Move TrackTrueClientIp middleware into saas engine (#2677)
The True-Client-IP header is set by Cloudflare and is only trustworthy when behind a Cloudflare proxy. In non-Cloudflare deployments, this header is attacker-controlled and can be used to spoof IP addresses. Moving the middleware into the saas engine ensures it only loads for our Cloudflare-fronted production deployment, not for self-hosted OSS instances. GHSA-cpch-9qg2-x8fq
This commit is contained in:
@@ -1,4 +1,5 @@
|
|||||||
require_relative "transaction_pinning"
|
require_relative "transaction_pinning"
|
||||||
|
require_relative "true_client_ip"
|
||||||
require_relative "signup"
|
require_relative "signup"
|
||||||
require_relative "authorization"
|
require_relative "authorization"
|
||||||
require_relative "gvl_instrumentation"
|
require_relative "gvl_instrumentation"
|
||||||
@@ -61,6 +62,10 @@ module Fizzy
|
|||||||
app.config.middleware.insert_after(ActiveRecord::Middleware::DatabaseSelector, TransactionPinning::Middleware)
|
app.config.middleware.insert_after(ActiveRecord::Middleware::DatabaseSelector, TransactionPinning::Middleware)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
initializer "fizzy_saas.true_client_ip" do |app|
|
||||||
|
app.config.middleware.insert_before ActionDispatch::RemoteIp, TrackTrueClientIp
|
||||||
|
end
|
||||||
|
|
||||||
initializer "fizzy_saas.gvl_instrumentation" do |app|
|
initializer "fizzy_saas.gvl_instrumentation" do |app|
|
||||||
app.config.middleware.insert_before(Rack::Runtime, GvlInstrumentation)
|
app.config.middleware.insert_before(Rack::Runtime, GvlInstrumentation)
|
||||||
end
|
end
|
||||||
|
|||||||
@@ -20,5 +20,3 @@ class TrackTrueClientIp
|
|||||||
@app.call(env)
|
@app.call(env)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
Rails.application.config.middleware.insert_before ActionDispatch::RemoteIp, TrackTrueClientIp
|
|
||||||
Reference in New Issue
Block a user