fix(context): ClientIP handling for multiple X-Forwarded-For header values#4472
fix(context): ClientIP handling for multiple X-Forwarded-For header values#4472appleboy merged 5 commits intogin-gonic:masterfrom Nurysso:master
Conversation
|
Looks good to me! |
|
please rebase or merge with master. this pr is behind |
| engine := New() | ||
|
|
||
| // Set trusted proxies | ||
| engine.SetTrustedProxies([]string{"127.0.0.1"}) |
There was a problem hiding this comment.
| engine.SetTrustedProxies([]string{"127.0.0.1"}) | |
| engine.SetTrustedProxies([]string{localhostIP}) |
|
|
||
| func TestContextClientIPWithSingleHeader(t *testing.T) { | ||
| engine := New() | ||
| engine.SetTrustedProxies([]string{"127.0.0.1"}) |
There was a problem hiding this comment.
| engine.SetTrustedProxies([]string{"127.0.0.1"}) | |
| engine.SetTrustedProxies([]string{localhostIP}) |
done, also regarding the changes you requested with use of localhostIP instead of hardcoded 127.0.0.1 fails the test I wrote should I leave it or do something like this func TestContextClientIPWithSingleHeader(t *testing.T) {
c, _ := CreateTestContext(httptest.NewRecorder())
c.Request, _ = http.NewRequest(http.MethodGet, "/test", nil)
c.Request.Header.Set("X-Forwarded-For", fmt.Sprintf("1.2.3.4, %s", localhostIP))
c.Request.RemoteAddr = fmt.Sprintf("%s:1234", localhostIP)
c.engine.ForwardedByClientIP = true
c.engine.RemoteIPHeaders = []string{"X-Forwarded-For"}
_ = c.engine.SetTrustedProxies([]string{localhostIP})
// Should return 1.2.3.4
assert.Equal(t, "1.2.3.4", c.ClientIP())
}I used AI for this and not sure if this is the best way. |
|
@Nurysso, please take a look at the CI testing failure. |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #4472 +/- ##
==========================================
- Coverage 99.21% 98.99% -0.22%
==========================================
Files 42 44 +2
Lines 3182 2988 -194
==========================================
- Hits 3157 2958 -199
- Misses 17 21 +4
- Partials 8 9 +1
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
|
@anfaas1618 Please help review again. |
this is good , you can use this, fmt.Sprintf is discouraged but since its used only for testing its ok to use this way, it will make sure we are correctly and consistently using the consts defined which is easier when writing or updating test cases. |
Okay understood, but in this test golangci-lint fails cause Sprintf. Should i update it to use string concatenation? |
c.Request.Header.Set("X-Forwarded-For", "1.2.3.4, " + localhostIP)
c.Request.RemoteAddr = localhostIP + ":1234"this should be fine here , why |
|
@Nurysso @anfaas1618 Thanks All. |
Description:
This PR addresses the behavior described in issue #4468 by updating how
ClientIPprocesses headers listed inRemoteIPHeaders.When multiple headers with the same name (e.g.
X-Forwarded-For) are present, Gin previously only considered the first header value viaHeader.Get. Per the HTTP specification, such headers must be treated as a single, ordered, comma-separated list.This change joins all header values using
Request.Header.Values(headerName)before validation, ensuring correct client IP resolution in multi-proxy scenarios.Changes:
RemoteIPHeadersbefore passing them tovalidateHeader.Checklist:
masterReferences: