feat(engine): add trustedproxies and remoteIP #2632
Breaks API, but immensely improves security. Fixes #2473
Codecov Report
@@ Coverage Diff @@
## master #2632 +/- ##
==========================================
+ Coverage 98.64% 98.67% +0.03%
==========================================
Files 41 41
Lines 1990 2038 +48
==========================================
+ Hits 1963 2011 +48
Misses 15 15
Partials 12 12
Continue to review full report at Codecov.
```go
			return ip
		}
	}
}
```
```go
// Skip any trusted CIDR that does not contain the peer address.
if !cidr.Contains(remoteIP) {
	continue
}
// The peer is a trusted proxy: consult the configured client-IP headers in order.
for _, headerName := range c.engine.RemoteIPHeaders {
	ip, valid := validateHeader(c.requestHeader(headerName))
	if valid {
		return ip
	}
}
```
suggestion, thanks!
refactored it a little bit, review again... now the logic is better separated between validating the trusted proxy and parsing the header, also a new API `ip, trusted = c.RemoteIP()` allows to even implement your own logic, or trust other headers that might not be even related with IP!
Do you expect that the HTTP proxy running on `c.RemoteIP()` resets `X-Forwarded-For`? Because if it appends, then we can't inherit trustiness of `c.RemoteIP()` to all other proxies.
Hi Folks, would you like to cut a new release after this PR?
@RainbowMango we'll work towards it, as this PR brings some new properties to
Thanks for your quick response. I'm looking forward to the new release.
Alright team. Added a new public API called:
this function parses the remote IP and checks whether it's a trusted proxy OR not. Then the clientIP function logic focuses on using this information and parsing the appropriate headers. Should help to keep the logic separated and easier to test, as well as being an interesting new API that developers can use to apply their own logic and, for example, "trust" other headers. Thoughts?
@appleboy we merge the pr and publish v1.7 now? thanks!
@thinkerou Yes, waiting for the final Travis report.
Why even have contribution guidelines if you don't follow them yourselves and ignore other people's contributions?
I mean.. Yeah, sure, that's one way to address a failing test: vs Lines 1431 to 1433 in bfc8ca2
Also, your 230 days of optimization probably haven't yielded the returns you were hoping for: Line 770 in bfc8ca2
data race issue: #2674
Has CVE-2020-28483 been fixed in gin v1.7.0 and later?
Nope. |
Hi guys, thanks for your work. But I hit an issue where ctx.ClientIP() does not work because engine.Run() is not called.

```go
func New() *Engine {
	...
	// 0.0.0.0/0: every IPv4 peer is treated as a trusted proxy by default
	engine.trustedCIDRs = []*net.IPNet{{IP: net.IP{0x0, 0x0, 0x0, 0x0}, Mask: net.IPMask{0x0, 0x0, 0x0, 0x0}}}
	...
}
```

Should also set a default value for trustedCIDRs.
I need this as well for a use case where I want to shut down the http server nicely; I also don't call Run() and wondered why it wasn't parsing trusted proxies properly... now I see!
Ahh, I'm sorry, seems you already added it in here: superseriousbusiness@b5ca989 nevermind! :)
This appears to have changed the old behavior, is that correct? I was under the assumption this would be an opt-in change. How can I just trust all proxies? I'm behind cloudfront and trust their proxies but don't have all their ip addresses. |
```go
// Only trust RemoteAddr
c.engine.TrustedProxies = []string{"40.40.40.40"}
assert.Equal(t, "20.20.20.20", c.ClientIP())
```
If we trust proxy `40.40.40.40`, but do not trust `30.30.30.30` (proxy it is or not), then ClientIP should be `30.30.30.30`, as `20.20.20.20` was set by somebody untrusted.
Please do not forget that `X-Forwarded-For` is appended, so it should be processed right-to-left: the right-most IP address is the IP address of the most recent proxy and the left-most IP address is the IP address of the originating client.
TODO:
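The right-to-left walk the reviewer describes above, as an added Go example that is not part of this PR or of the gin code base: trusted proxies are given as CIDRs, the peer address is assumed to arrive without a port, and the sample addresses are the constructed 20/30/40 ones from the test in question.

```go
package main
import (
	"fmt"
	"net"
	"strings"
)
// Added example, not code from the gin project: resolve the originating client by
// walking X-Forwarded-For right-to-left, stopping at the first hop that is not a
// trusted proxy. remoteAddr is the peer IP without port; inputs are constructed.
func parseTrusted(cidrs []string) ([]*net.IPNet, error) {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, err
		}
		nets = append(nets, n)
	}
	return nets, nil
}
func isTrusted(ip net.IP, trusted []*net.IPNet) bool {
	for _, n := range trusted {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}
// ClientIP ignores the header when the peer itself is untrusted: anything in
// it was then set by a party we do not control.
func ClientIP(remoteAddr, xff string, trusted []*net.IPNet) string {
	if !isTrusted(net.ParseIP(remoteAddr), trusted) {
		return remoteAddr
	}
	parts := strings.Split(xff, ",")
	for i := len(parts) - 1; i >= 0; i-- {
		s := strings.TrimSpace(parts[i])
		ip := net.ParseIP(s)
		if ip == nil {
			return remoteAddr // malformed entry: fall back to the peer address
		}
		if !isTrusted(ip, trusted) {
			return s // first hop we did not control: stop here
		}
	}
	return strings.TrimSpace(parts[0]) // every hop was ours: left-most is the client
}
func main() {
	trusted, _ := parseTrusted([]string{"40.40.40.40/32"})
	fmt.Println(ClientIP("40.40.40.40", "20.20.20.20, 30.30.30.30", trusted)) // 30.30.30.30
}
```

With only 40.40.40.40 trusted the result is 30.30.30.30, matching the reviewer's expectation rather than the 20.20.20.20 asserted in the test.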