From d3698f4eb6c6749630284dfb9073cfc07a94415d Mon Sep 17 00:00:00 2001
From: Rain
Date: Mon, 16 Feb 2026 21:28:24 +0800
Subject: [PATCH] fix(gateway): trim trusted proxy entries before matching
---
 src/gateway/net.test.ts | 8 ++++++++
 src/gateway/net.ts | 10 +++++++---
 2 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/src/gateway/net.test.ts b/src/gateway/net.test.ts
index f9cddf6f271..722fd7fc7ea 100644
--- a/src/gateway/net.test.ts
+++ b/src/gateway/net.test.ts
@@ -22,6 +22,10 @@ describe("isTrustedProxyAddress", () => {
 true,
 );
 });
+
+ it("ignores surrounding whitespace in exact IP entries", () => {
+ expect(isTrustedProxyAddress("10.0.0.5", [" 10.0.0.5 "])).toBe(true);
+ });
 });
 describe("CIDR subnet matching", () => {
@@ -101,6 +105,10 @@ describe("isTrustedProxyAddress", () => {
 expect(isTrustedProxyAddress("10.42.0.59", ["10.42.0.0/-1"])).toBe(false); // negative prefix
 expect(isTrustedProxyAddress("10.42.0.59", ["invalid/24"])).toBe(false); // invalid IP
 });
+
+ it("ignores surrounding whitespace in CIDR entries", () => {
+ expect(isTrustedProxyAddress("10.42.0.59", [" 10.42.0.0/24 "])).toBe(true);
+ });
 });
 });
diff --git a/src/gateway/net.ts b/src/gateway/net.ts
index 20f54265169..a96e864605a 100644
--- a/src/gateway/net.ts
+++ b/src/gateway/net.ts
@@ -210,12 +210,16 @@ export function isTrustedProxyAddress(ip: string | undefined, trustedProxies?: s
 }
 return trustedProxies.some((proxy) => {
+ const candidate = proxy.trim();
+ if (!candidate) {
+ return false;
+ }
 // Handle CIDR notation
- if (proxy.includes("/")) {
- return ipMatchesCIDR(normalized, proxy);
+ if (candidate.includes("/")) {
+ return ipMatchesCIDR(normalized, candidate);
 }
 // Exact IP match
- return normalizeIp(proxy) === normalized;
+ return normalizeIp(candidate) === normalized;
 });
 }
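Review bot: The new `if (!candidate) return false;` branch in src/gateway/net.ts has no test; this case and the CIDR case in the second hunk only cover entries padded with spaces. Because the function decides which peers count as trusted proxies, I would pin the fail-closed behaviour with `expect(isTrustedProxyAddress("10.0.0.5", ["", "   "])).toBe(false);`. One entry padded with a tab or newline would also be worth adding, since `trim()` strips those too. The enclosing describe block starts outside the hunk.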
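Review bot: Blank and padded entries are now tolerated silently at match time, on every call, so an operator with a malformed trusted-proxy list gets no signal that the config needs fixing. Returning false for an empty candidate is the right default, but the guard deserves a comment such as `// Blank entries never match: fail closed instead of passing "" to normalizeIp.` If the list is also read elsewhere (not visible in this hunk), those readers still see the untrimmed strings, so trimming and validating once where the config is loaded would keep every trust decision consistent. The function starts above the hunk, where `normalized` is computed.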