sanitize x-forwarded-for header (#7122)

Many proxies (NGINX included) will generate a list of IPs in v4 and
v6 formats.  The forwarded-for library is a well-maintained library for
express that sanitizes, checks, and validates trusted proxy IPs.  This helps
eliminate XSS or other attempts to inject invalid material through the
x-forwarded-for header.

Co-authored-by: Sulka Haro <[email protected]>

lib/api/status.js

@@ -2,6 +2,7 @@
 
 function configure (app, wares, env, ctx) {
   var express = require('express'),
+    forwarded = require('forwarded-for'),
     api = express.Router( )
     ;
 
@@ -21,7 +22,8 @@ function configure (app, wares, env, ctx) {
     var authToken = req.query.token || req.query.secret || '';
 
     function getRemoteIP (req) {
-      return req.headers['x-forwarded-for'] || req.connection.remoteAddress;
+      const address = forwarded(req, req.headers);
+      return address.ip;
     }
 
     var date = new Date();

lib/api3/security.js

@@ -4,11 +4,13 @@ const apiConst = require('./const.json')
   , _ = require('lodash')
   , shiroTrie = require('shiro-trie')
   , opTools = require('./shared/operationTools')
+  , forwarded = require('forwarded-for')
   ;
 
 
 function getRemoteIP (req) {
-  return req.headers['x-forwarded-for'] || req.connection.remoteAddress;
+  const address = forwarded(req, req.headers);
+  return address.ip;
 }
 
 

lib/api3/storageSocket.js

@@ -1,6 +1,7 @@
 'use strict';
 
 const apiConst = require('./const');
+const forwarded = require('forwarded-for');
 
 /**
  * Socket.IO broadcaster of any storage change
@@ -28,7 +29,8 @@ function StorageSocket (app, env, ctx) {
     self.namespace = io.of(NAMESPACE);
     self.namespace.on('connection', function onConnected (socket) {
 
-      const remoteIP = socket.request.headers['x-forwarded-for'] || socket.request.connection.remoteAddress;
+      const address = forwarded(socket.request, socket.request.headers);
+      const remoteIP = address.ip;
       console.log(LOG + 'Connection from client ID: ', socket.client.id, ' IP: ', remoteIP);
 
       socket.on('disconnect', function onDisconnect () {
@@ -142,4 +144,4 @@ function StorageSocket (app, env, ctx) {
   }
 }
 
-module.exports = StorageSocket;
+module.exports = StorageSocket;

lib/authorization/index.js

@@ -6,9 +6,11 @@ const shiroTrie = require('shiro-trie');
 
 const consts = require('./../constants');
 const sleep = require('util').promisify(setTimeout);
+const forwarded = require('forwarded-for');
 
 function getRemoteIP (req) {
-  return req.headers['x-forwarded-for'] || req.connection.remoteAddress;
+  const address = forwarded(req, req.headers);
+  return address.ip;
 }
 
 function init (env, ctx) {

lib/server/websocket.js

@@ -3,6 +3,7 @@
 var times = require('../times');
 var calcData = require('../data/calcdelta');
 var ObjectID = require('mongodb').ObjectID;
+const forwarded = require('forwarded-for');
 
 function init (env, ctx, server) {
 
@@ -127,7 +128,8 @@ function init (env, ctx, server) {
       var timeDiff;
       var history;
 
-      var remoteIP = socket.request.headers['x-forwarded-for'] || socket.request.connection.remoteAddress;
+      const address = forwarded(socket.request, socket.request.headers);
+      const remoteIP = address.ip;
       console.log(LOG_WS + 'Connection from client ID: ', socket.client.id, ' IP: ', remoteIP);
 
       io.emit('clients', ++watchers);

package.json

@@ -98,6 +98,7 @@
     "fast-password-entropy": "^1.1.1",
     "file-loader": "^6.2.0",
     "flot": "^0.8.3",
+    "forwarded-for": "^1.1.0",
     "helmet": "^4.0.0",
     "jquery": "^3.5.1",
     "jquery-ui-bundle": "^1.12.1-migrate",