petio-team / petio

Petio Request, Discover, Review
https://petio.tv
MIT License
251 stars 28 forks

x-forwarded-for header not properly splitting #352

Closed RyleaStark closed 3 years ago

RyleaStark commented 3 years ago

Occasionally some proxies can be configured to return multiple IP addresses in the x-forwarded-for header. You should account for the possibility of this scenario by preparing with a split and pop, as the list will return as such: xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx

Code reference: https://github.com/petio-team/petio/blob/882605a826dd9c20578ec56037424bf9db22c183/api/app.js#L151

ADRFranklin commented 3 years ago

What are you expecting here? Are you expecting just a prettier way to represent the list of addresses?

Because we don't do any comparison of these IPs to validate them against a list of trusted IPs, I don't see a reason to do anything else with them. Unless we are deciding to add some security to protect against invalid reversed IPs or something.
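
An added example, not part of this thread or of Petio's code: one way to split a multi-address X-Forwarded-For value and combine it with the trusted-proxy comparison raised above, which goes beyond a plain split and pop. The names `clientIp`, `parseXff`, `looksLikeIp` and `TRUSTED_PROXIES`, and all addresses, are assumptions constructed for illustration.

```javascript
// Added example; all names and addresses here are hypothetical, not Petio code.

// Constructed sample: addresses of reverse proxies this deployment operates.
const TRUSTED_PROXIES = new Set(["10.0.0.5", "10.0.0.6"]);

// Loose syntactic check (assumption: enough to reject junk such as "unknown"
// or injected text; use a real IP parser in production).
function looksLikeIp(s) {
  const v4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (v4) return v4.slice(1).every((o) => Number(o) <= 255);
  return /^[0-9a-fA-F:]+$/.test(s) && s.split(":").length >= 3;
}

// Split the header into hops. Proxies append, so the leftmost entry is
// client-supplied and the rightmost was written by the nearest proxy.
function parseXff(headerValue) {
  if (typeof headerValue !== "string") return [];
  return headerValue.split(",").map((h) => h.trim()).filter((h) => h !== "");
}

// socketAddr is the TCP peer address (req.socket.remoteAddress in Node).
function clientIp(headerValue, socketAddr, trusted = TRUSTED_PROXIES) {
  // A direct peer that is not one of our proxies can send any header it likes.
  if (!trusted.has(socketAddr)) return socketAddr;
  let lastVerified = socketAddr;
  const hops = parseXff(headerValue);
  // Walk right to left, stopping at the first hop we do not operate.
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!looksLikeIp(hops[i])) return lastVerified; // malformed: stop here
    if (!trusted.has(hops[i])) return hops[i];      // first untrusted hop
    lastVerified = hops[i];
  }
  return lastVerified;
}
```

Entries to the left of the first untrusted hop are never returned, so a value a client prepends to the header does not end up in logs or access decisions.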