warn about missing SSRF protection config in angular v22 #10523
leoortizz wants to merge 4 commits into
Angular 22 enabled strict SSRF protection on its SSR engine. Without explicit configuration, Firebase Hosting SSR functions will return errors due to rotating Cloud Run hostnames.

- Add security pre-flight check for Angular 22 SSR builds
- Detect missing `security.allowedHosts` in angular.json
- Detect missing `trustProxyHeaders` in server entry point
- Surface cohesive, indented warnings with links to official docs
- Add unit tests
Code Review
This pull request implements a security pre-flight check for Angular 22 SSR projects to ensure they are correctly configured for Firebase Hosting. It adds logic to detect missing allowedHosts and trustProxyHeaders settings, which are necessary for SSR to work with Cloud Run's rotating hostnames. Feedback from the review focuses on improving the accuracy of configuration detection through more specific regex patterns, optimizing build performance by eliminating redundant context resolution, and increasing robustness by dynamically identifying the server entry point from project metadata instead of relying on hardcoded file paths.
/gemini review
Code Review
This pull request introduces a security pre-flight check for Angular 22 SSR deployments on Firebase Hosting. It adds logic to detect missing security.allowedHosts and trustProxyHeaders configurations, which are required for strict SSRF protection in Angular 22. The implementation includes new utility functions in src/frameworks/angular/utils.ts and comprehensive unit tests in src/frameworks/angular/utils.spec.ts. Feedback was provided regarding the robustness of the regex patterns used to detect configuration in the server entry file, as they may currently match occurrences within comments.
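The comment-matching concern raised in the review above, as an added example that is not part of the pull request or the project's own code: a best-effort comment stripper applied before the same kind of presence regex. `stripComments`, `hasOption` and both sample sources are hypothetical and constructed for illustration.

```typescript
// Added example: hypothetical helpers, not the code under review.
// Drops JS/TS comments but copies string literals verbatim, so a presence
// check only sees real code. Best-effort: regex literals and nested
// template expressions are not parsed.
function stripComments(src: string): string {
  let out = "";
  let i = 0;
  while (i < src.length) {
    const ch = src.charAt(i);
    const next = src.charAt(i + 1);
    if (ch === '"' || ch === "'" || ch === "`") {
      // String literal: find the closing quote, honouring backslash escapes.
      let j = i + 1;
      while (j < src.length && src.charAt(j) !== ch) j += src.charAt(j) === "\\" ? 2 : 1;
      out += src.slice(i, j + 1);
      i = j + 1;
    } else if (ch === "/" && next === "/") {
      // Line comment: skip to end of line; the newline is copied next pass.
      while (i < src.length && src.charAt(i) !== "\n") i++;
    } else if (ch === "/" && next === "*") {
      // Block comment: skip past "*/", or to EOF if it is unterminated.
      const end = src.indexOf("*/", i + 2);
      i = end === -1 ? src.length : end + 2;
      out += " ";
    } else {
      out += ch;
      i++;
    }
  }
  return out;
}

// Same pattern shape as the check under review, run on comment-free source.
// `name` is assumed to be a plain identifier (no regex metacharacters).
function hasOption(src: string | undefined, name: string): boolean {
  if (!src) return false;
  return new RegExp(`\\b${name}\\s*[:=]`).test(stripComments(src));
}

// Constructed sample server entries (not real project files or Angular API).
const commentedOnly = `
// TODO: trustProxyHeaders: decide before deploy
/* allowedHosts = ["old.example.com"] */
const options = { port: 4000, docs: "https://example.com/a" };
`;
const configured = `
const options = { allowedHosts: hosts, trustProxyHeaders: proxySetting };
`;
```

On `commentedOnly` the raw regex reports both options as present, while `hasOption` reports both as missing, which is the case where a warning would otherwise be suppressed.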
|
|
||
| const declared = opts.buildOptionsAllowedHosts ?? []; | ||
| const serverHasAllowedHosts = | ||
| !!opts.serverEntrySource && /\ballowedHosts\s*[:=]/.test(opts.serverEntrySource); |
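Review bot: the `allowedHosts` pattern on the last line is tested against the raw `opts.serverEntrySource`, so a commented-out `allowedHosts: [...]` or a mention inside a string literal sets `serverHasAllowedHosts` to true and hides the warning from a project that is not actually configured. Strip comments (or parse the file) before testing, and add a short comment stating that this is a presence check on the key name only, so later readers do not assume the value is validated.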
| } | ||
|
|
||
| const trustProxyHeadersMissing = | ||
| !opts.serverEntrySource || !/\btrustProxyHeaders\s*[:=]/.test(opts.serverEntrySource); |
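Review bot: the `!opts.serverEntrySource ||` branch reports `trustProxyHeaders` as missing whenever the server entry source is empty or was never read, which is indistinguishable in the warning from a file that was read and lacks the option. Consider tracking "server entry not found" as its own state and wording the warning accordingly. The pattern also accepts any assignment to the key, so `trustProxyHeaders` set to a disabling value would still pass; if that matters for the warning, say in a comment that only presence is checked.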
Description
Angular 22 enables strict SSR host validation by default. On Firebase Hosting Web Frameworks, SSR runs on Cloud Run behind a proxy with rotating hostnames, so without an explicit allowed-hosts list and trusted proxy headers the SSR responses start failing after deploy — a problem that never shows up locally and is hard to diagnose.
This PR adds a build-time pre-flight check for Angular 22 SSR projects. When the required security configuration is missing, it prints an actionable warning (with links to the official Angular docs) listing only the pieces that need fixing. The check is best-effort and informational — it never blocks or fails the build, and it does nothing for older Angular versions, non-SSR apps, or already-configured projects.
Scenarios Tested
firebase deploy
Sample Commands