fix: Proxy: do not trust input - always set own value for 'X-Origin-IP' (#354)

bigcat88 · web-flow · commit 1554fc82da65 · 2024-08-07T13:23:16.000+03:00
An external packet received by the proxy can have any value in
'X-Origin-IP' - we can't trust it, it's best to set it on our own

Signed-off-by: Alexander Piskun &lt;bigcat88@icloud.com&gt;
diff --git a/lib/Controller/ExAppProxyController.php b/lib/Controller/ExAppProxyController.php
@@ -255,17 +255,16 @@ private function buildHeadersWithExclude(ExApp $exApp, string $exAppRoute, array
 				break;
 			}
 		}
-		if (empty($headersToExclude)) {
-			return $headers;
+		if (!in_array('x-origin-ip', $headersToExclude)) {
+			$headersToExclude[] = 'x-origin-ip';
 		}
+		$headersToExclude[] = 'authorization-app-api';
 		foreach ($headers as $key => $value) {
 			if (in_array(strtolower($key), $headersToExclude)) {
 				unset($headers[$key]);
 			}
 		}
-		if (!isset($headers['X-Origin-IP'])) {
-			$headers['X-Origin-IP'] = $this->request->getRemoteAddress();
-		}
+		$headers['X-Origin-IP'] = $this->request->getRemoteAddress();
 		return $headers;
 	}
 }

Original file line number	Diff line number	Diff line change
`@@ -255,17 +255,16 @@ private function buildHeadersWithExclude(ExApp $exApp, string $exAppRoute, array`
`255`	`255`	`break;`
`256`	`256`	`}`
`257`	`257`	`}`
`258`		`- if (empty($headersToExclude)) {`
`259`		`- return $headers;`
	`258`	`+ if (!in_array('x-origin-ip', $headersToExclude)) {`
	`259`	`+ $headersToExclude[] = 'x-origin-ip';`
`260`	`260`	`}`
	`261`	`+ $headersToExclude[] = 'authorization-app-api';`
`261`	`262`	`foreach ($headers as $key => $value) {`
`262`	`263`	`if (in_array(strtolower($key), $headersToExclude)) {`
`263`	`264`	`unset($headers[$key]);`
`264`	`265`	`}`
`265`	`266`	`}`
`266`		`- if (!isset($headers['X-Origin-IP'])) {`
`267`		`- $headers['X-Origin-IP'] = $this->request->getRemoteAddress();`
`268`		`- }`
	`267`	`+ $headers['X-Origin-IP'] = $this->request->getRemoteAddress();`
`269`	`268`	`return $headers;`
`270`	`269`	`}`
`271`	`270`	`}`