X-Forwarded-For header is not handled correctly
#4320
Labels
Comments
haines
changed the title
X-Forwarded-For header is not overwritten with updated valueX-Forwarded-For header is not handled correctly
haines
added a commit
to haines/cerbos
that referenced
this issue
May 14, 2024
grpc-ecosystem/grpc-gateway#4320 Signed-off-by: Andrew Haines <haines@cerbos.dev>
haines
added a commit
to haines/cerbos
that referenced
this issue
May 14, 2024
grpc-ecosystem/grpc-gateway#4320 Signed-off-by: Andrew Haines <haines@cerbos.dev>
haines
added a commit
to haines/cerbos
that referenced
this issue
May 14, 2024
grpc-ecosystem/grpc-gateway#4320 Signed-off-by: Andrew Haines <haines@cerbos.dev>
haines
added a commit
to haines/cerbos
that referenced
this issue
May 14, 2024
grpc-ecosystem/grpc-gateway#4320 Signed-off-by: Andrew Haines <haines@cerbos.dev>
haines
added a commit
to cerbos/cerbos
that referenced
this issue
May 14, 2024
This PR primarily aims to work around an issue with `X-Forwarded-For` handling in the gRPC-Gateway (grpc-ecosystem/grpc-gateway#4320). Given a remote IP of 4.4.4.4 sending incoming headers of ``` X-Forwarded-For: 1.1.1.1, 2.2.2.2 X-Forwarded-For: 3.3.3.3 ``` the resulting headers forwarded by the gRPC-gateway are ``` X-Forwarded-For: 1.1.1.1, 2.2.2.2 X-Forwarded-For: 3.3.3.3 X-Forwarded-For: 1.1.1.1, 2.2.2.2, 4.4.4.4 ``` The workaround I have added means that the resulting headers are ``` X-Forwarded-For: 1.1.1.1, 2.2.2.2 X-Forwarded-For: 3.3.3.3 X-Forwarded-For: 4.4.4.4 ``` We now join the values with `", "` rather than `"|"` to preserve the [de-facto standard syntax](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For#syntax). This PR also prevents spoofing the remote address in the audit logs by setting the `x-cerbos-http-remote-addr` header; currently we take that header into account even for requests not originating from the gRPC-Gateway where it should be set. Even in the case of requests from the gRPC-Gateway, our header is appended to the request headers, so we need to make sure to use the last value for the header, not the first. Signed-off-by: Andrew Haines <haines@cerbos.dev>
|
Thanks for your bug report! This seems like a clear bug. Would you be willing to help fix this? |
|
Yep, happy to, I'll submit a pull request tomorrow. |
haines
added a commit
to cerbos/cerbos
that referenced
this issue
May 17, 2024
…or` handling (#2157) grpc-ecosystem/grpc-gateway#4320 is now fixed, so we no longer need to rewrite the `X-Forwarded-For` header. Signed-off-by: Andrew Haines <haines@cerbos.dev>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
🐛 Bug Report
The remote IP is appended to the
X-Forwarded-Forheader, but the original value is not overwritten, leading to duplication.If multiple
X-Forwarded-Forheaders are present, the remote IP is appended to the first one, when it should be appended to the last one.To Reproduce
Expected behavior
Either
X-Forwarded-Forheader pair using", "as a delimiter, and that pair is replaced; orX-Forwarded-Forpair is appended; orX-Forwarded-Forpairs are merged by joining their values with the delimiter", "and the remote IP is appended.so that the resulting metadata contains either
or
or
Per https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For#parsing
Actual Behavior
With v2.19.1, the resulting metadata has
X-Forwarded-For: []string{"1.2.3.4, 5.6.7.8", "1.2.3.4, 5.6.7.8, ${remoteIP}"}The text was updated successfully, but these errors were encountered: