Gateway: harden trusted proxy X-Forwarded-For parsing (#22429)

2026-05-09 05:37:41 +00:00 · 2026-02-20 23:59:20 -05:00
parent 35be87b09b
commit 07039dc089
3 changed files with 16 additions and 2 deletions
--- a/src/gateway/net.test.ts
+++ b/src/gateway/net.test.ts
@@ -145,12 +145,21 @@ describe("resolveGatewayClientIp", () => {
  it("returns forwarded client IP when the remote is a trusted proxy", () => {
    const ip = resolveGatewayClientIp({
      remoteAddr: "127.0.0.1",
-      forwardedFor: "10.0.0.2, 127.0.0.1",
+      forwardedFor: "127.0.0.1, 10.0.0.2",
      trustedProxies: ["127.0.0.1"],
    });
    expect(ip).toBe("10.0.0.2");
  });

+  it("does not trust the left-most X-Forwarded-For value when behind a trusted proxy", () => {
+    const ip = resolveGatewayClientIp({
+      remoteAddr: "127.0.0.1",
+      forwardedFor: "198.51.100.99, 10.0.0.9, 127.0.0.1",
+      trustedProxies: ["127.0.0.1"],
+    });
+    expect(ip).toBe("127.0.0.1");
+  });
+
  it("fails closed when trusted proxy headers are missing", () => {
    const ip = resolveGatewayClientIp({
      remoteAddr: "127.0.0.1",