fixup! fix(@angular/ssr): prevent open redirect via X-Forwarded-Prefix header

alan-agius4 · alan-agius4 · commit 0755920bef5c · 2026-02-23T09:04:10.000Z
diff --git a/packages/angular/ssr/src/utils/validation.ts b/packages/angular/ssr/src/utils/validation.ts
@@ -29,7 +29,7 @@ const PATH_SEPARATOR_REGEX = /[/\\]/;
 /**
  * Regular expression to validate that the prefix is valid.
  */
-const INVALID_PREFIX_REGEX = /^[/\\]{2}/;
+const INVALID_PREFIX_REGEX = /^[/\\]{2}|(?:^|[/\\])\.\.?(?:[/\\]|$)/;
 
 /**
  * Extracts the first value from a multi-value header string.
@@ -213,6 +213,8 @@ function validateHeaders(request: Request, allowedHosts: ReadonlySet<string>): v
 
   const xForwardedPrefix = getFirstHeaderValue(headers.get('x-forwarded-prefix'));
   if (xForwardedPrefix && INVALID_PREFIX_REGEX.test(xForwardedPrefix)) {
-    throw new Error('Header "x-forwarded-prefix" must not start with multiple "/" or "\\".');
+    throw new Error(
+      'Header "x-forwarded-prefix" must not start with multiple "/" or "\\" or contain ".", ".." path segments.',
+    );
   }
 }
diff --git a/packages/angular/ssr/test/utils/validation_spec.ts b/packages/angular/ssr/test/utils/validation_spec.ts
@@ -137,7 +137,58 @@ describe('Validation Utils', () => {
 
         expect(() => validateRequest(request, allowedHosts))
           .withContext(`Prefix: "${prefix}"`)
-          .toThrowError('Header "x-forwarded-prefix" must not start with multiple "/" or "\\".');
+          .toThrowError(
+            'Header "x-forwarded-prefix" must not start with multiple "/" or "\\" or contain ".", ".."  path segments.',
+          );
+      }
+    });
+
+    it('should throw error if x-forwarded-prefix contains dot segments', () => {
+      const inputs = [
+        '/./',
+        '/../',
+        '/foo/./bar',
+        '/foo/../bar',
+        '/.',
+        '/..',
+        './',
+        '../',
+        '.\\',
+        '..\\',
+        '/foo/.\\bar',
+        '/foo/..\\bar',
+        '.',
+        '..',
+      ];
+
+      for (const prefix of inputs) {
+        const request = new Request('https://example.com', {
+          headers: {
+            'x-forwarded-prefix': prefix,
+          },
+        });
+
+        expect(() => validateRequest(request, allowedHosts))
+          .withContext(`Prefix: "${prefix}"`)
+          .toThrowError(
+            'Header "x-forwarded-prefix" must not start with multiple "/" or "\\" or contain ".", ".."  path segments.',
+          );
+      }
+    });
+
+    it('should validate x-forwarded-prefix with valid dot usage', () => {
+      const inputs = ['/foo.bar', '/foo.bar/baz', '/v1.2', '/.well-known'];
+
+      for (const prefix of inputs) {
+        const request = new Request('https://example.com', {
+          headers: {
+            'x-forwarded-prefix': prefix,
+          },
+        });
+
+        expect(() => validateRequest(request, allowedHosts))
+          .withContext(`Prefix: "${prefix}"`)
+          .not.toThrow();
       }
     });
   });
