Fix peer IP tags in Jetty/Dropwizard and Play 2.3/2.4/2.5#11237
Draft
Fix peer IP tags in Jetty/Dropwizard and Play 2.3/2.4/2.5#11237
Conversation
Dropwizard 0.8 runs on Jetty 9.2.9, where jetty-server owns the request span in production. Add jetty-server-9.0 and jetty-server-9.0.4 as test dependencies so the test classpath matches, and update the expected integration name on DropwizardTest accordingly.
smola
added
type: bug
Member
Author
|
@codex review |
Member
Author
|
@cursor review |
Jetty's ForwardedRequestCustomizer (enabled by default in Dropwizard) and Play's RequestHeader#remoteAddress() both return the IP resolved from x-forwarded-for / similar proxy headers. That value is correct for http.client_ip but must not be reported as the actual socket peer (peer.ip, peer.port, network.client.ip). Jetty / Dropwizard (APPSEC-62560): - Read the unwrapped socket address directly from the Jetty channel / endpoint in every JettyDecorator (jetty 7.0, 7.6, 9, 10, 11, 12). - Add jetty-server-9.0 as a testImplementation of dropwizard-0.8 so the test classpath matches production (Jetty owns the server span; Servlet3 skips when it sees the existing context). Update DropwizardTest's expectedIntegrationName to jetty-server. Play 2.3 / 2.4 / 2.5 (APPSEC-62562): - In PlayHttpServerDecorator, wrap the Request handed to super.onRequest with a play.api.mvc.WrappedRequest whose remoteAddress() returns the peer IP already captured on the span by the upstream akka / netty instrumentation. This prevents super.onRequest -> peerHostIP from overwriting the real socket peer with the forwarded value, and keeps IG callbacks consistent. Mirrors the Play 2.6+ behavior already provided by RemoteConnectionWithRawAddress. HttpServerTest: - Tighten PEER_HOST_IPV4 / PEER_HOST_IPV6 assertions on the FORWARDED endpoint to strictly expect the loopback address.
smola
force-pushed
the
smola/dropwizard-peer-ip
branch
from
9e0707c to
3c754f3
Compare
|
Codex Review: Didn't find any major issues. Keep them coming! ℹ️ About Codex in GitHubCodex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback". |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What Does This Do
Jetty's ForwardedRequestCustomizer (enabled by default in Dropwizard) and
Play's RequestHeader#remoteAddress() both return the IP resolved from
x-forwarded-for / similar proxy headers. That value is correct for
http.client_ip but must not be reported as the actual socket peer
(peer.ip, peer.port, network.client.ip).
Jetty / Dropwizard (APPSEC-62560):
endpoint in every JettyDecorator (jetty 7.0, 7.6, 9, 10, 11, 12).
test classpath matches production (Jetty owns the server span; Servlet3
skips when it sees the existing context). Update DropwizardTest's
expectedIntegrationName to jetty-server.
Play 2.3 / 2.4 / 2.5 (APPSEC-62562):
with a play.api.mvc.WrappedRequest whose remoteAddress() returns the
peer IP already captured on the span by the upstream akka / netty
instrumentation. This prevents super.onRequest -> peerHostIP from
overwriting the real socket peer with the forwarded value, and keeps
IG callbacks consistent. Mirrors the Play 2.6+ behavior already
provided by RemoteConnectionWithRawAddress.
HttpServerTest:
endpoint to strictly expect the loopback address.
Motivation
Additional Notes
Contributor Checklist
type:and (comp:orinst:) labels in addition to any other useful labelsclose,fix, or any linking keywords when referencing an issueUse
solvesinstead, and assign the PR milestone to the issueJira ticket: [PROJ-IDENT]
Note: Once your PR is ready to merge, add it to the merge queue by commenting
/merge./merge -ccancels the queue request./merge -f --reason "reason"skips all merge queue checks; please use this judiciously, as some checks do not run at the PR-level. For more information, see this doc.