
Update to latest Angular 20 and remove reliance on Host HTTP Header #5276

Open

tdonohue wants to merge 4 commits into DSpace:main from tdonohue:update_angular_20

@tdonohue (Member):

References

  • Patches against Angular CVE-2026-27739 by updating to a patched version of Angular 20.x. As noted on mailing lists, sites are currently only protected by the proxy in front of DSpace.

Description

This PR implements two main changes:

  1. Updates us to Angular 20.3.17, which is patched against CVE-2026-27739 (First and third commits)
    • This requires passing a new allowedHosts setting to Angular SSR which must specify the list of trusted hostnames.
    • The existing environment.ui.baseUrl setting has been updated to allow sites to specify the public URL of their site. This value is then used to prepopulate the allowedHosts setting.
  2. Removes all usage of the Host HTTP Header, replacing it with the environment.ui.baseUrl setting. Because this setting is now required, it's more secure than trusting the Host header. (Second commit)
    • This commit could be manually backported to 7.x.x and 8.x as an additional layer of protection to those releases (by removing all usage of Host HTTP Header in favor of the environment.ui.baseUrl configuration)

This PR should be backported to dspace-9_x as it also uses Angular 20.x.

Instructions for Reviewers

  1. With this PR, you MUST update your config.*.yml to add the ui.baseUrl:

     ```yaml
     ui:
       ...
       # Specify the public URL that this user interface responds to. This corresponds to the "dspace.ui.url" property in your backend's local.cfg.
       # SSR is only enabled when the client's "Host" HTTP header matches this baseUrl. The baseUrl is also used for redirects and SEO links (in robots.txt and sitemaps).
       baseUrl: http://localhost:4000
     ```

  2. Build the UI in production mode (in order to enable SSR): e.g. `npm run build:prod && npm run serve:ssr`
  3. Verify that SSR functions properly with the ui.baseUrl set to your DSpace's public URL. You should see no errors in the SSR logs, and the homepage & Community/Collection/Item pages should respond with JavaScript disabled.
  4. Verify that SSR fails if you set ui.baseUrl to a different URL (e.g. https://my.dspace.org). This proves that Angular SSR is accurately validating the hostname via the allowedHosts parameter. You will see an error in the SSR logs that says something like this:

     ```
     ERROR: URL with hostname "[Invalid-hostname]" is not allowed.Please provide a list of allowed hosts in the "allowedHosts" option in the "CommonEngine" constructor.
     Error in server-side rendering (SSR)
     Error details :  Error: URL with hostname "[Invalid-hostname]" is not allowed
     ...
     Falling back to serving direct client-side rendering (CSR)
     ```

  5. The above can be tested also behind a proxy (Apache/Nginx) to verify no changes in behavior.
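As an added example (not DSpace's code, and not the Angular CommonEngine API itself), the following TypeScript shows the pattern the description above relies on: derive the SSR allowed-host list from a configured public base URL, check the incoming Host header against that list, and take the origin used for redirects and SEO links from configuration only, never from the request. The names UiConfig, allowedHostsFromConfig, matchAllowedHost, publicOrigin and renderingMode are assumptions, and all sample values are constructed.

```typescript
// Added example (not DSpace's own code): derive Angular SSR "allowedHosts" from a
// configured public base URL and gate SSR on it, instead of trusting the value of
// the incoming "Host" HTTP header. Names below (UiConfig, allowedHostsFromConfig,
// matchAllowedHost, publicOrigin, renderingMode) are hypothetical.

export interface UiConfig {
  /** Public URL of the UI, the role environment.ui.baseUrl plays in DSpace. */
  baseUrl: string;
  /** Hypothetical: extra hostnames to trust (e.g. an internal health-check name). */
  extraAllowedHosts?: string[];
}

export type RenderingMode = 'SSR' | 'CSR';

/** Lowercase, drop a trailing dot, and unbracket IPv6 literals so comparisons are exact. */
function normaliseHost(host: string): string {
  return host.trim().toLowerCase().replace(/\.$/, '').replace(/^\[(.*)\]$/, '$1');
}

/**
 * Build the trusted-hostname list for the SSR engine. The configured baseUrl is
 * the single source of truth; a malformed or non-HTTP baseUrl throws so the
 * server fails closed at startup rather than silently accepting every host.
 */
export function allowedHostsFromConfig(config: UiConfig): string[] {
  const base = new URL(config.baseUrl);
  if (base.protocol !== 'http:' && base.protocol !== 'https:') {
    throw new Error(`baseUrl must be http(s), got ${base.protocol}`);
  }
  const hosts = new Set<string>([normaliseHost(base.hostname)]);
  for (const extra of config.extraAllowedHosts ?? []) {
    hosts.add(normaliseHost(extra));
  }
  return Array.from(hosts);
}

// Only "host" or "host:port" shapes are accepted from the wire; values carrying
// userinfo, paths or whitespace are rejected before they reach the URL parser.
const HOST_HEADER_SHAPE = /^(?:[A-Za-z0-9.-]+|\[[0-9A-Fa-f:.]+\])(?::\d{1,5})?$/;

/**
 * Check an incoming Host header against the allowed list. Returns the matched
 * hostname, or null when the request must not be server-side rendered.
 */
export function matchAllowedHost(hostHeader: string | undefined, allowedHosts: string[]): string | null {
  if (!hostHeader || !HOST_HEADER_SHAPE.test(hostHeader.trim())) {
    return null;
  }
  // The URL parser splits host from port and lowercases the hostname for us.
  const hostname = normaliseHost(new URL(`http://${hostHeader.trim()}`).hostname);
  const allowed = allowedHosts.map(normaliseHost);
  return allowed.some((h) => h === hostname) ? hostname : null;
}

/**
 * Origin for absolute redirects and SEO links (robots.txt, sitemaps). It comes
 * only from configuration, so a forged Host header cannot steer those links.
 */
export function publicOrigin(config: UiConfig): string {
  return new URL(config.baseUrl).origin;
}

/**
 * Mirror the fallback described in the PR: render on the server when the Host
 * header matches an allowed hostname, otherwise fall back to client-side rendering.
 */
export function renderingMode(config: UiConfig, hostHeader: string | undefined): RenderingMode {
  const allowed = allowedHostsFromConfig(config);
  if (matchAllowedHost(hostHeader, allowed) === null) {
    console.error(`URL with hostname "${hostHeader ?? ''}" is not allowed; falling back to CSR`);
    return 'CSR';
  }
  return 'SSR';
}

// Constructed sample run (illustrative values, not taken from any real site).
const sampleConfig: UiConfig = { baseUrl: 'http://localhost:4000' };
console.log(allowedHostsFromConfig(sampleConfig));          // [ 'localhost' ]
console.log(renderingMode(sampleConfig, 'localhost:4000'));  // SSR
console.log(renderingMode(sampleConfig, 'my.dspace.org'));   // CSR
console.log(publicOrigin(sampleConfig));                     // http://localhost:4000
```

The list returned by allowedHostsFromConfig is the kind of value you would hand to the SSR engine's allowed-hosts option; the property that matters is that nothing taken from the request ever feeds it, so a forged Host header can at worst trigger the CSR fallback shown in step 4 above, while redirect and sitemap links keep pointing at the configured origin.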

@tdonohue tdonohue added this to the 10.0 milestone Mar 11, 2026
@tdonohue tdonohue added the labels "dependencies" (Pull requests that update a dependency file), "high priority", and "port to dspace-9_x" (This PR needs to be ported to `dspace-9_x` branch for next bug-fix release) Mar 11, 2026
@tdonohue tdonohue added the security Security related fix label Mar 11, 2026
@tdonohue tdonohue force-pushed the update_angular_20 branch from 46baa68 to 49f6c7e March 11, 2026 22:11
…tting existing environment.ui.baseUrl. Replace ServerHardRedirectService.getCurrentOrigin() with getBaseUrl() to read this setting.
… UI's hostname. This is now required for SSR to work.
@tdonohue tdonohue force-pushed the update_angular_20 branch from 928c091 to b9d49f6 March 11, 2026 22:18
@kshepherd (Member) left a comment:

+1 by inspection, looks great - I also like the Angular config property (vs fetching direct from backend) for keeping our request overhead down. Thanks @tdonohue

@github-project-automation github-project-automation bot moved this to 👍 Reviewer Approved in DSpace 10.0 Release Mar 12, 2026