fix(core): avoid caching missing locale data#69345
Only cache locale data loaded from the global locale registry when an actual locale entry is found. This prevents attacker-controlled missing locale identifiers from being retained indefinitely in SSR when locale lookup falls back to a parent locale or the built-in English locale, avoiding unbounded process memory growth in locale-aware pipes and formatters.
For visibility: whilst this change is good, this IMHO falls under “hardening” and doesn’t warrant being backported, the reason being that if the APIs are used as intended and documented, unknown locales in SSR will bootstrap the app with the configured default locale. Unknown locales are never passed to Angular.
Theoretically, the argument could come from queryParams or a dynamic property (which I don't think would be unusual, as a subpath or query in general is standard), and if it uses the locale directly without any sanitization (which as a user I would think should be safe), I would consider it a security problem.

```ts
import { Component, inject } from '@angular/core';
import { DecimalPipe } from '@angular/common';
import { ActivatedRoute } from '@angular/router';

@Component({
  imports: [DecimalPipe],
  template: `
    <p>{{ amount | number: '1.2-2' : locale }}</p>
  `,
})
export class Locale {
  private route = inject(ActivatedRoute);
  amount = 10000;
  // Locale identifier taken straight from the `?locale=` query parameter.
  locale = this.route.snapshot.queryParamMap.get('locale') ?? 'en-US';
}
```

On the other hand, I'm not very familiar with internationalization, but I don't think there was any documentation indicating that doing this wasn't recommended (nor would I expect it to cause a problem in SSR if that were the case).
Only cache locale data loaded from the global locale registry when an actual locale entry is found.
This prevents attacker-controlled missing locale identifiers from being retained indefinitely when locale lookup falls back to a parent locale or the built-in English locale, avoiding unbounded memory growth in locale-aware pipes and formatters.
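An added illustration of the caching rule the description states, not Angular's own code (the registry, class and function names are hypothetical): the leaky variant stores the fallback result under every request-controlled id, the fixed variant stores only exact registry hits, so unknown locale ids no longer accumulate in process memory.

```typescript
type LocaleData = { id: string; decimal: string };
// Constructed registry: only these two locales are "registered".
const REGISTRY = new Map<string, LocaleData>([
  ['en', { id: 'en', decimal: '.' }], ['de', { id: 'de', decimal: ',' }]]);

// Resolve a locale id, falling back to its parent ('de-AT' -> 'de') and finally
// to the built-in 'en'. `found` is true only for an exact registry hit.
function findLocale(id: string): { data: LocaleData; found: boolean } {
  const wanted = id.toLowerCase();
  let candidate = wanted;
  while (candidate) {
    const hit = REGISTRY.get(candidate);
    if (hit) return { data: hit, found: candidate === wanted };
    const dash = candidate.lastIndexOf('-');
    candidate = dash === -1 ? '' : candidate.slice(0, dash);
  }
  return { data: REGISTRY.get('en')!, found: false };
}

interface LocaleCache { readonly cache: Map<string, LocaleData>; get(id: string): LocaleData; }
// Before the fix: every requested id is cached, fallbacks included, so unknown ids pile up.
class LeakyLocaleCache implements LocaleCache {
  readonly cache = new Map<string, LocaleData>();
  get(id: string): LocaleData {
    const cached = this.cache.get(id);
    if (cached) return cached;
    const { data } = findLocale(id);
    this.cache.set(id, data);
    return data;
  }
}

// After the fix: cache only when the requested locale itself exists in the registry.
class BoundedLocaleCache implements LocaleCache {
  readonly cache = new Map<string, LocaleData>();
  get(id: string): LocaleData {
    const cached = this.cache.get(id);
    if (cached) return cached;
    const { data, found } = findLocale(id);
    if (found) this.cache.set(id, data);
    return data;
  }
}

// Issue n requests with distinct unregistered ids (constructed input); return entries retained.
function cacheSizeAfterUnknownRequests(cache: LocaleCache, n: number): number {
  for (let i = 0; i < n; i++) cache.get(`de-XX${i}`);
  return cache.cache.size;
}
```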
I think this can be classified like GHSA-48r7-hpm6-gfxm