From ac9ebb0ee333ce8bf13523f487bdfad9518a2aff Mon Sep 17 00:00:00 2001 From: yhirose Date: Mon, 27 Oct 2025 19:54:12 -0400 Subject: [PATCH] Merge commit from fork * Fix "Untrusted HTTP Header Handling (REMOTE*/LOCAL*)" * Fix "Untrusted HTTP Header Handling (X-Forwarded-For)" * Fix security problems in docker/main.cc --- docker/main.cc | 60 +++++++----- httplib.h | 78 ++++++++++++++- test/test.cc | 260 ++++++++++++++++++++++++++++++++++++++++++++++--- 3 files changed, 355 insertions(+), 43 deletions(-) Index: b/httplib.h =================================================================== --- a/httplib.h +++ b/httplib.h @@ -1040,6 +1040,8 @@ public: Server & set_header_writer(std::function const &writer); + Server &set_trusted_proxies(const std::vector &proxies); + Server &set_keep_alive_max_count(size_t count); Server &set_keep_alive_timeout(time_t sec); @@ -1078,6 +1080,9 @@ protected: const std::function &setup_request); std::atomic svr_sock_{INVALID_SOCKET}; + + std::vector trusted_proxies_; + size_t keep_alive_max_count_ = CPPHTTPLIB_KEEPALIVE_MAX_COUNT; time_t keep_alive_timeout_sec_ = CPPHTTPLIB_KEEPALIVE_TIMEOUT_SECOND; time_t read_timeout_sec_ = CPPHTTPLIB_SERVER_READ_TIMEOUT_SECOND; @@ -4293,13 +4298,35 @@ inline bool zstd_decompressor::decompres } #endif +inline bool is_prohibited_header_name(const std::string &name) { + using udl::operator""_t; + + switch (str2tag(name)) { + case "REMOTE_ADDR"_t: + case "REMOTE_PORT"_t: + case "LOCAL_ADDR"_t: + case "LOCAL_PORT"_t: return true; + default: return false; + } +} + inline bool has_header(const Headers &headers, const std::string &key) { + if (is_prohibited_header_name(key)) { return false; } return headers.find(key) != headers.end(); } inline const char *get_header_value(const Headers &headers, const std::string &key, const char *def, size_t id) { + if (is_prohibited_header_name(key)) { +#ifndef CPPHTTPLIB_NO_EXCEPTIONS + std::string msg = "Prohibited header name '" + key + "' is specified."; + throw std::invalid_argument(msg); +#else + return ""; +#endif + } + auto rng = headers.equal_range(key); auto it = rng.first; std::advance(it, static_cast(id)); @@ -6622,6 +6649,12 @@ inline Server &Server::set_header_writer return *this; } +inline Server & +Server::set_trusted_proxies(const std::vector &proxies) { + trusted_proxies_ = proxies; + return *this; +} + inline Server &Server::set_keep_alive_max_count(size_t count) { keep_alive_max_count_ = count; return *this; @@ -7376,6 +7409,40 @@ inline bool Server::dispatch_request_for return false; } +inline std::string +get_client_ip(const std::string &x_forwarded_for, + const std::vector &trusted_proxies) { + // X-Forwarded-For is a comma-separated list per RFC 7239 + std::vector ip_list; + detail::split(x_forwarded_for.data(), + x_forwarded_for.data() + x_forwarded_for.size(), ',', + [&](const char *b, const char *e) { + auto r = detail::trim(b, e, 0, static_cast(e - b)); + ip_list.emplace_back(std::string(b + r.first, b + r.second)); + }); + + for (size_t i = 0; i < ip_list.size(); ++i) { + auto ip = ip_list[i]; + + auto is_trusted_proxy = + std::any_of(trusted_proxies.begin(), trusted_proxies.end(), + [&](const std::string &proxy) { return ip == proxy; }); + + if (is_trusted_proxy) { + if (i == 0) { + // If the trusted proxy is the first IP, there's no preceding client IP + return ip; + } else { + // Return the IP immediately before the trusted proxy + return ip_list[i - 1]; + } + } + } + + // If no trusted proxy is found, return the first IP in the list + return ip_list.front(); +} + inline bool Server::process_request(Stream &strm, const std::string &remote_addr, int remote_port, const std::string &local_addr, @@ -7419,15 +7486,16 @@ Server::process_request(Stream &strm, co connection_closed = true; } - req.remote_addr = remote_addr; + if (!trusted_proxies_.empty() && req.has_header("X-Forwarded-For")) { + auto x_forwarded_for = req.get_header_value("X-Forwarded-For"); + req.remote_addr = get_client_ip(x_forwarded_for, trusted_proxies_); + } else { + req.remote_addr = remote_addr; + } req.remote_port = remote_port; - req.set_header("REMOTE_ADDR", req.remote_addr); - req.set_header("REMOTE_PORT", std::to_string(req.remote_port)); req.local_addr = local_addr; req.local_port = local_port; - req.set_header("LOCAL_ADDR", req.local_addr); - req.set_header("LOCAL_PORT", std::to_string(req.local_port)); if (req.has_header("Range")) { const auto &range_header_value = req.get_header_value("Range"); Index: b/test/test.cc =================================================================== --- a/test/test.cc +++ b/test/test.cc @@ -128,7 +128,7 @@ TEST_F(UnixSocketTest, PeerPid) { std::string remote_port_val; svr.Get(pattern_, [&](const httplib::Request &req, httplib::Response &res) { res.set_content(content_, "text/plain"); - remote_port_val = req.get_header_value("REMOTE_PORT"); + remote_port_val = std::to_string(req.remote_port); }); std::thread t{[&] { @@ -2588,21 +2588,20 @@ protected: #endif .Get("/remote_addr", [&](const Request &req, Response &res) { - auto remote_addr = req.headers.find("REMOTE_ADDR")->second; - EXPECT_TRUE(req.has_header("REMOTE_PORT")); - EXPECT_EQ(req.remote_addr, req.get_header_value("REMOTE_ADDR")); - EXPECT_EQ(req.remote_port, - std::stoi(req.get_header_value("REMOTE_PORT"))); - res.set_content(remote_addr.c_str(), "text/plain"); + ASSERT_FALSE(req.has_header("REMOTE_ADDR")); + ASSERT_FALSE(req.has_header("REMOTE_PORT")); + ASSERT_ANY_THROW(req.get_header_value("REMOTE_ADDR")); + ASSERT_ANY_THROW(req.get_header_value("REMOTE_PORT")); + res.set_content(req.remote_addr, "text/plain"); }) .Get("/local_addr", [&](const Request &req, Response &res) { - EXPECT_TRUE(req.has_header("LOCAL_PORT")); - EXPECT_TRUE(req.has_header("LOCAL_ADDR")); - auto local_addr = req.get_header_value("LOCAL_ADDR"); - auto local_port = req.get_header_value("LOCAL_PORT"); - EXPECT_EQ(req.local_addr, local_addr); - EXPECT_EQ(req.local_port, std::stoi(local_port)); + ASSERT_FALSE(req.has_header("LOCAL_ADDR")); + ASSERT_FALSE(req.has_header("LOCAL_PORT")); + ASSERT_ANY_THROW(req.get_header_value("LOCAL_ADDR")); + ASSERT_ANY_THROW(req.get_header_value("LOCAL_PORT")); + auto local_addr = req.local_addr; + auto local_port = std::to_string(req.local_port); res.set_content(local_addr.append(":").append(local_port), "text/plain"); }) @@ -9069,3 +9068,240 @@ TEST(ClientInThreadTest, Issue2068) { t.join(); } } + +TEST(ForwardedHeadersTest, NoProxiesSetting) { + Server svr; + + std::string observed_remote_addr; + std::string observed_xff; + + svr.Get("/ip", [&](const Request &req, Response &res) { + observed_remote_addr = req.remote_addr; + observed_xff = req.get_header_value("X-Forwarded-For"); + res.set_content("ok", "text/plain"); + }); + + thread t = thread([&]() { svr.listen(HOST, PORT); }); + auto se = detail::scope_exit([&] { + svr.stop(); + t.join(); + ASSERT_FALSE(svr.is_running()); + }); + + svr.wait_until_ready(); + + Client cli(HOST, PORT); + auto res = cli.Get("/ip", {{"X-Forwarded-For", "203.0.113.66"}}); + + ASSERT_TRUE(res); + EXPECT_EQ(StatusCode::OK_200, res->status); + + EXPECT_EQ(observed_xff, "203.0.113.66"); + EXPECT_TRUE(observed_remote_addr == "::1" || observed_remote_addr == "127.0.0.1"); +} + +TEST(ForwardedHeadersTest, NoForwardedHeaders) { + Server svr; + + svr.set_trusted_proxies({"203.0.113.66"}); + + std::string observed_remote_addr; + std::string observed_xff; + + svr.Get("/ip", [&](const Request &req, Response &res) { + observed_remote_addr = req.remote_addr; + observed_xff = req.get_header_value("X-Forwarded-For"); + res.set_content("ok", "text/plain"); + }); + + thread t = thread([&]() { svr.listen(HOST, PORT); }); + auto se = detail::scope_exit([&] { + svr.stop(); + t.join(); + ASSERT_FALSE(svr.is_running()); + }); + + svr.wait_until_ready(); + + Client cli(HOST, PORT); + auto res = cli.Get("/ip"); + + ASSERT_TRUE(res); + EXPECT_EQ(StatusCode::OK_200, res->status); + + EXPECT_EQ(observed_xff, ""); + EXPECT_TRUE(observed_remote_addr == "::1" || observed_remote_addr == "127.0.0.1"); +} + +TEST(ForwardedHeadersTest, SingleTrustedProxy_UsesIPBeforeTrusted) { + Server svr; + + svr.set_trusted_proxies({"203.0.113.66"}); + + std::string observed_remote_addr; + std::string observed_xff; + + svr.Get("/ip", [&](const Request &req, Response &res) { + observed_remote_addr = req.remote_addr; + observed_xff = req.get_header_value("X-Forwarded-For"); + res.set_content("ok", "text/plain"); + }); + + thread t = thread([&]() { svr.listen(HOST, PORT); }); + auto se = detail::scope_exit([&] { + svr.stop(); + t.join(); + ASSERT_FALSE(svr.is_running()); + }); + + svr.wait_until_ready(); + + Client cli(HOST, PORT); + auto res = cli.Get("/ip", {{"X-Forwarded-For", "198.51.100.23, 203.0.113.66"}}); + + ASSERT_TRUE(res); + EXPECT_EQ(StatusCode::OK_200, res->status); + + EXPECT_EQ(observed_xff, "198.51.100.23, 203.0.113.66"); + EXPECT_EQ(observed_remote_addr, "198.51.100.23"); +} + +TEST(ForwardedHeadersTest, MultipleTrustedProxies_UsesClientIP) { + Server svr; + + svr.set_trusted_proxies({"203.0.113.66", "192.0.2.45"}); + + std::string observed_remote_addr; + std::string observed_xff; + + svr.Get("/ip", [&](const Request &req, Response &res) { + observed_remote_addr = req.remote_addr; + observed_xff = req.get_header_value("X-Forwarded-For"); + res.set_content("ok", "text/plain"); + }); + + thread t = thread([&]() { svr.listen(HOST, PORT); }); + auto se = detail::scope_exit([&] { + svr.stop(); + t.join(); + ASSERT_FALSE(svr.is_running()); + }); + + svr.wait_until_ready(); + + Client cli(HOST, PORT); + auto res = cli.Get( + "/ip", + {{"X-Forwarded-For", "198.51.100.23, 203.0.113.66, 192.0.2.45"}}); + + ASSERT_TRUE(res); + EXPECT_EQ(StatusCode::OK_200, res->status); + + EXPECT_EQ(observed_xff, "198.51.100.23, 203.0.113.66, 192.0.2.45"); + EXPECT_EQ(observed_remote_addr, "198.51.100.23"); +} + +TEST(ForwardedHeadersTest, TrustedProxyNotInHeader_UsesFirstFromXFF) { + Server svr; + + svr.set_trusted_proxies({"192.0.2.45"}); + + std::string observed_remote_addr; + std::string observed_xff; + + svr.Get("/ip", [&](const Request &req, Response &res) { + observed_remote_addr = req.remote_addr; + observed_xff = req.get_header_value("X-Forwarded-For"); + res.set_content("ok", "text/plain"); + }); + + thread t = thread([&]() { svr.listen(HOST, PORT); }); + auto se = detail::scope_exit([&] { + svr.stop(); + t.join(); + ASSERT_FALSE(svr.is_running()); + }); + + svr.wait_until_ready(); + + Client cli(HOST, PORT); + auto res = cli.Get("/ip", + {{"X-Forwarded-For", "198.51.100.23, 198.51.100.24"}}); + + ASSERT_TRUE(res); + EXPECT_EQ(StatusCode::OK_200, res->status); + + EXPECT_EQ(observed_xff, "198.51.100.23, 198.51.100.24"); + EXPECT_EQ(observed_remote_addr, "198.51.100.23"); +} + +TEST(ForwardedHeadersTest, LastHopTrusted_SelectsImmediateLeftIP) { + Server svr; + + svr.set_trusted_proxies({"192.0.2.45"}); + + std::string observed_remote_addr; + std::string observed_xff; + + svr.Get("/ip", [&](const Request &req, Response &res) { + observed_remote_addr = req.remote_addr; + observed_xff = req.get_header_value("X-Forwarded-For"); + res.set_content("ok", "text/plain"); + }); + + thread t = thread([&]() { svr.listen(HOST, PORT); }); + auto se = detail::scope_exit([&] { + svr.stop(); + t.join(); + ASSERT_FALSE(svr.is_running()); + }); + + svr.wait_until_ready(); + + Client cli(HOST, PORT); + auto res = cli.Get( + "/ip", + {{"X-Forwarded-For", "198.51.100.23, 203.0.113.66, 192.0.2.45"}}); + + ASSERT_TRUE(res); + EXPECT_EQ(StatusCode::OK_200, res->status); + + EXPECT_EQ(observed_xff, "198.51.100.23, 203.0.113.66, 192.0.2.45"); + EXPECT_EQ(observed_remote_addr, "203.0.113.66"); +} + +TEST(ForwardedHeadersTest, HandlesWhitespaceAroundIPs) { + Server svr; + + svr.set_trusted_proxies({"192.0.2.45"}); + + std::string observed_remote_addr; + std::string observed_xff; + + svr.Get("/ip", [&](const Request &req, Response &res) { + observed_remote_addr = req.remote_addr; + observed_xff = req.get_header_value("X-Forwarded-For"); + res.set_content("ok", "text/plain"); + }); + + thread t = thread([&]() { svr.listen(HOST, PORT); }); + auto se = detail::scope_exit([&] { + svr.stop(); + t.join(); + ASSERT_FALSE(svr.is_running()); + }); + + svr.wait_until_ready(); + + Client cli(HOST, PORT); + auto res = cli.Get( + "/ip", + {{"X-Forwarded-For", " 198.51.100.23 , 203.0.113.66 , 192.0.2.45 "}}); + + ASSERT_TRUE(res); + EXPECT_EQ(StatusCode::OK_200, res->status); + + // Header parser trims surrounding whitespace of the header value + EXPECT_EQ(observed_xff, "198.51.100.23 , 203.0.113.66 , 192.0.2.45"); + EXPECT_EQ(observed_remote_addr, "203.0.113.66"); +}