github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-09 13:07:39 +00:00
Code Issues Packages Projects Releases Wiki Activity

refactor: clarify strict loopback proxy audit rules

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-22 11:34:56 +01:00
parent 97eb4af01e
commit c283f87ab0
2 changed files with 32 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

52
src/security/audit.test.ts
View File

@@ -974,6 +974,20 @@ describe("security audit", () => {
});
it("scores X-Real-IP fallback risk by gateway exposure", async () => {
const trustedProxyCfg = (trustedProxies: string[]): OpenClawConfig => ({
gateway: {
bind: "loopback",
allowRealIpFallback: true,
trustedProxies,
auth: {
mode: "trusted-proxy",
trustedProxy: {
userHeader: "x-forwarded-user",
},
},
},
});
const cases: Array<{
name: string;
cfg: OpenClawConfig;
@@ -1011,36 +1025,22 @@ describe("security audit", () => {
},
{
name: "loopback trusted-proxy with loopback-only proxies",
cfg: {
gateway: {
bind: "loopback",
allowRealIpFallback: true,
trustedProxies: ["127.0.0.1"],
auth: {
mode: "trusted-proxy",
trustedProxy: {
userHeader: "x-forwarded-user",
},
},
},
},
cfg: trustedProxyCfg(["127.0.0.1"]),
expectedSeverity: "warn",
},
{
name: "loopback trusted-proxy with non-loopback proxy range",
cfg: {
gateway: {
bind: "loopback",
allowRealIpFallback: true,
trustedProxies: ["127.0.0.1", "10.0.0.0/8"],
auth: {
mode: "trusted-proxy",
trustedProxy: {
userHeader: "x-forwarded-user",
},
},
},
},
cfg: trustedProxyCfg(["127.0.0.1", "10.0.0.0/8"]),
expectedSeverity: "critical",
},
{
name: "loopback trusted-proxy with 127.0.0.2",
cfg: trustedProxyCfg(["127.0.0.2"]),
expectedSeverity: "critical",
},
{
name: "loopback trusted-proxy with 127.0.0.0/8 range",
cfg: trustedProxyCfg(["127.0.0.0/8"]),
expectedSeverity: "critical",
},
];