api/handler: check if each IP in X-Forwarded-For is *not* in trusted networks before accepting

Signed-off-by: NotAShelf <raf@notashelf.dev>
Change-Id: Id54c1584650fcee64de70d1f99e542c16a6a6964
raf 2026-03-10 08:54:47 +03:00
commit ffa2af62be
Signed by: NotAShelf
GPG key ID: 29D95B64378DB4BF


@ -262,10 +262,13 @@ func (h *IngestionHandler) extractIP(r *http.Request) string {
for i := len(ips) - 1; i >= 0; i-- { for i := len(ips) - 1; i >= 0; i-- {
ip := strings.TrimSpace(ips[i]) ip := strings.TrimSpace(ips[i])
if testIP := net.ParseIP(ip); testIP != nil { if testIP := net.ParseIP(ip); testIP != nil {
// Only accept this IP if it's NOT from a trusted proxy
if !h.ipInNetworks(ip, h.trustedNetworks) {
return ip return ip
} }
} }
} }
}
// Check X-Real-IP header // Check X-Real-IP header
if xri := r.Header.Get("X-Real-IP"); xri != "" { if xri := r.Header.Get("X-Real-IP"); xri != "" {