fix(express): honor configured trust proxy hop count (#3933)#3936
Conversation
initMiddleware treated config.trust.proxy as a boolean gate then always set Express `trust proxy` to the fully-permissive `true`, discarding the configured value. A configured bounded hop count (e.g. 1) was thrown away, so req.ip resolved from the client-controlled leftmost X-Forwarded-For and the IP-keyed rate limiter (lib/middlewares/rateLimiter.js) could be bypassed by rotating a spoofed header (express-rate-limit ERR_ERL_PERMISSIVE_TRUST_PROXY). Forward the configured value verbatim: booleans still work, and a numeric hop count / subnet is now honored. Adds unit tests asserting the setting resolves to the configured hop count and that the compiled trust fn trusts only the immediate proxy, not a further spoofed hop. Closes #3933 Claude-Session: https://claude.ai/code/session_01V1mhCDsSUnn3WGtevd3YFX
|
Warning Review limit reached
Next review available in: 59 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (2)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #3936 +/- ##
=======================================
Coverage 92.67% 92.67%
=======================================
Files 169 169
Lines 5546 5546
Branches 1782 1783 +1
=======================================
Hits 5140 5140
Misses 326 326
Partials 80 80
Flags with carried forward coverage won't be shown. Click here to find out more. Continue to review full report in Codecov by Harness.
🚀 New features to boost your workflow:
|
Problem
initMiddlewaretreatedconfig.trust.proxyas a boolean gate then always set Expresstrust proxyto fully-permissivetrue, discarding the configured hop count.production.config.jssetstrust.proxy: 1, but that1was thrown away →req.ipderived from the client-controlled leftmostX-Forwarded-For→ the IP-keyed auth rate limiter (login/forgot/signup) is bypassable by rotating a spoofed header (ERR_ERL_PERMISSIVE_TRUST_PROXY).Fix
Forward the configured value:
app.set('trust proxy', config.trust.proxy). A booleantruestill fully-trusts the chain; a numeric hop count like1is now honored soreq.ipresolves to the real socket IP. Falsy values still leave Express at its safe default.Test
Added express trust-proxy unit tests: hop count survives (not collapsed to
true), the compiled fn trusts the immediate proxy but not a further client-controlled hop, booleans still work, falsy leaves the default.Closes #3933
https://claude.ai/code/session_01V1mhCDsSUnn3WGtevd3YFX