Change ActionDispatch::RemoteIp to not use HTTP_X_FORWARDED_FOR when REMOTE_ADDR is not a trusted proxy #51610
Motivation / Background

As pointed out in the documentation, using RemoteIp while accessible without a reverse proxy opens you to IP spoofing. Returning REMOTE_ADDR when that is not considered a trusted proxy should make that less likely.

Detail

The current implementation of RemoteIp assumes the Rails server is only directly accessible through a trusted reverse-proxy and requires users to filter the header or remove the middleware when that is not the case. While such misconfigurations are unlikely, it is also somewhat of an unsafe fallback mode, and returning REMOTE_ADDR instead of trusting X-Forwarded-For from an untrusted client should be better.

Additional information

In the test suite, there are cases where REMOTE_ADDR is unset. I don't know in which real-life situations this could happen, but if it does, the code essentially falls back to the old behavior of trusting the last X-Forwarded-For.

An alternative might be to raise an error when REMOTE_ADDR does not match one of the trusted proxies, as is done when Client-Ip and X-Forwarded-For are mismatched.

Checklist

Before submitting the PR make sure the following are checked:

[Fix #issue-number]
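The two behaviours the description contrasts, as an added example that is not part of the pull request and not Rails' own ActionDispatch::RemoteIp code: a simplified, dependency-free model of deriving a client IP from REMOTE_ADDR and X-Forwarded-For. `client_ip_trusting_header` follows the approach the description attributes to the current middleware (walk the header from the nearest hop, skip trusted proxies, fall back to REMOTE_ADDR only when everything is trusted); `client_ip_checking_peer` applies the proposed rule of returning REMOTE_ADDR outright when the peer is not a trusted proxy, and keeps the unset-REMOTE_ADDR fallback the description mentions. The trusted ranges, the function names and the sample Rack-style envs are this example's own assumptions, not values taken from the PR.

```ruby
require "ipaddr"

# Assumed trusted proxy ranges for this example (loopback, RFC 1918, ULA);
# not a copy of Rails' default list.
TRUSTED_PROXIES = %w[127.0.0.0/8 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 fc00::/7]
  .map { |range| IPAddr.new(range) }.freeze

# True when +str+ parses as an IPv4 or IPv6 address.
def valid_ip?(str)
  return false if str.nil? || str.empty?
  IPAddr.new(str)
  true
rescue IPAddr::Error, ArgumentError
  false
end

# True when +ip+ falls inside one of the trusted proxy ranges.
def trusted_proxy?(ip, proxies = TRUSTED_PROXIES)
  return false unless valid_ip?(ip)
  addr = IPAddr.new(ip)
  proxies.any? { |range| range.include?(addr) }
end

# X-Forwarded-For is attacker-controlled text: keep only syntactically valid
# hops, in the order they appear (farthest hop first, nearest hop last).
def forwarded_hops(header)
  return [] if header.nil?
  header.split(",").map(&:strip).select { |hop| valid_ip?(hop) }
end

# Model of the behaviour the PR description calls the current one: the header
# is consulted whoever sent the request. Hops are examined nearest-first, trusted
# proxies are skipped, and the first remaining hop wins; REMOTE_ADDR is only the
# last resort. A direct client therefore chooses its own "client IP".
def client_ip_trusting_header(env, proxies = TRUSTED_PROXIES)
  remote = env["REMOTE_ADDR"].to_s
  candidates = forwarded_hops(env["HTTP_X_FORWARDED_FOR"]).reverse
  candidates << remote if valid_ip?(remote)
  untrusted = candidates.reject { |hop| trusted_proxy?(hop, proxies) }
  untrusted.first || (valid_ip?(remote) ? remote : nil)
end

# Model of the proposed rule: if the TCP peer is not a trusted proxy, nobody
# we trust vouched for X-Forwarded-For, so REMOTE_ADDR is the client. When
# REMOTE_ADDR is unset there is nothing to check, which is the fallback to
# the old behaviour that the description points out.
def client_ip_checking_peer(env, proxies = TRUSTED_PROXIES)
  remote = env["REMOTE_ADDR"].to_s
  if valid_ip?(remote) && !trusted_proxy?(remote, proxies)
    remote
  else
    client_ip_trusting_header(env, proxies)
  end
end

# Constructed Rack-style envs for the cases discussed above (not real traffic).
SPOOF_ATTEMPT = { "REMOTE_ADDR" => "203.0.113.9",            # direct client
                  "HTTP_X_FORWARDED_FOR" => "198.51.100.7" }  # forged header
VIA_PROXY     = { "REMOTE_ADDR" => "10.0.0.5",               # trusted proxy
                  "HTTP_X_FORWARDED_FOR" => "198.51.100.7, 10.0.0.4" }
NO_REMOTE     = { "HTTP_X_FORWARDED_FOR" => "bogus, 198.51.100.7" }

if $PROGRAM_NAME == __FILE__
  { "spoof attempt" => SPOOF_ATTEMPT, "via proxy" => VIA_PROXY,
    "REMOTE_ADDR unset" => NO_REMOTE }.each do |label, env|
    puts "#{label}: trusting header => #{client_ip_trusting_header(env).inspect}, " \
         "checking peer => #{client_ip_checking_peer(env).inspect}"
  end
end
```

Run with `ruby remote_ip_model.rb`: for the spoof attempt the header-trusting model reports the forged 198.51.100.7 while the peer-checking model reports the real peer 203.0.113.9; for the request that arrived through the trusted proxy both agree on 198.51.100.7; with REMOTE_ADDR unset both models still take the last valid X-Forwarded-For entry, which is the residual case the description flags.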