Files
fizzy/saas/test/lib/true_client_ip_test.rb
T
Mike Dalessio b6ea558de8 Move TrackTrueClientIp middleware into saas engine (#2677)
The True-Client-IP header is set by Cloudflare and is only trustworthy
when behind a Cloudflare proxy. In non-Cloudflare deployments, this
header is attacker-controlled and can be used to spoof IP addresses.

Moving the middleware into the saas engine ensures it only loads for our
Cloudflare-fronted production deployment, not for self-hosted OSS
instances.

GHSA-cpch-9qg2-x8fq
2026-03-09 15:14:17 -04:00

35 lines
960 B
Ruby

require "test_helper"
class TrackTrueClientIpTest < ActiveSupport::TestCase
setup do
@app = ->(env) { [ 200, {}, [ "OK" ] ] }
@middleware = TrackTrueClientIp.new(@app)
end
test "sets X-Forwarded-For header when True-Client-IP header is present" do
env = { "HTTP_TRUE_CLIENT_IP" => "123.123.123.123" }
@middleware.call(env)
assert_equal "123.123.123.123", env["HTTP_X_FORWARDED_FOR"]
end
test "does not modify environment when True-Client-IP header is absent" do
env = {}
@middleware.call(env)
assert_nil env["HTTP_X_FORWARDED_FOR"]
env = { "HTTP_X_FORWARDED_FOR" => "234.234.234.234" }
@middleware.call(env)
assert_equal "234.234.234.234", env["HTTP_X_FORWARDED_FOR"]
end
test "calls the next middleware in the stack" do
called = false
app = ->(env) { called = true; [ 200, {}, [ "OK" ] ] }
middleware = TrackTrueClientIp.new(app)
middleware.call({})
assert called
end
end