fix: reject port in host header to prevent SSR SSRF bypass

chupaohong · chupaohong · commit 7e010898f5d8 · 2026-04-10T19:15:07.000+07:00
diff --git a/packages/angular/ssr/src/utils/validation.ts b/packages/angular/ssr/src/utils/validation.ts
@@ -224,7 +224,12 @@ function verifyHostAllowed(
     throw new Error(`Header "${headerName}" contains an invalid value and cannot be parsed.`);
   }
 
-  const { hostname } = new URL(url);
+  const { hostname, port } = new URL(url);
+  if (port) {
+    throw new Error(
+      `Header "${headerName}" with value "${value}" contains a port and is not allowed.`,
+    );
+  }
   if (!isHostAllowed(hostname, allowedHosts)) {
     throw new Error(`Header "${headerName}" with value "${value}" is not allowed.`);
   }

Original file line number	Diff line number	Diff line change
`@@ -224,7 +224,12 @@ function verifyHostAllowed(`
`224`	`224`	throw new Error(`Header "${headerName}" contains an invalid value and cannot be parsed.`);
`225`	`225`	`}`
`226`	`226`
`227`		`- const { hostname } = new URL(url);`
	`227`	`+ const { hostname, port } = new URL(url);`
	`228`	`+ if (port) {`
	`229`	`+ throw new Error(`
	`230`	+ `Header "${headerName}" with value "${value}" contains a port and is not allowed.`,
	`231`	`+ );`
	`232`	`+ }`
`228`	`233`	`if (!isHostAllowed(hostname, allowedHosts)) {`
`229`	`234`	throw new Error(`Header "${headerName}" with value "${value}" is not allowed.`);
`230`	`235`	`}`