fixup! feat(@angular/ssr): support the standard Forwarded header

alan-agius4 · alan-agius4 · commit b98634729b10 · 2026-06-23T07:54:48.000Z
diff --git a/packages/angular/ssr/src/utils/validation.ts b/packages/angular/ssr/src/utils/validation.ts
@@ -297,21 +297,124 @@ export function parseForwardedHeader(
     return {};
   }
 
-  const firstElement = headerValue.split(',', 1)[0];
   const params: Record<string, string> = {};
-  const paramRegex = /([^\s;=]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^;\s]*)/gi;
+  let inQuotes = false;
+  let escaped = false;
+  let currentKey = '';
+  let currentValue = '';
+  let isParsingValue = false;
+  let isKeyEnded = false;
+  let isParsingValueEnded = false;
+
+  for (const char of headerValue) {
+    if (escaped) {
+      escaped = false;
+      if (isParsingValue) {
+        currentValue += char;
+      } else {
+        currentKey += char;
+      }
+      continue;
+    }
+
+    if (char === '\\') {
+      if (inQuotes) {
+        escaped = true;
+      } else if (isParsingValue) {
+        currentValue += char;
+      } else {
+        currentKey += char;
+      }
+      continue;
+    }
+
+    if (char === '"') {
+      inQuotes = !inQuotes;
+      continue;
+    }
 
-  let match;
-  while ((match = paramRegex.exec(firstElement)) !== null) {
-    const key = match[1].toLowerCase();
-    let val = match[2];
+    if (inQuotes) {
+      if (isParsingValue) {
+        currentValue += char;
+      } else {
+        currentKey += char;
+      }
+      continue;
+    }
+
+    if (char === ',') {
+      addParam(currentKey, currentValue, isParsingValue, params);
+      break;
+    }
 
-    if (val[0] === '"' && val.at(-1) === '"') {
-      val = val.slice(1, -1).replace(/\\(.)/g, '$1');
+    if (char === ';') {
+      addParam(currentKey, currentValue, isParsingValue, params);
+      currentKey = '';
+      currentValue = '';
+      isParsingValue = false;
+      isKeyEnded = false;
+      isParsingValueEnded = false;
+      continue;
+    }
+
+    if (char === '=') {
+      if (!isParsingValue) {
+        isParsingValue = true;
+      } else {
+        currentValue += char;
+      }
+      continue;
     }
 
-    params[key] = val;
+    if (char === ' ' || char === '\t') {
+      if (isParsingValue) {
+        if (currentValue.length > 0) {
+          isParsingValueEnded = true;
+        }
+      } else if (currentKey.length > 0) {
+        isKeyEnded = true;
+      }
+      continue;
+    }
+
+    if (isParsingValue) {
+      if (!isParsingValueEnded) {
+        currentValue += char;
+      }
+    } else if (isKeyEnded) {
+      currentKey = char;
+      isKeyEnded = false;
+    } else {
+      currentKey += char;
+    }
+  }
+
+  if (currentKey || currentValue || isParsingValue) {
+    addParam(currentKey, currentValue, isParsingValue, params);
   }
 
   return params;
 }
+
+/**
+ * Helper function to add a parameter to the params object.
+ * @param key - The key to add.
+ * @param value - The value to add.
+ * @param hasValue - Whether the parameter has a value.
+ * @param params - The params object to add the parameter to.
+ */
+function addParam(
+  key: string,
+  value: string,
+  hasValue: boolean,
+  params: Record<string, string>,
+): void {
+  if (!hasValue) {
+    return;
+  }
+
+  const trimmedKey = key.trim().toLowerCase();
+  if (trimmedKey) {
+    params[trimmedKey] = value;
+  }
+}
diff --git a/packages/angular/ssr/test/utils/validation_spec.ts b/packages/angular/ssr/test/utils/validation_spec.ts
@@ -9,6 +9,7 @@
 import {
   getFirstHeaderValue,
   normalizeTrustProxyHeaders,
+  parseForwardedHeader,
   sanitizeRequestHeaders,
   validateRequest,
   validateUrl,
@@ -38,6 +39,99 @@ describe('Validation Utils', () => {
     });
   });
 
+  describe('parseForwardedHeader', () => {
+    it('should return an empty object for null, undefined, or empty string', () => {
+      expect(parseForwardedHeader(null)).toEqual({});
+      expect(parseForwardedHeader(undefined)).toEqual({});
+      expect(parseForwardedHeader('')).toEqual({});
+    });
+
+    it('should parse simple parameters correctly', () => {
+      expect(parseForwardedHeader('host=example.com;proto=https')).toEqual({
+        host: 'example.com',
+        proto: 'https',
+      });
+    });
+
+    it('should handle case-insensitivity of parameter names', () => {
+      expect(parseForwardedHeader('Host=example.com;PROTO=https')).toEqual({
+        host: 'example.com',
+        proto: 'https',
+      });
+    });
+
+    it('should handle whitespace around separators', () => {
+      expect(parseForwardedHeader('  host  =  example.com  ;  proto  =  https  ')).toEqual({
+        host: 'example.com',
+        proto: 'https',
+      });
+    });
+
+    it('should parse quoted strings correctly and remove outer quotes', () => {
+      expect(parseForwardedHeader('host="example.com";proto="https"')).toEqual({
+        host: 'example.com',
+        proto: 'https',
+      });
+    });
+
+    it('should handle escaped characters inside quoted strings', () => {
+      expect(parseForwardedHeader('host="example.com\\"escaped\\"";proto=https')).toEqual({
+        host: 'example.com"escaped"',
+        proto: 'https',
+      });
+    });
+
+    it('should handle semicolons inside quoted strings correctly', () => {
+      expect(parseForwardedHeader('host="example.com;with;semicolons";proto=https')).toEqual({
+        host: 'example.com;with;semicolons',
+        proto: 'https',
+      });
+    });
+
+    it('should handle commas inside quoted strings correctly without splitting the element', () => {
+      expect(parseForwardedHeader('host="example.com,with,commas";proto=https')).toEqual({
+        host: 'example.com,with,commas',
+        proto: 'https',
+      });
+    });
+
+    it('should only parse the first (leftmost) element in a comma-separated list', () => {
+      expect(
+        parseForwardedHeader('host=example.com;proto=https, for=192.0.2.60;proto=http'),
+      ).toEqual({
+        host: 'example.com',
+        proto: 'https',
+      });
+    });
+
+    it('should ignore parameters without values (no equals sign)', () => {
+      expect(parseForwardedHeader('host; proto=https')).toEqual({
+        proto: 'https',
+      });
+    });
+
+    it('should handle empty parameter values', () => {
+      expect(parseForwardedHeader('host=; proto=https')).toEqual({
+        host: '',
+        proto: 'https',
+      });
+    });
+
+    it('should treat spaces inside unquoted values as token terminators and ignore subsequent garbage', () => {
+      expect(parseForwardedHeader('host=example.com extra; proto=https')).toEqual({
+        host: 'example.com',
+        proto: 'https',
+      });
+    });
+
+    it('should treat spaces inside parameter names as token terminators and discard the invalid prefix', () => {
+      expect(parseForwardedHeader('ho st=value; proto=https')).toEqual({
+        st: 'value',
+        proto: 'https',
+      });
+    });
+  });
+
   describe('normalizeTrustProxyHeaders', () => {
     it('should return an empty set when input is undefined', () => {
       expect(normalizeTrustProxyHeaders(undefined)).toEqual(new Set());
