ClientIP() using X-Forwarded-For and X-Real-Ip should be opt-in

[wodim]

ClientIP() using X-Forwarded-For and X-Real-Ip by default without any kind of warning is appalling security-wise.

It is trivial for an attacker to spoof any IP address if the app is listening directly on a public port without a reverse proxy or if the reverse proxy is not properly configured. For example, if the reverse proxy is configured to use X-Real-Ip, it will seemingly work correctly, but X-Forwarded-For takes precedence so the remote IP address can still be spoofed.

[billyplus]

There is ForwardedByClientIP bool to check if clientip is forwarded.

r := gin.New()
r.ForwardedByClientIP = false

func (c *Context) ClientIP() string {
	if c.engine.ForwardedByClientIP {
		clientIP := c.requestHeader("X-Forwarded-For")
		clientIP = strings.TrimSpace(strings.Split(clientIP, ",")[0])
		if clientIP == "" {
			clientIP = strings.TrimSpace(c.requestHeader("X-Real-Ip"))
		}
		if clientIP != "" {
			return clientIP
		}
	}

[sorenisanerd]

#2474 helps a bit. It's still opt-out, but you can specify trusted proxies.

[sorenisanerd]

Not fixed, ffs.

gin/gin.go

Lines 161 to 162 in bfc8ca2

	RemoteIPHeaders: []string{"X-Forwarded-For", "X-Real-IP"},
	TrustedProxies: []string{"0.0.0.0/0"},