authorJames Tucker <jftucker@gmail.com>2014-07-13 14:49:38 -0700
committerJames Tucker <jftucker@gmail.com>2014-07-13 14:49:38 -0700
commit6c767f4c689a644468dfb2d5fe4d1f698888fd55 (patch)
treebd2ed2f3c0aeb4fc0a904fe2799cace368b05c17 /test/spec_request.rb
parentb3e7a7c3d7c6236efd0b38301bf7aeb43a4c19ee (diff)
parent7a8efc2a270f363b85ce610ad897184d80b7a1d6 (diff)
Merge pull request #705 from stevehodgkiss/fix_ip_spoofing_vulnerability
Prevent IP spoofing via X-Forwarded-For and Client-IP headers
Diffstat (limited to 'test/spec_request.rb')
-rw-r--r--test/spec_request.rb24
1 files changed, 18 insertions, 6 deletions
diff --git a/test/spec_request.rb b/test/spec_request.rb
index 734eccc3..10394d54 100644
--- a/test/spec_request.rb
+++ b/test/spec_request.rb
@@ -1045,12 +1045,6 @@ EOF
'HTTP_CLIENT_IP' => '1.1.1.1'
res.body.should.equal '1.1.1.1'
- # Spoofing attempt
- res = mock.get '/',
- 'HTTP_X_FORWARDED_FOR' => '1.1.1.1',
- 'HTTP_CLIENT_IP' => '2.2.2.2'
- res.body.should.equal '1.1.1.1'
-
res = mock.get '/', 'HTTP_X_FORWARDED_FOR' => '8.8.8.8, 9.9.9.9'
res.body.should.equal '9.9.9.9'
@@ -1069,6 +1063,24 @@ EOF
res.body.should.equal '3.4.5.6'
end
+ should "not allow IP spoofing via Client-IP and X-Forwarded-For headers" do
+ mock = Rack::MockRequest.new(Rack::Lint.new(ip_app))
+
+ # IP Spoofing attempt:
+ # Client sends X-Forwarded-For: 6.6.6.6
+ # Client-IP: 6.6.6.6
+ # Load balancer adds X-Forwarded-For: 2.2.2.3, 192.168.0.7
+ # App receives: X-Forwarded-For: 6.6.6.6
+ # X-Forwarded-For: 2.2.2.3, 192.168.0.7
+ # Client-IP: 6.6.6.6
+ # Rack env: HTTP_X_FORWARDED_FOR: '6.6.6.6, 2.2.2.3, 192.168.0.7'
+ # HTTP_CLIENT_IP: '6.6.6.6'
+ res = mock.get '/',
+ 'HTTP_X_FORWARDED_FOR' => '6.6.6.6, 2.2.2.3, 192.168.0.7',
+ 'HTTP_CLIENT_IP' => '6.6.6.6'
+ res.body.should.equal '2.2.2.3'
+ end
+
should "regard local addresses as proxies" do
req = Rack::Request.new(Rack::MockRequest.env_for("/"))
req.trusted_proxy?('127.0.0.1').should.equal 0
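Review bot: The new `should "not allow IP spoofing…"` block pins only one header layout — Client-IP equal to the first (client-supplied) X-Forwarded-For entry — while the "Spoofing attempt" case deleted in the first hunk (Client-IP `2.2.2.2` absent from an X-Forwarded-For of `1.1.1.1`) now has no assertion at all, so a regression that trusts an arbitrary Client-IP would not be caught. Add that case back inside the new block, e.g. `res = mock.get '/', 'HTTP_X_FORWARDED_FOR' => '1.1.1.1', 'HTTP_CLIENT_IP' => '2.2.2.2'` followed by `res.body.should.equal '1.1.1.1'`, assuming the intended result is still the last non-proxy forwarded address as the deleted test expected — confirm against the request.rb change in this merge. The long walkthrough comment would also read better if its last two lines stated the rule under test, e.g. `# Client-IP is ignored unless it appears after the client-supplied entries`, since the comment currently describes the input but not why `2.2.2.3` is the right answer. The enclosing `describe` block and `ip_app` are defined outside this hunk, so the REMOTE_ADDR the mock supplies is not visible here.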