From ffa2af62bece5d1fcb665554a29526359f1f2d66 Mon Sep 17 00:00:00 2001
From: NotAShelf
Date: Tue, 10 Mar 2026 08:54:47 +0300
Subject: [PATCH] api/handler: check if each IP in X-Forwarded-For is *not* in trusted networks before accepting

Signed-off-by: NotAShelf
Change-Id: Id54c1584650fcee64de70d1f99e542c16a6a6964
---
 internal/api/handler.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/internal/api/handler.go b/internal/api/handler.go
index fe4298d..83c8e65 100644
--- a/internal/api/handler.go
+++ b/internal/api/handler.go
@@ -262,7 +262,10 @@ func (h *IngestionHandler) extractIP(r *http.Request) string {
 	for i := len(ips) - 1; i >= 0; i-- {
 		ip := strings.TrimSpace(ips[i])
 		if testIP := net.ParseIP(ip); testIP != nil {
-			return ip
+			// Only accept this IP if it's NOT from a trusted proxy
+			if !h.ipInNetworks(ip, h.trustedNetworks) {
+				return ip
+			}
 		}
 	}
 }
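Review bot: A hop that does not parse as an IP is still silently skipped by the unchanged `testIP != nil` guard, so after the new trusted-network filter the scan keeps walking left past a malformed entry (for example a proxy that writes `unknown`) into the part of the header the original client supplied; the loop should stop at the first unparseable hop and let the fallback handle it, e.g. `if testIP := net.ParseIP(ip); testIP == nil { break }` followed by `if !h.ipInNetworks(ip, h.trustedNetworks) { return ip }`. Whether to break or to keep skipping depends on whether any proxy in front of this service can emit a non-IP hop, which is not visible here. The new filter also only helps if this header is consulted solely when r.RemoteAddr itself is a trusted proxy; that gate, and the value returned when every hop is trusted, sit outside the hunk, and extractIP's fallback return follows the hunk's last closing brace. As a minor point, `testIP` is already parsed, so if ipInNetworks accepts a net.IP it could take it directly instead of re-parsing the string.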