Move TrackTrueClientIp middleware into saas engine (#2677)
The True-Client-IP header is set by Cloudflare and is only trustworthy when behind a Cloudflare proxy. In non-Cloudflare deployments, this header is attacker-controlled and can be used to spoof IP addresses. Moving the middleware into the saas engine ensures it only loads for our Cloudflare-fronted production deployment, not for self-hosted OSS instances. GHSA-cpch-9qg2-x8fq
This commit is contained in:
@@ -1,34 +0,0 @@
|
||||
require "test_helper"
|
||||
|
||||
class TrackTrueClientIpTest < ActiveSupport::TestCase
|
||||
setup do
|
||||
@app = ->(env) { [ 200, {}, [ "OK" ] ] }
|
||||
@middleware = TrackTrueClientIp.new(@app)
|
||||
end
|
||||
|
||||
test "sets X-Forwarded-For header when True-Client-IP header is present" do
|
||||
env = { "HTTP_TRUE_CLIENT_IP" => "123.123.123.123" }
|
||||
@middleware.call(env)
|
||||
assert_equal "123.123.123.123", env["HTTP_X_FORWARDED_FOR"]
|
||||
end
|
||||
|
||||
test "does not modify environment when True-Client-IP header is absent" do
|
||||
env = {}
|
||||
@middleware.call(env)
|
||||
assert_nil env["HTTP_X_FORWARDED_FOR"]
|
||||
|
||||
env = { "HTTP_X_FORWARDED_FOR" => "234.234.234.234" }
|
||||
@middleware.call(env)
|
||||
assert_equal "234.234.234.234", env["HTTP_X_FORWARDED_FOR"]
|
||||
end
|
||||
|
||||
test "calls the next middleware in the stack" do
|
||||
called = false
|
||||
app = ->(env) { called = true; [ 200, {}, [ "OK" ] ] }
|
||||
middleware = TrackTrueClientIp.new(app)
|
||||
|
||||
middleware.call({})
|
||||
|
||||
assert called
|
||||
end
|
||||
end
|
||||
Reference in New Issue
Block a user