perwendel / spark

A simple expressive web framework for java. Spark has a kotlin DSL https://github.com/perwendel/spark-kotlin
Apache License 2.0

Seemingly no ability to retrieve real remote IP address #1135

Open timw6n opened 4 years ago

timw6n commented 4 years ago

As part of https://github.com/perwendel/spark/issues/320 support for X-Forwarded-For (and friends) seems to have been added by virtue of including ForwardedRequestCustomizer.

Looks like there's now no way to get to the underlying "real" client IP address and similar. This isn't a massive issue for servers behind a reverse proxy (though might be worth documenting prominently that all the headers in the customizer javadoc need removing by said proxy if set on inbound requests) but for servers standing alone I can't see a way to stop the application potentially receiving spoofed info.

Would it be possible to create separate request.forwardedIp() / request.connectedIp() methods, or at least a switch to turn off the "behind a proxy" behaviour?

Similarly, the support for X-HTTP-Method-Override could be a trap for unwary users trying to restrict certain endpoints by e.g. firewall rules, and should perhaps be an optional extra.

NeilMadden commented 4 years ago

I've just run into this behaviour as well. This is also a potential security issue as trusting the X-Forwarded-* headers when you are not running behind a reverse proxy (or the proxy hasn't been configured to strip these headers from incoming requests) allows the client to spoof their IP address and a whole bunch of other information (including even SSL session IDs and cipher suites in the Jetty implementation). This can at least result in spoofed access logs and in the worst case can result in authorization bypasses if IP-based filtering is being performed.

Trusting these headers should be disabled by default and strictly opt-in.
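One way to implement the strict opt-in trust model this comment asks for, as an added example that is not Spark's or Jetty's own code: a hypothetical `ClientIpResolver` that takes the socket peer address and the raw `X-Forwarded-For` value and honours the header only when the peer is a proxy the operator configured. The proxy address `10.0.0.5` and the client addresses `203.0.113.9` and `198.51.100.7` are constructed sample values.

```java
import java.util.Set;

/** Resolves the client address with proxy trust strictly opt-in (hypothetical helper, not Spark API). */
public final class ClientIpResolver {
    private final Set<String> trustedProxies; // empty set = never trust forwarding headers

    public ClientIpResolver(Set<String> trustedProxies) {
        this.trustedProxies = Set.copyOf(trustedProxies);
    }

    /**
     * @param connectedIp   address of the TCP peer, i.e. what the socket itself reports
     * @param xForwardedFor raw X-Forwarded-For header value, or null if the header is absent
     * @return the address to treat as the client for access logs and IP-based filtering
     */
    public String resolve(String connectedIp, String xForwardedFor) {
        // Stand-alone server, or a peer that is not one of our proxies: the header is
        // client-supplied data and must be ignored, whatever it claims.
        if (!trustedProxies.contains(connectedIp) || xForwardedFor == null) {
            return connectedIp;
        }
        // Header is "client, proxy1, proxy2": each proxy appends the peer it saw. Walk from
        // the right and return the first hop that is not a proxy we trust; anything further
        // left was written by an untrusted party and may be spoofed.
        String[] hops = xForwardedFor.split(",");
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (!hop.isEmpty() && !trustedProxies.contains(hop)) {
                return hop;
            }
        }
        // Every hop was a trusted proxy: malformed chain, fall back to the peer address.
        return connectedIp;
    }

    public static void main(String[] args) {
        ClientIpResolver standalone = new ClientIpResolver(Set.of());
        ClientIpResolver behindProxy = new ClientIpResolver(Set.of("10.0.0.5"));
        // Stand-alone server: a client claiming to be localhost via the header is still 203.0.113.9.
        System.out.println("standalone: " + standalone.resolve("203.0.113.9", "127.0.0.1"));
        // Behind the configured proxy: use the hop the proxy appended, not the value the client injected.
        System.out.println("via proxy:  " + behindProxy.resolve("10.0.0.5", "127.0.0.1, 203.0.113.9"));
        // Header arriving from a peer that is not the configured proxy is ignored.
        System.out.println("other peer: " + behindProxy.resolve("198.51.100.7", "127.0.0.1"));
    }
}
```

With an empty trusted-proxy set the resolver never reads the header, which is the default the comment argues for; enabling proxy support then means listing the proxy addresses explicitly.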