Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

RateLimit didn't check if trusted proxy send the header x-forwarded-for #343

Open
thib3113 opened this issue Nov 28, 2023 · 4 comments
Open

Comments

@thib3113
Copy link
Contributor

thib3113 commented Nov 28, 2023

Just found this reading the code :

https://github.com/moleculerjs/moleculer-web/blob/master/src/index.js#L1351C47-L1351C47

let opts = Object.assign({}, {
	window: 60 * 1000,
	limit: 30,
	headers: false,
	key: (req) => {
		return req.headers["x-forwarded-for"] ||
			req.connection.remoteAddress ||
			req.socket.remoteAddress ||
			req.connection.socket.remoteAddress;
	}
}, rateLimit);

getting ip from x-forwarded-for without checking if connection.remoteAddress is a trusted proxy is a security problem .

because I can send the header x-forwarded-for manually .

( not a big problem, but keep in mind that someone can bypass the rate limiter ) .

Also, while headers are lowercase in node.js, this is not the case for all implementations. For example, node.js in AWS Lambda does not convert headers to lowercase.

@icebob
Copy link
Member

icebob commented Dec 17, 2023

What is your proposal?

@thib3113
Copy link
Contributor Author

@icebob in fact ... just let the user the responsibility of getting the ip .

Else, we need to manage trusted proxies, and so parse the x-forwarded-for header, to extract the first "not trusted proxy" . Also, sometimes "trusted proxies" can be a cidr, so, we need to check if the ips come from the cidr .... not an esay task .

Also, I think managing trusted proxies (like express do), can be interesting for moleculer-web … but It's not an easy task

@icebob
Copy link
Member

icebob commented Dec 17, 2023

Ok, but as you see, it's covered, because this logic just a default value, you can overwrite it in rateLimit options.

@thib3113
Copy link
Contributor Author

yes I know for the default value . But if it's only a default value, I think it's better to don't use the header req.headers["x-forwarded-for"] .

Users without reverse proxy will be secure, and user with reverse proxy will need to adapt correctly depending on the reverse proxy configuration

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants