fix(@angular/ssr): avoid caching non-SSG page lookups

Only cache CommonEngine SSG lookup results after the target file is
confirmed to be a prerendered SSG page.

Missing pages and static files without the SSG marker can be derived from
request URLs, so retaining those negative results allows attacker-controlled
paths to grow the process cache without bound.

Author: SkyZeroZx

packages/angular/ssr/node/src/common-engine/common-engine.ts

@@ -167,15 +167,15 @@ export class CommonEngine {
 
     if (pagePath === resolve(documentFilePath) || !(await exists(pagePath))) {
       // View matches with prerender path or file does not exist.
-      this.pageIsSSG.set(pagePath, false);
-
       return undefined;
     }
 
     // Static file exists.
     const content = await fs.promises.readFile(pagePath, 'utf-8');
     const isSSG = SSG_MARKER_REGEXP.test(content);
-    this.pageIsSSG.set(pagePath, isSSG);
+    if (isSSG) {
+      this.pageIsSSG.set(pagePath, true);
+    }
 
     return isSSG ? content : undefined;
   }