Skip to content

fix(@angular/ssr): validate decoded x-forwarded-prefix before prefix checks#32814

Closed
artahir-dev wants to merge 1 commit intoangular:mainfrom
artahir-dev:fix/ssr-validate-decoded-forwarded-prefix
Closed

fix(@angular/ssr): validate decoded x-forwarded-prefix before prefix checks#32814
artahir-dev wants to merge 1 commit intoangular:mainfrom
artahir-dev:fix/ssr-validate-decoded-forwarded-prefix

Conversation

@artahir-dev
Copy link

@artahir-dev artahir-dev commented Mar 21, 2026

PR Checklist

Please check to confirm your PR fulfills the following requirements:

PR Type

What kind of change does this PR introduce?

  • Bugfix
  • Feature
  • Code style update (formatting, local variables)
  • Refactoring (no functional changes, no api changes)
  • Build related changes
  • CI related changes
  • Documentation content changes
  • Other... Please describe:

What is the current behavior?

X-Forwarded-Prefix is validated before decoding. In practice that means encoded unsafe values can pass the regex check and only become unsafe later when decoded in SSR URL handling.

Issue Number: N/A

What is the new behavior?

X-Forwarded-Prefix is decoded first during validation. If decoding fails, request validation now returns a clear error for invalid percent-encoding. The existing prefix safety checks are then applied to the decoded value.

Regression tests were added to cover encoded bypass attempts and malformed encoded prefixes.

Does this PR introduce a breaking change?

  • Yes
  • No

Other information

This change is intentionally scoped to header validation only.

@google-cla
Copy link

google-cla bot commented Mar 21, 2026

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

gemini-code-assist[bot]
gemini-code-assist bot reviewed Mar 21, 2026
View reviewed changes
Copy link

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request addresses a security vulnerability by ensuring the x-forwarded-prefix header is URL-decoded before validation checks are applied. This prevents potential bypasses using percent-encoded characters. The change is implemented correctly in packages/angular/ssr/src/utils/validation.ts, including proper error handling for malformed encoding. The accompanying tests in packages/angular/ssr/test/utils/validation_spec.ts are thorough, covering both encoded bypass attempts and invalid encoding sequences. The changes look good and effectively mitigate the described issue.

@artahir-dev
Copy link
Author

artahir-dev commented Mar 21, 2026
edited
Loading

@alan-agius4 @securityMB @josephperrott @AndrewKushnir @dgp1130

Closing this pull request as the issue has been reported through the appropriate private disclosure channel.

Tracked here:
https://issuetracker.google.com/issues/494903985

Further coordination will continue there to ensure proper handling and responsible disclosure.

Thank you.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

area: @angular/ssr

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@artahir-dev