Skip to content

Commit

Permalink
ClientIP: check every proxy for trustiness (#2844)
Browse files Browse the repository at this point in the history
  • Loading branch information
agmt authored and thinkerou committed Nov 24, 2021
1 parent fc5d6dd commit 3b555a5
Show file tree
Hide file tree
Showing 2 changed files with 21 additions and 20 deletions.
39 changes: 20 additions & 19 deletions context.go
Original file line number Diff line number Diff line change
Expand Up @@ -759,7 +759,7 @@ func (c *Context) ClientIP() string {

if trusted && c.engine.ForwardedByClientIP && c.engine.RemoteIPHeaders != nil {
for _, headerName := range c.engine.RemoteIPHeaders {
ip, valid := validateHeader(c.requestHeader(headerName))
ip, valid := c.engine.validateHeader(c.requestHeader(headerName))
if valid {
return ip
}
Expand All @@ -768,6 +768,17 @@ func (c *Context) ClientIP() string {
return remoteIP.String()
}

func (e *Engine) isTrustedProxy(ip net.IP) bool {
if e.trustedCIDRs != nil {
for _, cidr := range e.trustedCIDRs {
if cidr.Contains(ip) {
return true
}
}
}
return false
}

// RemoteIP parses the IP from Request.RemoteAddr, normalizes and returns the IP (without the port).
// It also checks if the remoteIP is a trusted proxy or not.
// In order to perform this validation, it will see if the IP is contained within at least one of the CIDR blocks
Expand All @@ -782,35 +793,25 @@ func (c *Context) RemoteIP() (net.IP, bool) {
return nil, false
}

if c.engine.trustedCIDRs != nil {
for _, cidr := range c.engine.trustedCIDRs {
if cidr.Contains(remoteIP) {
return remoteIP, true
}
}
}

return remoteIP, false
return remoteIP, c.engine.isTrustedProxy(remoteIP)
}

func validateHeader(header string) (clientIP string, valid bool) {
func (e *Engine) validateHeader(header string) (clientIP string, valid bool) {
if header == "" {
return "", false
}
items := strings.Split(header, ",")
for i, ipStr := range items {
ipStr = strings.TrimSpace(ipStr)
for i := len(items) - 1; i >= 0; i-- {
ipStr := strings.TrimSpace(items[i])
ip := net.ParseIP(ipStr)
if ip == nil {
return "", false
}

// We need to return the first IP in the list, but,
// we should not early return since we need to validate that
// the rest of the header is syntactically valid
if i == 0 {
clientIP = ipStr
valid = true
// X-Forwarded-For is appended by proxy
// Check IPs in reverse order and stop when find untrusted proxy
if (i == 0) || (!e.isTrustedProxy(ip)) {
return ipStr, true
}
}
return
Expand Down
2 changes: 1 addition & 1 deletion context_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -1421,7 +1421,7 @@ func TestContextClientIP(t *testing.T) {

// Only trust RemoteAddr
_ = c.engine.SetTrustedProxies([]string{"40.40.40.40"})
assert.Equal(t, "20.20.20.20", c.ClientIP())
assert.Equal(t, "30.30.30.30", c.ClientIP())

// All steps are trusted
_ = c.engine.SetTrustedProxies([]string{"40.40.40.40", "30.30.30.30", "20.20.20.20"})
Expand Down

0 comments on commit 3b555a5

Please sign in to comment.