fix: don't allow x-forwarded-host header (#2162)

It's a security issue, x-forwarded-host can be retreived from ctx.host when app.config.proxy is true, and be injected to cookie domain.
eggjs · Mar 5, 2018 · 70d5898 · 70d5898
1 parent be618f8
commit 70d5898
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 3 deletions.
diff --git a/config/config.default.js b/config/config.default.js
@@ -72,7 +72,7 @@ module.exports = appInfo => {
      * @default
      * @since 1.0.0
      */
-    hostHeaders: 'x-forwarded-host',
+    hostHeaders: '',
 
     /**
      * package.json

diff --git a/test/app/extend/request.test.js b/test/app/extend/request.test.js
@@ -32,10 +32,12 @@ describe('test/app/extend/request.test.js', () => {
         assert(req.host === '');
       });
 
-      it('should return host from X-Forwarded-Host header', function* () {
+      it('should not allow X-Forwarded-Host header', function* () {
+        mm(app.config, 'proxy', true);
         mm(req.header, 'x-forwarded-host', 'foo.com');
+        mm(req.header, 'host', 'bar.com');
         assert(typeof req.host === 'string');
-        assert(req.host === 'foo.com');
+        assert(req.host === 'bar.com');
       });
 
       it('should return host from Host header when proxy=false', function* () {
@@ -45,6 +47,15 @@ describe('test/app/extend/request.test.js', () => {
         assert(typeof req.host === 'string');
         assert(req.host === 'bar.com');
       });
+
+      it('should custom hostHeaders', function* () {
+        mm(app.config, 'proxy', true);
+        mm(app.config, 'hostHeaders', 'x-forwarded-host');
+        mm(req.header, 'x-forwarded-host', 'foo.com');
+        mm(req.header, 'host', 'bar.com');
+        assert(typeof req.host === 'string');
+        assert(req.host === 'foo.com');
+      });
     });
 
     describe('req.hostname', () => {