestHandlerFunction } from './src/handler';
 export { writeResponseToNodeResponse } from './src/response';