Skip to content

fix(@angular/ssr): patch Headers.forEach in cloneRequestAndPatchHeaders#32834

Merged
alan-agius4 merged 1 commit intoangular:mainfrom
alan-agius4:foreach-header
Mar 26, 2026
Merged

fix(@angular/ssr): patch Headers.forEach in cloneRequestAndPatchHeaders#32834
alan-agius4 merged 1 commit intoangular:mainfrom
alan-agius4:foreach-header

Conversation

@alan-agius4
Copy link
Copy Markdown
Collaborator

@alan-agius4 alan-agius4 commented Mar 25, 2026
edited
Loading

This commit updates the cloneRequestAndPatchHeaders function to patch the Headers.forEach method. This ensures that host headers are validated when the application iterates over request headers using forEach, preventing potential host header injection attacks during header iteration.

A unit test has been added to validation_spec.ts to verify that forEach correctly triggers validation and throws an error for disallowed hosts.

@alan-agius4
fix(@angular/ssr): patch Headers.forEach in cloneRequestAndPatchHeaders
9c1bc30 
This commit updates the cloneRequestAndPatchHeaders function to patch the Headers.forEach method. This ensures that host headers are validated when the application iterates over request headers using forEach, preventing potential host header injection attacks during header iteration.

A unit test has been added to validation_spec.ts to verify that forEach correctly triggers validation and throws an error for disallowed hosts.
gemini-code-assist[bot]
gemini-code-assist bot reviewed Mar 25, 2026
View reviewed changes
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request enhances header validation within the cloneRequestAndPatchHeaders utility by patching the forEach method of the Headers object. This ensures that validateHeader is called for each header when forEach is used, preventing invalid headers from being processed. A new test case has been added to specifically verify this behavior, confirming that iterating over headers with forEach triggers the validation and correctly handles disallowed header values. There are no review comments to address.

@alan-agius4 alan-agius4 added the target: patch This PR is targeted for the next patch release label Mar 25, 2026
@alan-agius4 alan-agius4 requested a review from dgp1130 March 25, 2026 08:39
@alan-agius4 alan-agius4 added the action: review The PR is still awaiting reviews from at least one requested reviewer label Mar 25, 2026
@alan-agius4 alan-agius4 added action: merge The PR is ready for merge by the caretaker and removed action: review The PR is still awaiting reviews from at least one requested reviewer labels Mar 25, 2026
@alan-agius4 alan-agius4 merged commit bcd99f9 into angular:main Mar 26, 2026
39 checks passed
@alan-agius4 alan-agius4 deleted the foreach-header branch March 26, 2026 12:35
@alan-agius4
Copy link
Copy Markdown
Collaborator Author

alan-agius4 commented Mar 26, 2026

This PR was merged into the repository. The changes were merged into the following branches:

@VenkatKwest
Copy link
Copy Markdown
Contributor

VenkatKwest commented Mar 30, 2026

Hi @alan-agius4 ,

I have a question regarding the real-world impact of this vulnerability. From my understanding, this bug bypasses the .get('host') validation if a developer iterates over the headers using req.headers.forEach().

However, I would assume developers typically only use forEach when they need to forward specific headers like Authorization, Cookies, etc. Moreover, the correct pre-validated Host information is usually already available directly on the generic request object created by Angular/Node.

``
const hostname =
getFirstHeaderValue(headers['x-forwarded-host']) ?? headers.host ?? headers[':authority'];

``

Given that, would a developer actually have any reason to try and manually pull the Host header out via forEach? I wouldn't think this is a widely used behavior by Angular developers. Could you clarify if there are common real-world use cases where developers were doing this and accidentally creating a vulnerability?

@alan-agius4
Copy link
Copy Markdown
Collaborator Author

alan-agius4 commented Mar 30, 2026

@VenkatKwest, in general I would not expect the forEach to be used that much.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dgp1130 dgp1130 dgp1130 approved these changes

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

action: merge The PR is ready for merge by the caretaker area: @angular/ssr target: patch This PR is targeted for the next patch release

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@alan-agius4 @VenkatKwest @dgp1130