Merge pull request #215 from AikidoSec/patch-trust-proxy

Add env var for trusting proxy

docs/proxy.md

@@ -0,0 +1,3 @@
+# Proxy settings
+
+We'll automatically use the `x-forwarded-for` header to determine the client's IP address when behind a proxy. If you're publicly exposing your server, you may need to set the `AIKIDO_TRUST_PROXY` env var to `false` to ensure that the correct IP address is used. Otherwise, someone could potentially spoof their IP address and thus bypassing the rate limiting.

library/helpers/getIPAddressFromRequest.ts

@@ -3,7 +3,7 @@ import { isIP } from "net";
 
 export function getIPAddressFromRequest(req: IncomingMessage) {
   if (req.headers) {
-    if (typeof req.headers["x-forwarded-for"] === "string") {
+    if (typeof req.headers["x-forwarded-for"] === "string" && trustProxy()) {
       const xForwardedFor = getClientIpFromXForwardedFor(
         req.headers["x-forwarded-for"]
       );
@@ -48,3 +48,16 @@ function getClientIpFromXForwardedFor(value: string) {
 
   return null;
 }
+
+function trustProxy() {
+  if (!process.env.AIKIDO_TRUST_PROXY) {
+    // Trust proxy by default
+    // Most of the time, the application is behind a reverse proxy
+    return true;
+  }
+
+  return (
+    process.env.AIKIDO_TRUST_PROXY === "1" ||
+    process.env.AIKIDO_TRUST_PROXY === "true"
+  );
+}