Harden forwarded IP parsing for auth throttling

2026-03-02 00:41:58 -05:00
parent 26d6bafce0
commit 873b00e070
2 changed files with 5 additions and 2 deletions
--- a/server/app/server.py
+++ b/server/app/server.py
@@ -481,7 +481,10 @@ class SignalingServer:
        forwarded = str(headers.get("X-Forwarded-For", "")).strip()
        if not forwarded:
            return peer_ip
-        for candidate in forwarded.split(","):
+        # In common reverse-proxy chains, the trusted proxy appends the immediate
        # client IP to the end of X-Forwarded-For. Read right-to-left so a
        # client-supplied left-side value can't spoof throttling/audit identity.
        for candidate in reversed(forwarded.split(",")):
            parsed = SignalingServer._normalized_ip(candidate)
            if parsed:
                return parsed
--- a/server/tests/test_server_message_handling.py
+++ b/server/tests/test_server_message_handling.py
@@ -30,7 +30,7 @@ def test_client_ip_prefers_forwarded_for_from_loopback_proxy() -> None:
        ServerConnection,
        SimpleNamespace(
            remote_address=("127.0.0.1", 12345),
-            request=SimpleNamespace(headers={"X-Forwarded-For": "198.51.100.25, 127.0.0.1"}),
+            request=SimpleNamespace(headers={"X-Forwarded-For": "203.0.113.10, 198.51.100.25"}),
        ),
    )
    client = ClientConnection(websocket=ws, id="u1", nickname="tester")