
Consistent formatting of IPv6 host in forwarded header handling #34253

Closed
ZIRAKrezovic opened this issue Jan 13, 2025 · 6 comments
Labels: in: web (Issues in web modules: web, webmvc, webflux, websocket), type: enhancement (A general enhancement)

Comments

@ZIRAKrezovic

I originally submitted the issue to spring-cloud-gateway, so pardon the reproducer name.

In the RFC section on Forwarded and X-Forwarded compatibility [1], there is an issue when X-Forwarded-For contains an IPv6 address as the first entry. I could reproduce this only via Cloudflare with an ISP that offers a dual IP stack.

The X-Forwarded-For header that is received from Cloudflare when the source IP is a real IPv6 address is shown below (fully anonymized, of course).

Consider the following

   Note that IPv6 addresses may not be quoted in
   X-Forwarded-For and may not be enclosed by square brackets, but they
   are quoted and enclosed in square brackets in "Forwarded".

       X-Forwarded-For: 192.0.2.43, 2001:db8:cafe::17

   becomes:

       Forwarded: for=192.0.2.43, for="[2001:db8:cafe::17]"

When using an X-Forwarded-For header such as

X-Forwarded-For: fd00:fefe:1::4, 192.168.0.1

The org.springframework.web.util.ForwardedHeaderUtils produces an InetHostAddress without square brackets "[]"

When using an equivalent Forwarded header, the InetHostAddress is present WITH square brackets "[]"

Forwarded: for="[fd00:fefe:1::4]", for=192.168.0.1

It would be nice if both would return the same format.

Reproducer https://github.com/ZIRAKrezovic/gateway-reproducer

Simply run ./mvnw clean verify

Adjust DemoApplicationSimpleTests to switch between X-Forwarded-For and Forwarded as shown above.

[1] https://datatracker.ietf.org/doc/html/rfc7239#section-7.4

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged or decided on label Jan 13, 2025
@bclozel bclozel added the in: web Issues in web modules (web, webmvc, webflux, websocket) label Jan 13, 2025
@rstoyanchev rstoyanchev self-assigned this Jan 13, 2025
@rstoyanchev rstoyanchev added type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged or decided on labels Jan 13, 2025
@rstoyanchev rstoyanchev added this to the 7.0.0-M1 milestone Jan 13, 2025
@rstoyanchev
Contributor

We can add the square brackets in the x-forwarded-for case to match the RFC forwarded header syntax.

@rstoyanchev rstoyanchev changed the title Inconsistent X-Forwarded-For and Forwarded header handling for IPv6 source address Consistent formatting of IPv6 host in forwarded header handling Jan 13, 2025
rstoyanchev added a commit that referenced this issue Jan 15, 2025
See gh-34253
@krezovic

Hi @rstoyanchev - I believe only IPv6 should be enclosed within square brackets. This is true for "Forwarded" handling. If you enclose IPv4 within square brackets then it's again inconsistent.

@rstoyanchev rstoyanchev reopened this Jan 27, 2025
@rstoyanchev
Contributor

Good point. In that case, we might not be able to do this. I'm not sure there is an easy way to tell them apart.

@krezovic

The obvious difference is that IPv6 blocks are separated by colon : rather than dot .

@rstoyanchev rstoyanchev modified the milestones: 7.0.0-M1, 7.0.0-M2 Jan 28, 2025
@rstoyanchev
Contributor

I was thinking of an address with a port, but "X-Forwarded-For" is just a host, so it should be an easy check indeed.

@ZIRAKrezovic
Author

Even with a port, IPv6 will always contain more than one `:`, and may even contain `::`. But you don't need to validate an IPv6 address only to detect it.
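The following is an added, self-contained example (not Spring Framework code, and not the reproducer linked in the issue) that puts the whole thread together: it takes the first client entry from either an X-Forwarded-For or an RFC 7239 Forwarded header and renders the host the same way in both cases, IPv6 literals always bracketed and IPv4 literals never. The class name ForwardedHostNormalizer, the Client record and the method names are assumptions made for this illustration; the "one colon means IPv6" check is the heuristic proposed above and only detects, it does not validate. Requires Java 17 or later (records).

```java
import java.util.Locale;

/**
 * Added example (not Spring Framework code): normalise the client host from
 * either an X-Forwarded-For or an RFC 7239 Forwarded header so that IPv6
 * literals always come out in square brackets and IPv4 literals never do.
 */
public final class ForwardedHostNormalizer {

    /** One parsed "for" entry: host as it should be rendered, plus optional port (-1 if absent). */
    public record Client(String host, int port) {
        @Override
        public String toString() {
            return port > 0 ? host + ":" + port : host;
        }
    }

    /**
     * X-Forwarded-For carries bare hosts: no ports, no quoting, no brackets.
     * An IPv6 literal is therefore the only value that can contain a colon,
     * so a single colon is enough to detect it (this is the detection
     * heuristic from the thread; it does not validate the address).
     */
    public static Client fromXForwardedFor(String headerValue) {
        String first = headerValue.split(",")[0].trim();
        return new Client(bracketIfIpv6(first), -1);
    }

    /**
     * Forwarded "for" values may be quoted, IPv6 must already be bracketed,
     * and either family may carry a port ("[2001:db8::1]:4711", "192.0.2.43:47011").
     */
    public static Client fromForwarded(String headerValue) {
        String first = headerValue.split(",")[0].trim();
        String value = null;
        for (String pair : first.split(";")) {
            String[] kv = pair.trim().split("=", 2);
            if (kv.length == 2 && kv[0].trim().toLowerCase(Locale.ROOT).equals("for")) {
                value = kv[1].trim();
                break;
            }
        }
        if (value == null) {
            throw new IllegalArgumentException("no for= parameter in: " + first);
        }
        if (value.length() >= 2 && value.startsWith("\"") && value.endsWith("\"")) {
            value = value.substring(1, value.length() - 1);   // drop the quoting
        }
        if (value.startsWith("[")) {
            int close = value.indexOf(']');
            if (close < 0) {
                throw new IllegalArgumentException("unterminated IPv6 literal: " + value);
            }
            String host = value.substring(0, close + 1);       // keep the brackets as-is
            String rest = value.substring(close + 1);
            int port = rest.startsWith(":") ? Integer.parseInt(rest.substring(1)) : -1;
            return new Client(host, port);
        }
        // Not bracketed: per RFC 7239 an IPv6 literal would have been bracketed,
        // so exactly one colon can only be an IPv4 (or name) host with a port.
        int colon = value.indexOf(':');
        if (colon >= 0 && value.indexOf(':', colon + 1) < 0) {
            return new Client(value.substring(0, colon), Integer.parseInt(value.substring(colon + 1)));
        }
        // Lenient fallback for a non-compliant bare IPv6 literal: treat it like X-Forwarded-For.
        return new Client(bracketIfIpv6(value), -1);
    }

    /** Wrap in brackets if the literal looks like IPv6 (contains a colon) and is not already wrapped. */
    static String bracketIfIpv6(String host) {
        if (host.startsWith("[") && host.endsWith("]")) {
            return host;
        }
        return host.indexOf(':') >= 0 ? "[" + host + "]" : host;
    }

    public static void main(String[] args) {
        // Constructed header values mirroring the ones in the issue (not captured traffic).
        Client viaXff = fromXForwardedFor("fd00:fefe:1::4, 192.168.0.1");
        Client viaFwd = fromForwarded("for=\"[fd00:fefe:1::4]\", for=192.168.0.1");
        System.out.println(viaXff.host().equals(viaFwd.host())
                ? "consistent: " + viaXff
                : "inconsistent: " + viaXff + " vs " + viaFwd);

        System.out.println(fromXForwardedFor("192.0.2.43, 2001:db8:cafe::17"));
        System.out.println(fromForwarded("for=\"[2001:db8::1]:4711\";proto=https"));
        System.out.println(fromForwarded("for=192.0.2.43:47011"));
    }
}
```

Two practical caveats for anyone wiring something like this into a gateway. First, the first entry of either header is whatever the outermost hop chose to send, so it only identifies the client when every proxy in front of the application is trusted and overwrites or strips inbound forwarded headers; otherwise a client can put any literal there. Second, the colon heuristic is only safe for X-Forwarded-For because that header carries no port; for Forwarded, the bracket and quoting rules of RFC 7239 are what separate an IPv6 host from a host-with-port, which is why the two headers need separate parsing paths before they can be rendered identically.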
