Skip to content

Update to latest Angular 20 and remove reliance on Host HTTP Header#5276

Open
tdonohue wants to merge 6 commits intoDSpace:mainfrom
tdonohue:update_angular_20
Open

Update to latest Angular 20 and remove reliance on Host HTTP Header#5276
tdonohue wants to merge 6 commits intoDSpace:mainfrom
tdonohue:update_angular_20

Conversation

@tdonohue
Copy link
Member

@tdonohue tdonohue commented Mar 11, 2026

References

  • Patches against Angular CVE-2026-27739 by updating to a patched version of Angular 20.x. As noted on mailing lists, sites are currently only protected by the proxy in front of DSpace.

Description

This PR implements two main changes:

  1. Updates us to Angular 20.3.17, which is patched against CVE-2026-27739 (First and third commits)
    • This requires passing a new allowedHosts setting to Angular SSR which must specify the list of trusted hostnames.
    • The existing environment.ui.baseUrl setting has been updated to allow sites to specify the public URL of their site. This value is then used to prepopulate the allowedHosts setting.
  2. Removes all usage of the Host HTTP Header, replacing it with using the environment.ui.baseUrl. Because this setting is now required, it's more secure then trusting the Host header. (Second commit)
    • This commit could be manually backported to 7.x.x and 8.x as an additional layer of protection to those releases (by removing all usage of Host HTTP Header in favor of the environment.ui.baseUrl configuration)

This PR should be backported to dspace-9_x as it also uses Angular 20.x.

Instructions for Reviewers

  1. With this PR, you MUST update your config.*.yml to add the ui.baseUrl: 
    ui:
  ...
 # Specify the public URL that this user interface responds to. This corresponds to the "dspace.ui.url" property in your backend's local.cfg.
 # SSR is only enabled when the client's "Host" HTTP header matches this baseUrl. The baseUrl is also used for redirects and SEO links (in robots.txt and sitemaps). 
 baseUrl: http://localhost:4000
  2. Build the UI in production mode (in order to enable SSR): e.g. npm run build:prod && npm run serve:ssr
  3. Verify that SSR functions properly with the ui.baseUrl set to your DSpace's public URL. You should see no errors in the SSR logs and the homepage & Community/Collection/Item pages should respond with Javascript disabled.
  4. Verify that SSR fails if you set ui.baseUrl to a different URL (e.g. https://my.dspace.org). This proves that Angular SSR is accurately validating the hostname via the allowedHosts parameter. You will see an error in the SSR logs that says something like this: 
    ERROR: URL with hostname "[Invalid-hostname]" is not allowed.Please provide a list of allowed hosts in the "allowedHosts" option in the "CommonEngine" constructor.
Error in server-side rendering (SSR)
Error details :  Error: URL with hostname "[Invalid-hostname]" is not allowed
...
Falling back to serving direct client-side rendering (CSR)
  5. The above can be tested also behind a proxy (Apache/Nginx) to verify no changes in behavior.

@tdonohue tdonohue added this to the 10.0 milestone Mar 11, 2026
@tdonohue tdonohue added dependencies Pull requests that update a dependency file high priority port to dspace-9_x This PR needs to be ported to `dspace-9_x` branch for next bug-fix release labels Mar 11, 2026
@tdonohue tdonohue added the security Security related fix label Mar 11, 2026
@tdonohue tdonohue force-pushed the update_angular_20 branch 2 times, most recently from 928c091 to b9d49f6 Compare March 11, 2026 22:18
kshepherd
kshepherd approved these changes Mar 12, 2026
View reviewed changes
Copy link
Member

@kshepherd kshepherd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 by inspection, looks great - i also like the angular config property (vs fetching direct from backend) for keeping our request overhead down. thanks @tdonohue

@github-project-automation github-project-automation bot moved this to 👍 Reviewer Approved in DSpace 10.0 Release Mar 12, 2026
@tdonohue tdonohue force-pushed the update_angular_20 branch from b9d49f6 to 7be4896 Compare March 12, 2026 13:44
@tdonohue tdonohue requested a review from artlowel March 12, 2026 15:18
artlowel
artlowel approved these changes Mar 12, 2026
View reviewed changes
Copy link
Member

@artlowel artlowel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @tdonohue!

The code looks good, I don't see any issues using it, and I've verified with @kshepherd's python script that you can no longer reproduce the issue with this PR.

@tdonohue tdonohue mentioned this pull request Mar 12, 2026
Open
tdonohue added 4 commits March 12, 2026 16:48
@tdonohue
Ensure we are no longer using/trusting "Host" HTTP Header. Require se…
63908bb 
…tting existing environment.ui.baseUrl. Replace ServerHardRedirectService.getCurrentOrigin() with getBaseUrl() to read this setting.
@tdonohue
Add newly required "allowedHosts" setting for Angular, specifying the…
3d061ad 
… UI's hostname. This is now required for SSR to work.
@tdonohue
Update Docker Compose production script to specify UI's baseUrl as lo…
04f7498 
…calhost:4000. Override that default in our docker-deploy CI step as that requires 127.0.0.1
@tdonohue
Fix issue where ui.baseUrl cannot be overridden in environment variab…
65e7a9d 
…les because it's not listed in default-app-config.ts
@tdonohue tdonohue force-pushed the update_angular_20 branch from 7be4896 to 65e7a9d Compare March 12, 2026 21:49
@tdonohue
Copy link
Member Author

tdonohue commented Mar 12, 2026
edited
Loading

@artlowel and @kshepherd : Just a note, I had to push up another small modification to this PR to workaround a new bug that I've discovered in environment variable overrides. See #5279.

The reason this PR was failing the docker-deploy step within GitHub CI was that our Docker images were unable to override the default empty value of environment.ui.baseUrl via a DSPACE_UI_BASEURL environment variable (see docker-compose-dist.yml in this PR which sets that environment variable). Once I added this optional baseUrl setting to default-app-config.ts (in the latest commit to this PR) that bypassed the bug.

This doesn't change the PR significantly, but I wanted to point out the reason why I had to modify default-app-config.ts, since I was not expecting to have to do so.

@tdonohue
Copy link
Member Author

tdonohue commented Mar 12, 2026

Unfortunately, docker-deploy is still not working even though I've verified the bug described in #5279 (on my local machine). There's still some issue going on with environment variables in GitHub CI where GitHub isn't picking up my customizations to DSPACE_UI_BASEURL.

I'll have to continue debugging this tomorrow, but this is an odd issue. This PR works entirely on my local machine (including env variable overrides), but still is having issues in GitHub CI.

@kshepherd
Copy link
Member

kshepherd commented Mar 12, 2026

@tdonohue the SSR detection test also seems to be failing now (though the "start SSR" task succeeds")

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kshepherd kshepherd kshepherd approved these changes

@artlowel artlowel artlowel approved these changes

Assignees

@tdonohue tdonohue

Labels

dependencies Pull requests that update a dependency file high priority port to dspace-9_x This PR needs to be ported to `dspace-9_x` branch for next bug-fix release security Security related fix

Projects

DSpace 10.0 Release
Status: 👍 Reviewer Approved

Milestone

10.0

Development

Successfully merging this pull request may close these issues.

3 participants

@tdonohue @kshepherd @artlowel