fix(@angular/ssr): decode x-forwarded-prefix before validation #32904
alan-agius4 wants to merge 2 commits into angular:main from
Conversation
The `x-forwarded-prefix` header can be percent-encoded. Validating it without decoding can allow bypassing security checks if subsequent processors (such as the `URL` constructor or a browser) implicitly decode it.

Key bypass scenarios addressed:

- **Implicit Decoding by URL Parsers**: A regex check for a literal `..` might miss `%2e%2e`. However, if the prefix is later passed to a `URL` constructor, it will treat `%2e%2e` as `..`, climbing up a directory.
- **Browser Role in Redirects**: If an un-decoded encoded path is sent in a `Location` header, the browser will decode it, leading to unintended navigation.
- **Double Slash Bypass**: Checking for a literal `//` misses `%2f%2f`. URL parsers might treat leading double slashes as protocol-relative URLs, leading to Open Redirects if interpreted as a hostname.

This change ensures the validation "speaks the same language" as the URL parsing system by decoding the prefix before running safety checks. It also introduces robust handling for malformed percent-encoding.
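The decode-then-validate approach described above, as an added example that is not the PR's own code: the naive literal check is shown beside a version that decodes first and treats a `URIError` from malformed encoding as a rejection. The prefix policy (empty means "no prefix", otherwise a single leading `/`, no `.`/`..` segments, and a residual `%` after one decode rejected as double-encoding) is an assumption for this example.

```typescript
// Added example, not the @angular/ssr implementation.
interface PrefixResult {
  ok: boolean;
  decoded: string | null;
  reason: string | null;
}

// The pre-fix pattern: literal checks on the raw header value, which
// encoded forms such as "%2e%2e" or "%2f%2f" slip past unnoticed.
function naiveLiteralCheck(raw: string): boolean {
  return !raw.includes('..') && !raw.startsWith('//');
}

// Decode once, then run the safety checks on the decoded value, so the
// validator sees the same string a URL parser or browser would.
function validateForwardedPrefix(raw: string): PrefixResult {
  let decoded: string;
  try {
    decoded = decodeURIComponent(raw);
  } catch {
    // decodeURIComponent throws URIError on "%zz", a trailing "%", etc.
    return { ok: false, decoded: null, reason: 'malformed percent-encoding' };
  }
  if (decoded === '') {
    return { ok: true, decoded, reason: null }; // assumed: empty means no prefix
  }
  if (!decoded.startsWith('/')) {
    return { ok: false, decoded, reason: 'prefix must be absolute' };
  }
  // "//host/..." is read as a protocol-relative URL by browsers and `URL`.
  if (decoded.startsWith('//')) {
    return { ok: false, decoded, reason: 'protocol-relative prefix' };
  }
  // Dot segments would let the prefix climb out of the intended base path.
  if (decoded.split('/').some((seg) => seg === '.' || seg === '..')) {
    return { ok: false, decoded, reason: 'dot segment in prefix' };
  }
  // Assumed conservative policy: a "%" left after one decode is treated as
  // a double-encoding attempt rather than decoded again.
  if (decoded.includes('%')) {
    return { ok: false, decoded, reason: 'residual percent-encoding' };
  }
  return { ok: true, decoded, reason: null };
}
```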
Code Review
This pull request enhances the security validation of the 'x-forwarded-prefix' header by decoding its value before performing regex checks. This change ensures that URL-encoded malicious path segments or prefixes are correctly identified. It also introduces error handling for malformed URI components and includes updated test cases to verify the new decoding and validation logic. I have no feedback to provide as there were no review comments.
/gemini review
Code Review
This pull request enhances the security validation of the x-forwarded-prefix header by decoding it before applying regex checks, which prevents potential bypasses using URL-encoded characters. It also introduces error handling for malformed URI components and expands the test suite. Feedback suggests further strengthening the tests by explicitly including additional encoded path segments such as %2e%2e and %2e to ensure comprehensive coverage.