20 changes: 19 additions & 1 deletion src/config/config.server.ts
Expand Up @@ -169,6 +169,23 @@ const buildBaseUrl = (config: ServerConfig): void => {
].join('');
};

/**
* Removes all server-side specific settings from the application configuration.
* This method is used to ensure the "assets/config.json" that provides runtime
* configuration to CSR (client side rendering) excludes these server-side keys.
*
* @param config the application configuration
*/
const removeServerSideConfig = (config: AppConfig): any => {
@Aryakoste : Please add an inline comment above this to describe why we're doing this. It could be something like this:

/**
 * Removes all server-side specific settings from the application configuration.
 * This method is used to ensure the "assets/config.json" that provides runtime
 * configuration to CSR (client side rendering) excludes these server-side keys.
 *
 * @param config  the application configuration
 */

const clientConfig = JSON.parse(JSON.stringify(config));
delete clientConfig.rest.ssrBaseUrl;
delete clientConfig.rest.hasSsrBaseUrl;
delete clientConfig.cache.serverSide;
delete clientConfig.ui.rateLimiter;
delete clientConfig.ui.useProxies;
return clientConfig;
};
Comment on lines +180 to +187

Could this be inverted to only return client config properties (instead of deleting server properties)? In the case that a config property is added in the future without someone knowing about this vulnerability, it should default to not being in the client config.
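
The inversion suggested in the comment above, as an added example that is not code from this pull request: the client config is built from an allowlist, so a key nobody listed is dropped by default. `CLIENT_ALLOWLIST`, `pickAllowed` and `buildClientConfig` are hypothetical names, and the sample config and the allowed keys (`baseUrl`, `msToLive`, `host`, `port`) are constructed for illustration.

```typescript
// Added example: allowlist ("fail closed") projection of a config object.
// Names and sample values are assumptions, not taken from the project.

type Allow = true | { [key: string]: Allow };
type Json = { [key: string]: unknown };

// Only keys named here ever reach the client-side config.json.
// `true` copies the whole subtree; an object recurses into it.
const CLIENT_ALLOWLIST: Allow = {
  rest: { baseUrl: true },
  cache: { msToLive: true },
  ui: { host: true, port: true },
};

function pickAllowed(source: unknown, allow: Allow): unknown {
  if (allow === true) {
    // Deep copy so later mutation of the result cannot touch the server config.
    return source === undefined ? undefined : JSON.parse(JSON.stringify(source));
  }
  if (typeof source !== 'object' || source === null || Array.isArray(source)) {
    return undefined; // allowlist expects an object here; drop anything else
  }
  const out: Json = {};
  for (const key of Object.keys(allow)) {
    const rule = allow[key];
    if (rule === undefined) continue;
    if (!Object.prototype.hasOwnProperty.call(source, key)) continue;
    const value = pickAllowed((source as Json)[key], rule);
    if (value !== undefined) out[key] = value;
  }
  return out;
}

function buildClientConfig(config: unknown): Json {
  const picked = pickAllowed(config, CLIENT_ALLOWLIST);
  return (picked === undefined ? {} : picked) as Json;
}

// Constructed sample: server-only keys from the diff plus one "future" key
// that nobody remembered to add to a denylist.
const sampleServerConfig = {
  rest: { baseUrl: 'https://api.example.org/server',
          ssrBaseUrl: 'http://backend.internal:8080/server', hasSsrBaseUrl: true },
  cache: { msToLive: 900000, serverSide: { debug: false } },
  ui: { host: 'localhost', port: 4000, rateLimiter: { windowMs: 60000 },
        useProxies: true, futureServerOnlyKey: 'secret' },
};
```

With a denylist, `futureServerOnlyKey` would be written to the client file; with the allowlist it is omitted until someone explicitly lists it.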


/**
* Build app config with the following chain of override.
*
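Review bot: The `: any` return type on `removeServerSideConfig` discards the `AppConfig` typing at the point where the object is about to become public, so nothing at compile time ties the five `delete` lines to the shape of the config. Consider returning a dedicated client-side type (for instance one derived with `Omit`) so that callers are checked against the reduced shape. The lines `delete clientConfig.cache.serverSide` and `delete clientConfig.ui.rateLimiter` also dereference `cache` and `ui` without a guard; if either section can be absent here the function throws before the file is written, so an explicit check or optional chaining would be safer.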
Expand Down Expand Up @@ -247,7 +264,8 @@ export const buildAppConfig = (destConfigPath?: string): AppConfig => {
buildBaseUrl(appConfig.rest);

if (isNotEmpty(destConfigPath)) {
writeFileSync(destConfigPath, JSON.stringify(appConfig, null, 2));
const clientConfig = removeServerSideConfig(appConfig);
writeFileSync(destConfigPath, JSON.stringify(clientConfig, null, 2));

console.log(`Angular ${bold('config.json')} file generated correctly at ${bold(destConfigPath)} \n`);
}
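Review bot: Nothing in this hunk verifies what actually ends up in the file at `destConfigPath`, and the `console.log` still reports only that `config.json` was generated. A regression test that calls `buildAppConfig` with a temporary path, parses the written JSON and asserts that `rest.ssrBaseUrl`, `rest.hasSsrBaseUrl`, `cache.serverSide`, `ui.rateLimiter` and `ui.useProxies` are absent would keep this fix from silently regressing.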