From 89c35127563a3cb34210fa051c425d1bb04684d6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dariusz=20J=C4=99drzejczyk?= Date: Tue, 1 Oct 2024 11:40:05 +0200 Subject: [PATCH] Validating X-Forwarded-Prefix contains a slash --- .../DefaultHttpForwardedHeaderHandler.java | 6 ++++- .../http/server/ConnectionInfoTests.java | 24 +++++++++++++++---- 2 files changed, 25 insertions(+), 5 deletions(-) diff --git a/reactor-netty-http/src/main/java/reactor/netty/http/server/DefaultHttpForwardedHeaderHandler.java b/reactor-netty-http/src/main/java/reactor/netty/http/server/DefaultHttpForwardedHeaderHandler.java index b9fdb4afeb..259e7a9804 100644 --- a/reactor-netty-http/src/main/java/reactor/netty/http/server/DefaultHttpForwardedHeaderHandler.java +++ b/reactor-netty-http/src/main/java/reactor/netty/http/server/DefaultHttpForwardedHeaderHandler.java @@ -138,7 +138,11 @@ private static String parseForwardedPrefix(String prefixHeader) { } prefix.append((endIndex != rawPrefix.length() ? rawPrefix.substring(0, endIndex) : rawPrefix)); } - return prefix.toString(); + String parsedPrefix = prefix.toString(); + if (!parsedPrefix.isEmpty() && DEFAULT_FORWARDED_HEADER_VALIDATION && !parsedPrefix.startsWith("/")) { + throw new IllegalArgumentException("X-Forwarded-Prefix did not start with a slash (\"/\"): " + prefixHeader); + } + return parsedPrefix; } private static String[] tokenizeToStringArray(String str) { diff --git a/reactor-netty-http/src/test/java/reactor/netty/http/server/ConnectionInfoTests.java b/reactor-netty-http/src/test/java/reactor/netty/http/server/ConnectionInfoTests.java index 8de955518f..0bc45f72c4 100644 --- a/reactor-netty-http/src/test/java/reactor/netty/http/server/ConnectionInfoTests.java +++ b/reactor-netty-http/src/test/java/reactor/netty/http/server/ConnectionInfoTests.java @@ -315,14 +315,30 @@ void xForwardedHostPortIncludedAndXForwardedPort(boolean useCustomForwardedHandl void xForwardedPrefix(boolean useCustomForwardedHandler) { testClientRequest( clientRequestHeaders -> { - clientRequestHeaders.add("X-Forwarded-Prefix", "test-prefix"); + clientRequestHeaders.add("X-Forwarded-Prefix", "/test-prefix"); }, serverRequest -> { - Assertions.assertThat(serverRequest.forwardedPrefix()).isEqualTo("test-prefix"); + Assertions.assertThat(serverRequest.forwardedPrefix()).isEqualTo("/test-prefix"); }, useCustomForwardedHandler); } + @Test + void xForwardedPrefixWithoutForwardSlash() { + testClientRequest( + clientRequestHeaders -> { + clientRequestHeaders.add("X-Forwarded-Prefix", "forward-slash-missing"); + }, + serverRequest -> { + + }, + null, + httpClient -> httpClient, + httpServer -> httpServer.port(8080), + false, + true); + } + @ParameterizedTest @CsvSource(value = { "/first,/second | /first/second", @@ -376,7 +392,7 @@ void xForwardedMultipleHeaders(boolean useCustomForwardedHandler) { clientRequestHeaders.add("X-Forwarded-Port", "8081"); clientRequestHeaders.add("X-Forwarded-Proto", "http"); clientRequestHeaders.add("X-Forwarded-Proto", "https"); - clientRequestHeaders.add("X-Forwarded-Prefix", "test-prefix"); + clientRequestHeaders.add("X-Forwarded-Prefix", "/test-prefix"); }, serverRequest -> { Assertions.assertThat(serverRequest.hostAddress().getHostString()).isEqualTo("192.168.0.1"); @@ -384,7 +400,7 @@ void xForwardedMultipleHeaders(boolean useCustomForwardedHandler) { Assertions.assertThat(serverRequest.hostName()).isEqualTo("192.168.0.1"); Assertions.assertThat(serverRequest.hostPort()).isEqualTo(8080); Assertions.assertThat(serverRequest.scheme()).isEqualTo("http"); - Assertions.assertThat(serverRequest.forwardedPrefix()).isEqualTo("test-prefix"); + Assertions.assertThat(serverRequest.forwardedPrefix()).isEqualTo("/test-prefix"); }, useCustomForwardedHandler); }