CVE-2023-28444: Release v15.1.0 · kyubisation/angular-server-side-configuration
angular-server-side-configuration helps configure an Angular application at runtime, on the server or in a Docker container, via environment variables. It detects the environment variables used in TypeScript (.ts) files during the build of an Angular CLI project and writes the detected names to a ngssc.json file in the output directory. During deployment of the Angular app, the values of the variables listed in ngssc.json are read from the environment and inserted into the app's index.html (or the configured index file). With version 15.0.0 the environment variable detection was widened to the entire project, relative to the angular.json file of the Angular CLI workspace. In a monorepo setup this can cause environment variables intended for a backend/service to be detected and written to ngssc.json, after which they are populated and exposed via index.html. This has NO IMPACT on a plain Angular project that has no backend component. The vulnerability has been mitigated in version 15.1.0 by adding a searchPattern option, which restricts the detected file range by default. As a workaround, manually edit or create ngssc.json, or run a script after ngssc.json generation that removes the unintended variables.
Features
- add searchPattern as an option and restrict default search pattern (#75) (d701f51)
Bug Fixes
- use correct path for environment files in ng-add (421b3ff)
Security Notice
With the change in version 15 to search all files for environment variables, a potential information disclosure vulnerability was introduced, as unintended environment variables might be exposed.
You might be affected if you use environment variables in your angular.json workspace that expose application internals (such as the services/tools used) or secrets that are also available in the deployed environment (e.g. a monorepo that also contains a Node.js backend which is deployed in the same system/container/pod as the frontend bundle).
This should have little to no impact if you only have a simple angular.json workspace without a backend component.
With 15.1 this risk is mitigated, as the lookup path is restricted by the new searchPattern option, which defaults to {sourceRoot}/**/!(server).ts (only the sourceRoot of the related angular.json project is searched, and the extglob !(server) excludes files named server.ts). If your backend code lives inside sourceRoot, or you rely on a custom searchPattern, review the generated ngssc.json before deploying.
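To make the build-time detection, the deploy-time injection and both mitigations concrete, here is an added TypeScript example; it is not part of this release or of the project's code. It models the process over a constructed in-memory monorepo: the v15.0 project-wide search, the v15.1 sourceRoot-scoped default (approximated as a path predicate rather than a real glob matcher), the allowlist post-processing workaround, and a simplified version of the index.html injection. The ngssc.json shape (variant/environmentVariables/filePattern), the injected script format and the names monorepo, detectEnvVars, defaultFilter, restrictToAllowlist, populateIndexHtml and demo are assumptions made for the illustration.

```typescript
// Added example (not the project's code): a simplified model of ngssc's
// environment-variable detection and index.html population, run over a
// constructed monorepo to show why a project-wide search leaks backend
// variables and how the sourceRoot-scoped default, or an allowlist step
// after ngssc.json generation, contains the leak.

// Constructed monorepo; paths are relative to the directory holding angular.json.
const monorepo: Record<string, string> = {
  "apps/frontend/src/app/config.ts":
    "export const apiUrl = process.env.API_URL || 'http://localhost:3000';",
  "apps/frontend/src/app/features.ts":
    "export const flags = process.env['FEATURE_FLAGS'];",
  "apps/frontend/src/server.ts":
    "// SSR entry, never shipped to the browser\nconst token = process.env.INTERNAL_TOKEN;",
  "apps/api/src/db.ts":
    "export const connection = process.env.DATABASE_URL;",
  "apps/api/src/auth.ts":
    "export const jwtSecret = process.env.JWT_SECRET;",
};

// Collects NAME from process.env.NAME and process.env['NAME'] / process.env["NAME"].
function extractEnvVars(source: string): string[] {
  const re = /process\.env(?:\.([A-Za-z_][A-Za-z0-9_]*)|\[\s*['"]([A-Za-z_][A-Za-z0-9_]*)['"]\s*\])/g;
  const names: string[] = [];
  let m: RegExpExecArray | null;
  while ((m = re.exec(source)) !== null) {
    const name = m[1] || m[2];
    if (name && names.indexOf(name) === -1) names.push(name);
  }
  return names;
}

type FileFilter = (relPath: string) => boolean;

// v15.0 behaviour: every .ts file below the angular.json directory.
const wideFilter: FileFilter = (relPath) => relPath.endsWith(".ts");

// v15.1 default {sourceRoot}/**/!(server).ts approximated as a predicate
// (assumption: the !(server) extglob excludes exactly the file server.ts).
function defaultFilter(sourceRoot: string): FileFilter {
  const root = sourceRoot.replace(/\/+$/, "") + "/";
  return (relPath) =>
    relPath.startsWith(root) &&
    relPath.endsWith(".ts") &&
    relPath.split("/").pop() !== "server.ts";
}

function detectEnvVars(files: Record<string, string>, filter: FileFilter): string[] {
  const found: string[] = [];
  for (const relPath of Object.keys(files)) {
    if (!filter(relPath)) continue;
    for (const name of extractEnvVars(files[relPath])) {
      if (found.indexOf(name) === -1) found.push(name);
    }
  }
  return found.sort();
}

// Assumed shape of the generated ngssc.json.
interface NgsscJson {
  variant: string;
  environmentVariables: string[];
  filePattern: string;
}

function buildNgsscJson(variables: string[]): NgsscJson {
  return { variant: "process", environmentVariables: variables, filePattern: "index.html" };
}

// Workaround from the notice: post-process ngssc.json against an allowlist
// before the deploy step reads it.
function restrictToAllowlist(ngssc: NgsscJson, allowlist: string[]): NgsscJson {
  return {
    ...ngssc,
    environmentVariables: ngssc.environmentVariables.filter((v) => allowlist.indexOf(v) !== -1),
  };
}

// Deploy-time step, approximated: resolve the listed variables from the
// container environment and inline them into index.html as a script.
function populateIndexHtml(
  indexHtml: string,
  ngssc: NgsscJson,
  env: Record<string, string | undefined>,
): string {
  const values: Record<string, string | null> = {};
  for (const name of ngssc.environmentVariables) {
    const v = env[name];
    values[name] = v === undefined ? null : v;
  }
  const script = `<script>(function(self){self.process={env:${JSON.stringify(values)}};})(window)</script>`;
  return indexHtml.replace("<head>", "<head>" + script);
}

// Constructed environment of a container that runs both frontend and backend.
const containerEnv: Record<string, string | undefined> = {
  API_URL: "https://api.example.test",
  FEATURE_FLAGS: "beta",
  INTERNAL_TOKEN: "svc-token-do-not-ship",
  DATABASE_URL: "postgres://app:hunter2@db/app",
  JWT_SECRET: "super-secret",
};

const indexHtml = "<html><head></head><body></body></html>";

// Runs the four scenarios and reports whether the database password reached the HTML.
function demo(): { wide: string[]; restricted: string[]; leaked: boolean; contained: boolean } {
  const wide = detectEnvVars(monorepo, wideFilter);
  const restricted = detectEnvVars(monorepo, defaultFilter("apps/frontend/src"));
  const leakedHtml = populateIndexHtml(indexHtml, buildNgsscJson(wide), containerEnv);
  const safeHtml = populateIndexHtml(
    indexHtml,
    restrictToAllowlist(buildNgsscJson(wide), restricted),
    containerEnv,
  );
  return {
    wide,
    restricted,
    leaked: leakedHtml.includes("hunter2"),
    contained: !safeHtml.includes("hunter2") && safeHtml.includes("api.example.test"),
  };
}
```

With the wide filter the detected list contains DATABASE_URL and JWT_SECRET, and the populated index.html carries the database password verbatim; with the sourceRoot-scoped filter only API_URL and FEATURE_FLAGS remain. The allowlist step is what to script if you cannot upgrade yet: it removes everything from ngssc.json that the frontend does not actually reference, so the deploy step has nothing sensitive to inject.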
Full Changelog: v15.0.2…v15.1.0