Move TrackTrueClientIp middleware into saas engine (#2677)

The True-Client-IP header is set by Cloudflare and is only trustworthy
when behind a Cloudflare proxy. In non-Cloudflare deployments, this
header is attacker-controlled and can be used to spoof IP addresses.

Moving the middleware into the saas engine ensures it only loads for our
Cloudflare-fronted production deployment, not for self-hosted OSS
instances.

GHSA-cpch-9qg2-x8fq
This commit is contained in:
Mike Dalessio
2026-03-09 15:14:17 -04:00
committed by GitHub
parent 723c8180b4
commit b6ea558de8
3 changed files with 5 additions and 2 deletions
+5
View File
@@ -1,4 +1,5 @@
require_relative "transaction_pinning"
require_relative "true_client_ip"
require_relative "signup"
require_relative "authorization"
require_relative "gvl_instrumentation"
@@ -61,6 +62,10 @@ module Fizzy
app.config.middleware.insert_after(ActiveRecord::Middleware::DatabaseSelector, TransactionPinning::Middleware)
end
initializer "fizzy_saas.true_client_ip" do |app|
app.config.middleware.insert_before ActionDispatch::RemoteIp, TrackTrueClientIp
end
initializer "fizzy_saas.gvl_instrumentation" do |app|
app.config.middleware.insert_before(Rack::Runtime, GvlInstrumentation)
end
@@ -20,5 +20,3 @@ class TrackTrueClientIp
@app.call(env)
end
end
Rails.application.config.middleware.insert_before ActionDispatch::RemoteIp, TrackTrueClientIp