fix: prevent IP check from failing for the proxies including the port…

… in the headers (#738)
ForestAdmin · Jun 10, 2021 · 810d0c1 · 810d0c1
1 parent 6adad56
commit 810d0c1
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 2 deletions.
diff --git a/package.json b/package.json
@@ -39,6 +39,7 @@
     "forest-ip-utils": "1.0.1",
     "http-errors": "1.7.3",
     "inflected": "2.0.4",
+    "ip-regex": "4.3.0",
     "ipaddr.js": "2.0.0",
     "jsonapi-serializer": "3.6.5",
     "jsonwebtoken": "8.5.1",

diff --git a/src/utils/get-ip-from-request.js b/src/utils/get-ip-from-request.js
@@ -1,13 +1,15 @@
 const ipAddr = require('ipaddr.js');
+const ipRegex = require('ip-regex');
 
 function getIpFromRequest(request) {
   /** @type {string} */
   const forwardedAddresses = request.headers['x-forwarded-for'];
+  const parsedIps = forwardedAddresses?.match(ipRegex());
 
-  if (forwardedAddresses) {
+  if (parsedIps?.length) {
     // If the ip chain contains multiple IPs, the last public IP from the chain is the only
     // one we can trust and it corresponds to real IP that contacted our own reverse proxy
-    return forwardedAddresses.split(',')
+    return parsedIps
       .reverse()
       .map((address) => address.trim())
       .find((address) => ipAddr.parse(address).range() !== 'private');

diff --git a/test/utils/get-ip-from-request.test.js b/test/utils/get-ip-from-request.test.js
@@ -17,6 +17,23 @@ describe('utils > getIpFromRequest', () => {
       expect(getIpFromRequest(request)).toStrictEqual('34.235.48.51');
     });
 
+    it('should not fail with the port in the ip', () => {
+      expect.assertions(1);
+
+      request.headers['x-forwarded-for'] = '10.0.10.117, 34.235.48.51:53465';
+
+      expect(getIpFromRequest(request)).toStrictEqual('34.235.48.51');
+    });
+
+    it('should fallback to remote address if the IP in the header is invalid', () => {
+      expect.assertions(1);
+
+      request.headers['x-forwarded-for'] = '10';
+      request.connection.remoteAddress = '1.2.3.4';
+
+      expect(getIpFromRequest(request)).toStrictEqual('1.2.3.4');
+    });
+
     describe('with a loopback in the header', () => {
       it('should return the loopback', () => {
         expect.assertions(1);

diff --git a/yarn.lock b/yarn.lock
@@ -5511,6 +5511,11 @@ ip-address@^5.8.9:
     lodash "^4.17.15"
     sprintf-js "1.1.2"
 
+[email protected]:
+  version "4.3.0"
+  resolved "https://registry.yarnpkg.com/ip-regex/-/ip-regex-4.3.0.tgz#687275ab0f57fa76978ff8f4dddc8a23d5990db5"
+  integrity sha512-B9ZWJxHHOHUhUjCPrMpLD4xEq35bUTClHM1S6CBU5ixQnkZmwipwgc96vAd7AAGM9TGHvJR+Uss+/Ak6UphK+Q==
+
 ip-regex@^2.1.0:
   version "2.1.0"
   resolved "https://registry.yarnpkg.com/ip-regex/-/ip-regex-2.1.0.tgz#fa78bf5d2e6913c911ce9f819ee5146bb6d844e9"