Astro SSR node adapter returns (500 Internal Server Error) when bad x-forwarded-host is passed #13392

Open
@JLarky

Description

Astro Info

Astro                    v5.4.2
Node                     v20.17.0
System                   macOS (arm64)
Package Manager          unknown
Output                   static
Adapter                  @astrojs/node
Integrations             none

If this issue only occurs in one browser, which browser is a problem?

No response

Describe the Bug

  1. clone https://github.com/JLarky/astro-examples (it was created from an empty Astro + Node SSR project)
  2. cd astro-node-ssr-bug
  3. npm install
  4. in one terminal, run npm run build && npm run preview
  5. in another, run curl http://localhost:4321/test -H "x-forwarded-host: :123" (or anything else that isn't a valid value). Note the /test, because it works fine with /

The error happens because here the URL is created with string concatenation instead of doing something like url.hostname = hostname: https://github.com/withastro/astro/blob/main/packages/astro/src/core/app/node.ts#L90

Just to explain the backstory: we are using Astro on a website that gets periodic security scans, and part of those scans involves sending code that they hope will be executed; the end result is that the header contains invalid strings like {{echo stuff}} instead of real hostnames.

What's the expected result?

A wrong value of x-forwarded-host should be ignored.

Link to Minimal Reproducible Example

https://github.com/JLarky/astro-examples/tree/main/astro-node-ssr-bug

Participation

  • I am willing to submit a pull request for this issue.
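The failure described in this issue, as an added example that is not code from Astro or @astrojs/node: a naive builder that concatenates the raw x-forwarded-host value into `new URL()` (which throws on values such as `:123` or `{{echo stuff}}`), beside a hardened builder that validates x-forwarded-host and x-forwarded-proto and falls back to the Host header, then to the listen address, when the forwarded value is not a bare host[:port]. The header object is assumed to use lowercase keys as Node's `req.headers` does; the function names and the sample headers are constructed for this illustration.

```javascript
// Added example (not code from Astro or @astrojs/node). Shows why
// string-concatenating an unvalidated X-Forwarded-Host into `new URL()` throws,
// and one way to build the request URL so that a bad header value is ignored.
// Assumes `headers` uses lowercase keys, as Node's `req.headers` does.

// Before: the header value is trusted verbatim. `new URL("http://:123/test")`
// throws a TypeError, which surfaces as a 500 if nothing catches it.
function naiveRequestUrl(headers, requestPath) {
  const proto = headers["x-forwarded-proto"] || "http";
  const host = headers["x-forwarded-host"] || headers["host"];
  return new URL(`${proto}://${host}${requestPath}`);
}

const ALLOWED_PROTOS = new Set(["http", "https"]);

// Accept `value` only if it is a bare authority (host[:port]) for `proto`.
// Parsing it as a full URL rejects strings that are not a host at all
// (":123", "{{echo stuff}}", "a b"); the extra checks reject values that do
// parse but smuggle in userinfo, a path, a query or a fragment
// ("user@h", "evil.example/x", "h?q"). Returns the normalized host or null.
function validForwardedHost(value, proto) {
  if (typeof value !== "string") return null;
  // Proxy chains may join several values with commas; the first one is the
  // client-facing host.
  const candidate = value.split(",")[0].trim();
  if (candidate === "") return null;
  let parsed;
  try {
    parsed = new URL(`${proto}://${candidate}/`);
  } catch {
    return null;
  }
  if (parsed.username !== "" || parsed.password !== "") return null;
  if (parsed.pathname !== "/" || parsed.search !== "" || parsed.hash !== "") return null;
  return parsed.host; // lowercased, default port stripped, IPv6 kept bracketed
}

// Only http/https are meaningful here; anything else falls back to http.
function pickProto(headers) {
  const first = String(headers["x-forwarded-proto"] || "")
    .split(",")[0].trim().toLowerCase();
  return ALLOWED_PROTOS.has(first) ? first : "http";
}

// After: every header value is validated; an invalid X-Forwarded-Host is
// ignored in favour of Host, and then of the address the server listens on.
function resolveRequestUrl(headers, requestPath, listenHost) {
  const proto = pickProto(headers);
  const host =
    validForwardedHost(headers["x-forwarded-host"], proto) ??
    validForwardedHost(headers["host"], proto) ??
    listenHost;
  // Force a leading "/" so a request-target such as "*" or an absolute-form
  // URL can never be interpreted as scheme-relative and replace the host.
  const path = requestPath.startsWith("/") ? requestPath : `/${requestPath}`;
  return new URL(`${proto}://${host}${path}`);
}

// Constructed headers resembling the scanner traffic described in the issue.
const scannerHeaders = { host: "localhost:4321", "x-forwarded-host": "{{echo stuff}}" };
console.log(resolveRequestUrl(scannerHeaders, "/test", "localhost:4321").href);
// The hardened builder yields http://localhost:4321/test; the naive one throws.
```

The validation deliberately round-trips the candidate through the URL parser rather than matching it against a hand-written hostname regex, so it accepts everything the runtime itself considers a host (IDNs, bracketed IPv6 literals, explicit ports) and rejects everything it does not.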

Metadata

Labels

- P4: important (violates documented behavior or significantly impacts performance)

Milestone

No milestone

Development

No branches or pull requests
