Merge pull request #215 from AikidoSec/patch-trust-proxy

willem-delbare · web-flow · commit 99c68217445b · 2024-05-30T18:03:27.000+02:00
Add env var for trusting proxy
diff --git a/docs/proxy.md b/docs/proxy.md
@@ -0,0 +1,3 @@
+# Proxy settings
+
+We'll automatically use the `x-forwarded-for` header to determine the client's IP address when behind a proxy. If you're publicly exposing your server, you may need to set the `AIKIDO_TRUST_PROXY` env var to `false` to ensure that the correct IP address is used. Otherwise, someone could potentially spoof their IP address and thus bypassing the rate limiting.
diff --git a/library/helpers/getIPAddressFromRequest.ts b/library/helpers/getIPAddressFromRequest.ts
@@ -3,7 +3,7 @@ import { isIP } from "net";
 
 export function getIPAddressFromRequest(req: IncomingMessage) {
   if (req.headers) {
-    if (typeof req.headers["x-forwarded-for"] === "string") {
+    if (typeof req.headers["x-forwarded-for"] === "string" && trustProxy()) {
       const xForwardedFor = getClientIpFromXForwardedFor(
         req.headers["x-forwarded-for"]
       );
@@ -48,3 +48,16 @@ function getClientIpFromXForwardedFor(value: string) {
 
   return null;
 }
+
+function trustProxy() {
+  if (!process.env.AIKIDO_TRUST_PROXY) {
+    // Trust proxy by default
+    // Most of the time, the application is behind a reverse proxy
+    return true;
+  }
+
+  return (
+    process.env.AIKIDO_TRUST_PROXY === "1" ||
+    process.env.AIKIDO_TRUST_PROXY === "true"
+  );
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+# Proxy settings`
	`2`	`+`
	`3`	+We'll automatically use the `x-forwarded-for` header to determine the client's IP address when behind a proxy. If you're publicly exposing your server, you may need to set the `AIKIDO_TRUST_PROXY` env var to `false` to ensure that the correct IP address is used. Otherwise, someone could potentially spoof their IP address and thus bypassing the rate limiting.