From 8cb57fb11baebf1044a3ec1a1b4a3c3d311f6771 Mon Sep 17 00:00:00 2001 From: SkyZeroZx <73321943+SkyZeroZx@users.noreply.github.com> Date: Thu, 11 Jun 2026 17:59:32 -0500 Subject: [PATCH 1/2] fix(@angular/ssr): avoid caching non-SSG page lookups Only cache CommonEngine SSG lookup results after the target file is confirmed to be a prerendered SSG page. Missing pages and static files without the SSG marker can be derived from request URLs, so retaining those negative results allows attacker-controlled paths to grow the process cache without bound. --- .../angular/ssr/node/src/common-engine/common-engine.ts | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/packages/angular/ssr/node/src/common-engine/common-engine.ts b/packages/angular/ssr/node/src/common-engine/common-engine.ts index 0c97c20d891a..9654efcae99b 100644 --- a/packages/angular/ssr/node/src/common-engine/common-engine.ts +++ b/packages/angular/ssr/node/src/common-engine/common-engine.ts @@ -167,15 +167,15 @@ export class CommonEngine { if (pagePath === resolve(documentFilePath) || !(await exists(pagePath))) { // View matches with prerender path or file does not exist. - this.pageIsSSG.set(pagePath, false); - return undefined; } // Static file exists. const content = await fs.promises.readFile(pagePath, 'utf-8'); const isSSG = SSG_MARKER_REGEXP.test(content); - this.pageIsSSG.set(pagePath, isSSG); + if (isSSG) { + this.pageIsSSG.set(pagePath, true); + } return isSSG ? content : undefined; } From 4816780e40f3df6739d4a395d56ccd6d1eaec8bc Mon Sep 17 00:00:00 2001 From: SkyZeroZx <73321943+SkyZeroZx@users.noreply.github.com> Date: Fri, 12 Jun 2026 09:26:31 -0500 Subject: [PATCH 2/2] fixup! fix(@angular/ssr): avoid caching non-SSG page lookups --- packages/angular/ssr/node/src/common-engine/common-engine.ts | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/packages/angular/ssr/node/src/common-engine/common-engine.ts b/packages/angular/ssr/node/src/common-engine/common-engine.ts index 9654efcae99b..df64c79ce304 100644 --- a/packages/angular/ssr/node/src/common-engine/common-engine.ts +++ b/packages/angular/ssr/node/src/common-engine/common-engine.ts @@ -175,9 +175,10 @@ export class CommonEngine { const isSSG = SSG_MARKER_REGEXP.test(content); if (isSSG) { this.pageIsSSG.set(pagePath, true); + return content; } - return isSSG ? content : undefined; + return undefined; } private async renderApplication(opts: CommonEngineRenderOptions): Promise {